[{"data":1,"prerenderedAt":868},["ShallowReactive",2],{"guide:en:system-settings":3},{"id":4,"title":5,"body":6,"description":860,"extension":861,"meta":862,"navigation":863,"path":864,"seo":865,"stem":866,"__hash__":867},"guide_en/en/user/system-settings/index.md","System Settings — Application Configuration and Security",{"type":7,"value":8,"toc":843},"minimark",[9,14,28,33,36,41,44,66,70,73,96,100,103,117,121,124,129,143,146,150,161,170,173,177,182,199,204,224,229,246,251,267,271,276,289,294,311,316,333,338,354,358,363,379,384,400,405,413,417,422,436,441,454,459,462,540,543,610,614,623,627,632,643,648,659,664,679,684,698,703,714,719,733,738,752,756,762,773,779,799,805,819,825,839],[10,11,13],"h1",{"id":12},"system-settings","System Settings",[15,16,17,18,22,23,27],"p",{},"System settings control application-wide behaviour — who can register, how long sessions last, how long deleted records are retained, and what permissions new users start with. Settings are managed at ",[19,20,21],"strong",{},"Admin → App Settings"," and require the ",[24,25,26],"code",{},"appSettingSchemasModify"," admin right.",[29,30,32],"h2",{"id":31},"security-architecture","Security Architecture",[15,34,35],{},"Aptli uses a four-layer security model with server-side rendering (SSR) enforcement:",[37,38,40],"h3",{"id":39},"layer-1-authentication","Layer 1: Authentication",[15,42,43],{},"Who you are - verifies user identity before access.",[45,46,47,51,54,57,60,63],"ul",{},[48,49,50],"li",{},"Password-based login (with complexity requirements)",[48,52,53],{},"OAuth providers (GitHub, Google)",[48,55,56],{},"Two-factor authentication (TOTP)",[48,58,59],{},"Email validation required",[48,61,62],{},"Session management with expiry",[48,64,65],{},"Hard lock after failed attempts",[37,67,69],{"id":68},"layer-2-admin-rights-permissive","Layer 2: Admin Rights (Permissive)",[15,71,72],{},"What you CAN modify - explicit permission grants.",[45,74,75,78,90,93],{},[48,76,77],{},"Create/update/delete 
permissions per model",[48,79,80,81,83,84,83,87],{},"Super rights (these control the permission system itself — grant them sparingly and review their use in the audit trail): ",[24,82,26],{},", ",[24,85,86],{},"adminRightsModify",[24,88,89],{},"viewDeleted",[48,91,92],{},"Scoped to actions (can create but not delete)",[48,94,95],{},"Default: View-only access",[37,97,99],{"id":98},"layer-3-role-restrictions-restrictive","Layer 3: Role Restrictions (Restrictive)",[15,101,102],{},"What you CANNOT see - field-level data filters.",[45,104,105,108,111,114],{},[48,106,107],{},"Model + field + comparison + value filters",[48,109,110],{},"Applied server-side before database query",[48,112,113],{},"Cannot be bypassed via direct API calls or exports — the filtered data never reaches the client, so it cannot appear in screenshots either",[48,115,116],{},"Multiple restrictions combine (AND logic)",[37,118,120],{"id":119},"layer-4-server-side-enforcement","Layer 4: Server-Side Enforcement",[15,122,123],{},"Restrictions are enforced on the server — unauthorized data is never sent to your browser.",[15,125,126],{},[19,127,128],{},"Why this matters:",[45,130,131,137],{},[48,132,133,136],{},[19,134,135],{},"Client-side filtering:"," Data sent to browser, hidden with JavaScript (bypassable via dev tools)",[48,138,139,142],{},[19,140,141],{},"Server-side filtering:"," Data never sent to unauthorized users (secure)",[15,144,145],{},"Aptli enforces all filters on the server — unauthorized data never reaches the client.",[29,147,149],{"id":148},"application-settings","Application Settings",[15,151,152,157],{},[153,154],"img",{"alt":155,"src":156},"App Settings Overview","/guide/system-settings/app-settings-overview.png",[158,159,160],"em",{},"Application settings page showing configuration options and security parameters",[15,162,163,166,167,169],{},[19,164,165],{},"Access Required:"," ",[24,168,26],{}," admin right",[15,171,172],{},"Navigate to: Admin → App Settings",[37,174,176],{"id":175},"authentication-settings","Authentication Settings",[15,178,179],{},[19,180,181],{},"Allowed Domains:",[45,183,184,187,193,196],{},[48,185,186],{},"List of email domains that can register 
