Upon creating a new Atlar production organization, the email used will be given “Owner” status. By default, the owner can access the full functionality of the Atlar platform. The owner account will be used for setting up approval chains, roles, and users. To ensure the protection of Atlar credentials associated with the owner account, the following practices are recommended:
- The production organization should be set up with a non-personal email address, for example: [email protected]
- Do not share the login credentials with a wider team, and consult your IT/security department to ensure you follow internal best practices for managing passwords
- Make sure that the email address can only be accessed by the intended owner(s) since the email account itself can be used to take over the account via the forgot password feature (especially if MFA is turned off!)
- Enable Multi-factor Authentication
- Do not use this account for day-to-day operations, such as checking the account balance
Following the above bullets ensures that the login credentials of the owner account remain protected. If the person with access to the owner account leaves the company or changes positions, you can easily rotate access because it is tied to a non-personal email.
For human users that you invite to join the production organization, the principle of least privilege should be followed: a user should only be able to access the information and resources that are necessary for their role. The following practices are recommended:
- Even if you’re the one setting up the organization, i.e. the owner, set up a dedicated personal account with access for your day-to-day tasks
- Enable/require Multi-factor Authentication for all members
- Add Atlar to your own company’s offboarding checklist
As with human users, follow the principle of least privilege for programmatic access users. Only allow the programmatic access credentials to access exactly what you want your system to be able to access. The following practices are recommended:
- Don't share the Access Key and Secret over email, company chats, etc. Remember that these credentials, depending on what access you’ve given them, can be seen as login credentials to your bank!
- If the secret gets compromised, immediately delete the programmatic access user in the Atlar dashboard and create a new set of credentials by creating a new programmatic access user.
- Atlar support will never ask for your password or programmatic access credentials.
- Don’t click on links in emails that seem to come from Atlar, unless you were expecting such an email (e.g. when signing up, clicking “forgot password”, being invited to Atlar by a colleague, etc.). Someone could try to imitate legitimate emails coming from Atlar and lead you to a malicious site.
- MFA: Upon setting up MFA, you’re presented with a QR code and a manual code. If you want to ensure that you can access your account if you happen to lose your device or the third-party authentication app malfunctions, you need to back up the manual code securely based on your internal IT policies. If you have not stored the code and are locked out of your account, you must contact Atlar to manually disable MFA. Note that this requires you to go through a verification process to ensure that only authorized users can access the Atlar Web app.
- Passwords: If you’ve forgotten your password, you can reset it by visiting the Forgot password page. Note that you need to have an account with a previously verified email to reset the password.
- API keys: If the secret gets compromised, immediately delete the programmatic access user in the Atlar dashboard and create a new set of credentials by creating a new programmatic access user. If you forgot to store the API secret when retrieving it, you can create a new programmatic access user in the Dashboard.