Security

IP restrictions

The portal supports IP-based access restrictions for sensitive sessions or roles. Review and configure IP allowlists at https://portal.cicops.ai/ip_restrictions. Deeper changes may need engineering.

Use this for high-security customers who want to limit portal access to addresses on their corporate network. Before enabling a restriction, confirm the customer's egress ranges with them and keep at least one admin path that is not covered by the allowlist, so a mis-scoped range cannot lock everyone out.
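To make concrete what an allowlist check has to get right behind the Cloudflare and Kamal proxies this portal sits behind, here is an added illustration in Ruby. It is constructed for this page and is not the portal's own code; the module name, the trusted-proxy list and the header handling are assumptions. Entries may be single addresses or CIDR ranges, IPv4 or IPv6. The important part is client_ip: the TCP peer of the application is a proxy, so the real client address has to come from a forwarded header, and that header may only be believed when the peer is itself a known proxy, otherwise a client can spoof X-Forwarded-For and walk straight past the allowlist.

```ruby
require "ipaddr"

# Added example: an IP allowlist check with proxy-aware client resolution.
# Not the portal's code; names and the trusted-proxy list are assumptions.
module IpRestriction
  # Parse allowlist entries once at configuration time.  A malformed entry
  # raises here, which is the right place to fail (fail closed, loudly).
  def self.compile(entries)
    entries.map { |entry| IPAddr.new(entry.strip) }
  end

  # True when client_ip falls inside any allowed range.  Unparseable input
  # is denied instead of raising out of the request path.
  def self.allowed?(client_ip, compiled)
    ip = IPAddr.new(client_ip)
    compiled.any? { |range| range.include?(ip) }
  rescue IPAddr::InvalidAddressError
    false
  end

  # Resolve the real client address.  peer_ip is the TCP peer seen by the
  # application; forwarded_for is the X-Forwarded-For header (may be nil).
  # The header is only consulted when the peer is a trusted proxy; hops are
  # walked from the right, skipping trusted proxies, and the first untrusted
  # hop is the client.  Anything else falls back to the peer itself.
  def self.client_ip(peer_ip, forwarded_for, trusted_proxies)
    peer = IPAddr.new(peer_ip)
    return peer_ip unless trusted_proxies.any? { |p| p.include?(peer) }

    hops = forwarded_for.to_s.split(",").map(&:strip).reject(&:empty?)
    hops.reverse_each do |hop|
      begin
        addr = IPAddr.new(hop)
      rescue IPAddr::InvalidAddressError
        return hop # garbage hop: hand it back verbatim so allowed? denies it
      end
      return hop unless trusted_proxies.any? { |p| p.include?(addr) }
    end
    peer_ip
  end
end

# Constructed sample configuration (documentation ranges, not real customers).
ALLOWLIST       = IpRestriction.compile(["203.0.113.0/24", "2001:db8::/32", "198.51.100.7"])
TRUSTED_PROXIES = IpRestriction.compile(["10.0.0.0/8"])
```

With Cloudflare in front, the trusted-proxy list would be Cloudflare's published ranges and the Kamal proxy's address, and Cloudflare's CF-Connecting-IP header can be used in place of walking X-Forwarded-For; the trust rule is the same either way. Whatever the portal's allowlist UI does internally, this is the property to confirm with engineering before relying on IP restrictions for a high-security customer.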

Captcha

Captcha is enabled on login and password reset to block automated abuse. There's no admin toggle for this — it's always on for those routes.

2FA enforcement

The portal does not currently force-enable 2FA, so enforcement is up to admins: encourage every admin and supervisor to enable it, and treat an admin or supervisor account without 2FA as a finding to chase down.

When onboarding a new admin or supervisor, walk them through 2FA setup as part of the orientation. See First-time Setup.

Doorkeeper / API tokens

External integrations authenticate with OAuth2 access tokens issued by Doorkeeper, not with user passwords. Each token carries a set of scopes that limits what it may call, and any token can be revoked. Coordinate with engineering when issuing or revoking tokens.

Token lifecycle:

  1. Application registration — engineering creates an OAuth application in the portal and hands the integrator its client credentials
  2. Authorization — the integrator follows the OAuth2 authorization flow for the scopes they need
  3. Access token — the integrator receives a token and presents it on every API call; each call is checked against the token's scopes
  4. Revocation — engineering can revoke the token at any time, after which the next call with it is rejected

See API Reference for how integrators use the tokens.
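The four steps above, modelled as an added stand-alone example in Ruby. This is a constructed illustration, not Doorkeeper and not the portal's code; the class and method names, the lifetimes and the scope names (read:tickets, write:tickets) are assumptions. It reproduces the behaviour that matters operationally: authorization codes are short-lived and single-use, the client must present its secret to exchange a code, only digests of secrets and tokens are stored, every API call is checked against the scopes the token was issued with, and revocation is idempotent and takes effect on the very next call.

```ruby
require "securerandom"
require "digest"

# Added example: in-memory model of the OAuth2 token lifecycle.  Not Doorkeeper
# and not the portal's code; names and TTLs are assumptions.
class TokenLifecycle
  Application = Struct.new(:uid, :secret_digest, :redirect_uri, :scopes)
  Grant       = Struct.new(:app_uid, :scopes, :expires_at, :used)
  AccessToken = Struct.new(:app_uid, :scopes, :expires_at, :revoked_at)

  CODE_TTL  = 10 * 60      # authorization codes live ten minutes (assumed)
  TOKEN_TTL = 2 * 60 * 60  # access tokens live two hours (assumed)

  def initialize
    @apps, @grants, @tokens = {}, {}, {}
  end

  # Step 1: engineering registers an OAuth application and hands the
  # integrator its client id and secret.  Only a digest of the secret is kept.
  def register_application(redirect_uri:, scopes:)
    uid, secret = SecureRandom.hex(16), SecureRandom.hex(32)
    @apps[uid] = Application.new(uid, digest(secret), redirect_uri, scopes)
    [uid, secret]
  end

  # Step 2: the authorization endpoint issues a short-lived, single-use code.
  # The redirect URI must match the registration exactly and the requested
  # scopes must be a subset of those the application was registered with.
  def authorize(app_uid, redirect_uri:, scopes:, now: Time.now)
    app = @apps[app_uid]
    raise ArgumentError, "invalid_client" unless app
    raise ArgumentError, "invalid_redirect_uri" unless app.redirect_uri == redirect_uri
    raise ArgumentError, "invalid_scope" unless (scopes - app.scopes).empty?
    code = SecureRandom.urlsafe_base64(32)
    @grants[code] = Grant.new(app_uid, scopes, now + CODE_TTL, false)
    code
  end

  # Step 3a: the token endpoint trades the code for an access token.  The
  # client must authenticate with its secret; the code must be unused,
  # unexpired and issued to this client, and it is burned even if a later
  # check fails, so a leaked code cannot be retried.
  def exchange(app_uid, secret, code, now: Time.now)
    app = @apps[app_uid]
    raise ArgumentError, "invalid_client" unless app && digest(secret) == app.secret_digest
    grant = @grants[code]
    raise ArgumentError, "invalid_grant" unless grant && !grant.used && grant.app_uid == app_uid
    grant.used = true
    raise ArgumentError, "invalid_grant" if grant.expires_at <= now
    token = SecureRandom.urlsafe_base64(32)
    @tokens[digest(token)] = AccessToken.new(app_uid, grant.scopes, now + TOKEN_TTL, nil)
    token
  end

  # Step 3b: every API call presents the token and is checked against the
  # scopes it was issued with.  Returns :ok or the reason for rejection.
  def check(token, scope, now: Time.now)
    t = @tokens[digest(token)]
    return :invalid_token unless t
    return :revoked if t.revoked_at
    return :expired if t.expires_at <= now
    return :insufficient_scope unless t.scopes.include?(scope)
    :ok
  end

  # Step 4: engineering revokes the token.  Idempotent; the token is rejected
  # on the next call.  Returns false for a token that was never issued.
  def revoke(token, now: Time.now)
    t = @tokens[digest(token)]
    return false unless t
    t.revoked_at ||= now
    true
  end

  private

  # Digests are fixed length, so the comparison above does not leak length,
  # and a dump of the store exposes no usable secret or token.
  def digest(value)
    Digest::SHA256.hexdigest(value)
  end
end
```

The scope check in step 3b is the reason to issue integrators the narrowest scopes that cover their use case: a token stolen from a read-only integration cannot be turned into a write path, and revoking it (step 4) is a single operation that needs no password change on any user account.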

Disabling a user's 2FA

When a user is locked out and has lost their recovery codes:

  1. Verify their identity through an out-of-band channel. Don't rely on a request arriving from their email address: if the account is under attack, the mailbox may be the thing that was compromised.
  2. Open their user record at Users.
  3. Use the Disable 2FA action.
  4. Tell them to re-enable 2FA as soon as they log in, and check that they did (see 2FA enforcement above).
  5. Record the request, the identity check you performed, and the action taken in your support records.

Session management

The portal uses standard Rails sessions. Sessions are time-limited, and logging out invalidates the session.

If you suspect a session has been compromised:

  1. Reset the affected user's password (this invalidates their current sessions, so whoever is holding the hijacked session is logged out too)
  2. Force them to re-enroll in 2FA: disable it as described above and have them set it up afresh, since the existing secret or recovery codes may also have been captured
  3. Review their recent audit log entries for unfamiliar activity (see Audit and compliance below)

Audit and compliance

Every meaningful action in the portal is logged with attribution. See the audit trail section in Users & Impersonation.

For compliance requests (regulatory, legal hold, customer data export):

  • The audit log is queryable by engineering
  • Customer data export is available via the API and via CSV exports
  • True deletion (vs. soft delete / discard) requires engineering involvement

Cookie banners and TLS

TLS is terminated in front of the application rather than in Rails: at Cloudflare's proxy for client connections, and at the Kamal proxy at the origin, which holds a Let's Encrypt certificate. All traffic is HTTPS-only. There's no cookie banner because the portal sets only essential authentication cookies.