accounts",[48,188,189,190],{},"Example: ",[24,191,192],{},"[\"company.com\", \"contractor.com\"]",[48,194,195],{},"Only emails from these domains can sign up; the address must still pass email validation, because the domain allowlist alone does not prove the registrant controls that mailbox",[48,197,198],{},"Default: Your deployment domain",[15,200,201],{},[19,202,203],{},"Allow Registration:",[45,205,206,212,218],{},[48,207,208,211],{},[24,209,210],{},"true"," - Users can self-register if domain matches",[48,213,214,217],{},[24,215,216],{},"false"," - Admin must manually create accounts",[48,219,220,221,223],{},"Default: ",[24,222,216],{}," (controlled access)",[15,225,226],{},[19,227,228],{},"Active Login Methods:",[45,230,231,234,237,240,243],{},[48,232,233],{},"Username/Password (checkbox)",[48,235,236],{},"GitHub OAuth (checkbox)",[48,238,239],{},"Google OAuth (checkbox)",[48,241,242],{},"At least one method must be enabled",[48,244,245],{},"Default: Username/Password only",[15,247,248],{},[19,249,250],{},"Require Two-Factor Authentication:",[45,252,253,258,263],{},[48,254,255,257],{},[24,256,210],{}," - All users must enable 2FA (grace period configurable)",[48,259,260,262],{},[24,261,216],{}," - 2FA optional",[48,264,220,265],{},[24,266,216],{},[37,268,270],{"id":269},"session-security","Session Security",[15,272,273],{},[19,274,275],{},"Max Login Attempts:",[45,277,278,281,284],{},[48,279,280],{},"Number of failed logins before the account is hard-locked. A hard lock is also a denial-of-service vector — anyone who knows a username can exhaust the counter — so keep the failed-login alerting described under Monitoring in place",[48,282,283],{},"Valid range: 3-10 attempts",[48,285,220,286],{},[24,287,288],{},"5",[15,290,291],{},[19,292,293],{},"Automatic Logout Time:",[45,295,296,299,302,305],{},[48,297,298],{},"Inactivity timeout in seconds",[48,300,301],{},"Reading/writing data resets countdown",[48,303,304],{},"Valid range: 3600 (1 hour) - 604800 (7 days)",[48,306,220,307,310],{},[24,308,309],{},"86400"," (1 day)",[15,312,313],{},[19,314,315],{},"Server Session Timeout:",[45,317,318,321,324,327],{},[48,319,320],{},"Server session timeout in minutes (note the unit: this setting is in minutes, whereas Automatic Logout Time is in seconds)",[48,322,323],{},"Forces re-login regardless of activity",[48,325,326],{},"Valid range: 1 hour - 4 
weeks",[48,328,220,329,332],{},[24,330,331],{},"10080"," (1 week)",[15,334,335],{},[19,336,337],{},"Session Expiry:",[45,339,340,343,346,349],{},[48,341,342],{},"Absolute maximum session duration",[48,344,345],{},"Aligns with CSRF token for single-device users",[48,347,348],{},"Multi-device users may have different expirations",[48,350,220,351,353],{},[24,352,331],{}," minutes (1 week)",[37,355,357],{"id":356},"data-retention","Data Retention",[15,359,360],{},[19,361,362],{},"Soft Delete Retention:",[45,364,365,368,371,376],{},[48,366,367],{},"How long soft-deleted records stay in database",[48,369,370],{},"Options: 30 days, 90 days, 1 year, indefinite (indefinite keeps soft-deleted user records forever — check this against erasure obligations such as GDPR before choosing it)",[48,372,220,373],{},[24,374,375],{},"90 days",[48,377,378],{},"Applies to assignments, reports, users, features (when deletedAt set)",[15,380,381],{},[19,382,383],{},"Version Compression Schedule:",[45,385,386,389,392,397],{},[48,387,388],{},"How often to compress old feature versions",[48,390,391],{},"Options: Weekly, Monthly, Quarterly",[48,393,220,394],{},[24,395,396],{},"Monthly",[48,398,399],{},"Compressed versions still reconstructible (lossless compression)",[15,401,402],{},[19,403,404],{},"Transaction History:",[45,406,407,410],{},[48,408,409],{},"Inventory transactions never deleted (immutable audit trail)",[48,411,412],{},"Can be archived to separate database (advanced configuration)",[37,414,416],{"id":415},"new-user-defaults","New User Defaults",[15,418,419],{},[19,420,421],{},"Roles for New Users:",[45,423,424,427,430],{},[48,425,426],{},"Array of role IDs auto-assigned",[48,428,429],{},"Empty array = no automatic restrictions (role restrictions are the only field-level filters, so a user with no role sees every field their admin rights allow until an admin assigns one)",[48,431,220,432,435],{},[24,433,434],{},"[]"," (admin assigns manually)",[15,437,438],{},[19,439,440],{},"Admin Rights for New Users:",[45,442,443,446,449],{},[48,444,445],{},"Array of permission right strings",[48,447,448],{},"Empty array = view-only access",[48,450,220,451,453],{},[24,452,434],{}," (no write permissions)",[15,455,456],{},[19,457,458],{},"Example 
