
Security

Overview

On the Security page, you can manage security settings across the entire QueryPie platform. This document provides descriptions for each security configuration option.

Starting from version 10.3.0, the configuration items for each service have been relocated. Previously found under Administrator > General > Security, they are now available under each service’s General section (for example, Databases, Servers, or Kubernetes).

Web Console Login Settings

Manage security settings related to logging into the QueryPie Web Console.

Account Security Policy

Configure security policies for QueryPie accounts, such as account lockout and expiration.

  • Account Expiration Period (Days) : Defines the inactivity period (in days) after which an account is marked as expired.

  • Expiration Reminder (Days) DEPRECATED : Specifies how many days in advance users are notified about upcoming account expiration.

  • Maximum Login Failures before Account Lockout : Sets the threshold for failed login attempts before the account is locked.

    • Default: 5 failed attempts within 60 minutes.

    • When Enable is selected, you can customize the number of attempts and time window (e.g., lock the account after 5 failed attempts within 1,440 minutes).

  • Restrict Concurrent Login : Enhances account security by limiting the number of active sessions per user account to one session per environment (Web, Agent). This ensures only the most recent login remains active, and any previous sessions are automatically logged out upon the next activity.

  • Concurrent Login Restriction Behavior: When enabled, the oldest active session is terminated to allow a new login.

    • Note: Active sessions at the time of enabling this option are not immediately terminated. Instead, they will be logged out when a new login occurs.

    • Logout Notification Behavior: If the same account is used to log in from a different environment, the existing session is terminated and the user receives a notification.

      • While the user is active within the Web Inactivity Timeout or Agent Session Timeout period, the notification appears when the user performs explicit UI actions (e.g., button clicks, page navigation) that communicate with the server.

      • Notifications are displayed for up to 24 hours from the time of the conflicting login. Web, User Agent, and Multi-Agent environments each enforce concurrent login restrictions independently.

Password Setting

Configure password policies for QueryPie accounts to enhance account security.

  • Maximum Password Age : Defines the password expiration period. Users are required to change their password after the specified number of days (Default: 90 days).

  • Password History : Prevents reuse of previous passwords. The system stores the specified number of previous passwords and restricts users from reusing them during password changes.

  • Minimum Length : Sets the minimum password length (Default: 9 characters).

  • Password Complexity Requirements : Enforces password complexity rules to strengthen security.

    • Lower case letter (a-z) : Requires at least one lowercase letter

    • Upper case letter (A-Z) : Requires at least one uppercase letter

    • Number (0-9) : Requires at least one numeric digit

    • Special character (e.g., !@#$%^&*) : Requires at least one special character

    • Limit 3 repeating characters and numbers (e.g., aaa, bbb) : Restricts the use of more than 3 identical consecutive characters or digits

    • Limit 3 consecutive characters and numbers (e.g., abc, 123) : Restricts sequences of 3 or more consecutive characters or digits

    • Restrict nearby characters on the keyboard (e.g., qwe, ert) : Disallows sequences of 3 or more adjacent characters on a keyboard layout

    • Does not contain part of personal information (Username, Primary email) : Prohibits the use of parts of the user’s personal information (e.g., username, primary email) in the password
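The complexity options above can be reproduced offline, for example to pre-screen generated service-account passwords before they reach the console. The following is an added example, not QueryPie's own code; the function names, the QWERTY rows, the three-character threshold, ascending-only sequences, and the four-character personal-information fragment are assumptions.

```python
import string

# Assumed QWERTY layout; the page does not say which layout the product checks.
KEY_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")

def windows(text, n):
    """All substrings of length n."""
    return {text[i:i + n] for i in range(len(text) - n + 1)}

def violations(password, username, email, min_length=9, frag=4):
    """Return the names of the policy options the password would violate."""
    low = password.lower()
    found = []
    if len(password) < min_length:
        found.append("min_length")
    classes = {
        "lowercase": string.ascii_lowercase,
        "uppercase": string.ascii_uppercase,
        "digit": string.digits,
        "special": string.punctuation,
    }
    found += [name for name, chars in classes.items()
              if not any(c in chars for c in password)]
    triples = windows(low, 3)
    # Three identical characters in a row (aaa, bbb).
    if any(t[0] == t[1] == t[2] for t in triples):
        found.append("repeating")
    # Three ascending letters or digits (abc, 123).
    if any(t.isalnum() and ord(t[1]) - ord(t[0]) == 1
           and ord(t[2]) - ord(t[1]) == 1 for t in triples):
        found.append("consecutive")
    # Three neighbouring keys on one keyboard row (qwe, ert).
    if any(t in row for row in KEY_ROWS for t in triples):
        found.append("keyboard")
    # Any fragment of the username or the email local part.
    personal = [p for p in (username.lower(), email.split("@")[0].lower()) if p]
    if any(f in low for p in personal for f in windows(p, min(frag, len(p)))):
        found.append("personal_info")
    return found

if __name__ == "__main__":
    # Constructed sample account and password.
    print(violations("Qwe!7jdoeXkpm", "jdoe", "jdoe@example.com"))
```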

Timeout

Configure timeout policies for the Web Console and Agent applications.

  • Web Inactivity Timeout (Minutes) : Defines the inactivity period for the Web Console. If no user activity is detected within the specified time, the session will time out (Default: 60 minutes).

  • Agent Session Timeout (Minutes) : Sets the session timeout period for the Agent application. After the specified duration, users are automatically logged out from the Agent (Default: 1,440 minutes).

QueryPie Web IP Access Control

Configure IP restriction policies for accessing QueryPie.

  • All Users : Defines IP restriction settings applied to all users (Default: 0.0.0.0/0).

  • Each User : When enabled, you can configure Allowed Zones for individual users.

    • To set up user-specific Allowed Zones, refer to the User Profile page.

    • Use Individual Configuration of Allowed Zones for Each User : Allows you to configure IP Allowed Zones per user.

      • When enabled, a View User to Allowed Zone Mappings link appears, letting you view mappings between users and their assigned Allowed Zones.

      • View User to Allowed Zone Mappings : Opens a modal window displaying the list of Allowed Zones assigned to each user. You can search for users by Display Name. The list includes each user’s Name, Login ID, Email, and all assigned IP addresses.

    • Require Allowed Zones for User Access : Enforces the use of IP Allowed Zones for user logins.

      • When enabled, any user without an assigned Allowed Zone will be blocked from logging into QueryPie. Users can still access the login page, but their login attempts will be denied.

Important Notes on Enabling IP Access Control Policies

When Require Allowed Zones for User Access is enabled, users who are blocked from logging in due to missing Allowed Zone configurations can submit a request to allow access from a new IP address via the IP Registration Request workflow. For more details, refer to the IP Registration document.

  • Admin Page Access Control : This policy restricts access to the Admin Page to administrators connecting from specified IP addresses or ranges. When enabled, only administrators accessing from registered IP addresses can access the Admin Page.

    • Access Requirements:

      • The user must have Administrator privileges.

      • The user’s IP address must fall within the range defined in All Users settings.

      • The user’s IP address must also be included in the Admin Page Access Control list.

    • Important Notes on Admin Page Access Control

      • Any IP address added to Admin Page Access Control must also be included in the parent All Users configuration.

      • If you attempt to add an IP address that is not listed under All Users, an error will occur, and the settings will not be saved.

Q. What happens if a user tries to access the QueryPie Web Console from a non-allowed IP address?

A. If a user attempts to access the Web Console from an IP address that is not allowed, they will be blocked from viewing any page within the console and will see an access restriction message, as shown below.

If the All Users setting is configured with the default value (0.0.0.0/0) and specific Allowed Zones are set for individual users, the user can reach the login page, but login attempts will be denied.


If the IP does not match the one registered in QueryPie Web Access Control > All Users


If the IP does not match the Allowed Zone registered in Users > Update User

Caution for IP Restriction Settings

Settings on the Security page are applied immediately upon saving. If this option is enabled and the entered IP does not match the administrator’s IP, even administrators will be logged out immediately after saving. Apply with caution.
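Because a wrong range takes effect on save, it helps to check the proposed values before entering them. The sketch below is an added example, not part of QueryPie; it models the All Users and Admin Page Access Control rules described above, and it assumes entries are CIDR ranges or single IPs and that an Admin Page entry must fit inside a single All Users range. All function names are hypothetical.

```python
import ipaddress

def parse_zones(entries):
    """Parse CIDR ranges or single IPs into network objects."""
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries]

def in_zones(ip, zones):
    addr = ipaddress.ip_address(ip)
    return any(addr in z for z in zones)

def uncovered_admin_entries(all_users, admin_page):
    """Admin Page entries that no single All Users range contains.
    The page states that saving such an entry fails with an error."""
    parents = parse_zones(all_users)
    return [entry for entry, net in zip(admin_page, parse_zones(admin_page))
            if not any(net.version == p.version and net.subnet_of(p)
                       for p in parents)]

def preflight(current_ip, is_admin, all_users, admin_page, admin_control=True):
    """Problems the proposed settings would cause for the session saving them."""
    problems = []
    for entry in (uncovered_admin_entries(all_users, admin_page)
                  if admin_control else []):
        problems.append(f"{entry}: not inside All Users, save will be rejected")
    if not in_zones(current_ip, parse_zones(all_users)):
        problems.append(f"{current_ip}: outside All Users, session is logged out on save")
    elif admin_control and not (is_admin and
                                in_zones(current_ip, parse_zones(admin_page))):
        problems.append(f"{current_ip}: no Admin Page access after save")
    return problems

if __name__ == "__main__":
    # Constructed sample values (documentation address ranges).
    print(preflight("198.51.100.7", True, ["203.0.113.0/24"], ["203.0.113.10"]))
```

An empty list means the administrator's current address satisfies every requirement listed for the proposed settings.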

Secret Store Settings

Configure whether to use the Secret Store. Currently, HashiCorp Vault is supported.


Navigate to the General > Integrations menu for Vault registration.

Q. I want to disable the Secret Store, but the toggle is grayed out. What should I do?

A. Navigate to the Administrator > General > Integrations > HashiCorp Vault menu to check if there are registered Vaults. The toggle can only be deactivated after all registered Vaults have been removed.

Once the Secret Store is activated and Vault registration is complete, you will be able to select the authentication information storage option on the DB Connection Details page or the Server Group Details page.


Navigate to Connection Information > Secret Store on the DB Connection page to select the Secret Store.


Navigate to Accounts > Secret Store under Server Group to select the Secret Store.

Others

Manage additional security settings.

  • Export a file with Encryption : Determines whether a password is required when downloading files.

    • If Required is selected, a password must be specified when downloading the file.
