Known IP Address
Known IP Address definitions.
The Known IP Address page enables you to define a global list of IP addresses from which users can access a tenant. If a user attempts to access the tenant from an IP address that is not on the list, access is denied.
From the Main Menu, go to
. Your current IP address is listed on the left side of the page. Depending on your requirements, you can create, edit, or delete known IP addresses from this page. You must create at least one IP address and ensure that the IP address from which you are accessing the configuration page is included. If you are working from a blocked IP address, a message appears: "You must allow access to the current IP address."
Create a Known IP Address
- Click Create.
- On the Create Known IP Address glance, enter the following information.
Note: Your current IP address must be included as a known IP address. You cannot block your IP address.
- Name— Enter a unique name (required). The name cannot start with a number, the maximum length is 50 characters, and you cannot use the following characters: & _ * % ? : ; = ( ) / [ ] \ | # @ < >
- Description— Enter a description (optional). The maximum length is 250 characters.
- Format— IPv4.
- Start— Enter a valid starting IP address (required). You must enter the address in the format used by your selection in the Format field. If the IP address is not in the correct format, an error displays: "Enter a valid starting IP address." You can use wildcards and shortcuts as described in Use wildcards in known IP addresses.
- End— To define a range of IP addresses, enter a valid ending IP address (optional). If you leave this field blank, the ending address is the same as the starting address. You can use wildcards here.
- Click Save
- Review the new information on the Known IP Address page, then click Save. A success message displays.
Edit a Known IP Address
- Select a row of IP addresses and click Edit. The Edit Known IP Address page opens, with the fields populated with the current information.
- Edit the fields as needed:
- Name— Change the name. The name cannot start with a number, the maximum length is 50 characters, and you cannot use the following characters: & _ * % ? : ; = ( ) / [ ] \ | # @ < >
- Description— Change the description. The maximum length is 250 characters.
- Format— IPv4.
- Start— Change the starting IP address. You must enter the address in the format used by your selection in the Format field. If the IP address is not in the correct format, an error displays: "Enter a valid starting IP address." You can use wildcards and shortcuts as described in Use wildcards in known IP addresses.
- End— To change a range of IP addresses, you can change the ending IP address. If you leave this field blank, the ending address is the same as the starting address. You can use wildcards here.
- Click Save
- Review the new information on the Known IP Address page, then click Save. A success message displays.
Delete a Known IP Address
- Select a row of IP addresses and click Delete.
- Review the warning and click Yes to continue or No to cancel.
- Click Save. A success message displays.
Bypass IP Address Restrictions
The global system setting global.iprestriction.username.bypass.list bypasses IP address restrictions at the tenant level for the user and system account names that are added to the setting's comma-separated list. Names on this list always have access to systems from unknown IP addresses, regardless of whether IP restriction is enforced.
System administrators configure global.iprestriction.username.bypass.list from the Tenant Management System or from the UKG Pro Workforce Management system settings page (Administration > Application Setup > System Configuration > System Settings > Global Values tab). For more information, see Global Values System Settings.
Guidelines
- By default, global.iprestriction.username.bypass.list is blank.
- After system administrators update and save global.iprestriction.username.bypass.list, to ensure the changes propagate throughout the system, they must republish the Known IP Address page as follows:
- If the IP Restriction Enforcement checkbox is enabled, deselect it, select it again, then click Save.
- If the IP Restriction Enforcement checkbox is not enabled, select it, deselect it, then click Save.
- By default, for all system account users (those created during automated tenant provisioning), IP restrictions are always automatically bypassed.
Use wildcards and shortcuts in IP addresses
When you enter a wildcard or shortcut in the Start and End fields of the Create or Edit Known IP Address glance, the full IP addresses display in the Start and End columns of the Known IP Address page.
Enter in Create/Edit Known IP Address Glance: Start | Enter in Create/Edit Known IP Address Glance: End | Displays on Known IP Address Page: Start | Displays on Known IP Address Page: End |
---|---|---|---|
Wildcards | | | |
10.10.10.10 | 10.*.20.240 | 10.10.10.10 | 10.255.20.240 |
254.198.10.* | 254.*.20.240 | 254.198.10.0 | 254.255.20.240 |
Shorthand | | | |
10.10.10.10/24 | NA | 10.10.10.0 | 10.10.10.255 |
10.10.10.10/15 | NA | 10.10.0.0 | 10.11.255.255 |
10.10.10.10/33 | Invalid | Invalid | Invalid |
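The following is an added example, not code from the product or its vendor: it reproduces the expansions in the table above so you can preview how broad an entry is and confirm that your current address is covered before you save. The function names are hypothetical, and treating each entry as one contiguous numeric range from Start to End is an assumption.

```python
import ipaddress

def _fill(text, value):
    # Replace only whole-octet wildcards; "1*" stays malformed and is rejected.
    return ".".join(value if octet == "*" else octet for octet in text.split("."))

def expand_entry(start, end=""):
    """Return (first, last) as IPv4Address objects, or None if the entry is invalid."""
    start, end = start.strip(), end.strip()
    try:
        if "/" in start:
            # Shorthand: End is not applicable (NA); the range is the whole network.
            if end:
                return None
            net = ipaddress.IPv4Network(start, strict=False)
            return net.network_address, net.broadcast_address
        first = ipaddress.IPv4Address(_fill(start, "0"))
        # Blank End: the ending address is the same as the starting address.
        last = ipaddress.IPv4Address(_fill(end, "255")) if end else first
    except ValueError:
        return None
    return (first, last) if first <= last else None

def displayed(start, end=""):
    # What the Start and End columns would show for this entry.
    rng = expand_entry(start, end)
    return (str(rng[0]), str(rng[1])) if rng else ("Invalid", "Invalid")

def range_size(start, end=""):
    # Number of addresses the entry admits; 0 for an invalid entry.
    rng = expand_entry(start, end)
    return int(rng[1]) - int(rng[0]) + 1 if rng else 0

def is_allowed(client_ip, entries):
    # Assumption: each entry is one contiguous numeric range from Start to End.
    addr = ipaddress.IPv4Address(client_ip)
    return any(rng and rng[0] <= addr <= rng[1]
               for rng in (expand_entry(s, e) for s, e in entries))

# Entries taken from the table above; client addresses are constructed samples.
ENTRIES = [("10.10.10.10/24", ""), ("254.198.10.*", "254.*.20.240")]

if __name__ == "__main__":
    for s, e in ENTRIES + [("10.10.10.10", "10.*.20.240"), ("10.10.10.10/33", "")]:
        print(s, e or "-", "->", displayed(s, e), range_size(s, e), "addresses")
    for ip in ("10.10.10.200", "192.0.2.10"):
        print(ip, "allowed" if is_allowed(ip, ENTRIES) else "blocked")
```

Under the contiguous-range assumption, a wildcard in the End field widens the entry considerably: the 10.10.10.10 to 10.*.20.240 row spans more than 16 million addresses, so review the reported size against the networks you intend to allow.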
User experience for blocked addresses
If a user attempts to log in to a tenant from an IP address that is blocked, an error message displays:
You are not authorized to access this tenant. See your administrator.
If a user successfully logs in from an IP address that is allowed and then moves (or "hops") to another IP address that is blocked, the user is logged out.
If you use the IP restriction functionality in an integrated Workforce Management (WFM) and Human Capital Management (HCM) system, be aware of the following:
- If a user logs in from an IP address that is allowed in both WFM and HCM, the user can access both WFM and HCM content.
- If a user logs in from an IP address that is allowed in WFM but blocked in HCM, the HCM content is unavailable.
- If a user attempts to log in from an IP address that is blocked in WFM and allowed in HCM, all content is unavailable.
Audit configuration changes and blocked access
You can run the following standard reports to review changes made to the configuration page and to identify users whose access was blocked.
Audit Report
The Audit report can list additions, edits, and deletions made to the Known IP Address page and identify the user who made the changes. To run an Audit report that lists these changes:
- From the Main Menu, select .
- From the Report Library, click Run Report.
- In the Select Report panel, select and click Select.
- In the Audit Report panel, select the following:
- Audit Types— Select Known IP Address.
- Start Date and End Date— Select dates.
- User— Enter the name of the user who made the changes.
- Output Format— Select PDF, XLSX, Interactive, or CSV.
- Click Run Report.
The report includes the following information:
- Type— Known IP Address
- Item— Not used
- Action— Create, Modify, or Delete
- Date— The date the change was made
- User IP— The IP address of the user who made the change
- User— The user who made the change
- Attribute— IP Address/Enable IP filtering
- Old Value— The value before the change
- New Value— The value after the change
Security Report
The Security report can list the users who were denied entry to the system because of blocked IPs. To run a Security Report that lists blocked users:
- From the Main Menu, select .
- From the Report Library, click Run Report.
- In the Select Report panel, select and click Select.
- In the Security Report panel, select the following:
- Audit Types— Select Restricted IP or Restricted IP hop and click Apply.
Note: If you select Restricted IP, the report lists each time a user attempts to access a restricted IP. If you select Restricted IP hop, the report lists each time the user "hops" to another IP address, regardless of whether the new IP address is allowed or blocked.
- Start Date and End Date
- User— Enter the name of the user creating the report
- Output Format— Select PDF, XLSX, Interactive, or CSV.
- Click Run Report.
The report includes the following information:
- Type— Restricted IP User Login Failed
- Item— Not used
- Action— Failed
- Date— The date of the attempted login
- User IP— The IP address of the user who attempted to log in
- User— The name of the user who attempted to log in
- Comment— Not used