Best practices for using security access profiles

Use security access profiles to define tenant‑level security configuration overrides that are associated with individual users or security roles. These profiles provide a centralized and consistent way to enforce stricter access controls for specific user populations without affecting the entire tenant configuration.

Security access profiles can be used to override default settings related to:

  • Idle session timeout
  • Login IP ranges
  • Login hours

By design, all of these controls are optional. If a setting isn't defined in a profile, the default behavior of the tenant remains in effect.

If a security access profile doesn't specify overrides:

  • Idle session timeout: Default value for a tenant applies (configured in the session configuration UI).
  • Login IP ranges: Access is allowed from any IP address.
  • Login hours: Access is allowed at all times.

These conditions ensure that security access profiles are additive and non‑disruptive unless explicitly configured.

When to use security access profiles

Security access profiles are best used when stricter security controls are required for these specific users or roles:

  • Administrators with access to sensitive tenant configurations
  • Users handling personally identifiable information (PII) or regulated data
  • Users in shared or public workspaces
  • Users accessing the system from controlled corporate networks
  • Support or service users with elevated privileges

You can apply restrictive controls only where necessary, instead of applying them tenant‑wide.

Idle session time-out

An idle session time-out defines the maximum period of inactivity before a user’s session is automatically terminated and the user is logged out. This helps reduce the risk of unauthorized access.

With security access profiles, the maximum period of inactivity can override the tenant default idle session time-out defined in the UI of the session configuration.

You can set the idle session timeout as low as 5 minutes, making it suitable for high‑risk scenarios.

Best practices

  • Configure short idle session time-outs for:
    • Users working in shared or public environments
    • Administrators and users with access to PII
  • Don't use very low time-out values for general business users unless operationally justified. It can affect productivity.

Login IP range restrictions

The login IP range configuration restricts user access to specific IP addresses or IP ranges. This control is commonly used to ensure access only from these sources:

  • Corporate networks
  • VPNs
  • Trusted partner networks

By default, Infor doesn't restrict login IP addresses. If no IP ranges are defined in a security access profile, users may log in from any IP address.

Best practices

  • Define login IP ranges for:
    • Administrative accounts
    • Service or integration users
    • Roles with elevated permissions
  • To reduce maintenance overhead, use IP ranges rather than single IP addresses where it is possible.
  • To prevent accidental lockouts, validate IP ranges carefully before enabling restrictions.

Login hours

Login hours define when users can authenticate to the system. Access attempts outside the configured time window are denied.

Login hours are useful for limiting system access:

  • Outside business hours
  • During defined maintenance or support windows
  • For time‑bound operational roles

By default, Infor doesn't restrict login hours, and users may log in at any time unless explicitly configured in a profile.

Best practices

  • Apply login hours to:
    • Temporary users or contractors
    • Operational roles with defined shifts
    • High‑risk accounts
  • Ensure login hours consider time zones and operational coverage.

Assignment and precedence

Security access profiles can be assigned at the user level and the security role level.

If a user receives a security access profile, both directly and through a security role, the user‑level profile takes precedence. This ensures that individual security exceptions can be applied without modifying role‑based expectations.

When profile assignments are updated, users must sign out and sign back in for new session‑related settings to take effect.