You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 3 Current »

The following security-related configurations ensure users have access to system data and tools according to need to know.


System Access / Authentication

Before granting access to the InfraLink resources, all users are verified with strong multi-factor authentication. Infralink supports multiple types of multifactor authentication, including:

SSO Integration

InfraLink supports MFA via third-party IdP federation services via SAML 2.0 or OIDC protocols, and automatically re-route users to their organization's IdP login page based on user attributes such as email. InfraLink integration with customer-managed enterprise SSO provides these crucial benefits:

  • Customer/Agency maintains full control over establishing and enforcing authentication policies and acceptable multi-factor authentication methods.

  • Customer/Agency maintains full control over the provisioning and termination of user accounts, including integration of account management processes with their HR and contract management functions.

  • Customer/Agency maintains the ability to monitor authentication attempts and enforce enterprise policies, such as identification of suspicious activities, blocking at-risk accounts, etc.

  • Customer/Agency may configure their InfraLink instance to automatically provision application-level user accounts with default (basic) privileges based on successful authentication by IdP, thus reducing administrative overhead and providing frictionless access.

  • User credentials are validated by the customer-owned Identity Provider (IdP) platform and are never exposed to InfraLink, thus improving credential security.

PIV/CAC

InfraLink performs CAC or PIV validation, supporting MFA via Government-issued CAC credentials. This robust MFA method eliminates usernames and passwords and can offer a streamlined end-user experience.

Note: InfraLink Mobile App does not presently support PIV/CAC authentication.

Partitioning Data

InfraLink Contracts

InfraLink provides a flexible and secure framework for managing multiple projects and/or teams using a single instance of the software. InfraLink Contracts act as security containers for partitioning work data.

Role-Based Access Control

InfraLink relies on the concept of Roles to control registered Users' access to data and tools. Each Role is a set of Permissions. The Role definitions (i.e., the list of Permissions the Role includes) are global, as they are configured at the Instance level. An authorized Instance Administrator must have global permission to create and/or modify User Role definitions. (Note: this permission is different from the Permissions to assign Roles to User Accounts).

An authorized Instance Administrator defines User Roles based on the intended use of the Instance, its User categories, security policies, and other factors. While new Roles may be created and existing Roles may be modified at any time, it is a best practice to plan and define some core User Roles prior to creating User Accounts.

Global User Roles

To ensure configuration consistency and effective management of infrastructure-related information, certain data objects defined and maintained in InfraLink are global. That is, they require global privileges (e.g., read, create, update, delete) assigned at the InfraLink instance level.
Please note, certain basic read-only permissions are provided to all users via a basic Global User Role (i.e., (G) BASIC USER (all users)). This permission set provides minimal read-only access to certain shared global objects (e.g., types, categories, definitions, etc.) without providing access to any Contract-restricted data or tools.

Contract-Level User Roles

As mentioned previously, the Contract acts as a security container that organizes and secures project-specific data objects. A Contract Administrator controls access by granting or removing User Roles at the Contract level.

Online Guidance for Managing User Roles.

Auto-Disable Inactive Accounts

To help prevent unauthorized access via active User Accounts, Infralink automatically disables user accounts that are inactive (i.e., zero logins) for a specified number of days. The default account inactivity threshold is thirty-five (35) days. This setting is on the server side and impacts all user accounts. Prior to disabling an account for inactivity, InfraLink will send daily warnings to the email address associated with the inactive account.

The default setting can be modified at the instance level only if the instance owner's information assurance (IA) personnel provide/authorize the extension. For each instance, the timeout definition is dictated by security controls.

Inactivity duration before timeout is an application-level setting and cannot be modified from the user interface. Contact your InfraLink account representative about changes.

Session Timeout for Inactivity

To help prevent unauthorized actions from an active User Account, InfraLink automatically ends active sessions that are inactive for a period of time. The inactivity duration for session timeout is a setting on server side, which impacts all users. The default inactivity setting is 20 minutes. 

The default setting can be modified at the instance level only if the instance owner's information assurance (IA) personnel provide/authorize the extension. For each instance, the timeout definition is dictated by security controls.

Inactivity duration before timeout is an application-level setting and cannot be modified from the user interface. Contact your InfraLink account representative about changes.


  • No labels