This article explains how system administrators can use a list of IP addresses to restrict access to Clarity Human Services.
Working with IP whitelists can be very tricky, and if this feature is not understood or set up properly, it will have a significant impact on your Clarity Human Services site. Please read this article very carefully.
The Authentication Policy setting offers two options for users to access your Clarity Human Services site:
- "Basic Authentication" means that all of your users can log in to your site without having to use a specific IP address.
- "IP Whitelist" means that only users whose IP address has been added to the IP Whitelist can log in to your site. When the Authentication Policy is set to “IP Whitelist,” any user attempting to log in with an IP address that is not set up in the instance will not be able to log in to the instance. If a user who has been IP whitelisted leaves an agency, remove their IP address from the instance so that it is not possible for them to log in.
Important Considerations when using the IP Whitelist Feature:
- Authentication Policy is a system-level setting that applies to all users in the system. It is not possible to apply the “IP Whitelist” option to some agencies and the “Basic Authentication” option to the rest of the agencies.
- It is very important to add the IP addresses of all devices (office locations, mobile devices, VPNs, Bitfocus Help Desk, etc) that will be used to access the system. Users will not be allowed to access Clarity Human Services with an IP address that is not set up in the instance.
- If you want to use the “IP Whitelist” feature, you will need to add the IP addresses to the IP Whitelist as described below before selecting “IP Whitelist” as the Authentication Policy. Be sure to add all IP addresses that will be used to access the system.
Global IP Whitelist
To add an IP address to the IP Whitelist, navigate to SETUP > SETTINGS. In the Advanced Options sidebar, select Global IP Whitelist.
The IP WHITELIST page appears, Click CREATE A NEW IP ADDRESS.
The ADD IP ADDRESS pop-up appears.
The Agency field allows you to designate whether the IP address will be associated with all agencies or with a specific agency.
- If you want all users in the system to be able to log in to the site from that IP address, regardless of their primary agency, select “All Agencies” from the picklist. Setting up IP Address(es) for “All Agencies” means that all users will only be allowed to log in to their Clarity Human Services account from the specified IP Address(es).
- If you want to restrict access for an IP address to just the users who have a specific agency as their primary agency, select that agency from the picklist. Setting up IP Address(es) for specific agencies means that users who have primary agency access for any of the specific agencies will only be able to log in to their Clarity Human Services account from the specified IP Address(es).
In the IP Address field, enter the IP Address that will be accessing the system. (To find your IP address, visit www.whatismyip.com or type “what’s my IP address?” into a search engine.)
Click SAVE CHANGES .
The IP address will now appear on the IP WHITELIST page. IP addresses that are associated with all agencies will be identified as “Any Agency” in the Agency column. IP addresses that are associated with a specific agency, whether they were added here or through the agency’s IP WHITELIST described below, will be identified by that agency’s name in the Agency column.
You may use the SEARCH function to search for IP addresses associated with a specific agency. The default search option, “Any agency,” displays all IP addresses that have been added.
Once you have set up all the IP addresses that will be allowed to access Clarity Human Services, you will navigate back to SETUP > SETTINGS and scroll down to Account Settings and change the Authentication Policy from “Basic Authentication” to “IP Whitelist.”
Once you click MODIFY SETTINGS at the bottom of the page, any users accessing Clarity Human Services from an IP address that is not set up in the IP whitelist settings will be immediately locked out of the system.
Agency IP Whitelist
Note: It is not possible to set the Authentication Policy at the agency level; i.e., it is not possible to apply the “IP Whitelist” option to some agencies and the “Basic Authentication” option to the rest of the agencies.
Setting up an Agency IP Whitelist simply means that users who do not have primary agency access to that agency will not be able to log in to their Clarity Human Services account even with an IP address that has been set up for “All Agencies.” When an Agency IP Whitelist is set up, only users who have primary agency access to the designated IP address will be able to log in to their Clarity Human Services account.
Consider a scenario where an IP address of 12.34.255.89 has been added to the Agency IP Whitelist for Test Agency 2 in Clarity Human Services.
- Example 1: Alicia, who has primary agency access to Test Agency 2, attempts to log in to Clarity Human Services from 12.34.255.89. She will be allowed to log in to her account.
- Example 2: James, who does not have primary agency access to Test Agency 2, also attempts to log in to Clarity Human Services from 12.34.255.89. He will not be allowed to log in.
To view or add IP addresses associated with a specific agency, navigate to MANAGE > SHARING for that agency and select IP Whitelist from the Advanced Options sidebar.
The IP WHITELIST page will be displayed. Any IP addresses specific to this agency that have been added here or on the Global IP Whitelist page will be displayed. To add another IP address to this agency’s IP Whitelist, click ADD NEW ADDRESS.
On the ADD IP ADDRESS pop-up, enter the IP address and click ADD RECORD.
Updated: 8/11/2023