Session security settings are available on Enterprise plans.
- Idle session duration: How long a session can remain inactive before the user is signed out.
- Maximum session lifetime: The absolute lifetime of a session, regardless of activity. When exceeded, the user is signed out and must reauthenticate.
Configure session duration
To review or change session security settings, go to the Single Sign-On page of your dashboard.Idle session duration
The idle session duration controls how long a session can remain inactive before it expires. Any dashboard request from the user resets the idle timer. Use a shorter idle duration to reduce the risk of unattended sessions being used by someone other than the signed-in user, for example on shared or unlocked devices.Maximum session lifetime
The maximum session lifetime is the absolute cap on how long a single sign-in can last. It is measured from the moment the user signed in and is not extended by activity. When the maximum lifetime is reached, the user is signed out even if they are actively using the dashboard. Use a maximum lifetime to guarantee that users reauthenticate on a regular cadence, which can help you meet compliance requirements or revalidate access after identity provider changes.How the settings interact
The two settings apply independently. A user’s session ends at whichever limit is reached first:- If the user is inactive for longer than the idle session duration, the session ends.
- If the maximum session lifetime elapses since sign-in, the session ends even if the user is active.
Restrict dashboard access by IP
Use the IP allowlist to restrict dashboard access to a set of trusted networks. When the allowlist has one or more entries, only requests from those IPs or ranges can sign in to or use the dashboard. When the allowlist is empty, the dashboard is accessible from any IP address. To configure the allowlist, go to the Network access page of your dashboard.- Add an entry: Enter an IPv4 or IPv6 address, or a CIDR range (for example,
203.0.113.7or10.0.0.0/8), then select Add. Adding the first entry enables the allowlist. - Remove an entry: Select the × on any entry. Removing the last entry disables the allowlist.
- Check your IP: Your current IP address is shown below the entry list so you can confirm it is covered before saving changes.
Audit logging
Changes to session security settings are recorded in your organization’s audit logs under theorg category. Look for these actions to review who updated the settings and when:
org.session_security_session_duration_updatedorg.session_security_session_duration_deletedorg.session_security_max_session_lifetime_updatedorg.session_security_max_session_lifetime_deletedorg.session_security_ip_allowlist_updated