1. Overview of the Security Controls in Businessmap
2. How to access the Security Controls?
1. Overview of the Security Controls in Businessmap
The Security Controls and the Card Controls provide a way to manage your security environment at a global account level. These options ensure better data protection and defense against intrusion and unauthorized access to the system. The Security Controls are managed by Account Owners or users granted the "Manage Security Settings" privilege.
Switch the toggles to enable or disable the following security controls for the entire account:
Security Controls
- Public Filters - Enable or disable the creation of Public Filters in the account. If disabled, then the access to all existing Public filters will be revoked.
- Only internal users can access public filters - Allow only logged-in users to access public filters. If disabled, anyone on the internet with a link can view data in the public filter.
- Power BI search reports - control which users can create Power BI search reports in the account. If enabled, you can grant access to everyone, Account Owners, or specific users to generate Power BI search reports. When disabled, all existing Power BI search reports will be revoked, and users won't be able to create new ones.
- Public reports - Enable or disable the creation of Public Reports anywhere in the account. If disabled, access to all existing Public Reports will be revoked.
- Card attachments - enable or disable file attachments inside cards and initiatives. If disabled, then users will not be able to attach any files from their PC or cloud storage to the cards and initiatives. You can set a size limit for card attachments between 1 and 30 megabytes. This size limit also applies to card attachments uploaded through the email integration.
- Allow inline images - Enable or disable inline images in the card's description, subtasks, comments, board/column/lane description, or rich text widget. If disabled, users will not be allowed to add new inline images. All existing inline images will not be visible until the security control is enabled again. Similar to card attachments, you can set a size limit for the inline images — between 1 and 7 megabytes.
- Log out on browser close - log out users when they close their internet browser.
- Only Account Owners can create and copy workspaces and boards - If enabled, it allows the creation of workspaces and boards only by Account Owners. If disabled, Workspace Managers will be able to create boards too.
- Only Account Owners can delete workspaces and boards - If disabled, Workspace Managers will be able to delete the boards that they are assigned to.
- Do not send email confirmation upon email address change - if enabled, the email address will be changed immediately, without confirmation by the user. The user would only receive an email informing them that the change of their email address has been performed.
- Only Account Owners, Authors, or Shared with users can edit or delete business rules - Allow only Account Owners, authors of business rules, or users with whom the business rule is shared to edit or delete business rules. If disabled, users with Manage Business Rules admin privilege will be able to edit or delete business rules too.
- Notify owners or specific users over email when another user is invited as or promoted to an Account Owner - If enabled, Account Owners and selected users will receive an email notification when a user has been invited as or promoted to an Account Owner.
  Note: the superuser and the user that has been promoted will not receive this email notification.
- API access - It enables Account Owners and users with the necessary admin privileges to manage which users can and cannot access the API. You can grant API access to everyone, Account Owners only, or select specific users.
  Note: If there is a role that enables “access API v1” from the Board Permissions, the users with that role will not be able to access the API if the API access security control is disabled.
- Globally visible card fields - Customize which card fields (Owner, Title, Custom ID, or Type) are visible to all users, irrespective of their board role permissions or whether they are members of a board. For example, if a card field is not selected as visible, users who are not board members will not see its value in specific locations, such as tooltips on cards linked to that board. By default, this setting is enabled and all four elements are visible.
  Note: Board members and Workspace managers of the respective board will see these card fields even if the setting is disabled.
- Allow users to request access to board - If enabled, all users in the account will be able to request access to boards they are not members of from a button located under all available workspaces in the Home Dashboard. The setting lets you select who in the account will receive the access requests — Workspace managers (of the board the user wants access to), Owners, Specific users, or Users with specific roles*. When the security setting is disabled, users will not see the access request button.
  *If you select this option, all users assigned to the board who have one of the specified roles will receive a board access request. If there is no user with the specified role assigned to the board, Account Owners will be notified about the board request via email. In that case, Account Owners can manually add that user to the board. Let's say only users with role A can grant access to boards. If Tom had that role when another user requested access to a board but then Tom's role was changed, Tom will still receive the request notification, but he won't be able to grant it. Keep in mind that Workspace Managers and Account Owners won't receive access requests if "users having specific roles" is enabled, unless they are part of a team assigned to the respective board with the specified role.
  Note: To request access to a board, users need to open the Home Dashboard and scroll down to the “Request Access” button under all available workspaces. When users request access to a board, they can only see its name and ID. To ensure the correct board is requested (for example, in cases where multiple boards share the same name), users need to know the board ID. Once submitted, an access request can either be approved or denied. In either case, the user will receive an email notification about it.
- Enable AI - It allows users in the account to use AI to generate subtasks. If enabled, your card data is securely sent to a third-party AI service (Azure OpenAI by Microsoft). As per Microsoft's guidelines, your data is kept private, it is never shared, and is never used to train their AI models.
  Note: This setting does not apply to the Businessmap AI Coach and the Businessmap AI Assistant.
Password Policy
Account Owners and users with the “Manage Security Settings” privilege can access the Password Policy menu inside the Administration panel, and will be able to define the following policies for account passwords:
- Require at least one uppercase letter
- Require at least one lowercase letter
- Require at least one digit
- Require at least one non-alphanumeric character (ex. !, @, #, etc.)
- Require minimum length – between 6 and 24 characters. (we recommend 10 or more)
- Password lifetime – when turned on, this option allows you to define a period (between 7 and 365 days) after which users need to change their password
- Enforce two-factor authentication (2FA) for all users – this option will automatically enable 2FA for all users inside the account
Important: by default all new users, including those who decide to change their password, are required to have a password length of at least 6 characters.
Note: If you change the password policies and there is a user with a password that doesn’t meet the new requirements, the system will automatically redirect the user at their next login to change their password. Users will see the password requirements that have been applied and the system will show them whether they meet them or don’t.
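The sketch below is an added example, not Businessmap code: it models the policy options listed above so a candidate policy can be checked against the documented limits and a password evaluated requirement by requirement, as the login redirect does. The class, field and function names are hypothetical, and two behaviours are assumptions: any character that is not a letter or digit counts as non-alphanumeric, and a password expires once its age reaches the configured lifetime.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class PasswordPolicy:
    # Hypothetical field names; the limits are the ones stated on this page.
    min_length: int = 6                   # default 6, allowed range 6..24
    require_upper: bool = False
    require_lower: bool = False
    require_digit: bool = False
    require_symbol: bool = False
    lifetime_days: Optional[int] = None   # None = lifetime off, else 7..365

    def __post_init__(self):
        if not 6 <= self.min_length <= 24:
            raise ValueError("minimum length must be between 6 and 24")
        if self.lifetime_days is not None and not 7 <= self.lifetime_days <= 365:
            raise ValueError("password lifetime must be between 7 and 365 days")


def check_password(policy: PasswordPolicy, password: str) -> dict:
    """Return {requirement: met?} for every requirement the policy enables."""
    report = {
        f"at least {policy.min_length} characters": len(password) >= policy.min_length
    }
    if policy.require_upper:
        report["uppercase letter"] = any(c.isupper() for c in password)
    if policy.require_lower:
        report["lowercase letter"] = any(c.islower() for c in password)
    if policy.require_digit:
        report["digit"] = any(c.isdigit() for c in password)
    if policy.require_symbol:
        # Assumption: anything that is not a letter or digit qualifies.
        report["non-alphanumeric character"] = any(not c.isalnum() for c in password)
    return report


def must_change(policy: PasswordPolicy, password: str,
                last_changed: date, today: date) -> bool:
    """True when the user would be sent to change their password at login."""
    if not all(check_password(policy, password).values()):
        return True   # policy was tightened after this password was set
    if policy.lifetime_days is None:
        return False
    # Assumption: expiry triggers once the age reaches the lifetime.
    return today - last_changed >= timedelta(days=policy.lifetime_days)
```
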
Card Controls
In general, the card control options define who in the account will be able to create, edit, and delete card elements. This can be set to Account Owners/Admins*, Account Owners/Admins* and Workspace Managers, or "everyone" (allows any user to manage those card elements).
*An Admin is a user who has the “Manage Card Elements” admin privilege but is not an Account Owner.
- Users that can manage Blockers - select any of the three options.
- Users that can manage Stickers - select any of the three options.
- Users that can manage Tags - select any of the three options.
- Users that can manage Types - select any of the three options.
- Users that can manage Templates - select any of the three options.
- Users that can manage Custom Fields - select any of the three options.
- Users that can manage Milestones - select any of the three options.
2. How to access the Security Controls?
To access the Security Controls, open the Administration panel at the top right side of your board and select the Security & Audit tab.
To learn all about the Audit logs, please check the following article.