Site Resource Settings

Configure settings for resources on the platform such as alerts, apps, APIs, connections, comments, discussions, groups, tickets, users, reviews, and business security.

Note: this section contains information about the configuration settings defined within the Akana API Platform, which apply to the entire developer portal.

For information about the configuration settings defined in the Akana Administration Console, which apply only to the specific container, refer to Admin Console Settings.

Table of Contents

  1. Where do I configure settings for the platform?
  2. How do I configure settings for alerts?
  3. How do I configure settings for APIs?
  4. How do I configure settings for apps?
  5. How do I configure App OAuth Profile Authorization settings?
  6. About security challenge questions
  7. How do I configure settings for security challenge questions?
  8. How do I configure settings for comments?
  9. How do I configure settings for app/API connections?
  10. How do I configure settings for discussions?
  11. How do I configure settings for groups?
  12. How do I configure settings for login policy?
  13. How do I configure settings for password policy?
  14. How do I configure settings for reviews?
  15. How do I configure settings for business security?
  16. How do I configure CAPTCHA on the platform?
  17. How do I configure settings for tickets?
  18. How do I configure settings for users?
  19. How do I configure settings for two-factor authentication of users (2FA)?
  20. How do I prevent referencing external sites in developer portal content pages?

Where do I configure settings for the platform?

You can configure many basic settings that control various aspects of the platform and how it operates.

Note: When you change a setting, it might take up to five minutes for the change to take effect.

You can control settings for each of the resources listed in the Table of Contents above: alerts, APIs, apps, security challenge questions, comments, app/API connections, discussions, groups, login policy, password policy, reviews, business security, CAPTCHA, tickets, users, and two-factor authentication.

For site settings, see Site Settings.

Back to top

How do I configure settings for alerts?

You can configure alert settings to determine which features will be available for alerts on the platform.

Note: When you change a setting, it might take up to five minutes for the change to take effect.

This setting... Controls this feature...
Alert Comment Workflow Definition The workflow definition that will apply to new comments on alerts on the platform (existing comments are not affected).
Markdown Support

Indicates whether Markdown is supported for alerts. Markdown support includes linking and file upload. If disabled, alerts are plain text.

For more information about Markdown support, see How do I enable Markdown for Forum items?

External Link Support Indicates whether external links are supported in Markdown for alerts. Applicable only if Markdown Support is enabled. Leaving this disabled keeps alert content from linking readers to arbitrary sites outside the portal.
To configure alert settings:
  1. Log in as the Site Admin and go to the Admin section.
  2. Go to Settings > Alerts.
  3. Change the settings as needed. For explanations of your choices, refer to the table above.
  4. When done, click Save.

Back to top

How do I configure settings for APIs?

You can configure API settings to determine which features will be available for all APIs on the platform. If a feature is disabled in the API settings page, it will not be present in the user interface.

Unless otherwise noted, settings are either enabled or disabled.

You can configure the API settings shown in the tables below:

Note: When you change a setting, it might take up to five minutes for the change to take effect.

General API Settings:
This setting... Controls this feature...
Add a new API Determines whether users can create an API that isn't already set up as a service in the API Gateway. Choose this option if users won't need to take advantage of the advanced capabilities offered by the API Gateway. (Default: enabled)
Publish an existing service as an API Determines whether users can create an API by referencing a service already defined in the API Gateway. Choose this option if users might want to use the flexible service definition model offered by the API Gateway. (Default: disabled)
API Scope Groups Determines whether scope groups (API Scope Groups) can be created (groups created in the context of a specific API, that are related only to that API). If this option is enabled, the API Admin can create groups via the API > Visibility > Groups page.
API Promotion Applicable only if the promotion feature is enabled: Determines whether API Admins can promote APIs between environments. If the API Promotion setting is disabled, the API Admin sees the API's topology chain, but there is no Promote button to promote the API to the next environment in the chain. For more information on API promotion, see Using Custom Metadata on the Developer Portal (for Site Admins) and Promoting an API to the Next Environment (for information on how the feature works for API Admins).
Validate Unique Context Path

Determines whether the developer portal validates that the context path is unique for each API (for example, http://www.acmepaymentscorp.com/api/payments). If disabled, the same combination of URL and context path is allowed for multiple APIs.

Note: Unless APIs have their own vanity URLs, all APIs on the platform share the same hostname, so the context path is what makes each API's endpoint unique, and this validation is what enforces that. If you are sure that every API that is or will be hosted on your developer portal has a unique context path, you can disable this setting. Otherwise, leave it enabled (the default). If more than one API shares the same endpoint, requests cannot be reliably routed to the intended API.

API Workflow Definition The workflow definition that will apply to all new APIs on the platform (existing APIs are not affected).
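The portal performs the context-path check when an API is saved. As an added example (not Akana's code), the same check run offline over endpoints you already have, so that collisions surface before you consider disabling the setting. The API names and URLs are constructed for the example; it also treats host case and a trailing slash as the same endpoint, which is stricter than a plain string comparison:

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: API name -> endpoint URL as it might appear on a portal.
# Names and hostnames are illustrative only.
SAMPLE_ENDPOINTS = {
    "Payments v1": "http://www.acmepaymentscorp.com/api/payments",
    "Payments v2": "http://www.acmepaymentscorp.com/api/payments/",     # trailing slash only
    "Refunds":     "http://WWW.AcmePaymentsCorp.com/api/payments",      # host case differs
    "Ledger":      "http://www.acmepaymentscorp.com/api/ledger",
    "Partner API": "https://partner.acmepaymentscorp.com/api/payments", # vanity host, distinct
}

def endpoint_key(url):
    """Normalize an endpoint to the (scheme, host:port, context path) tuple a gateway
    actually routes on. Hosts are case-insensitive; the path is compared without a
    trailing slash, so '/api/payments' and '/api/payments/' are the same endpoint."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    port = parts.port or (443 if parts.scheme == "https" else 80)
    path = parts.path.rstrip("/") or "/"
    return (parts.scheme.lower(), f"{host}:{port}", path)

def find_context_path_collisions(endpoints):
    """Return {normalized endpoint: [api names]} for every endpoint used by more than one API."""
    seen = defaultdict(list)
    for name, url in endpoints.items():
        seen[endpoint_key(url)].append(name)
    return {key: names for key, names in seen.items() if len(names) > 1}

if __name__ == "__main__":
    for (scheme, hostport, path), names in find_context_path_collisions(SAMPLE_ENDPOINTS).items():
        print(f"COLLISION {scheme}://{hostport}{path} is used by: {', '.join(names)}")
```

On the sample data the three "payments" entries on the shared host collide, while the partner vanity host does not, which is exactly the case the note above describes: a vanity URL makes the same context path safe.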
Public API Settings:
This setting... Controls this feature...
Supported Determines whether public APIs are supported on the platform. Public APIs are visible to all users, including anonymous users. If this setting is disabled, only private APIs are allowed.
Ratings Determines whether users can rate public APIs. If disabled, the ratings feature does not appear in the user interface for public APIs.
Sandbox Endpoint Determines whether public APIs will have the option of having a Sandbox endpoint.
Reviews Determines whether users can write and share reviews of public APIs. If disabled, the reviews feature does not appear in the user interface for public APIs.
Sandbox Auto Approval Determines whether public APIs with a Sandbox endpoint will allow access to it automatically upon request, or will explicitly approve or deny each request.
Scopes Determines whether the Admin will have the option to define scopes (part of the Licenses feature). If implemented, individual API operations can be assigned to different scopes for packaging into different licenses.
Live Endpoint Determines whether public APIs will have the option of having a Live endpoint.
Live Auto Approval Determines whether public APIs with a Live endpoint will allow access to it automatically upon request, or will explicitly approve or deny each request.
Private API Settings:
This setting... Controls this feature...
Supported Determines whether private APIs are supported on the platform. Private APIs are visible only to invited users. If this setting is disabled, only public APIs are allowed.
Sandbox Endpoint Determines whether private APIs will have the option of having a sandbox endpoint.
Sandbox Auto Approval Determines whether private APIs with a sandbox endpoint will allow sandbox access automatically upon request, or will explicitly approve or deny each request.
Live Endpoint Determines whether private APIs will have the option of having a Live endpoint.
Live Auto Approval Determines whether private APIs with a Live endpoint will allow access to it automatically upon request, or will explicitly approve or deny each request.
Independent Group Determines whether private APIs will have the option of having API Scope Groups associated with them.
Ratings Determines whether users can rate private APIs. If disabled, the ratings feature does not appear in the user interface for private APIs.
Reviews Determines whether users can write and share reviews of private APIs. If disabled, the reviews feature does not appear in the user interface for private APIs.
Scopes Determines whether the Admin will have the option to define scopes (part of the Licenses feature). If implemented, API operations can be assigned to different scopes for packaging into different licenses.
To configure API settings:
  1. Log in as the Site Admin and go to the Admin section.
  2. Go to Settings > APIs.
  3. Change the settings as needed. For explanations of your choices, refer to the tables above.
  4. When done, click Save.

Back to top

How do I configure settings for apps?

You can configure app settings to determine which features will be available for all apps on the platform. If a feature is disabled in the app settings page it will not be present in the user interface.

Unless otherwise noted, settings are either enabled or disabled.

Available app configuration settings are shown in the tables below:

Note: When you change a setting, it might take up to five minutes for the change to take effect.

General App Settings:
This setting... Controls this feature...
User-Defined Identity

Determines whether users can define their own unique App ID for the app. If this field is enabled, two additional fields appear on the Add/Edit App Info page, so users can define their own values for the following:

  • App ID
  • Shared Secret

Valid values: Enabled for Site Admins Only / Enabled / Disabled

Simultaneous Access to Sandbox and Live If enabled, an app can request access to both the Sandbox and Live environments of an API in a single access request rather than one request per environment.
Shared Secret Display

Determines how an app’s Shared Secret is displayed when viewed on the App Details page; either in plain text or encrypted.

Note: If you change this setting when there are existing apps on the platform, it is effective immediately for all apps. If you make a change, make sure app developers are notified.

App Promotion (8.4.19 and later)

Applicable only if the promotion feature is enabled: Determines whether app developers can promote apps between environments. If the App Promotion setting is disabled, the app developer sees the app's topology chain, but there is no Promote button to promote the app to the next environment in the chain (taxonomy).

Note: For app promotion to work, the User-Defined Identity setting must also be enabled (either of the two Enabled settings is fine).

App Workflow Definition

The workflow definition that will apply to all new apps on the platform (existing apps are not affected).

There is no default app workflow. One out-of-the-box workflow is available:

  • appversion-workflow-template1
App Team Membership Workflow Definition

The workflow definition that will apply to all new app team members on the platform (existing app team members are not affected).

Public App Settings:
This setting... Controls this feature...
Supported Determines whether apps with a visibility setting of Public will be supported on the platform. Public apps are visible to all users; login is not required.
Reviews Determines whether users will be able to write and share reviews of apps with a visibility setting of Public. If this setting is disabled, the reviews feature does not appear in the user interface for public apps.
Ratings Determines whether users will be able to rate apps with a visibility setting of Public. If this setting is disabled, the ratings feature does not appear in the user interface for public apps.
Private App Settings:
This setting... Controls this feature...
Supported Determines whether apps with a visibility setting of Private will be supported on the platform. Private apps are visible only to invited users.
Reviews Determines whether users will be able to write and share reviews of apps with a visibility setting of Private. If this setting is disabled, the reviews feature does not appear in the user interface for private apps.
Ratings Determines whether users will be able to rate apps with a visibility setting of Private. If this setting is disabled, the ratings feature does not appear in the user interface for private apps.
Registered User Settings:
This setting... Controls this feature...
Supported Determines whether apps with a visibility setting of Registered Users will be supported on the platform. Apps with this setting are visible only to users who are logged in.
Reviews Determines whether users will be able to write and share reviews of apps with a visibility setting of Registered Users. If this setting is disabled, the reviews feature does not appear in the user interface for apps with this visibility setting.
Ratings Determines whether users will be able to rate apps with a visibility setting of Registered Users. If this setting is disabled, the ratings feature does not appear in the user interface for apps with this visibility setting.
To configure app settings:
  1. Log in as the Site Admin and go to the Admin section.
  2. Go to Settings > Apps.
  3. Change the settings as needed. For explanations of your choices, refer to the tables above.
  4. When done, click Save.

Back to top

How do I configure App OAuth Profile Authorization settings?

As part of app setup, app developers can specify which settings they want to use when connecting to an API using OAuth. These settings are configured from the App Details page: App Details > OAuth Profile.

There are five groups of settings on this page.

The first four are controlled by the app developer, and are detailed in What are the settings available on the App OAuth Profile page? (app developer help):

  • Branding Settings
  • Access Token Settings
  • Authentication Settings
  • ID Token Settings

Settings in the last group are controlled by the Site Admin or specially authorized app developers only:

  • Authorization Settings

The last set, Authorization Settings, are normally not visible to the app developer. In most cases, these settings can only be configured by the Site Admin. However, the Site Admin can implement a custom workflow that allows app developers to modify these settings. If the custom workflow is in place, app developers will see the settings.

Note: These settings give the app developer significant responsibility. In most cases, app developers should not be able to configure these settings for their apps. Only implement the custom workflow that allows app developers to modify these settings if you are absolutely sure they fully understand the meaning of the various settings and will use them appropriately.

For information about the first four setting categories, available to all app developers, refer to What are the settings available on the App OAuth Profile page? (app developer help).

Information about the additional Authorization settings, normally available only to a Site Admin, is given in the table below.

Authorization Settings:
Setting Explanation / possible values
Allowed Grant Types By default, all grant types supported by the OAuth Provider are allowed (Global Setting). To restrict the OAuth grant types allowed, click the button and then specify which grant types are allowed for this app.
OpenID Connect Supported If the application supports OpenID Connect for OAuth, check this box.
Grant Expiration By default, the grant expiration time is derived based on the OAuth Provider configuration (Global Setting). To specify a longer or shorter grant expiration time for the app, click the button and specify the number of hours until the grant expires.
Access Token Expiration By default, the access token expiration time is derived based on the OAuth Provider configuration (Global Setting). To specify a longer or shorter access token expiration time for the app, click the button and specify the number of seconds until the access token expires.
Bypass Authorization If OAuth authorization for this application should skip the end-user authorization (consent) page, check this box. For example, this might be appropriate for an internal application. Because the user never sees which scopes the app is requesting, enable this only for first-party applications that you trust to make that decision on the user's behalf.
To configure app OAuth profile settings:
  1. Log in to the developer portal.
  2. Go to the App Details page for the app, and click OAuth Profile.
  3. Change the settings as needed. For explanations of your choices, refer to the table above.
  4. When done, click Save.

For information about how to implement custom workflow to enable these settings for app developers on the OAuth Profile page, refer to Custom Workflows in the Developer Portal.

Back to top

About security challenge questions

Security challenge questions allow users to set up answers to questions, that only they will know, to act as a backup layer for authentication purposes.

Normal authentication to the Akana API Platform is by username/password, unless two-factor authentication (2FA) is in place. However, security challenge questions/answers allow the user to set up information by which he/she can authenticate without a password in certain scenarios, such as if the user forgot the password.

Ideally, the answers to the questions should be pieces of information that are not easily findable in the public domain. For example, questions such as "What is your mother's maiden name?" or "What is the name of your dog?" might be easy for an attacker to answer from the internet or social media. Questions that prompt for information less easily discoverable, such as the person's favorite childhood vacation spot or their childhood best friend's dog, are more secure.

When you're setting up security challenge questions, bear in mind usability as well as security. If you make the questions too difficult, users might forget their own answers, or might write down the answers. If you make them too easy, a hacker could find out the answer from the internet or social media. It's a balance.

Note: In the developer portal, the security challenge feature doesn't allow users to give the same answer twice. This prevents a user from entering one placeholder value for every question, which would leave the account protected by a single guessable answer rather than by several authentic ones.

Adding Constraints

Adding constraints to security challenge questions, such as minimum number of letters, numbers, or uppercase characters, increases the security of the question/answer security challenge scenario. However, don't forget usability. For example:

  • If the question asks for pet's name, the answer is not likely to contain numbers. If the question asks for city of birth, the answer should allow spaces since many city names have more than one word. Make sure that the questions and the constraints work together sensibly.
  • Some last names include special characters such as an apostrophe, so setting a constraint that doesn't allow special characters in a last name field might stop the user from setting the true value, thus making it more difficult later on for the user to retrieve account access using the challenge questions/answers.

Note: The number of questions you set up on this page does not control the number of security questions presented to the user. It only affects the selection. The number of security questions required is in Business Security Settings; Challenge Count. See How do I configure settings for business security? below.

Back to top

How do I configure settings for security challenge questions?

The platform comes with defaults for security challenge questions. However, you can add new questions and you can delete existing questions.

You can change the constraints for an existing question, such as how many characters are required or allowed, but you can't change the question itself.

When you delete a security challenge question, it remains in the database but is no longer available for selection by users. However, if a user has already set up an answer to a question that is later deleted, and the user then needs to use the question (for example, if the user forgot his/her password), the question and answer are still available for use.

To add a security challenge question:
  1. Log in as the Site Admin and go to the Admin section.
  2. Go to Settings > Challenges.
  3. Click Add Security Question.
  4. On the Add Security Question page, specify the question code, the question, and any constraints you want to put in place for the answer. For information on the fields, see Security Challenge Questions: Settings below.
  5. When done, click Save. The question is immediately added to the list, and is available for users to choose from.

Note: For tips and general information about choosing security challenge questions, see About security challenge questions above.

To update a security challenge question:
  1. Log in as the Site Admin and go to the Admin section.
  2. Go to Settings > Challenges.
  3. On the list of security questions, find the question you want to update.
  4. To the right of the question, click Edit (pencil icon).
  5. On the Edit Security Question page, change values for the question, as needed. You can change any values except the question code and the question itself. For information on the fields, see Security Challenge Questions: Settings below.
  6. When done, click Save.
To delete (inactivate) a security challenge question:

Note: When you delete a security challenge question, it is no longer available for users to select from the list of questions and to set up an answer for. However, if any users have already chosen this question and set up an answer, they will still be able to use this question. For example, let's say User A chooses question A and provides an answer, and then you remove question A from the list. If User A chooses Forgot Password or any other activity that requires answering a security challenge question, the same question will be presented, and the user's answer can be validated against the stored answer.

  1. Log in as the Site Admin and go to the Admin section.
  2. Go to Settings > Challenges.
  3. On the list of security questions, find the question you want to delete (inactivate).
  4. To the right of the question, click Delete (X icon).
  5. At the confirmation message, click OK. The question is removed from the list.
Security Challenge Questions: Settings

Information about the field values is given below.

Setting Explanation / possible values
Question Code A unique code to identify the question in the database. Example: com.soa.challenge.question.color. You can use any code as long as it's not already in use. Once you've created the question, you can't change the code. If you choose a code that's in use, you'll see a warning message.
Question Choose a simple and clear question. Ideally, it should be something that users will be able to remember but that is not common knowledge about the user. Once you've created the question, you can't change it. For tips and general information about choosing security challenge questions, see About security challenge questions above.
Minimum Length The minimum number of characters required in the response to this question.
Maximum Length The maximum number of characters allowed in the response to this question.
Minimum Letter Count The minimum number of letters required in the response to this question.
Maximum Letter Count The maximum number of letters allowed in the response to this question.
Minimum Number Count The minimum number of whole numbers required in the response to this question.
Maximum Number Count The maximum number of whole numbers allowed in the response to this question.
Minimum Uppercase Letters The minimum number of uppercase letters required in the response to this question.
Special Characters Allowed The special characters allowed in the response to this question. If a value is provided for the Minimum Special Characters field, at least one allowed special character must be defined.
Minimum Special Characters The minimum number of special characters required in the response to this question. If no value is specified, all characters are allowed.
Can Answer Contain Spaces? Indicates whether the response to this question can include spaces.
Is Answer Case-Sensitive? Indicates whether the response to this question is case-sensitive.
Enabled? Indicates whether this question is included on the list of choices when a user is setting up answers to security challenge questions. Default: Enabled. Clearing the check box marks the question as inactive so that it isn't included on the list of choices for users.
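As an added example (not the portal's code), the checks these fields describe, written as an answer validator plus enrollment and verification that also enforces the duplicate-answer rule from About security challenge questions above. The constraint values, the question codes and the use of a salted PBKDF2 hash for storage are this example's assumptions; the page says only that an answer is stored and later validated against:

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

@dataclass
class ChallengeConstraints:
    """One question's constraint fields from the Add/Edit Security Question page.
    None on a maximum means that limit is not set."""
    min_length: int = 1
    max_length: Optional[int] = None
    min_letters: int = 0
    max_letters: Optional[int] = None
    min_digits: int = 0
    max_digits: Optional[int] = None
    min_uppercase: int = 0
    special_allowed: str = ""      # the permitted special characters, e.g. "'-"
    min_special: int = 0
    spaces_allowed: bool = True
    case_sensitive: bool = False

    def __post_init__(self):
        # The page's rule: a minimum special-character count needs an allowed set.
        if self.min_special > 0 and not self.special_allowed:
            raise ValueError("Minimum Special Characters requires at least one allowed special character")

def constraint_violations(answer, c):
    """Return the reasons an answer fails the constraints (empty list if it passes)."""
    problems = []
    letters = sum(ch.isalpha() for ch in answer)
    digits = sum(ch.isdigit() for ch in answer)
    upper = sum(ch.isupper() for ch in answer)
    specials = [ch for ch in answer if not ch.isalnum() and not ch.isspace()]
    if len(answer) < c.min_length:
        problems.append(f"shorter than minimum length {c.min_length}")
    if c.max_length is not None and len(answer) > c.max_length:
        problems.append(f"longer than maximum length {c.max_length}")
    if letters < c.min_letters:
        problems.append(f"fewer than {c.min_letters} letters")
    if c.max_letters is not None and letters > c.max_letters:
        problems.append(f"more than {c.max_letters} letters")
    if digits < c.min_digits:
        problems.append(f"fewer than {c.min_digits} digits")
    if c.max_digits is not None and digits > c.max_digits:
        problems.append(f"more than {c.max_digits} digits")
    if upper < c.min_uppercase:
        problems.append(f"fewer than {c.min_uppercase} uppercase letters")
    if not c.spaces_allowed and any(ch.isspace() for ch in answer):
        problems.append("spaces are not allowed")
    disallowed = sorted({ch for ch in specials if ch not in c.special_allowed})
    if disallowed:
        problems.append(f"special characters not allowed: {''.join(disallowed)}")
    if len(specials) < c.min_special:
        problems.append(f"fewer than {c.min_special} special characters")
    return problems

def normalize(answer, c):
    """Canonical form for storage and comparison: trimmed, inner whitespace collapsed,
    case-folded unless the question is case-sensitive (this example's policy)."""
    text = " ".join(answer.split())
    return text if c.case_sensitive else text.casefold()

def store_answer(answer, c, salt=None):
    """Keep a salted PBKDF2 hash rather than the answer itself (this example's choice)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", normalize(answer, c).encode(), salt, 100_000)

def verify_answer(candidate, c, salt, digest):
    probe = hashlib.pbkdf2_hmac("sha256", normalize(candidate, c).encode(), salt, 100_000)
    return hmac.compare_digest(probe, digest)

def enroll(answers_by_question):
    """Validate and store a user's answers, given {question code: (answer, constraints)}.
    Rejects the same answer used for two questions, the portal's duplicate-answer rule."""
    seen, records = set(), {}
    for code, (answer, c) in answers_by_question.items():
        problems = constraint_violations(answer, c)
        if problems:
            raise ValueError(f"{code}: " + "; ".join(problems))
        key = " ".join(answer.split()).casefold()   # compare across questions case-insensitively
        if key in seen:
            raise ValueError(f"{code}: the same answer may not be used for two questions")
        seen.add(key)
        records[code] = store_answer(answer, c)
    return records

# Constructed constraint sets: a city question that must allow spaces, and a pet-name
# question that allows an apostrophe or hyphen but no digits or spaces.
CITY = ChallengeConstraints(min_length=2, max_length=64, min_letters=2, max_digits=0)
PET = ChallengeConstraints(min_length=2, max_length=32, max_digits=0,
                           spaces_allowed=False, special_allowed="'-")
```

With these constraints `constraint_violations("O'Malley", PET)` passes because the apostrophe is in the allowed set, while `"Mr Paws"` is rejected for its space, which is the usability trap the Adding Constraints section warns about; `enroll({"q.city": ("New York", CITY), "q.pet": ("O'Malley", PET)})` stores both, and `verify_answer("  new   york ", CITY, salt, digest)` still succeeds because spacing and case are normalized before hashing.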

Back to top

How do I configure settings for comments?

You can configure settings to determine which features will be available for all comments on the platform.

Note: When you change a setting, it might take up to five minutes for the change to take effect.

This setting... Controls this feature...
Publishing of Comments Indicates whether comments are published automatically or must be approved by a moderator (Admin).
Markdown Support

Indicates whether Markdown is supported for comments. Markdown support includes linking and file upload. If disabled, comments are plain text.

For more information about Markdown support, see How do I enable Markdown for Forum items?

External Link Support Indicates whether external links are supported in Markdown for comments. Applicable only if Markdown Support is enabled.
To configure comment settings:
  1. Log in as the Site Admin and go to the Admin section.
  2. Go to Settings > Comments.
  3. Change the setting as needed. For explanations of your choices, refer to the table above.
  4. When done, click Save.

Back to top

How do I configure settings for app/API connections?

You can configure connection settings to determine which features will be available for app/API connections on the platform. If a feature is disabled in the connection settings page it will not be present in the user interface.

Unless otherwise noted, settings are either enabled or disabled.

Note: When you change a setting, it might take up to five minutes for the change to take effect.

General App/API Connection Settings
This setting... Controls this feature...
Sandbox Contract Workflow Definition The workflow definition that will apply to all new sandbox contracts on the platform (existing contracts are not affected).
Live Contract Workflow Definition The workflow definition that will apply to all new Live contracts on the platform (existing contracts are not affected).
Sandbox Contract Comment Workflow Definition The workflow definition that will apply to new comments on sandbox contracts on the platform (existing comments are not affected).
Live Contract Comment Workflow Definition The workflow definition that will apply to new comments on Live contracts on the platform (existing comments are not affected).
To configure app/API connection settings:
  1. Log in as the Site Admin and go to the Admin section.
  2. Go to Settings > Connections.
  3. Change the settings as needed. For explanations of your choices, refer to the table above.
  4. When done, click Save.

Back to top

How do I configure settings for discussions?

You can configure settings to determine which features will be available for discussions on the platform.

Note: When you change a setting, it might take up to five minutes for the change to take effect.

Discussion Settings
This setting... Controls this feature...
Discussion Workflow Definition The workflow definition that will apply to all new discussions on the platform. Existing discussions are not affected.
Discussion Comment Workflow Definition The workflow definition that will apply to all new discussion comments on the platform. Existing discussion comments are not affected.
Publishing of Discussions Indicates whether discussions are published automatically or must be approved by a moderator (Admin).
Markdown Support

Indicates whether Markdown is supported for discussions. Markdown support includes linking and file upload. If disabled, discussions are plain text.

For more information about Markdown support, see How do I enable Markdown for Forum items?

External Link Support Indicates whether external links are supported in Markdown for discussions. Applicable only if Markdown Support is enabled.
To configure discussion settings:
  1. Log in as the Site Admin and go to the Admin section.
  2. Go to Settings > Discussions.
  3. Change the settings as needed. For the workflow definition, you can:
    • Choose the out-of-the-box workflow, workflow:definition:discussion.
    • Choose a custom workflow, if a Site Admin or Business Admin uploaded a custom workflow for discussions.
    • Revert to the default, no workflow for discussions, if a workflow was previously assigned.
  4. When done, click Save.

Back to top

How do I configure settings for groups?

You can configure group settings to determine which features will be available for all groups on the platform. If a feature is disabled in the group settings page it will not be present in the user interface.

Unless otherwise noted, settings are either enabled or disabled.

Available group configuration settings are shown in the tables below:

Note: When you change a setting, it might take up to five minutes for the change to take effect.

General Group Settings
This setting... Controls this feature...
Group Support Determines whether groups are supported on the platform. If this setting is disabled, nothing about groups appears in the platform and no other options relating to groups are available.
Group Membership Workflow Definition The workflow definition that will apply to all new groups on the platform (existing groups are not affected).
Group Membership Comment Workflow Definition The workflow definition that will apply to all new comments on groups on the platform (existing comments are not affected).
Public Group Settings:
This setting... Controls this feature...
Supported

Determines whether public groups are supported on the platform. Public groups are visible to all users, including anonymous users. If this setting is disabled, only private groups are allowed. Valid values:

  • Enabled for Admins
  • Enabled
  • Disabled
Ratings Determines whether users can rate public groups. If disabled, the ratings feature does not appear in the user interface for public groups.
Reviews Determines whether users can write and share reviews of public groups. If disabled, the reviews feature does not appear in the user interface for public groups.
Private Group Settings:
This setting... Controls this feature...
Supported Determines whether private groups will be supported on the platform. Private groups are visible only to invited users. If this setting is disabled, only public groups are allowed. Valid values:
  • Enabled for Admins
  • Enabled
  • Disabled
Ratings Determines whether users can rate private groups. If disabled, the ratings feature does not appear in the user interface for private groups.
Reviews Determines whether users can write and share reviews of private groups. If disabled, the reviews feature does not appear in the user interface for private groups.
To configure group settings:
  1. Log in as the Site Admin and go to the Admin section.
  2. Go to Settings > Groups.
  3. Change the settings as needed. For explanations of your choices, refer to the tables above.
  4. When done, click Save.

Back to top

How do I configure settings for login policy?

You can configure login policy settings to control the login rules for local users logging in to the platform and for the developer portal session configuration.

A value of 0 (zero) in any of these fields means the setting is not in effect (no limit is enforced), with the exception of Active Login Session Timeout (see below).

Note: When you change a setting, it might take up to five minutes for the change to take effect.

Login Policy Settings
This setting... Controls this feature...
Maximum Number of Consecutive Failed Attempts The maximum number of consecutive failed login attempts before the user's account is disabled.
Time Period for Max Failed Attempts The period of time, in minutes, over which the number of failed login attempts is calculated.
Suspension Time (Minutes) The period of time, in minutes, for which the user's account is locked after failed login attempts.
Inactive Login Session Timeout (Minutes) The period of time, in minutes, after which the user is automatically logged out of the developer portal user interface (any theme) if the session is inactive.
Active Login Session Timeout (Minutes) The period of time, in minutes, after which the user is automatically logged out of the developer portal user interface (any theme) even if the session is active. Users are prompted shortly before the timeout, so that they can save their work before the forced timeout. For this field, if the value is set to 0, the active session timeout is set to 30 minutes (the default).
Support Persistent Sessions A security setting. Default: enabled, which means that the session cookie persists if the browser is closed, until it expires. If this setting is disabled, for added security, the cookie expires if the browser is closed. Exact behavior might vary according to the user's browser version and preferences. For more information, see How can I set up the developer portal so that the cookies are not persistent?
To configure login policy settings:
  1. Log in as the Site Admin and go to the Admin section.
  2. Go to Settings > Login Policy.
  3. Change the settings as needed. For explanations of your choices, refer to the table above.
  4. When done, click Save.
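To make the interaction between these settings concrete, here is an added example (not Akana code; the class and method names are assumed) that evaluates the lockout and session-timeout rules exactly as the table above describes them: failures are counted over the configured time period, a lock lasts for the suspension time, a value of 0 means "not specified", and an Active Login Session Timeout of 0 falls back to 30 minutes.

```python
from dataclasses import dataclass
from collections import defaultdict

@dataclass
class LoginPolicy:
    # Assumed attribute names; each mirrors a row of the Login Policy table. 0 = not specified.
    max_failed_attempts: int = 5
    failed_attempts_period_min: int = 15
    suspension_min: int = 30
    inactive_timeout_min: int = 60
    active_timeout_min: int = 0          # 0 means the 30-minute default applies

    def active_timeout(self):
        return self.active_timeout_min or 30

class LockoutTracker:
    """Tracks failed logins per user (times in minutes) and decides whether an account is locked."""
    def __init__(self, policy):
        self.policy = policy
        self.failures = defaultdict(list)   # username -> minute stamps of recent failures
        self.locked_until = {}              # username -> minute at which the lock lifts

    def is_locked(self, user, now):
        return self.locked_until.get(user, -1) > now

    def record_failure(self, user, now):
        """Record one failed attempt; return True if this attempt triggered a lock."""
        p = self.policy
        if p.max_failed_attempts == 0:      # lockout not configured
            return False
        window = self.failures[user]
        window.append(now)
        if p.failed_attempts_period_min:    # only failures inside the period count
            window[:] = [t for t in window if now - t < p.failed_attempts_period_min]
        if len(window) >= p.max_failed_attempts:
            # Assumption: a suspension of 0 (not specified) applies no timed lock.
            self.locked_until[user] = now + p.suspension_min
            window.clear()
            return True
        return False

    def record_success(self, user):
        self.failures.pop(user, None)       # a successful login resets the consecutive count

def session_expired(policy, login_at, last_activity_at, now):
    """True when either the inactivity timeout or the absolute (active) timeout has elapsed."""
    if policy.inactive_timeout_min and now - last_activity_at >= policy.inactive_timeout_min:
        return True
    return now - login_at >= policy.active_timeout()
```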

Back to top

How do I configure settings for password policy?

You can configure settings to control password policy for local users logging in to the platform.

Note: When you change a setting, it might take up to five minutes for the change to take effect.

User Settings
This setting... Controls this feature...
Minimum Password Length The minimum number of characters allowed in a password.
Maximum Password Length The maximum number of characters allowed in a password.
Minimum Letter Count The minimum number of letters required in a password.
Minimum Number Count The minimum number of numeric digits required in a password.
Minimum Uppercase Letters The minimum number of uppercase letters required in a password.
Minimum Special Characters The minimum number of special characters required in a password. If no value is specified, all characters are allowed.
Special Characters Allowed The special characters allowed in the password. If a value is provided for Minimum Special Characters (MinSpecialCharCount), at least one allowed special character must be defined.
Number of Previous Passwords Checked for Match Indicates the number of previous passwords that the new password is checked against, and rejected if there is a match.
Force Password Change Period (Days) Indicates the time interval, in days, before a user is prompted to change the password. If set to 0 (zero), password changing is not enforced.
Can Password Contain Spaces? Indicates whether a password can include spaces.
Is Password Case-Sensitive? Indicates whether a password is case sensitive.
Can Password Match Username? Indicates whether the password and the username can be the same.
Can Password Match Email? Indicates whether the password and the email address can be the same.
To configure password policy settings:
  1. Log in as the Site Admin and go to the Admin section.
  2. Go to Settings > Password Policy.
  3. Change the settings as needed. For explanations of your choices, refer to the table above.
  4. When done, click Save.
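The following added example (not Akana code; attribute and function names are assumed) implements the rules in the Password Policy table as a single validator, so you can see how the settings combine, including the interaction between Minimum Special Characters and Special Characters Allowed, the case-sensitivity flag, and the previous-password check.

```python
from dataclasses import dataclass
import hashlib

@dataclass
class PasswordPolicy:
    # Assumed attribute names; each mirrors one row of the Password Policy table above.
    min_length: int = 8
    max_length: int = 64
    min_letters: int = 1
    min_numbers: int = 1
    min_uppercase: int = 1
    min_special: int = 1
    special_allowed: str = "!@#$%^&*"      # empty string = no restriction on which specials
    previous_checked: int = 5
    allow_spaces: bool = False
    case_sensitive: bool = True
    may_match_username: bool = False
    may_match_email: bool = False

def _fold(policy, s):
    # When the policy is not case-sensitive, comparisons ignore letter case.
    return s if policy.case_sensitive else s.lower()

def history_hash(policy, password):
    # Illustrative only: a real password store uses a salted, slow hash (bcrypt, Argon2).
    return hashlib.sha256(_fold(policy, password).encode()).hexdigest()

def validate_password(policy, password, username, email, previous_hashes=()):
    """Return the list of violated rules; an empty list means the password is acceptable."""
    problems = []
    if len(password) < policy.min_length:
        problems.append("too short")
    if policy.max_length and len(password) > policy.max_length:
        problems.append("too long")
    if sum(c.isalpha() for c in password) < policy.min_letters:
        problems.append("not enough letters")
    if sum(c.isdigit() for c in password) < policy.min_numbers:
        problems.append("not enough digits")
    if sum(c.isupper() for c in password) < policy.min_uppercase:
        problems.append("not enough uppercase letters")
    specials = [c for c in password if not c.isalnum() and not c.isspace()]
    if policy.min_special and not policy.special_allowed:
        # The page's rule: a minimum special count needs at least one allowed special character.
        problems.append("policy error: minimum special count set but none allowed")
    elif policy.min_special and sum(c in policy.special_allowed for c in specials) < policy.min_special:
        problems.append("not enough allowed special characters")
    if policy.special_allowed and any(c not in policy.special_allowed for c in specials):
        problems.append("disallowed special character")
    if " " in password and not policy.allow_spaces:
        problems.append("spaces not allowed")
    if not policy.may_match_username and _fold(policy, password) == _fold(policy, username):
        problems.append("matches username")
    if not policy.may_match_email and _fold(policy, password) == _fold(policy, email):
        problems.append("matches email")
    # Only the N most recent stored hashes are compared, per "Number of Previous Passwords Checked".
    if history_hash(policy, password) in list(previous_hashes)[:policy.previous_checked]:
        problems.append("matches a previous password")
    return problems
```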

Back to top

How do I configure settings for reviews?

You can configure settings to determine which features will be available for reviews on the platform.

Note: When you change a setting, it might take up to five minutes for the change to take effect.

Review Settings
This setting... Controls this feature...
Review Workflow Definition The workflow definition that will apply to all new reviews on the platform. Existing reviews are not affected.
Publishing of Reviews Indicates whether reviews are published automatically or must be approved by a moderator (Admin).
Markdown Support

Indicates whether Markdown is supported for reviews. Markdown support includes linking and file upload. If disabled, reviews are plain text.

For more information about Markdown support, see How do I enable Markdown for Forum items?

External Link Support Indicates whether external links are supported in Markdown for reviews. Applicable only if Markdown Support is enabled.
To configure review settings:
  1. Go to Settings > Reviews.
  2. Change the settings as needed. For the workflow definition, you can:
    • Choose the out-of-the box workflow, workflow:definition:review.
    • Choose a custom workflow, if a Site Admin or Business Admin uploaded a custom workflow for reviews.
    • Revert to the default, no workflow for reviews, if a workflow was previously assigned.
  3. When done, click Save.

Back to top

How do I configure settings for business security?

You can configure settings to control the level of security associated with platform elements, and to control certain elements relating to security that affect platform users.

You can use the default out-of-the-box user workflow in combination with user settings and business security settings relating to users, to control user experience on the platform and if needed to restrict what users can do. If you need more flexibility, you can design your own custom workflow.

Note: When you change a setting, it might take up to five minutes for the change to take effect.

Business Security Settings
This setting... Controls this feature...
CSRF Support for Read Requests

If enabled, a CSRF token must be sent with the request for all Read requests that require login. The CSRF token is sent on login; including it in requests helps prevent malicious CSRF attacks.

Default: Disabled.

Note: If this setting is disabled, and you enable it, you and any other users already logged in when the setting change takes effect (up to five minutes) will need to refresh, or log out and log back in again.

Encrypt Challenge Answers If enabled, the user's answers to security challenge questions are encrypted in the database.
CSRF Support for Write Requests

If enabled, a CSRF token must be sent with all Write requests. The CSRF token is sent on login; including it in requests helps prevent malicious CSRF attacks.

Note: If this setting is disabled, and you enable it, you and any other users already logged in when the setting change takes effect (up to five minutes) will need to refresh, or log out and log back in again.

Challenge Count

Determines how many security challenge questions a single user must answer. Cannot exceed the total number of questions defined.

Note: If you want to require security challenge questions but no challenge count is available, you must first set up the questions. See How do I configure security challenge questions?

Allow User Enum If disabled, additional security is in effect for new account setup and password reset scenarios, to help prevent user enumeration. For more information, refer to How can I protect from vulnerability in Signup and Forgot Password scenarios?
Allow users to modify their own profiles If enabled, a user can modify the profile information, including the email address if it is associated with a local account.
CAPTCHA Supported If enabled, CAPTCHA challenges are used in the developer portal; for example, on the Forgot Password page. See How do I configure CAPTCHA on the platform? below.
Allow display of external content in developer portal content pages If enabled, users can view external webpages if they are referenced in platform content pages. For more information, see How do I prevent referencing external sites in developer portal content pages? below.
To configure business security settings:
  1. Log in as the Site Admin and go to the Admin section.
  2. Go to Settings > Security.
  3. Change the settings as needed. For explanations of your choices, refer to the table above.
  4. When done, click Save.

Back to top

How do I configure CAPTCHA on the platform?

The developer portal's security features include the capability for the Site Admin to enable CAPTCHA challenge/response tests on certain pages. Using a CAPTCHA helps ensure that the entity performing the action is a human, not a bot.

The feature supports Google reCAPTCHA v2, which validates users by means of the "I'm not a robot" check box.

Note: This feature does not support invisible reCAPTCHA or reCAPTCHA Android.

If you enable CAPTCHA support in the security settings, users will have to answer CAPTCHA challenges on these pages:

  • Sign Up
  • Forgot Password

Before enabling the feature, you must set up a Google reCAPTCHA account. Set up the correct domain for your developer portal in the reCAPTCHA account, without protocol (for example, acmepaymentscorp.com), and get the values for the Site Key and the Secret.

Once the Google reCAPTCHA account is set up with the developer portal's domain (for example, acmepaymentscorp.com), and CAPTCHA support is enabled in the developer portal with the Site Key and Secret values entered, users who sign up or click Forgot Password are presented with a CAPTCHA challenge that they must pass before the page accepts their input.

To enable CAPTCHA support in the developer portal:
  1. Log in as the Site Admin and go to the Admin section.
  2. Go to Settings > Security.
  3. In the CAPTCHA Support field, click Enabled.
  4. In the CAPTCHA Site Key field, enter the Site Key value for your reCAPTCHA account.
  5. In the CAPTCHA Secret Key field, click Edit, and then enter the secret value for your reCAPTCHA account.

    Note: The CAPTCHA Secret Key is never displayed anywhere in the developer portal user interface. In addition, the developer portal API doesn't return the secret key. It's encrypted and stored securely in the database.

  6. Click Save.

Back to top

How do I configure settings for tickets?

You can configure ticket settings to determine which features will be available for tickets on the platform. If a feature is disabled in the ticket settings page, it will not be present in the user interface.

Unless otherwise noted, settings are either enabled or disabled.

Note: When you change a setting, it might take up to five minutes for the change to take effect.

General Ticket Settings
This setting... Controls this feature...
Ticket Support Determines whether tickets are supported on the platform. If this setting is disabled, nothing about tickets appears in the platform and no other options relating to tickets are available.
Ticket Workflow Definition The workflow definition that will apply to all new tickets on the platform (existing tickets are not affected).
Ticket Comment Workflow Definition The workflow definition that will apply to new comments on tickets on the platform (existing comments are not affected).
Visibility

Determines who can see unpublished tickets. Valid choices:

  • Public: Visible to anyone who has visibility of the associated API.
  • Private: Visible only to the submitter and API Admins, and to app team members if the ticket was submitted in the context of a specific API.
Markdown Support

Indicates whether Markdown is supported for tickets. Markdown support includes linking and file upload. If disabled, tickets are plain text.

For more information about Markdown support, see How do I enable Markdown for Forum items?

External Link Support Indicates whether external links are supported in Markdown for tickets. Applicable only if Markdown Support is enabled.
To configure ticket settings:
  1. Log in as the Site Admin and go to the Admin section.
  2. Go to Settings > Tickets.
  3. Change the settings as needed. For explanations of your choices, refer to the table above.
  4. When done, click Save.

Back to top

How do I configure settings for users?

You can configure user settings to determine which features will be available for users on the platform. If a feature is disabled in the user settings page, it will not be present in the user interface.

Unless otherwise noted, settings are either enabled or disabled.

Note: When you change a setting, it might take up to five minutes for the change to take effect.

User Settings
This setting... Controls this feature...
User Workflow Definition The workflow definition that will apply to all new users on the platform. Existing users are also added to the workflow when they log in if the Upgrade CM Models action is invoked as part of upgrade.
News Update Notification If enabled, news update notifications can be sent to all users, as long as the users have not opted out by clearing the Email me news updates check box on the user profile page. For more information, see How do I enable or disable email notifications?
Validity Period for Account Added by Site Admin (days)

The period, in days, for which a new user account added by a Site Admin is valid. If the user doesn't log in during the validity period, the account expires.

Choices: any whole number from 1 to 30; 45, 60, 90, 120, 150, or 180. You can also choose Never Expire.

Enforce Challenge Questions on Login If enabled, users must provide answers to security challenge questions when logging in to the platform for the first time.
Validity Period for Password Reset Code (in hours)

The period, in hours, for which a password reset code is valid.

Choices: 2, 4, 8, 12, 16, 20, 24, 28, 32, 36, 40, 44, 48, 60, 120, 180, or 240. You can also choose Never Expire.

Default: 48 hours.

User Self-Signup

Determines whether the platform signup page is generally available for users to sign themselves up.

Default: Enabled.

Validity Period for Signup Code (in days)

The period, in days, for which a signup code is valid. The signup code is issued in the email confirmation for self-signup registration.

Choices: any whole number from 1 to 14; you can also choose Never Expire.

Default: 7 days.

Invite Unregistered Users

Determines whether unregistered users can be invited to sign up to the platform or to join platform groups.

By default, all users can be invited; unregistered users are invited to sign up and then accept the group membership invitation. If this option is disabled, an unregistered user cannot be invited to sign up to the platform or to join a platform group.

Note: If this option is disabled, the option to invite new users is removed from the Plus menu.

Default: Enabled.

Validity Period for Invitation Code (in days)

The period, in days, for which an invitation code is valid. The invitation code is issued in an email when a group/team member invites a non-platform user to join the group/team.

Choices: any whole number from 1 to 30; you can also choose Never Expire.

Default: 7 days.

To configure user settings:
  1. Log in as the Site Admin and go to the Admin section.
  2. Go to Settings > Users.
  3. Change the settings as needed. For explanations of your choices, refer to the table above.
  4. When done, click Save.

Back to top

How do I configure settings for two-factor authentication of users (2FA)?

You can configure user settings to determine whether two-factor authentication is in use in the platform, and if so, to specify values that guide the authentication process.

For information about how to implement 2FA, see How do I implement two-factor authentication for platform users?

2FA Settings
This setting... Controls this feature...
Require Two-Factor Authentication for Login Indicates whether a verification code will be required as part of the login process, in addition to user credentials such as username/password.
Validity Period for Authentication Code (in seconds) The period, in seconds, for which a verification code will be valid for login.
Maximum Attempts The maximum number of login attempts a user can make with one verification code. After that point, the user will have to request a new code.
Authentication Code Frequency Requirements The rules determining how often and under what circumstances the current two-factor authentication expires and the user must authenticate again. If login is per device or for a specified time period, specify the name of the cookie set by the two-factor authentication. For time period, specify the time in minutes. Valid values:
  • For each login (no extra values needed)
  • Once per device: specify the name of the cookie that will be used during 2FA login
  • After a specific time period: specify the name of the cookie that will be used during 2FA login and also the number of minutes before the verification code expires.
Cookie Name The name of the cookie that will be used during 2FA login.
Interval (in minutes) The number of minutes before the verification code expires.
To configure user 2FA settings:
  1. Log in as the Site Admin and go to the Admin section.
  2. Go to Settings > User 2FA.
  3. Change the settings as needed. For explanations of your choices, refer to the table above.
  4. When done, click Save.

Back to top

How do I prevent referencing external sites in developer portal content pages?

It's possible to reference an external website within an <iframe> tag in a developer portal content page, using the &doc parameter:

{protocol}://{hostname}/{tenant}/#!{sitepage}&doc={URL-encoded external URL}

The example below illustrates how this might look using the Simple Developer theme's documentation page, and referencing the external website http://www.example.com:

http://acmepaymentscorp.com/acmepaymentscorp/#!documentation&doc=http%3A%2F%2Fexample.com

However, this feature is a potential security risk, since the external site to be displayed could be modified via malicious content injection. Site Admins who want to disable the ability to reference external sites on a developer portal content page can use the security setting Allow display of external content in developer portal content pages. See How do I configure settings for business security? above.
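As an added example (not Akana code; the function names and the portal hostname are assumed, the hostname being taken from the page's own sample URL), the following shows how a content page URL of the form above can be checked: it extracts the &doc value from the #! fragment, decides whether it points off the portal's own host, and applies the Allow display of external content setting.

```python
from urllib.parse import urlsplit, parse_qs

PORTAL_HOST = "acmepaymentscorp.com"   # assumed portal hostname, from the page's example URL

def extract_doc_url(page_url):
    """Return the decoded value of the &doc parameter in the #! fragment, or None if absent."""
    fragment = urlsplit(page_url).fragment   # e.g. "!documentation&doc=http%3A%2F%2Fexample.com"
    if not fragment.startswith("!"):
        return None
    sitepage, _, query = fragment[1:].partition("&")   # "{sitepage}" then "doc=..."
    docs = parse_qs(query).get("doc")
    return docs[0] if docs else None         # parse_qs percent-decodes the value

def is_external(doc_url, portal_host=PORTAL_HOST):
    """True if the referenced document lives anywhere other than the portal's own host."""
    parts = urlsplit(doc_url)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return True                          # non-http(s) schemes are never the portal itself
    host = (parts.hostname or "").lower()    # "" for relative paths such as docs/guide.html
    return host != "" and host != portal_host.lower()

def allow_doc_reference(page_url, allow_external_content, portal_host=PORTAL_HOST):
    """Apply the business security setting: external doc URLs load only when it is enabled."""
    doc = extract_doc_url(page_url)
    if doc is None:
        return True                          # no document referenced, nothing to block
    if not is_external(doc, portal_host):
        return True                          # same-host or relative documents are always fine
    return allow_external_content
```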

Back to top