Security Tab
About the Security Tab
All Qualtrics data and brands are protected with the utmost care. However, sometimes you may want additional security settings, such as the ability to track which users are logged in, add more requirements to passwords, modify how many failed logins lead to an account lockout, and so much more.
If you have purchased the Enterprise Security Package, Brand Administrators can access all these settings and more by going to the Admin page and selecting Security.
Security Settings
Security Settings is the first section under the Security tab.
Allow Proxy Logins
Proxy logins allow Brand Admins or higher privileged accounts to log into different user accounts on this brand through the Users tab. By deselecting Allow Proxy Logins, you are making it so no Brand Admin can directly log into a user’s account.
Enable Two-factor Authentication
When you select Enable Two-factor Authentication, users must provide a verification code after providing their username and password in order to log in. Users can set a preferred method of receiving this code, for example, through email or an authentication app on their phone.
On next login, users will go through the enrollment process where they set up their preferred verification method.
Users will also receive an email with backup codes, which serve as a recovery option if they lose access to their verification method. If a user needs to reset their backup codes or reconfigure their two-factor authentication setup, they can do so from their User Settings.
Once the setup is complete, future logins for that user will use the two-factor authentication process.
Users can personally select from a number of authenticator apps, including Google Authenticator, Duo Mobile, and Authy.
Minimum Password Requirements
You can customize the requirements of passwords created in your brand. When you leave a field blank, that means that feature is not required in the password. The above example shows the default password requirements.
User Sessions
- Minutes of inactivity until automatic logout: Determine how long someone can be in their account, not navigating pages or making edits, before they are logged out. This can be helpful so that accounts left open on idle screens cannot be accessed by passersby.
Qtip: The default session timeout is 60 minutes without user activity.
- Maximum Concurrent Sessions Per User: Determine how many people can be active in one account at once. If this number is exceeded, the newest user trying to log in will not be allowed into the account.
Qtip: The default maximum number of concurrent sessions for all brands is 500.
Account Lockout
When a user repeatedly gets the username or password to an account wrong, the system will lock them out. This is a feature available on all Qualtrics brands, which ensures that strangers cannot get access to accounts that don’t belong to them.
However, with the Security tab, you can specify more about how this Account Lockout system works.
- Select the number of failed login attempts.
- Select the timeframe within which these login attempts occur.
- Select how many minutes the account will be locked before it can be logged into again.
Disable Inactive Accounts
Sometimes accounts will sit around in a brand for a long time without any use. It can be tedious to keep track of these accounts individually, and you may not necessarily want to set an account expiration date.
You can choose to disable accounts after a number of predetermined days. Note that disabling an account will not delete it – you, as the brand administrator, can always re-enable the account.
Active Sessions
The Active Sessions section will show you all the users currently logged in on your brand, plus identifying information.
If you see suspicious account activity or you would like to force a user to log out for any reason, select the user(s) and click End Session. Click End All Sessions to end all active sessions.
To adjust the table format, click the down arrow next to a column and select an action.
The available actions are:
- Pin Column: Pin the column so it cannot be moved. This will also make the column visible while you scroll horizontally.
- Unpin Column: Unpin a pinned column.
- Move Column Left: Move the column 1 place to the left.
- Move Column Right: Move the column 1 place to the right.
You can also hover between columns and drag the column divider to change the width of a column.
Activity Logs
In the Activity Logs section, you can see actions users have taken across your Qualtrics organization.
For each entry, you may see a date, the username or user ID of the account the event happened to, and an event category and name.
In this section, we’ll explain how to use the Activity Log to find information on events. If you want a full list of possible events and what they mean, see Events Tracked in the Activity Log.
Event Details
To view more information about an event, click on it. This panel includes a lot of the same information in the columns, plus:
- Id: An internally generated session ID.
- Brand Id: Your organization ID.
- Ip Address: The IP Address where this activity took place.
- Timestamp: When the event started. Times are always given in the user account’s time zone.
Depending on the event type, there can be other information included about what happened.
Filtering Logs
You can filter your logs by time range, specific events, or search terms. The search supports user IDs, partial and whole usernames, and event types and categories.
To deselect events, click Clear selection.
Exporting Logs
- Click Export.
- Choose between CSV (comma-separated values) and TSV (tab-separated values) file types.
- Click Export files.
- You’ll be taken to Your Downloads, where you can see file status and download it once it’s ready.
Customizing and Sorting Columns
You can sort by any of the columns available. Click the arrow next to a column to move it left or right, or to pin it to the left.
Events Tracked in the Activity Log
The following is a list of event categories and event types tracked in the activity log.
Admin
- Account settings proxy login access: A user has given Qualtrics Support permission to proxy log into their account.
- Admin reports export: A user exported Admin Reports.
- Brand anonymity setting change: A user edited organization-wide anonymity settings.
- EX pseudonymization: A user edited the organization-wide pseudonymization policy.
- Help modal settings change: A user edited the organization-wide settings for the help window.
- Organization settings change: A user has edited organization settings.
- Survey approval: A user has requested approval, dismissed a request, approved a request, denied a request, or commented on a request. See more on Project Approval.
- User page individual view: A Brand or Division Admin viewed a user on the Users tab.
- User page main view: A user viewed the Users tab.
Brand change
- Brand change: The organization has just been created or updated with new permissions. This includes changes to the brand type, base URL, expiration date, and brand description. Each change is indicated by the original value and the new value.
Dashboard settings
- Update anonymity decorator: Anonymity settings have been updated in a dashboard.
- Update scales decorator: The Scales settings have been updated for a dashboard.
Dashboards
- Dashboard usage: A user has interacted with a dashboard. This includes dashboard editors and viewers.
Datasets
- Data tab export data: A user has exported recorded responses in any format in Data & Analysis.
- Data tab export responses to PDF: An individual response has been exported to PDF.
- Data tab export responses in progress: A user has exported responses in progress.
- Data tab manage downloads: A user has downloaded a file from Manage Downloads.
- Data tab single response view: A user has viewed an individual response.
- Data tab view: A user has viewed the Data section of Data & Analysis.
Directories
- Bulk contact change: A user has uploaded many contacts or changes to existing contacts in XM Directory.
- Contact export: A user has exported contacts from XM Directory.
- Contact list operation: A user has viewed, made changes to, or used mailing list options on a contact list in XM Directory.
- Contact list operation: A user has viewed or made changes to a contact in XM Directory.
- Directory operation: A user has viewed or made changes to a directory in XM Directory.
- Directory settings operation: A user has updated XM Directory settings, such as contact frequency, duplicate merging, directory messages, and more.
Distribution
- Distribution: A user has created a distribution in their project.
Libraries
- Library files graphics: A user has viewed or taken action in the library.
Organization
- Brand settings: A user has edited organization settings, particularly those related to login or SSO.
Projects
- EX program: A Pulse program has been created, edited, or deleted. This event includes changes to the other projects and settings in the larger program.
Public API
- API access: A user in your organization has performed API calls.
Reports
- Export printed report: A user has exported an Advanced-Report. This includes PDF, DOCX, PPTX, and JPG export types. Does not include EX or 360 reports.
- Export view results report: A user has exported Results. This includes PDF, DOCX, PPTX, and CSV export types.
Tickets
- Ticket customer activity: A user has viewed the customer activity of a ticket.
- Ticket exports: A user has exported tickets.
- Ticket follow-up details survey: A user created or edited a follow-up details survey. This event can also trigger when a follow-up details survey receives a response. See more on Ticket Feedback Surveys.
- Ticket survey response: A user viewed the embedded data or full survey response in a ticket.
User Access Control
- Employee record access control modified: Employee Record Access Control has been enabled or disabled.
- Modify columns metadata tag: A data access tag has been applied to columns metadata or removed from them.
- Modify data access tag: A data access tag has been created, updated, or deleted.
User Authentication
- API Token Change: A user generated an API token.
- Login: View regular, proxy, SSO, and failed logins. To learn more about a login, click on a user and view the information to the right.
  - Proxy Login will be true if it was a proxy login. You’ll also see additional information under “proxy details,” including the ID of the user who proxied into the account.
  - Is Successful will be false for failed logins.
  - You’ll also see information such as the URL the user logged in from, location, how they authenticated (e.g., SAML for SSO organizations), and the platform of login (browser and operating system).
- Password change: Any time a user changes their own password in the Account Settings.
- Password reset: Whenever a password is reset. This includes users choosing Forgot Your Password? on the login page, Brand Admins sending password resets, or the user having to change their password because the password expired or you set new minimum requirements.
- Session creation: Any time an account is logged into, thus creating a new session. This is different from Logins because it doesn’t count failures or allow you to check for proxies. If you click a user, it will show when the session ended.
- Session termination: Every time a session terminates, either because a user logged out or an administrator forced them to. To see which, click the termination and look at the Reason.
- User change: Any time a user is created or deleted. Click a user for more information. Action will show whether the user was edited, created, or deleted. You’ll also be able to see what details were edited.
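The following is an added example, not Qualtrics code: a Python review of an exported Activity Log CSV that flags users with repeated failed logins inside a time window (mirroring the Account Lockout settings) and lists every proxy login. The column headers, timestamp format, and sample rows are assumptions constructed for illustration; match them to the header row of your own export.

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample export. Column names and timestamp format are assumptions;
# adjust them to the header row of your own CSV export.
SAMPLE_CSV = """Timestamp,Username,Event Name,Ip Address,Is Successful,Proxy Login
2024-05-01 09:00:05,alice@example.com,Login,203.0.113.10,false,false
2024-05-01 09:00:40,alice@example.com,Login,203.0.113.10,false,false
2024-05-01 09:01:15,alice@example.com,Login,203.0.113.10,false,false
2024-05-01 09:30:00,bob@example.com,Login,198.51.100.7,true,true
2024-05-01 10:00:00,carol@example.com,Login,192.0.2.44,false,false
2024-05-01 11:30:00,carol@example.com,Login,192.0.2.44,false,false
2024-05-01 12:00:00,carol@example.com,Session creation,192.0.2.44,,
"""

def is_flag(row, column, expected):
    """Compare a true/false column case-insensitively, tolerating blanks."""
    return (row.get(column) or "").strip().lower() == expected

def review_logins(csv_text, max_failures=3, window_minutes=10):
    """Return (users with failed-login bursts, proxy logins) from an export."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)  # username -> timestamps of recent failures
    bursts, proxies = {}, []
    rows = [r for r in csv.DictReader(io.StringIO(csv_text))
            if r["Event Name"] == "Login"]
    for row in rows:
        row["_ts"] = datetime.strptime(row["Timestamp"], "%Y-%m-%d %H:%M:%S")
    for row in sorted(rows, key=lambda r: r["_ts"]):
        user, ts = row["Username"], row["_ts"]
        if is_flag(row, "Proxy Login", "true"):
            proxies.append((user, row["Timestamp"], row["Ip Address"]))
        if is_flag(row, "Is Successful", "false"):
            failures = recent[user]
            failures.append(ts)
            while ts - failures[0] > window:  # drop failures outside the window
                failures.popleft()
            if len(failures) >= max_failures and user not in bursts:
                bursts[user] = {"first_seen": failures[0].isoformat(sep=" "),
                                "ip": row["Ip Address"]}
    return bursts, proxies

if __name__ == "__main__":
    found_bursts, found_proxies = review_logins(SAMPLE_CSV)
    for user, info in found_bursts.items():
        print(f"failed-login burst: {user} from {info['ip']} since {info['first_seen']}")
    for user, when, ip in found_proxies:
        print(f"proxy login: {user} at {when} from {ip}")
```

Because timestamps are given in each user account's time zone, the window is evaluated per user; normalize the times before correlating events across different accounts.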
User Management
- Brand privilege change: Your Qualtrics organization’s permissions have been changed.
- Load participants page: A user opened the Participants page in an EX project or the User Admin of a CX Dashboard. Click the event to see the product line (e.g., CX or EX).
- Modify participant metadata: A participant’s metadata has been updated right on the Participants page in an EX project or the User Admin of a CX Dashboard. Click the event to see the product line.
- Org hierarchy export participants: Hierarchy participants have been exported.
- Org hierarchy export units: Hierarchy units have been exported.
- Org hierarchy import units: Hierarchy units have been imported.
- Participants management confirm person import: A user has imported a participant file with no errors.
- Participants management export persons: A user exported participants.
- Participants management get existing persons: When adding participants, the system has to identify which participants already exist in the directory so they aren’t added to the directory again as duplicates.
- Participants management get jobs: A user opened Manage Imports/Updates/Exports on the Participants page.
- Participants management get metadata: When adding participants, the system identifies which participants already exist in the directory, and pulls their metadata.
- Participants management get metadata mapping: A user managed metadata.
- Participants management get person information: A user searched for a participant.
- Participants management mark confirm import: A step that takes place on the back-end once a participant import has been started with no error.
- Participants management preview person import: Once a participant import has been started, but hasn’t been completed yet, there’s usually a step where you see a summary of the changes.
- Participants management remove persons: Participants were removed.
- Participants management update unique identifiers: Participant unique identifiers were updated.
- Participants management validate person import: A step that takes place on the back-end when importing participants, evaluating the quality of the file. This event is only for Engagement projects.
- Role change: A role was created, edited, or removed. Click the event to see the product line. Appears for both EX roles and CX roles.
- Role membership change: A user was added to or removed from a role.
- Role permission change: Permissions were added to, updated in, or removed from a role.
- User permission change: Permissions have been created, edited, or removed for a user.
Qtip: A few of these events will happen surrounding the same action, especially if it’s related to participant import. For example, if you import participants onto an engagement project, you usually see the following events, in order:
- Participants management validate person import
- Participants management preview person import
- Participants management mark confirm import
- Participants management confirm person import