Security Overview

Back to Articles
General For Super Administrators Security Administration Last updated: June 20, 2025 Version: 1.0

Security Overview

Understand the comprehensive security architecture of the Shifts platform, including authentication, authorization, data protection, and security monitoring features designed to protect your organization’s data.

Overview

The Shifts platform implements a robust, multi-layered security architecture to protect your organization’s data, ensure proper access control, and provide comprehensive audit capabilities. This article explains the key security components and how super administrators can configure and monitor security across the platform.

Security Architecture

The Shifts platform security is built on several interconnected layers:

Multi-Tenant Isolation

  • Complete Data Separation: Each business’s data is fully isolated from others
  • Automatic Query Scoping: All database queries are automatically scoped to the current business
  • Tenant Context: System maintains current business context to prevent cross-tenant access
  • API Isolation: API endpoints respect tenant boundaries

Authentication System

  • Multi-Factor Authentication (2FA): Time-based one-time password (TOTP) implementation
  • Backup Access Codes: Emergency access when primary 2FA method is unavailable
  • Session Management: Secure cookie-based sessions with encryption
  • Account Lockout: Protection against brute force attacks

Authorization Framework

  • Role-Based Access Control: Permissions tied to system and organizational roles
  • Permission Hierarchy: Inheritance of permissions through role hierarchy
  • Fine-Grained Permission Keys: Granular control over system functionality
  • Business-Specific Roles: Customizable roles for each organization

Accessing Security Administration

To access the security administration features:

  1. Log in with super administrator credentials
  2. Navigate to Super Admin > Security Administration
  3. Select the security area you want to manage

Key Security Components

Authentication Security

Manage how users authenticate to the system:

Two-Factor Authentication

  • Enforcement Policies: Configure which roles require 2FA
  • Grace Period: Set time windows for enabling 2FA
  • Verification Methods: Configure supported 2FA methods
  • Backup Codes: Manage emergency access code policies

Password Policies

  • Complexity Requirements: Configure minimum password strength
    • Length (8-64 characters)
    • Character types (uppercase, lowercase, numbers, special)
  • Expiration Settings: Set password expiration periods
  • History Enforcement: Prevent password reuse
  • Reset Procedures: Configure secure reset flows

Network Security

Control and monitor system access based on location:

IP Restrictions

  • Allowed IP Ranges: Define permitted network locations
  • Enforcement Modes:
    • Passive: Log violations without restricting
    • Warning: Alert users about violations but allow access
    • Strict: Block access from unauthorized IPs
  • Business-Level Controls: Set different policies for each business
  • Location-Specific Rules: Configure unique rules for different locations

Geofencing

  • Location Verification: Confirm physical presence at work locations
  • Radius Configuration: Set acceptable distance parameters
  • Enforcement Options: Configure validation requirements
  • Override Policies: Define who can bypass location requirements

User Management Security

Control user access and authentication:

Account Security

  • Lockout Policies: Configure failed attempt thresholds
  • Account Recovery: Manage secure account recovery processes
  • Session Duration: Set maximum session lengths
  • Concurrent Sessions: Control multiple login behavior

Domain Restrictions

  • Email Domain Validation: Restrict registration to approved domains
  • Disallowed Domains: Maintain blacklist of prohibited domains
  • Subdomain Management: Configure business-specific subdomains

Attendance Verification

Prevent time tracking fraud:

Time Tracking Security

  • Clock-in Verification: Configure methods to validate clock-in/out
  • Photo Verification: Optional facial recognition for time tracking
  • Device Validation: Control which devices can be used
  • Time Window Restrictions: Set allowed windows for check-in/out

Fraud Detection

  • Suspicious Activity Monitoring: Automatic flagging of unusual patterns
  • Location Spoofing Detection: Identify attempts to falsify location
  • Device Fingerprinting: Track and validate device characteristics
  • Manager Review Triggers: Automatic escalation of suspicious activities

Audit and Monitoring

Track system usage and security events:

Activity Logging

  • User Activity Tracking: Comprehensive logging of user actions
  • Security Event Monitoring: Focused tracking of security-related events
  • IP and Location Logging: Record of access locations
  • Device Tracking: Monitor device usage patterns

Security Analytics

  • Security Dashboards: Visual monitoring of security metrics
  • Trend Analysis: Identification of security patterns over time
  • Alert Configuration: Set up notifications for security events
  • Compliance Reporting: Generate reports for security compliance

Business-Level Security Management

Configure security settings for individual businesses:

Security Profiles

  • Profile Templates: Standardized security configurations
  • Business-Specific Settings: Customize security for each organization
  • Default Policies: Set baseline security requirements
  • Compliance Enforcement: Ensure businesses meet security standards

Access Control Management

  • Business Administrator Tools: Delegate security management
  • Role Configuration: Define and assign roles with appropriate permissions
  • Location Hierarchy: Structure location-based access control
  • Permission Templates: Standardized permission sets

API Security

Secure programmatic access to the platform:

API Token Management

  • Token Generation: Create and manage API access credentials
  • Permission Scoping: Limit API access to specific functions
  • Usage Monitoring: Track API usage patterns
  • Rate Limiting: Prevent abuse through request throttling

Best Practices

For optimal security management:

  1. Defense in Depth: Implement multiple security layers rather than relying on a single control
  2. Least Privilege: Grant only the minimum permissions required for each role
  3. Regular Audits: Review security logs and settings quarterly
  4. Incremental Enforcement: Roll out stricter security gradually to minimize disruption
  5. Documentation: Maintain records of security configurations and changes
  6. Testing: Regularly test security controls for effectiveness
  7. User Education: Ensure administrators understand security features

Security Response

Handle security incidents effectively:

Incident Management

  • Alert Response: Process for addressing security alerts
  • Lockdown Procedures: Emergency access restriction capabilities
  • Investigation Tools: Audit logs and event timelines
  • Remediation Steps: Standard procedures for common incidents

Related Resources

This article should be updated when:

  1. New authentication methods are added
  2. Changes to security policy options
  3. Updates to fraud detection mechanisms
  4. New audit or logging capabilities
  5. Additional API security features
  6. Changes to the security administration interface
Article ID: security_overview
Related Articles
Access Control Policies
Learn how to use the access control policies feature in the Shifts platform to optimize your workflow and improve productivity.
Security Audit Logs
Learn how to use security audit logs to monitor, track, and investigate user activities, security events, and system changes to maintain security compliance and detect potential threats.
Workflow Automation
Learn how to use the comprehensive workflow automation features in the Shifts platform to optimize scheduling, notifications, approvals, and resource allocation while improving productivity.
In This Section
Workflow Automation
Advanced Configuration
System-wide Defaults
Advanced Configuration
Advanced System Customization
Advanced Configuration
Security Audit Logs
Security Administration
Performance Optimization Tools
System Features View All Articles in This Section