This guide will explain how to troubleshoot Login and Access issues throughout Pentana Risk. For more information on specific permissions please see our What are Permissions in Pentana Risk? guide. For more information on configuring our 'Go To' menu please see our How do I configure the 'Go To..' menu? guide.
- Auditing Logins
- Common Login Issues
- Resetting your password
- Permissions and Application Access
- IP Whitelisting
Login audits can be used to view when and how your users are logging into the system. This can be helpful when tracing back changes to the application or diagnosing access issues.
Creating an Audit Trail Query
Firstly, open the GoTo Menu and navigate to Site Admin and then Audit Trail. Once viewing the Audit Trail, select the 'Log in' filter button, which will show all Logins in the past 180 days.
When looking at the Audit Trail entries, there are three types of Login:
- Login - Classic Login
- Login Browser - Browser Login
- Login SSO - User logged into Browser via Single sign-on
When you hover over a row in the Audit Trail, a blue filter icon appears at the beginning of the row. Selecting it lets you filter the results by the User or Date.
In Browser, Audit Trail Queries cannot be saved. However, the URL for your Query is unique, so you can bookmark your Query and return to it at any time without having to re-apply filters.
Exporting the results
You can use the Print function located at the Top right of the page, next to the help button. This will capture the filters you have set for the Query and all the results on the page you are viewing.
Another method is to create an Audit Trail Report in Classic. Although you cannot filter the Audit Trail in the Report, you can use Excel to further analyse the data.
Once the login data is in Excel you can analyse it as required. For example...
- Get the total Browser and Classic logins.
- Remove duplicate rows to see the number of Users that logged into Browser and Classic.
- You could also create a PI to track your Browser logins each month, using this data.
- Discover users that only log in to Classic. You could then talk to them about upgrading to Browser.
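The same analysis can be scripted instead of done in Excel. The following is an added example, not part of Pentana Risk: the CSV column names `User` and `Action` and the sample rows are assumptions, so adjust them to match your actual export. The three login types are the ones listed above.

```python
import csv
import io
from collections import Counter

# Constructed sample export. Column names are assumed, not taken from the product.
SAMPLE_EXPORT = """User,Action,Date
alice,Login Browser,2024-03-01
alice,Login,2024-03-02
bob,Login,2024-03-02
bob,Login,2024-03-05
carol,Login SSO,2024-03-03
carol,Login Browser,2024-03-04
dave,Edit,2024-03-04
"""

# Audit Trail login types mapped to the platform they represent.
PLATFORM = {"Login": "Classic", "Login Browser": "Browser", "Login SSO": "Browser"}


def summarise_logins(csv_text):
    """Return total logins, distinct users per platform, and Classic-only users."""
    totals = Counter()
    users = {"Classic": set(), "Browser": set()}
    for row in csv.DictReader(io.StringIO(csv_text)):
        platform = PLATFORM.get(row["Action"].strip())
        if platform is None:
            continue  # not a login entry
        totals[platform] += 1
        users[platform].add(row["User"].strip())
    return {
        "total_logins": dict(totals),
        # Equivalent to removing duplicate rows in Excel.
        "distinct_users": {p: len(u) for p, u in users.items()},
        # Users who never appear with a Browser or SSO login.
        "classic_only": sorted(users["Classic"] - users["Browser"]),
    }


if __name__ == "__main__":
    print(summarise_logins(SAMPLE_EXPORT))
```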
Preventing Users from accessing Classic
The 'Classic Log In' Permission grants Users the ability to log into Classic, so removing this Permission from a User prevents them from logging in.
If a User needs to access Classic-only features such as Scorecards and Report Layouts, you can limit the visibility of their Topic buttons so they can only see Classic Modules, and will then only use Classic when needed.
Common Login Issues
Bad Password and User Locking
A lock is applied when an attempt to log in as a specific User fails three times due to a bad password. This is designed to prevent brute-force attempts to breach the system. A User can be locked out separately in Browser and Classic, so it’s important to check the system that the User is having issues accessing.
For more information on Password administration and tools, please see our article here.
If a User attempts to log in using the incorrect password once, an error will appear over the login form:
If this is repeated twice more, a new error will appear:
Once a profile is locked, this will be indicated in their User notebook:
Login failures and locking can also be viewed in the Audit Trail by any Users with Site Admin:
To unlock a User, the User's account must be unlocked via the User Notebook menu in whichever platform they were locked out of. So if a User was locked out of Browser, their account will need unlocking in Browser.
To unlock a User in Browser, click on their name and select ‘Unlock’ (you will need Site Admin permissions to do this):
A failed login will be marked with an error message. Once the failure has occurred enough times, the system will lock the User.
The failure can be viewed in the Audit Trail:
In the User notebook, the button to unlock the profile is in the toolbar:
Attempts to log in with an incorrect Username are not recorded in the Audit Trail. An error is displayed on the User's screen, but it is the same error as for a login attempt with an incorrect password. So if the User does not receive a 'User locked' message after three attempts, it is likely that they are using an incorrect Username. A User's Username/Login ID can be viewed in the User Notebook and should be confirmed with any User having difficulty logging in.
When User accounts are made inactive, they cannot be used to log into the system. If the User attempts to log in, they will see the below error:
Attempts to log in to an Inactive account are not audited in the Audit Trail. Note that to see inactive Users in the User list you must have Site Admin permission.
Site Admins can set an Expiry policy on the site; more information can be found in our online help. The setting is found under ‘Site Admin’, then ‘General’, then ‘User Expiry’. It is disabled by default, but Site Admins can set a policy based on last login date:
When a User is made inactive it will be recorded in the Audit Trail:
Resetting your password
You can use the 'Forgotten your password?' link on your login page to reset your password. Simply input the email address associated with your User, and you will shortly receive an email with a link where you can change your password.
I didn't receive an email
Make sure to look in your junk and spam folders, and check with your IT team that your network hasn't blocked the email. This could also be because your User does not have an email address associated with it or the email address is incorrect. Ask a Site Admin to check this for you.
'Unfortunately, this email address is in use by more than one user...'
If you receive this message in your Password email it means that you cannot reset your password as your email is being used by more than one User. Therefore you may need to ask a Site admin to remove the email from any User accounts that you are not using.
Permissions and Application Access
Access to specific areas of the application can be administered in a number of ways in both Classic and Browser.
Access in Browser is limited by Permissions and explicit visibility of the ‘Go To..’ menu options. If a User does not have visibility of the ‘Go To..’ menu option, they will be unable to access the module directly.
Site Admin Users will have visibility of all ‘Go To..’ options, including the ‘Site Admin’ section which holds additional administration options.
For more information on configuring ‘Go To..’ menu access please see the ‘How do I configure the ‘Go To..’ menu?’ guide.
Access in Classic is limited by module permissions and visibility of ‘Topic Buttons’. These can be altered in two places:
- Via the ‘Topics’ button available under the ‘Admin’ topic.
- Via the User notebook in Classic
Permission Based Access
If a User doesn’t have the appropriate permissions to access a page or item, they will be met with an access error (even when accessing via a direct link):
For more information on administering and viewing Ownerships please see our ‘What are Ownerships in Pentana Risk?’ article.
For more information on administering and viewing Permissions please see our ‘What are Permissions in Pentana Risk?’ article.
IP Whitelisting is a security feature within Pentana Risk Browser that allows you to configure your site so that it can only be accessed by selected IP addresses. It is not a requirement that you use this feature as it is simply an optional security tool.
This feature can only be configured by Site Admins. The page is found under the IP Whitelisting option in the 'Site Admin' section of the 'Go To..' menu. On the IP Whitelisting page, enter the IP addresses you wish to whitelist into the text field. Only the IP addresses listed will be allowed access to your site; if the list is empty, the feature is not enabled.
Your computer's IP address is listed in bold above the text field, however, if your IP changes after restarting your computer (dynamic IP), we do not recommend that you use this feature. You may also need to consider any Users who may be working from a different location such as another office or from home and any VPN Users.
When a User logs into Browser, their IP is checked against the addresses you have whitelisted, and they are automatically prevented from accessing the site if their IP address does not match. They will see the above message when their IP does not match the whitelisting rules.
As shown in the above grey boxes, IP addresses must be separated by whitespace, and ranges are declared by placing a hyphen between two IPs. Rather than whitelisting several single IP addresses, it can be much more efficient to use ranges, as a range whitelists every IP address that lies between its two IPs.
Once you have finished editing the whitelist you can select the 'Save' button to save and apply your changes. Please note that saving your changes will not affect any Users who are currently logged on as the IP is only checked from the point of login. You can also use the 'Revert' button to remove any unsaved changes to the IP Address whitelist.
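Before saving, it is worth checking a draft whitelist against the addresses your Users actually connect from (other offices, home workers, VPN egress). The following is an added example, not Pentana Risk code: it parses the format described above, and it assumes that range endpoints are inclusive. All addresses and location names are constructed.

```python
import ipaddress


def parse_whitelist(text):
    """Parse whitespace-separated entries; 'a-b' declares a range of IPs."""
    rules = []
    for entry in text.split():
        start, sep, end = entry.partition("-")
        lo = ipaddress.ip_address(start)  # raises ValueError on a malformed IP
        hi = ipaddress.ip_address(end) if sep else lo
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"invalid range: {entry}")
        rules.append((lo, hi))
    return rules


def is_allowed(client_ip, rules):
    """An empty list means the feature is not enabled, so everyone is allowed."""
    if not rules:
        return True
    ip = ipaddress.ip_address(client_ip)
    # Endpoints are treated as inclusive (assumption).
    return any(ip.version == lo.version and lo <= ip <= hi for lo, hi in rules)


def addresses_covered(rules):
    """Count of addresses the rules admit, to spot an overly broad range."""
    return sum(int(hi) - int(lo) + 1 for lo, hi in rules)


def blocked_sources(whitelist_text, known_sources):
    """Return the known locations that the draft whitelist would lock out."""
    rules = parse_whitelist(whitelist_text)
    return {name: ip for name, ip in known_sources.items()
            if not is_allowed(ip, rules)}


# Constructed draft whitelist and source addresses (documentation ranges).
DRAFT = "203.0.113.10 198.51.100.20-198.51.100.40"
KNOWN_SOURCES = {
    "head office": "203.0.113.10",
    "VPN egress": "198.51.100.33",
    "branch office": "192.0.2.77",
}

if __name__ == "__main__":
    print("Would be blocked:", blocked_sources(DRAFT, KNOWN_SOURCES))
    print("Addresses covered:", addresses_covered(parse_whitelist(DRAFT)))
```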