Configure marketplace security
Marketplace Managers can manage security settings for their marketplace, including password policy, authentication, session timeout settings, support access, and OpenID trusted realms.
To configure marketplace security
📝 Note: If the AppDirect logo appears in the upper-left corner of the page, then wherever this topic says Manage > Marketplace, click the grid icon > Switch to | Store instead.
- Go to Manage > Marketplace > Settings > SETTINGS | Security. The Security page opens.
- Configure any of the following settings, as required (some settings are optional).
Setting | Available options | Description |
---|---|---|
Password Policy | Default | This is the minimum security policy. Default passwords do not expire automatically. Each marketplace account must be secured with a password that contains at least eight characters and meets the following requirements: |
Password Policy | Moderate | Moderate passwords expire automatically and must be changed within 90 days of their creation date. You can configure your marketplace to send users an email notification when their passwords are scheduled to expire. Each marketplace account must be secured with a password that contains at least eight characters and meets the following requirements: |
Password Policy | Strict | Strict passwords expire automatically and must be changed within 90 days of their creation date. You can configure your marketplace to send users an email notification when their passwords are scheduled to expire. Each marketplace account must be secured with a password that contains at least ten characters and meets the following requirements: |
Forbidden Passwords (optional) | N/A | To prevent users from creating passwords that do not meet security requirements, you can enter a comma-separated list of invalid passwords in the Forbidden Passwords field. |
Force Re-authentication (optional) | N/A | For increased security you can enable this setting to force users to re-authenticate when they access pages where they can perform sensitive actions—for example, delete their own account or change their primary email address. |
Force Re-authentication Grace Period | N/A | You can define the number of seconds that users have after they leave a page that contains sensitive information, without having to re-authenticate when they return to the page. If you enter 0 (zero), users must always re-authenticate. If you do not change the setting, the 60-day default value applies. |
Session Timeout | N/A | You can define the number of minutes after which a timeout occurs for marketplace users who are not administrators. If you do not change the setting, the 30-day default value applies. |
Session Timeout (Company Admins) | N/A | You can define the number of minutes after which a timeout occurs for Company Administrators. If you do not change the setting, the 30-minute default value applies. |
Persistent Login Expiration | N/A | You can set the number of days that a marketplace user remains logged in after they click Keep me logged in on the login page. If you do not change the setting, the 30-day default value applies. |
Persistent SSO Expiration | N/A | You can define the number of days that marketplace users remain logged in after they are authenticated with a trusted mobile application that has enabled persistent Single Sign-On (SSO)—for example, Mobile MyApps. If you do not change the setting, the 28-day default value applies. |
Activation email expiration | N/A | You can define the number of minutes after which an activation or invitation token expires. If you set the number of minutes to 0, there is no expiry. |
Access policy | N/A | The access policy defines how authenticated users access the marketplace. It applies to all companies in your marketplace. If you do not change the setting, the default Allow access from any IP address setting is applied. |
Access policy | Allow access from any IP address | Allows access from any IP address, for any role. This is the default setting. |
Access policy | Require access from trusted IP addresses (all users) | Users can only access the marketplace from one of the IP addresses listed in the Trusted IP addresses field. If you select this setting, the Trusted IP addresses pane opens. Enter a comma-separated list of trusted IP addresses. CIDR notation is supported. |
Access policy | Require access from trusted IP addresses (by user role) | If you select this setting, a list of user roles and a Trusted IP addresses pane open. Users with the roles that you select can only access the marketplace from one of the IP addresses added to the Trusted IP addresses field. The restrictions do not apply to users in other roles. |
Support Access (optional) | N/A | After this setting is enabled, Marketplace support users can request permission to access any user's account to act on their behalf and help them resolve issues. If the user grants access, the Marketplace support user can perform any action as if they were the user. |
OpenId Trusted Realms (Optional) | N/A | You can enter a comma-separated list to add one or more DNS-resolvable domains or subdomains whose single sign-on (SSO) requests your marketplace trusts when it acts as an OpenID 2.0 identity provider (IdP)—for example, acme.com or sales.acme.com. The marketplace automatically authorizes incoming OpenID 2.0 SSO requests from the trusted realms that you add. For all other realms, every user is manually prompted to trust the realm during their first SSO. |
- Click Save Settings. Your security settings are saved and enforced on your marketplace.
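
The Access policy options above take a comma-separated list of trusted IP addresses, with CIDR notation supported. The following Python sketch is an added example, not AppDirect code: it checks such a list before you paste it into the Trusted IP addresses field and shows which clients each option would admit. The policy labels, role name, prefix thresholds and sample addresses are constructed, and the matching logic is an assumption about how the marketplace evaluates the list.

```python
import ipaddress

# Constructed sample value for the Trusted IP addresses field (documentation ranges).
FIELD = "203.0.113.0/24, 198.51.100.17, 10.0.0.0/8, 2001:db8::/48, office-vpn"

def parse_trusted(field):
    """Split the comma-separated value into networks; return (networks, rejected)."""
    networks, rejected = [], []
    for entry in (e.strip() for e in field.split(",")):
        if not entry:
            continue  # tolerate a trailing comma
        try:
            # A bare address becomes a /32 (or /128); strict=False accepts
            # CIDR entries written with host bits set, e.g. 203.0.113.7/24.
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            rejected.append(entry)  # hostnames and typos are not IP/CIDR
    return networks, rejected

def overly_broad(networks, min_v4=16, min_v6=32):
    """Entries with a prefix shorter than the (arbitrary, assumed) thresholds."""
    return [n for n in networks
            if n.prefixlen < (min_v4 if n.version == 4 else min_v6)]

def is_allowed(client_ip, role, policy, networks, restricted_roles=()):
    """Model the three access-policy options with hypothetical labels:
    'any', 'all_users' and 'by_role'."""
    if policy == "any":
        return True
    if policy == "by_role" and role not in restricted_roles:
        return True  # restrictions do not apply to users in other roles
    addr = ipaddress.ip_address(client_ip)
    # Membership is False when address and network versions differ.
    return any(addr in net for net in networks)

if __name__ == "__main__":
    nets, bad = parse_trusted(FIELD)
    print("rejected entries:", bad)
    print("overly broad:", [str(n) for n in overly_broad(nets)])
    for ip, role in [("203.0.113.50", "Company Admin"),
                     ("192.0.2.9", "Company Admin"),
                     ("192.0.2.9", "User")]:
        print(ip, role, is_allowed(ip, role, "by_role", nets, {"Company Admin"}))
```

Running the check against your own current address before you click Save Settings confirms that the list you are about to enforce still admits the administrators who maintain it.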