In-product security features

Several built-in security features allow you to configure your Jive community for the appropriate level of security for your organization.

Authentication features

Login security : By using the Admin Console, you can configure Jive to strongly discourage automated (computer-driven) registration and logins. Automated registration is usually an attempt to gain access to the application for malicious reasons. By taking steps to make registering and logging in something that only a human being can do, you help to prevent automated attacks. We recommend using the following tools, all of which are available as options in the Admin Console:

  • Login throttling: You can enable login throttling, which slows down the login process when a user has entered incorrect credentials more than the specified number of times. For example, if you set the number of failed attempts to five and the forced delay to ten seconds, and a user fails to log in after more than five attempts, the application forces the user to wait 10 seconds before being able to try again.

  • Login captcha: You can enable login captcha, which displays a captcha image on the login page. The image displays text (distorted to prevent spam registration) that the user must enter to continue with registration. This discourages automated registration intended for sending spam messages.

    The login captcha setting is designed to display the captcha image when throttling begins. After the number of failed attempts specified for throttling, the captcha image is displayed and throttling begins. You cannot enable the login captcha unless login throttling is enabled. The captcha size is the number of characters that appear in the captcha image, which the user must type when logging in. A good value for this is six, which is long enough to make the image useful, but short enough to make it easy for real humans.

  • Password strength: You can enforce strong passwords by using the Admin Console. The following options are available:

    • A minimum of 6 characters of any type
    • A minimum of 7 characters including 2 different character types (uppercase, lowercase, number, punctuation, and special characters)
    • A minimum of 7 characters including 3 different character types
    • A minimum of 8 characters, including all 4 character types

    For more information, see Configuring login settings, Configuring password update settings, and Configuring self-service user registration.

  • Two-factor authentication: Two-factor authentication (2FA) adds a second step to the user authentication procedure to ensure that the person trying to gain access to the community is the actual user.
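The interaction between login throttling and login captcha described above can be modelled in a few lines. This is an added illustration, not Jive code: the class, field and user names are hypothetical, the reset of the counter on a successful login is an assumption, and throttling is taken to begin once failures exceed the configured number, following the page's five-attempt example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class LoginSettings:               # hypothetical names, not Jive property keys
    throttling_enabled: bool = True
    max_failed_attempts: int = 5   # failures tolerated before throttling begins
    forced_delay_s: int = 10       # wait imposed on each throttled attempt
    captcha_enabled: bool = True

    def __post_init__(self):
        # The page states that captcha cannot be enabled without throttling.
        if self.captcha_enabled and not self.throttling_enabled:
            raise ValueError("login captcha requires login throttling")

class LoginThrottle:
    def __init__(self, settings):
        self.settings = settings
        self.failures = {}      # username -> failed attempts so far
        self.next_allowed = {}  # username -> earliest time of the next attempt

    def _throttled(self, user):
        s = self.settings
        return s.throttling_enabled and self.failures.get(user, 0) > s.max_failed_attempts

    def challenge(self, user, now):
        """Return (seconds to wait, captcha required) for the next attempt."""
        if not self._throttled(user):
            return 0, False
        wait = max(0, self.next_allowed[user] - now)
        return wait, self.settings.captcha_enabled

    def record(self, user, success, now):
        if success:  # assumption: a successful login clears the counter
            self.failures.pop(user, None)
            self.next_allowed.pop(user, None)
            return
        self.failures[user] = self.failures.get(user, 0) + 1
        if self._throttled(user):
            self.next_allowed[user] = now + self.settings.forced_delay_s

def simulate_failed_logins(settings, attempts, user="constructed-user"):
    """Replay `attempts` wrong passwords sent as fast as the throttle allows."""
    throttle, now, captchas = LoginThrottle(settings), 0, 0
    for _ in range(attempts):
        wait, captcha = throttle.challenge(user, now)
        now += wait          # an automated client has to sit out the delay
        captchas += captcha  # and would have to solve a captcha each time
        throttle.record(user, False, now)
    return now, captchas     # (seconds elapsed, captcha challenges faced)
```

Running `simulate_failed_logins` with different settings shows how the threshold and delay bound the guess rate against a single account, which is the figure to weigh when choosing values in the Admin Console.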

Session timeout : By default, Jive passes a token that persists the user session for 30 minutes from the last request. If you have a specific need to modify this limit (for example, if you need to make your Jive session timeout match the timeout of your identity provider when configuring SSO), you can use the auth.lifetime system property to set a new session timeout period in minutes. Note that increasing session duration increases security risks, such as session hijacking and unattended workstation tampering. You should consult your organization's security team before you modify this value.

Email validation : You can configure Jive to require email validation for all new accounts. This setting helps to prevent bots from registering with the site and then automatically posting content. When you configure email validation, Jive requires a new user to complete the registration form and retrieve an email with a click-through link to validate their registration. For more information, see Configuring self-service user registration.

Account lockout : Jive does not offer account lockout as an out-of-the-box feature. However, you can configure Jive to authenticate against a third-party SSO that performs account lockout.

SSO : Jive includes support for SAML out of the box, and SSO can also be implemented as a customization by Jive's Professional Services team, a Jive partner, or an engineer of your choice. For more information, see Getting ready to implement SAML SSO.

Delegated authentication : When delegated authentication is enabled and configured, Jive makes a web service call out to the configured server whenever a user attempts to log in. This allows administrators to control the definition of users outside of the community. For more information, see Configuring Delegated Authentication.

Authorization features

Jive includes powerful built-in user and administrator permissions matrices, as well as customizable permissions. Depending on the assigned role, users can see or not see specific places and the content posted there. In addition, administrative permissions can be used to limit the access level of administrators. Jive administrators control user and administrative permissions by using the Admin Console. For more information about permissions, see Managing permissions.

Moderation and abuse features

Moderation : Jive administrators can enable moderation so that designated reviewers view and approve content before it is published in the community. This can be useful for places that contain sensitive information. In addition to content moderation, administrators can enable moderation for images, profile images, avatars, and user registrations. For more information, see Moderation.

Abuse reporting : Administrators can enable abuse reporting so that users can report abusive content items. For more information, see Setting up abuse reporting.

Banning users : Administrators can block a person's access to Jive so that they are no longer able to log in to the community. For example, if someone becomes abusive in their messages (or moderating their content is too time-consuming), administrators may choose to ensure that the user can no longer log in or post comments. Users can be banned through their login credentials or their IP address. For more information, see Configuring banning.

Interceptors : Interceptors can be set up to perform customizable actions on incoming requests that seek to post content. Administrators can set up interceptors to prevent specific users from posting content or to filter and moderate offensive words, anything from specific IP addresses, or the posting frequency of specific users. For more information, see Interceptors overview.

Encryption

HTTPS : HTTPS encryption is required for running Jive. Jive supports TLS 1.0 and up.

Encryption at rest : Encryption at rest is available to North American customers as an addition.

Cookies

Jive uses HTTP cookies in several places in the application to provide a better user experience. For more information about how the application uses cookies, see Cookies in Jive communities.

More options

The Jive Professional Services team can deliver security customizations if the out-of-the-box security features do not meet the specific requirements of your organization.