Configurations:",[15,460,461],{},"Field Worker Defaults:",[463,464,469],"pre",{"className":465,"code":466,"language":467,"meta":468,"style":468},"language-json shiki shiki-themes material-theme-lighter material-theme material-theme-palenight","{\n  \"roles\": [\"field_worker_role_id\"],\n  \"adminRights\": [\"reportsCreate\"]\n}\n","json","",[24,470,471,480,510,534],{"__ignoreMap":468},[472,473,476],"span",{"class":474,"line":475},"line",1,[472,477,479],{"class":478},"sMK4o","{\n",[472,481,483,486,490,493,496,499,501,505,507],{"class":474,"line":482},2,[472,484,485],{"class":478},"  \"",[472,487,489],{"class":488},"spNyl","roles",[472,491,492],{"class":478},"\"",[472,494,495],{"class":478},":",[472,497,498],{"class":478}," [",[472,500,492],{"class":478},[472,502,504],{"class":503},"sfazB","field_worker_role_id",[472,506,492],{"class":478},[472,508,509],{"class":478},"],\n",[472,511,513,515,518,520,522,524,526,529,531],{"class":474,"line":512},3,[472,514,485],{"class":478},[472,516,517],{"class":488},"adminRights",[472,519,492],{"class":478},[472,521,495],{"class":478},[472,523,498],{"class":478},[472,525,492],{"class":478},[472,527,528],{"class":503},"reportsCreate",[472,530,492],{"class":478},[472,532,533],{"class":478},"]\n",[472,535,537],{"class":474,"line":536},4,[472,538,539],{"class":478},"}\n",[15,541,542],{},"Office Coordinator Defaults:",[463,544,546],{"className":465,"code":545,"language":467,"meta":468,"style":468},"{\n  \"roles\": [],\n  \"adminRights\": [\"assignmentsCreate\", \"ordersCreate\", \"stockItemsView\"]\n}\n",[24,547,548,552,565,606],{"__ignoreMap":468},[472,549,550],{"class":474,"line":475},[472,551,479],{"class":478},[472,553,554,556,558,560,562],{"class":474,"line":482},[472,555,485],{"class":478},[472,557,489],{"class":488},[472,559,492],{"class":478},[472,561,495],{"class":478},[472,563,564],{"class":478}," 
 [],\n",[472,566,567,569,571,573,575,577,579,582,584,587,590,593,595,597,599,602,604],{"class":474,"line":512},[472,568,485],{"class":478},[472,570,517],{"class":488},[472,572,492],{"class":478},[472,574,495],{"class":478},[472,576,498],{"class":478},[472,578,492],{"class":478},[472,580,581],{"class":503},"assignmentsCreate",[472,583,492],{"class":478},[472,585,586],{"class":478},",",[472,588,589],{"class":478}," \"",[472,591,592],{"class":503},"ordersCreate",[472,594,492],{"class":478},[472,596,586],{"class":478},[472,598,589],{"class":478},[472,600,601],{"class":503},"stockItemsView",[472,603,492],{"class":478},[472,605,533],{"class":478},[472,607,608],{"class":474,"line":536},[472,609,539],{"class":478},[29,611,613],{"id":612},"self-hosted-deployment","Self-Hosted Deployment",[15,615,616,617,622],{},"For self-hosted deployment instructions, see the ",[618,619,621],"a",{"href":620},"/sysadmin/deployment","System Administrator Guide",".",[29,624,626],{"id":625},"security-best-practices","Security Best Practices",[15,628,629],{},[19,630,631],{},"SSL/TLS Required:",[45,633,634,637,640],{},[48,635,636],{},"Use HTTPS in production (not HTTP)",[48,638,639],{},"Free certificates: Let's Encrypt",[48,641,642],{},"Redirect all HTTP connections to HTTPS and enable HSTS so browsers stop retrying plain HTTP",[15,644,645],{},[19,646,647],{},"Firewall Configuration:",[45,649,650,653,656],{},[48,651,652],{},"Allow: HTTPS (443) from anywhere; SSH (22) only from administrator IP addresses or the VPN",[48,654,655],{},"Deny: database ports from the public internet",[48,657,658],{},"Restrict: Admin pages to VPN or IP allowlist",[15,660,661],{},[19,662,663],{},"Session Security:",[45,665,666,669,672],{},[48,667,668],{},"Session signing keys should be long, random, and rotated quarterly (rotating the key will normally invalidate every active session, so schedule it in a maintenance window)",[48,670,671],{},"Use short session expiry in high-security environments",[48,673,674,675,678],{},"See the ",[618,676,677],{"href":620},"Deployment Guide"," for server-side session configuration",[15,680,681],{},[19,682,683],{},"Database Security:",[45,685,686,689,692,695],{},[48,687,688],{},"Database 
