Known IP Address
The Known IP Address page enables you to define a global list of IP addresses from which users can access a tenant. If a user attempts to access the tenant from an IP address that is not on the list, access is denied.
From the Main Menu, go to Administration > Application Setup > Common Setup > Known IP Address. Your current IP address is listed on the left side of the page.
- Click Create.
- On the Create Known IP Address glance (also known as a contextual callout: a dialog box that provides information and actions for an item on the screen when the user right-clicks or taps the item), enter the following information.
- Note: Your current IP address must be included as a known IP address. You cannot block your IP address.
- Name — Enter a unique name (required). The name cannot start with a number, the maximum length is 50 characters, and you cannot use the following characters: & _ * % ? : ; = ( ) / [ ] \ | # @ < >
- Description — Enter a description (optional). The maximum length is 250 characters.
- Format — IPv4.
- Start — Enter a valid starting IP address (required). You must enter the address in the format used by your selection in the Format field. If the IP address is not in the correct format, an error displays: "Enter a valid starting IP address." You can use wildcards and shortcuts as described in Use wildcards in known IP addresses.
- End — To define a range of IP addresses, enter a valid ending IP address (optional). If you leave this field blank, the ending address is the same as the starting address. You can use wildcards here.
- Click Save.
- Review the new information on the Known IP Address page, then click Save. A success message displays.
- Select a row of IP addresses and click Edit. The Edit Known IP Address page opens, with the fields populated with the current information.
- Edit the fields as needed:
- Name — Change the name. The name cannot start with a number, the maximum length is 50 characters, and you cannot use the following characters: & _ * % ? : ; = ( ) / [ ] \ | # @ < >
- Description — Change the description. The maximum length is 250 characters.
- Format — IPv4.
- Start — Change the starting IP address. You must enter the address in the format used by your selection in the Format field. If the IP address is not in the correct format, an error displays: "Enter a valid starting IP address." You can use wildcards and shortcuts as described in Use wildcards in known IP addresses.
- End — To change a range of IP addresses, you can change the ending IP address. If you leave this field blank, the ending address is the same as the starting address. You can use wildcards here.
- Click Save.
- Review the new information on the Known IP Address page, then click Save. A success message displays.
- Select a row of IP addresses and click Delete.
- Review the warning and click Yes to continue or No to cancel.
- Click Save. A success message displays.
The global system setting global.iprestriction.username.bypass.list bypasses IP address restrictions at the tenant level for the user and system account names in its comma-separated list. Names on this list always have access to systems from unknown IP addresses, regardless of whether IP restriction is enforced.
System administrators configure global.iprestriction.username.bypass.list from the Tenant Management System or from the UKG Pro Workforce Management system settings page (Administration > Application Setup > System Configuration > System Settings > Global Values tab). For more information, see Global Values System Settings.
Guidelines
- By default, global.iprestriction.username.bypass.list is blank.
- After system administrators update and save global.iprestriction.username.bypass.list, to ensure the changes propagate throughout the system, they must republish the Known IP Address page as follows:
- If the IP Restriction Enforcement checkbox is enabled, deselect it, select it again, then click Save.
- If the IP Restriction Enforcement checkbox is not enabled, select it, deselect it, then click Save.
- By default, for all system account users (those created during automated tenant provisioning), IP restrictions are always automatically bypassed.
Note: For large numbers of users and system accounts, to bypass IP address restrictions in bulk using an automation API, submit a Salesforce Service Request to UKG. This is useful when you are first implementing the system setting in your environment.
When you enter a wildcard or shortcut in the Start and End fields of the Create or Edit Known IP Address glance, the full IP addresses display in the Start and End columns of the Known IP Address page.
Start (entered in Create/Edit Known IP Address glance) | End (entered in Create/Edit Known IP Address glance) | Start (displayed on Known IP Address page) | End (displayed on Known IP Address page) |
---|---|---|---|
Wildcards | | | |
10.10.10.10 | 10.*.20.240 | 10.10.10.10 | 10.255.20.240 |
254.198.10.* | 254.*.20.240 | 254.198.10.0 | 254.255.20.240 |
Shorthand | | | |
10.10.10.10/24 | NA | 10.10.10.0 | 10.10.10.255 |
10.10.10.10/15 | NA | 10.10.0.0 | 10.11.255.255 |
10.10.10.10/33 | Invalid | Invalid | Invalid |
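The expansion rules shown in the table above, written out as an added example (not UKG code) so that an entry can be checked before it is saved. Assumptions: the function names are hypothetical, a blank End reuses the expanded Start, and Start..End is treated as one contiguous numeric range when counting addresses or matching a client IP.

```python
import ipaddress

def _fill(addr, value):
    # Replace whole-octet wildcards only; "1*" stays as-is and fails validation.
    return ".".join(value if octet == "*" else octet for octet in addr.split("."))

def expand_entry(start, end=""):
    """Return the (Start, End) pair as the table shows it, or None if invalid."""
    try:
        if "/" in start:
            # Shorthand: the prefix expands to the whole block; End is not used.
            net = ipaddress.IPv4Network(start, strict=False)
            return str(net.network_address), str(net.broadcast_address)
        # Wildcards: per the table, * becomes 0 in Start and 255 in End.
        lo = ipaddress.IPv4Address(_fill(start, "0"))
        # Blank End: the page says End equals Start (assumption: the expanded Start).
        hi = ipaddress.IPv4Address(_fill(end, "255")) if end else lo
    except ValueError:
        return None  # e.g. a /33 prefix or a malformed octet
    return str(lo), str(hi)

def range_size(lo, hi):
    """Addresses covered, assuming Start..End is one contiguous numeric range."""
    return int(ipaddress.IPv4Address(hi)) - int(ipaddress.IPv4Address(lo)) + 1

def is_known(client_ip, entries):
    """True if client_ip falls inside any valid expanded entry (same assumption)."""
    ip = ipaddress.IPv4Address(client_ip)
    for start, end in entries:
        expanded = expand_entry(start, end)
        if expanded is None:
            continue  # invalid entries never match
        lo, hi = (ipaddress.IPv4Address(a) for a in expanded)
        if lo <= ip <= hi:
            return True
    return False

# Constructed sample: the rows of the table above (End left blank for shorthand).
SAMPLE = [
    ("10.10.10.10", "10.*.20.240"),
    ("254.198.10.*", "254.*.20.240"),
    ("10.10.10.10/24", ""),
    ("10.10.10.10/15", ""),
    ("10.10.10.10/33", ""),
]

if __name__ == "__main__":
    for start, end in SAMPLE:
        pair = expand_entry(start, end)
        print(start, end or "NA", "->", pair, range_size(*pair) if pair else "Invalid")
```

Under the contiguous-range assumption, the first wildcard row covers 16,059,111 addresses, so the size column is worth reading before saving an entry with a wildcard in the End field.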
If a user attempts to log in to a tenant from an IP address that is blocked, an error message displays:
You are not authorized to access this tenant. See your administrator.
If a user successfully logs in from an IP address that is allowed and then moves (or "hops") to another IP address that is blocked, the user is logged out.
Note: The system does provide a reason for the logout.
If you use the IP restriction functionality in an integrated Workforce Management (WFM) and Human Capital Management (HCM) system, be aware of the following:
- If a user logs in from an IP address that is allowed in both WFM and HCM, the user can access both WFM and HCM content.
- If a user logs in from an IP address that is allowed in WFM but blocked in HCM, the HCM content is unavailable.
- If a user attempts to log in from an IP address that is blocked in WFM and allowed in HCM, all content is unavailable.
You can run the following standard reports to provide information about changes made to the configuration page and to identify users who were denied access.
Audit Report
The Audit report can list additions, edits, and deletions made to the Known IP Address page and identify the user who made the changes. To run an Audit report that lists these changes:
- From the Main Menu, select Dataviews & Reports > Report Library.
- From the Report Library, click Run Report.
- In the Select Report panel, select Audit > Audit Report and click Select.
- In the Audit Report panel, select the following:
- Audit Types — Select Known IP Address.
- Start Date and End Date — Select dates.
- User — Enter the name of the user who made the changes.
- Output Format — Select PDF, XLSX, Interactive, or CSV.
- Click Run Report.
The report includes the following information:
- Type — Known IP Address
- Item — Not used
- Action — Create, Modify, or Delete
- Date — The date the change was made
- User IP — The IP address of the user who made the change
- User — The user who made the change
- Attribute — IP Address/Enable IP filtering
- Old Value — The value before the change
- New Value — The value after the change
Security Report
The Security report can list the users who were denied entry to the system because of blocked IPs. To run a Security Report that lists blocked users:
- From the Main Menu, select Dataviews & Reports > Report Library.
- From the Report Library, click Run Report.
- In the Select Report panel, select Audit > Security Report and click Select.
- In the Security Report panel, select the following:
- Audit Types — Select Restricted IP or Restricted IP hop and click Apply.
- Note: If you select Restricted IP, the report lists each time a user attempts to access a restricted IP. If you select Restricted IP hop, the report lists each time the user "hops" to another IP address, regardless of whether the new IP address is allowed or blocked.
- Start Date and End Date
- User — Enter the name of the user creating the report
- Output Format — Select PDF, XLSX, Interactive, or CSV.
- Click Run Report.
The report includes the following information:
- Type — Restricted IP User Login Failed
- Item — Not used
- Action — Failed
- Date — The date of the attempted login
- User IP — The IP address of the user who attempted to log in
- User — The name of the user who attempted to log in
- Comment — Not used