In BlueConic, all access-related functionality is grouped together under a single Access Management option through the BlueConic settings menu. When you click BlueConic settings > Access management, the following tabs appear within a horizontal bar at the top (underneath the main navigation bar):
Before you begin
Only users with the Access management role permission can open the Access management menu.
Within Access management, you only see the tabs your role grants access to. For example, a Content Manager might see the Users tab but not the Single sign-on (SSO) tab.
If your role grants access to only one tab, the menu item in BlueConic settings will show that tab’s name instead of “Access management.”
Open access management
Log into BlueConic.
From the main navigation bar, select Settings (cog-wheel icon) > Access management.
The Access management page opens, with the first available tab selected.
Manage users
The Users tab lists all people authorized to log in to BlueConic. From here you can:
View user details, including assigned roles and domain access.
Add or remove users.
Update user settings.
For more information, review the article Add, modify, and delete users.
Manage roles
The Roles tab defines which features users can access. For example, the Application Manager role grants access to AI Workbench. From here you can:
View and edit permissions per role.
Grant access to personally identifiable information (PII).
For more information, review the article Manage Roles and Permissions.
Manage external applications
The Applications tab lists third-party apps authorized through OAuth 2.0 to connect with BlueConic REST APIs. From here you can:
Add or remove applications.
Update application settings.
For more information, review the article Authorizing Applications: Granting external applications to access BlueConic.
Configure single sign-on (SSO)
The Single Sign-On (SSO) tab includes one setting to enable or disable the SSO feature giving users access to BlueConic using your organization's SSO provider. When this setting is enabled, several fields display to input information that BlueConic needs for setup from your SSO provider.
For more information, review the article Using single sign-on (SSO) with BlueConic.
Restrict access by IP address
The Access based on IP address tab lets you restrict UI and API access to specific IP ranges.
If you enable IP restrictions, be sure to include your own IP address on the IP allow list (formerly referred to as a 'whitelist').
Existing sessions outside your allowlist are blocked after saving changes.
If your site uses an IP-masking platform such as Zscaler, review our tips about automatic logouts for further information.
Note: If you set up one or more BlueConic API Access connections, these connections and the specific API access they govern are also affected by this limitation.
Allow BlueConic Support access
The BlueConic Support access tab lets you grant or deny Support employees access to your tenant. By default, no Support access is allowed. You can permit all Support staff or select individuals.
For more information, review the article Allowing BlueConic Customer Success to access your environment.
Configure inactivity settings
By default, BlueConic user accounts remain active regardless of inactivity. To improve security, tenant administrators can now configure BlueConic to automatically disable user accounts that have been inactive for a set number of days.
From the BlueConic navigation bar, choose Settings > Access management > Inactivity settings.
Customize the Automatic logout setting for BlueConic users at their site to any time between 30 (minimum) and 60 minutes (maximum) of inactivity.
In the Disable inactive accounts section, toggle the setting to On.
Enter the number of days (between 1 and 365) after which an inactive account should be disabled. The default is 90 days.
Click Save.
When enabled, BlueConic will monitor user activity. If a user takes no action within the specified number of days, including logging in, making API requests, or interacting with the platform, their account is disabled automatically.
Note: Only users with permission to manage inactivity settings can update this configuration. By default, this permission is assigned to BlueConic application managers.
What happens when an account is disabled
The user cannot log in or make API requests. An error message appears in the UI and API responses.
A user with the Users permission can manually re-enable the account.
Accounts can also be disabled manually in the Users screen.
Audit events for inactivity setting changes
Examples of user activities include clicks, page views, API calls, and saving changes to a configuration. To enhance transparency and accountability, BlueConic logs changes to inactivity settings as audit events. These include enabling or disabling the setting, adjusting the number of days, and any manual account status updates. Audit events are categorized under the object type “Privacy Setting.”
For more information, refer to the Audit events REST API documentation.
Automatic logouts and the BlueConic Chrome Extension
Using the BlueConic Chrome Extension impacts the inactivity timeout setting, because the Chrome Extension triggers a Chrome request every minute to keep track of registered channels and inject the BlueConic script. This behavior may extend the user session because of these requests, and delay or prevent an inactivity timeout.
Next steps
Regularly review your Access management settings to maintain security best practices.