System Settings: Security

The Security screen groups the configurable settings that help administrators protect user accounts, enforce strong passwords and PINs, limit session lifetimes, and control access across TopClass.

To configure these settings, do the following:

  1. Go to System Administration > System Settings.

  2. Click Security.

  3. Update the following settings:

    • Super Administrator timeout – Enter a value (in minutes) to define how long a Super Administrator can remain inactive before being automatically logged out. Setting this helps maintain security by ensuring inactive sessions do not remain open.

    • JavaScript Entry in Content – Allow JavaScript code to be entered into the Rich Text Editor on Content screens.

    📘

    Note

Enabling this option lets anyone who can edit content run script in the browser of every user who views that content (stored cross-site scripting, XSS). Only enable it if you fully understand and trust the scripts being added and the people who can add them.

    • JavaScript Entry in Descriptions - Allow JavaScript code to be entered into the Rich Text Editor for non-content description fields.

    📘

    Note

    As with content areas, enabling JavaScript here may create XSS risks. Use only in secure, controlled environments.

    • Allow switch user – Select Yes to allow system administrators to log in as a student without changing the student’s password. A Login as User link appears on the Manage Users > General tab when this option is enabled. This is useful for troubleshooting user-specific issues.
    • Password create link expiry - Set how long (in hours) a password creation link remains valid. Enter 0 to prevent the link from expiring, though this is not recommended. Shorter expiry times improve security by limiting how long a forwarded or intercepted link can still be used.
    • Two-Factor authentication - Select Yes to enable Two-Factor Authentication for all users. 2FA adds an extra layer of protection by requiring users to verify their identity using a secondary method (e.g., an authentication app).
    • Two-Factor authentication for super admins only - Select Yes to enable Two-Factor Authentication only for Super Administrators. This helps protect high-level accounts without requiring all users to enroll in 2FA.
    • Max attempts - Enter the number of times a user can attempt to log in with an invalid password before their account is locked. Limiting login attempts helps prevent unauthorized access through brute-force attacks.
    • Max attempts PIN - Enter the number of allowed attempts for users to enter a valid PIN before being locked out. Use a low value for enhanced security or a higher one to reduce lockouts due to user error.
    • 2FA QR code size – Specify the pixel size for the Two-Factor Authentication QR code (applies to both width and height). The maximum allowed value is 500. Adjust this to ensure the code is easily scannable on different devices.
    • Allow modify shortcuts - Allow users to customize their shortcuts. This provides flexibility for users to tailor their workspace to frequently used areas of the system.
    • PIN characters - Select which types of characters are allowed in user PINs (letters, digits, or both). Restricting character types can simplify user experience, while allowing mixed types improves security.
    • PIN expiry - Set the number of days before a PIN must be changed. Enter 0 to disable expiry. Regular PIN changes can help prevent unauthorized access from compromised credentials.
    • PIN length - Enter the minimum required length for user PINs. Longer PINs enhance security by increasing the number of possible combinations.
    • Password characters - Select the character types allowed or required in passwords. Options that restrict the character set are simpler for users but reduce password strength; options that require mixed character types enforce stronger passwords:
      • Any Characters - Allows users to include any combination of letters, numbers, symbols, or special characters in their password. The special characters are optional and are not enforced with this option.

      • Letters or Digits Only - Restricts passwords to letters (A–Z, a–z) and digits (0–9). Special characters are not permitted, making passwords easier to remember but slightly less secure.

      • Letters Only – Allows only alphabetical characters (A–Z, a–z) in passwords. This setting is the least secure option and is not generally recommended.

      • Digits Only – Allows only numeric characters (0–9). Use this option only in low-risk environments or when compatibility with numeric-only authentication systems is required.

      • Letters & Numbers – Requires passwords to contain at least one letter and one number. Special characters are permitted but not required. This option enforces a moderate level of password strength while maintaining ease of use for most users.

      • Letters, Numbers, & Special Characters – Requires passwords to contain at least one letter (A–Z, a–z), one number (0–9), and one special character (e.g., !, @, #, $). All three must be present for the password to be valid. This is the strictest composition rule available and, combined with an adequate minimum Password length, is the preferred choice for most organizations.

    📘

    Note

    When adding users in bulk, if one record fails password validation, no subsequent records are processed; for example:

    • If the first record fails validation, all following records are ignored.
    • If the first passes and the second fails, the first is created, but all records after the second are ignored.
    • This applies to all password validation failures, including character and length requirements. Before importing, validate passwords in your CSV to ensure they meet the system’s current password policy and prevent skipped records.

    • Password expiry - Set how many days a password remains valid before the user must change it. Enter 0 to prevent expiration. Regular password changes are recommended for maintaining account security.
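The following script is an added example, not part of TopClass or its documentation: it pre-validates the passwords in a bulk-user CSV against the Password characters option and minimum Password length described above, and predicts which records the import would create, which one would fail, and which would be skipped because of the stop-at-first-failure behaviour. The short policy names, the CSV column names and the sample rows are assumptions made for the example; the product screen uses the full option labels quoted above.

```python
"""Pre-check a bulk-user CSV against the TopClass password policy so that
no records are skipped by the import (added example, not product code)."""
import csv
import io
import string

LETTERS = string.ascii_letters
DIGITS = string.digits
SPECIAL = string.punctuation  # e.g. ! @ # $ - treated as "special characters"


def _has(password, chars):
    """True if at least one character of `password` is in `chars`."""
    return any(c in chars for c in password)


# The six "Password characters" options, keyed by short names that are an
# assumption of this example (the screen shows the full labels).
POLICIES = {
    "any": lambda p: True,
    "letters_or_digits": lambda p: all(c in LETTERS + DIGITS for c in p),
    "letters_only": lambda p: all(c in LETTERS for c in p),
    "digits_only": lambda p: all(c in DIGITS for c in p),
    "letters_and_numbers": lambda p: _has(p, LETTERS) and _has(p, DIGITS),
    "letters_numbers_special": lambda p: (
        _has(p, LETTERS) and _has(p, DIGITS) and _has(p, SPECIAL)
    ),
}


def check_password(password, policy, min_length):
    """Return the list of policy violations for one password (empty = valid)."""
    if policy not in POLICIES:
        raise ValueError(f"unknown policy {policy!r}")
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not POLICIES[policy](password):
        problems.append(f"does not satisfy {policy!r} character rule")
    return problems


def validate_import(csv_text, policy, min_length):
    """Check every record and predict what the bulk import would do.

    The import stops at the first record that fails validation: records
    before it are created, the failing record and every record after it
    are not. 'all_invalid' lists every bad record so they can all be fixed
    in one pass instead of one failure per import run.
    """
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    result = {"created": [], "failed": None, "skipped": [], "all_invalid": {}}
    halted = False
    for row in rows:
        user = row["username"]
        problems = check_password(row["password"], policy, min_length)
        if problems:
            result["all_invalid"][user] = problems
        if halted:
            result["skipped"].append(user)
        elif problems:
            result["failed"] = user
            halted = True
        else:
            result["created"].append(user)
    return result


# Constructed sample of a bulk-user CSV (only the columns this check needs).
SAMPLE_CSV = """username,password
alice,Tr0ub4dor!x
bob,password
carol,C0rrect-Horse
dave,1234
"""

if __name__ == "__main__":
    # Policy "Letters, Numbers, & Special Characters" with a 10-character minimum.
    r = validate_import(SAMPLE_CSV, "letters_numbers_special", 10)
    print("would be created:", r["created"])
    print("first failure   :", r["failed"])
    print("would be skipped:", r["skipped"])
    for user, why in r["all_invalid"].items():
        print(f"fix {user}: {'; '.join(why)}")
```

Run it against the exported CSV before every import: the `all_invalid` list is the one to act on, because fixing only the first failure and re-importing would surface the next failure one run at a time and re-submit records that were already created.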
    • Password length - Enter the minimum length required for passwords. A longer minimum improves account protection against brute-force attacks.
    • Password reset link expiry - Specify how long (in minutes) a password reset link remains valid. Enter 0 if the link should never expire, though this is not recommended. Shorter durations reduce the window in which an exposed or forwarded reset link can be used to take over the account.
    • Shopping Cart HTTPS Enabled - Select Yes to require HTTPS for all shopping cart transactions. Enabling this ensures all payment and user data is securely transmitted.
    • System Administrator - Enter the username of the default system administrator. This account typically has full access and is used for initial system setup and management.
    • Administrator timeout - Enter the number of minutes of inactivity before administrators are automatically logged out. The default value is 10 minutes. Set to 0 if administrators should remain logged in indefinitely, though this is not recommended for shared systems.
    • New user must change password - Select Yes to require newly created users to change their password at first login. This ensures that default or temporary passwords are replaced with secure, user-selected credentials.
    • User timeout - Enter the number of minutes of inactivity after which students are automatically logged out. The default is 10 minutes. Set to 0 if students should remain logged in indefinitely, though this is not recommended for shared or public computers.
    • Use PIN - Select Yes to require users to enter a PIN before taking a test. Enabling this adds an extra layer of verification to ensure that only authorized users can begin or access assessments.