Overview
You can manage security settings for QueryPie in the Security page. This document provides descriptions of each security setting.
From version 10.3.0, service-specific configuration items have been moved from Administrator > General > Security to each service’s General submenu (Administrator > {Service} > General > Configurations) (Databases / Servers / Kubernetes).
Web Console Login Settings
Manage security settings related to QueryPie Web login.
Account Security Policy
You can set security policies such as account lockout and expiration for QueryPie accounts.
- Account Expiration Period (Days) : Number of days of inactivity after which an account is expired
- Expiration Reminder (Days) : Set the criteria for sending account expiration notification emails. You can select multiple desired dates from 1 to 14 days from the dropdown list. For example, if you select 14, 7, and 1, notification emails will be sent 14 days, 7 days, and 1 day before account expiration.
- This feature only works in environments where Email settings are completed in the Integration menu.
- If no notification period is selected, expiration notification emails will not be sent.
- Maximum Login Failures before Account Lockout : Account lockout policy for login failures
- Specify maximum allowed QueryPie login failures (Default: 60 minutes, 5 times)
- When Enable is selected, additional input of count and period range criteria is possible (e.g., account lockout after 5 failures within 1440 minutes)
- Restrict Concurrent Login : Limits the number of concurrent active logins for a single user account to 1 in each environment (Web and Agent, respectively). Only the most recent login stays active, and previous logins are automatically logged out on their next activity, which strengthens account security.
- Concurrent login restriction method: When this option is enabled, the oldest login session is terminated and new logins are allowed.
- However, sessions already logged in at the time of enabling the option are not immediately terminated but maintained. When a new user logs in, the existing user session is logged out.
- Logout notification display method: When logging in with the same account from a different environment, the existing session is terminated and a notification is displayed to the user.
- When the user is active within the Web Inactivity Timeout or Agent Session Timeout range, the notification appears when communicating with the server through explicit UI actions (e.g., button clicks, page transitions, etc.).
- Notifications appear when user API calls such as button clicks occur. Notifications are displayed for 24 hours from the time of other login occurrences. Web, User Agent, and Multi-Agent each have individual concurrent login restrictions applied.
Password Setting
You can set password policies for QueryPie accounts.
- Maximum Password Age : Password change cycle (Default: 90 days)
- Password History : Criteria for prohibiting reuse of previous passwords
- Stores password history for the specified number and prohibits using the same password when changing passwords
- Minimum Length : Minimum password length (Default: 9 characters)
- Password Complexity Requirements : Password complexity settings
- Lower case letter (a-z) : Lowercase letters required
- Upper case letter (A-Z) : Uppercase letters required
- Number (0-9) : Numbers required
- Special character (e.g., !@#$%^&*) : Special characters required
- Limit 3 repeating characters and numbers (e.g., aaa, bbb) : Restrict 3 or more repeating characters/numbers
- Limit 3 consecutive characters and numbers (e.g., abc, 123) : Restrict 3 or more consecutive characters/numbers
- Restrict nearby characters on the keyboard (e.g., qwe, ert) : Restrict 3 or more adjacent keyboard strings
- Does not contain part of personal information (Username, Primary email) : Restrict use of personal information (Username, Primary email) in passwords
Timeout
You can set timeout policies for web console and agents.
- Web Inactivity Timeout (Minutes) : Web console timeout criteria (Default: 60 minutes)
- Timeout processing when there is no activity for the specified time
- Agent Session Timeout (Minutes) : Agent session timeout criteria (Default: 1,440 minutes)
- Maintains agent app login for the specified time and processes logout when elapsed
QueryPie Web IP Access Control
You can set IP restriction policies when accessing QueryPie.
- All Users : IP restriction settings applied to all users (Default: 0.0.0.0/0)
- Each User : When toggled on, Allowed Zone settings are possible for individual users
- For methods to set Allowed Zones per user, see User Profile
- Use Individual Configuration of Allowed Zones for Each User : Sets individual IP allowed zones (Allowed Zone) for each user.
- When enabled, a View User to Allowed Zone Mappings link is displayed to check user lists and IP allowed zones assigned to each user.
- View User to Allowed Zone Mappings : Click to view user-specific Allowed Zone lists in a modal window. You can search by user name (Display Name), and the list shows user names, login IDs, emails, and all assigned IP addresses.
- Require Allowed Zones for User Access : A policy that enforces user IP allowed zone settings as mandatory.
- When this option is enabled, users without individual IP allowed zones (Allowed Zone) set cannot log in to QueryPie. Access to the login page is possible, but login attempts are blocked.
Precautions when enabling IP access control policies
Users blocked from login due to enabling the Require Allowed Zones for User Access option can request access permission for new IP addresses through the ‘IP Registration Request’ workflow. (For details, refer to the Requesting IP Registration document.)
- Admin Page Access Control : Sets policies to restrict IPs of administrators who can access the administrator page. You can restrict access to the administrator page only to administrators connecting from specific IP addresses or ranges by enabling the toggle.
- Access Requirements:
- Users must have administrator privileges.
- User’s connection IP must be included in the IP range set in ‘All Users’.
- User’s connection IP must be included in the IP list registered in ‘Admin Page Access Control’.
- Precautions when setting administrator page access control
- When adding IPs to Admin Page Access Control, those IPs must be included in the upper All Users setting. If you try to save after adding IPs not registered in All Users, an error occurs and the settings are not saved.
Q. What screen do users see when trying to access the QueryPie web console from an unauthorized IP?
A. When attempting to access from an unauthorized IP, access to any page within the QueryPie web console is not possible, and users will see the guidance screen below. If the default value (0.0.0.0/0) is registered in All Users and specific Allowed Zones are set for individual users, access to the login page is possible but login is not possible.
When not matching IP registered in QueryPie Web Access Control > All Users
When not matching Allowed Zone registered in Users > Update User
IP restriction setting precautions
Settings on the Security page are applied immediately upon saving. Therefore, if the entered IP does not match the IP of the administrator who set the option, the administrator will be logged out immediately upon saving, so please apply carefully.
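The layered checks described above (All Users, per-user Allowed Zones, Require Allowed Zones, Admin Page Access Control) can be modelled offline to review a planned change before saving it. The following is an added example, not QueryPie code or a QueryPie API: the policy dictionary, its key names, the outcome labels and the users are hypothetical, the addresses are constructed sample values, and "included in All Users" is assumed to mean CIDR containment.

```python
import ipaddress

def in_any(ip, cidrs):
    """True if ip falls inside at least one CIDR in cidrs."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)

def evaluate(policy, user, ip):
    """Outcome for `user` connecting from `ip`, following the rules on this page."""
    if not in_any(ip, policy["all_users"]):
        return "blocked"                  # no web console page is reachable
    if policy["each_user"]:
        zones = policy["user_zones"].get(user["name"], [])
        if zones and not in_any(ip, zones):
            return "login_blocked"        # login page loads, login is refused
        if not zones and policy["require_allowed_zones"]:
            return "login_blocked"        # no Allowed Zone assigned to this user
    if user["is_admin"] and (not policy["admin_acl_enabled"]
                             or in_any(ip, policy["admin_page"])):
        return "admin_allowed"
    return "login_allowed"

def presave_check(policy, admin, admin_ip):
    """Problems to resolve before saving, since settings apply immediately."""
    problems = []
    all_nets = [ipaddress.ip_network(c, strict=False) for c in policy["all_users"]]
    for cidr in policy["admin_page"]:
        net = ipaddress.ip_network(cidr, strict=False)
        # Assumption: "included in All Users" is read as CIDR containment.
        if not any(net.version == a.version and net.subnet_of(a) for a in all_nets):
            problems.append(f"{cidr} is not covered by All Users")
    if evaluate(policy, admin, admin_ip) != "admin_allowed":
        problems.append(f"{admin['name']} at {admin_ip} would lose admin access")
    return problems

# Constructed sample policy (documentation address ranges, hypothetical users).
SAMPLE_POLICY = {
    "all_users": ["203.0.113.0/24", "198.51.100.0/24"],
    "each_user": True,
    "require_allowed_zones": True,
    "user_zones": {"alice": ["203.0.113.10/32"]},
    "admin_acl_enabled": True,
    "admin_page": ["203.0.113.0/28", "192.0.2.5/32"],
}
ALICE = {"name": "alice", "is_admin": True}
BOB = {"name": "bob", "is_admin": False}

if __name__ == "__main__":
    for problem in presave_check(SAMPLE_POLICY, ALICE, "198.51.100.7"):
        print("WARN:", problem)
```

Running the pre-save check with the administrator's current source IP shows both the entry that would trigger the save error and the case where the administrator would be logged out on saving.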
Secret Store Settings
Sets whether to use Secret Store. Currently supports HashiCorp Vault.
Vault registration is performed in the General > Integrations menu.
Q. I want to disable Secret Store activation, but the toggle is disabled.
A. Check if there are any Vaults registered in the Administrator > General > Integrations > HashiCorp Vault menu. The toggle can be disabled after all registered Vaults are removed.
After Secret Store usage activation and Vault registration are completed, you can select the authentication information storage in the DB connection detail page or Server Group detail page.
DB Connection detail page > Connection Information > Secret Store selection
Server Group detail page > Accounts > Secret Store selection
Others
Manages other security settings.
- Export a file with Encryption : Whether a password must be entered when downloading files
- When Required is selected, file password specification is mandatory when downloading files