Security Policies

Set org-wide defaults and override per-team — re-auth windows, idle timeouts, session limits, and MFA requirements. Stricter for production, relaxed for dev.

Start Free Trial See All Features
What You Get

Org-Wide Defaults, Team-Level Overrides

Force re-authentication after configurable hours (org-wide or per-team)
Idle timeout auto-logout after inactivity (org-wide or per-team)
Limit concurrent sessions per user to prevent credential sharing
Enforce MFA for all organisation members with a single toggle
Team-level overrides — stricter policies for sensitive departments
Teams inherit org defaults unless explicitly overridden
Real-time enforcement — policy changes apply to active sessions
Full audit trail for every policy change with admin attribution
API-driven configuration for infrastructure-as-code workflows
Available on Business and Enterprise plans
Policy Engine

Security Policy Configuration

Security Policies Business+ ORGANISATION DEFAULTS Re-authentication Force re-auth every 8 hours ✓ Active — 12 users affected Idle Timeout Auto-logout after 30 min ✓ Active — applies to all sessions Max Concurrent Sessions Per-user session limit 3 ✓ Active — blocks 4th session 🔒 MFA Required Enforce for all members ✓ Enforced — 12/12 users compliant TEAM-LEVEL OVERRIDES SRE Team Stricter policies for production access Re-auth: 4h Idle: 15 min Overrides org Finance Team Uses organisation default policies Inherits org defaults AUDIT LOG 09:14:22 POLICY admin@acme.com set reauth_policy_hours=8 09:14:23 ENFORCE 12 active sessions marked for re-auth 09:15:01 OVERRIDE SRE team: reauth=4h, idle=15m 09:15:02 OK 3 SRE sessions updated with stricter policy
Deploy in Under 5 Minutes

Three Steps to Secure Access

1. Sign Up With SSO

Connect your identity provider — Okta, Azure AD, Google Workspace, or any SAML/OIDC provider. Your team logs in with existing credentials.

2. Add Your Resources

Register servers, databases, Kubernetes clusters, and web apps. Define who can access what with role-based policies.

3. Access Securely

Your team accesses resources through the browser — identity-verified, session-recorded, and audit-logged. No VPN, no exposed ports.

Goes Well With

Related Capabilities

SSH Access Management

Stop exposing SSH ports and sharing keys. OnePAM provides identity-verified browser SSH with session recording, keystroke logging, and automatic key rotation.

Secure RDP Access Management

Shared admin accounts and exposed RDP ports are the #1 Windows attack vector. OnePAM replaces them with identity-verified RDP and session recording.

VNC Remote Desktop Access

VNC ports on the internet are a breach waiting to happen. OnePAM provides browser-based VNC with SSO, MFA, and session recording.

Try Security Policies — Free for 14 Days

From signup to your first secure session in under 5 minutes. No infrastructure changes, no credit card, no sales call.

Start Free — Deploy in 5 Minutes