authentication enabled",[48,690,691],{},"Dedicated least-privilege database user for the application (not root)",[48,693,694],{},"Encrypted database connections (TLS with server certificate verification, so the connection cannot be intercepted)",[48,696,697],{},"Regular backups (automated, tested restoration)",[15,699,700],{},[19,701,702],{},"OAuth Secrets:",[45,704,705,708,711],{},[48,706,707],{},"Store in environment variables (not in code)",[48,709,710],{},"Rotate quarterly",[48,712,713],{},"Revoke unused OAuth apps",[15,715,716],{},[19,717,718],{},"File Upload Security:",[45,720,721,724,727,730],{},[48,722,723],{},"File scanning enabled in production",[48,725,726],{},"File size limits enforced",[48,728,729],{},"Allowed file types restricted (validate by file content, not only the extension or the client-supplied MIME type)",[48,731,732],{},"Storage quarantine for suspicious files",[15,734,735],{},[19,736,737],{},"Monitoring:",[45,739,740,743,746,749],{},[48,741,742],{},"Failed login attempts and account hard-locks (detect brute force, and deliberate lock-outs of known usernames)",[48,744,745],{},"Authorization failures (detect unauthorized access attempts)",[48,747,748],{},"Unusual API usage patterns",[48,750,751],{},"Database connection failures",[29,753,755],{"id":754},"compliance-considerations","Compliance Considerations",[15,757,758,761],{},[19,759,760],{},"Data Residency:","\nSelf-hosted mode allows control of data location:",[45,763,764,767,770],{},[48,765,766],{},"Host in specific geographic region",[48,768,769],{},"Meet regulatory requirements (GDPR, HIPAA, etc.)",[48,771,772],{},"Control data access physically",[15,774,775,778],{},[19,776,777],{},"Audit Trail:","\nAptli maintains audit trails for:",[45,780,781,784,787,790,793,796],{},[48,782,783],{},"Authentication attempts (success/failure)",[48,785,786],{},"Admin right usage (who modified what)",[48,788,789],{},"Role restriction changes",[48,791,792],{},"Transaction history (inventory movements)",[48,794,795],{},"Version history (feature changes)",[48,797,798],{},"Soft deletes (who deleted what, when)",[15,800,801,804],{},[19,802,803],{},"Data Export:","\nAll data exportable for compliance:",[45,806,807,810,813,816],{},[48,808,809],{},"CSV export for non-geo 
data",[48,811,812],{},"GeoJSON export for features (via the Data Transfer button on the map toolbar)",[48,814,815],{},"Transaction reports (inventory audit)",[48,817,818],{},"User access logs",[15,820,821,824],{},[19,822,823],{},"Data Retention:","\nConfigurable retention policies:",[45,826,827,830,833,836],{},[48,828,829],{},"Soft delete retention period",[48,831,832],{},"Version compression (lossless)",[48,834,835],{},"Transaction history (immutable - never deleted)",[48,837,838],{},"Audit logs (configurable archival)",[840,841,842],"style",{},"html pre.shiki code .sMK4o, html code.shiki .sMK4o{--shiki-light:#39ADB5;--shiki-default:#89DDFF;--shiki-dark:#89DDFF}html pre.shiki code .spNyl, html code.shiki .spNyl{--shiki-light:#9C3EDA;--shiki-default:#C792EA;--shiki-dark:#C792EA}html pre.shiki code .sfazB, html code.shiki .sfazB{--shiki-light:#91B859;--shiki-default:#C3E88D;--shiki-dark:#C3E88D}html .light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html.light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: 
var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}",{"title":468,"searchDepth":482,"depth":482,"links":844},[845,851,857,858,859],{"id":31,"depth":482,"text":32,"children":846},[847,848,849,850],{"id":39,"depth":512,"text":40},{"id":68,"depth":512,"text":69},{"id":98,"depth":512,"text":99},{"id":119,"depth":512,"text":120},{"id":148,"depth":482,"text":149,"children":852},[853,854,855,856],{"id":175,"depth":512,"text":176},{"id":269,"depth":512,"text":270},{"id":356,"depth":512,"text":357},{"id":415,"depth":512,"text":416},{"id":612,"depth":482,"text":613},{"id":625,"depth":482,"text":626},{"id":754,"depth":482,"text":755},"Configure application-wide settings: authentication methods, session timeouts, data retention policies, new-user defaults, and security best practices for your Aptli installation.","md",{},true,"/en/user/system-settings",{"title":5,"description":860},"en/user/system-settings/index","60pVBMcOocT5dN90CiH2MpzhAlT84blohruzO8sgzeM",1776295546621]