Portal security

Portals have several facets of security:

  • Protocol: Platform portals use the HTTPS protocol.
  • Authentication: A portal can allow authenticated or non-authenticated visitors. Authenticated visitors must log in to the portal using a Login Form. You can develop a portal that allows non-authenticated visitors to some pages and restricts other pages to authenticated visitors. You limit access to a specific portal page to authenticated visitors by selecting the Only logged in portal users can access this page check box in the portal page's properties. There are two types of user accounts that can log in to a portal:
    • Users - accounts created for your tenant as Platform User records.
    • Platform object records - accounts created for objects with the Portal User attribute. For example, you might create an Employee object and add the Portal User attribute to it. The Portal User attribute adds User Name and Password fields to the object. Users whose accounts are based on records of the Employee object type can login to a portal whose Login Form page specifies the Employee object. This allows users who do not have Platform accounts to use a portal as authenticated portal visitors. See Creating a portal user for details on creating this type of user account.
    Each Login Form is configured to allow only one type of user account to log in.
  • Password requirements: You can set rules for password authentication can be set when you edit a Password field on an object with the Portal User attribute. This includes:   
    • The minimum length of the password.

    • Whether the password must include both letters and digits.

    See Minimum Password Strength Requirements for more information.

  • Access control: Access rights for portal users are set for user accounts in the following ways:
    • For accounts based on Platform User records, access rights are specified for that user's role.
    • For accounts created for objects with the Portal User attribute, access rights are specified for the Portal User role. These permissions cannot be relationship-based and they cannot include Location/Department/Function (LDF) filters.
    • Access rights for records created by portal users are set for the Record Creator pseudo-role. See The Record Creator role for information about the Record Creator role.
  • As an additional security measure, you can specify a whitelist of IP addresses to be checked when a portal user logs in. For information about the additional security setup and administration, see Advanced setup and administration.

The login session for portal user expires after a certain period of inactivity. Platform Private Cloud customers can configure this time interval. See Shared Properties for more information.

Administrators can login into a portal as a selected visitor from the portal view page by clicking the login form page name under Login As in the More actions drop-down.

Setting permissions for portal user objects requires careful planning to ensure that portal users cannot access information they are not supposed to access. See Creating portals with authentication for examples.