Manage security-related settings
Configure role permissions
Required roles: Any role with access to the Administrator mode
Required permissions: None
At the organization level, click the Configurations icon.
Search for and select the Security roles setting from the Security section.
Click the name of a role.
To give or revoke permissions, select or clear the relevant checkboxes in the General tab and in the Permissions tab.
Click Save.
For more information on predefined security roles and permissions for your employees, refer to default security roles and permissions.
General settings for security roles
When you create an employee profile, you must assign a role to that employee. The employee will then have all the permissions configured for that role. Security roles determine what actions employees can perform in Zenoti.
To configure general settings for security roles, follow the instructions below.
At the organization level, click the Configuration icon and select the Security option.
To view all available roles for your business, expand the Security Roles option.
Select the required role you wish to configure from the list, for example, Therapist.
To explore all the available roles, refer to default security roles and permissions.
On the General tab of the selected role, there are multiple settings that you can configure as per your requirements. The settings are listed below:
Can access Administrator mode: To enable a specific user role to perform admin-related activities for your business, select the Can access Administrator mode checkbox.
Make two-factor authentication mandatory: To ensure specific user roles are verified by two-factor authentication via text/email/app before logging in, select the Make two-factor authentication mandatory checkbox.
Allow access to Appointment Book on: This setting enables staff to view appointments and bookings on various platforms such as the appointment book or the Zenoti mobile application. By default, providers can access their own appointments on Zenoti Mobile. For any other staff to access the appointments on the Appointment Book on Desktop or Zenoti Mobile, select the respective checkbox for Desktop and Zenoti Mobile.
A provider can see the schedule of another provider if their role has the Allow access to Appointment Book on Zenoti Mobile permission. Similarly, the schedule of other providers is visible on the Appointment Book on a desktop in a center if the Desktop checkbox is enabled. When disabled, this setting prevents a provider from seeing other providers' appointments for the day.
Can access all data outside geofence region on Zenoti Mobile and MyZen: For more information about this setting, please refer to configure access outside the geofence.
Show guest history: To enable the employee or user role to view guest history in a guest profile, enable the Show guest history checkbox. The role will then be able to view multiple tabs on the guest profile.
Show Service history only: To hide the Appointments tab on the guest profile, you must enable the Show guest history permission. The Appointments tab will appear if Show Service History Only is enabled. Selecting this option displays only limited service details in the guest profile. Only one of the two options can be selected at a time.
To display the last name of guests in mobile applications, select the Show guest last name on Zenoti Mobile and MyZen checkbox. This checkbox only appears when you select the Show Service History Only option.
After selecting the necessary options, click Save.
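The General tab settings above are easiest to reason about as an authorization decision: who may see whose schedule on which platform, and which roles combine Administrator mode with a mandatory second factor. The following Python is an added example written for this page, not Zenoti's code; the RoleSettings field names, the can_view_schedule and audit_admin_roles helpers, and the treatment of a provider's own schedule on Desktop (gated by the Desktop checkbox, which the page does not state explicitly) are assumptions.

```python
"""Role-permission checks modelled on the General tab settings of a security
role. Added example, not Zenoti code: field and function names are assumed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RoleSettings:
    name: str
    can_access_admin_mode: bool = False
    two_factor_mandatory: bool = False
    appointment_book_desktop: bool = False   # Allow access to Appointment Book on: Desktop
    appointment_book_mobile: bool = False    # Allow access to Appointment Book on: Zenoti Mobile
    show_guest_history: bool = False
    show_service_history_only: bool = False
    show_guest_last_name_on_mobile: bool = False

    def __post_init__(self):
        # The two guest-history options are mutually exclusive, and the last-name
        # option is only offered alongside "Show Service History Only".
        if self.show_guest_history and self.show_service_history_only:
            raise ValueError("select either Show guest history or Show Service history only")
        if self.show_guest_last_name_on_mobile and not self.show_service_history_only:
            raise ValueError("Show guest last name requires Show Service History Only")


def can_view_schedule(role: RoleSettings, viewer_id: str, provider_id: str,
                      platform: str) -> bool:
    """Decide whether an employee holding `role` may see `provider_id`'s
    schedule on `platform` ("desktop" or "mobile")."""
    if platform not in ("desktop", "mobile"):
        raise ValueError(f"unknown platform {platform!r}")
    # Providers always see their own appointments on Zenoti Mobile.
    if viewer_id == provider_id and platform == "mobile":
        return True
    # Everything else (assumption: including a provider's own schedule on
    # Desktop) is gated by the per-platform Appointment Book checkbox.
    if platform == "desktop":
        return role.appointment_book_desktop
    return role.appointment_book_mobile


def audit_admin_roles(roles: list[RoleSettings]) -> list[str]:
    """Least-privilege review helper: names of roles that can enter
    Administrator mode without two-factor authentication being mandatory."""
    return [r.name for r in roles
            if r.can_access_admin_mode and not r.two_factor_mandatory]
```

audit_admin_roles is the kind of check worth running after every role change: a role that can reach Administrator mode but is not forced through two-factor authentication is the gap an attacker with a phished password would use.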
Configure password rules for employees
Required roles: Any role with access to the Administrator mode
Required permissions: None
At the organization level, click the Configurations icon.
Search for and select the Password rules setting from the Security section.
Enable the settings and enter details as required.
Mandatory fields are greyed out and turned on by default. See the following table for the list of password rules.
Click Save.
The table below lists the password rules for employees along with their description and usage.
Password rule | Description |
---|---|
Enable key-in password update at employee profile | Optional. Displays the Update Password button in the employee profile. You can use this option to update employee passwords. |
Enforce minimum password length | Turned on by default. Change the minimum length. The default is 8 characters. |
Enforce maximum password length | Turned on by default. Change the maximum length. The default is 64 characters. |
Do not use common and breached passwords | Turned on by default. Do not use common passwords such as hello123 and welcome123. |
Users cannot use the last five passwords | Turned on by default. Do not use any of your previous five passwords. |
Password must contain at least one number (0-9) | Optional. Turn on this setting if you want the password to contain at least one number. Note: This setting also applies to a guest's password when a guest logs in to the Webstore. |
Password must contain at least one lowercase letter (a-z) | Optional. Turn on this setting if you want the password to contain at least one lowercase letter. |
Password must contain at least one uppercase letter (A-Z) | Optional. Turn on this setting if you want the password to contain at least one uppercase letter. |
Password must contain at least one special character (# % $ etc.) | Optional. Turn on this setting if you want the password to contain at least one special character. |
Lock account after a number of failed login attempts | Optional. Specify after how many failed login attempts, Zenoti should lock the user account. The default is 3 attempts. |
Unlock account after a specified number of minutes | Optional. Turn on this setting to unlock the account automatically after the specified number of minutes. The default is 30 minutes. For example, a user used up all login attempts at 9:30 am and Zenoti locked the user account. At 10:00 am, Zenoti automatically unlocks the user's login (assuming the setting is Unlock after 30 minutes). |
Unlock with text verification code | Optional. Turn on this setting if you want the user to be able to unlock their account using a text verification code. This code is sent to the user's registered mobile number. The user can use the code to unlock their account. The verification code is valid for 10 minutes. Note: This notification uses your text credits. |
Unlock with email verification code | Optional. Turn on this setting if you want the user to be able to unlock their account using an email verification code. This code is sent to the user's registered email address. The user can use the code to unlock their account. The verification code is valid for 10 minutes. Note: This notification uses your email credits. |
Challenge with 6-digit verification code when a new machine or browser is detected; code is sent via email | Optional. Detects login from a new machine or browser and prompts the user for a verification code. The 6-digit code is sent to the user’s registered email address. The verification code is valid for 10 mins. |
Challenge with 6-digit verification code when a new machine or browser is detected; code is sent via text | Optional. Turn on this setting if you want Zenoti to prompt the user with a verification code when it detects a new machine or a new browser during login. The 6-digit code is sent via text message to the registered mobile number. The verification code is valid for 10 mins. |
Two-factor or multi-factor authentication with the authenticator app | Optional. Turn on this setting if you want to enable two-factor authentication (2FA) or multi-factor authentication (MFA) with authenticator apps such as Google Authenticator, Microsoft Authenticator, and Authy. If you enable this setting, users must enter their regular credentials (username and password) and the verification code shown in the authenticator app to log in to Zenoti. This can be customized based on roles, job titles, and employee profiles. You can enable it for employees with access to critical information and disable it for other employees. |
Two-factor or multi-factor authentication with text verification code | Optional. Turn on this setting if you want to enable two-factor or multi-factor authentication using a text verification code. The verification code is valid for 10 minutes. This notification uses your text credits. This can be customized based on roles, job titles, and employee profiles. You can enable it for employees with access to critical information and disable it for other employees. |
Two-factor or multi-factor authentication with email verification code | Optional. Turn on this setting if you want to enable two-factor or multi-factor authentication using an email verification code. The verification code is valid for 10 minutes. This notification uses your email credits. This can be customized based on roles, job titles, and employee profiles. You can enable it for employees with access to critical information and disable it for other employees. |
Set password to expire after a specified number of days | Optional. Turn on this setting and specify the number of days after which the password will expire. The user must reset the password before the password expires. The default is 90 days. |
Remind user to change their password before password expires | Optional. Turn on this setting if you want Zenoti to remind users to change their password before the password expiry date. The default is to remind users 5 days before the date on which their password expires. Important: This setting works only for SSO-enabled organizations when an employee tries to log in to Zenoti web. |
Enable Captcha in Forgot password page | Optional. Turn on this setting if you want Zenoti to show a captcha code in the Forgot Password page. |
Add Captcha after a specified number of failed login attempts | Optional. Add a captcha code after a specified number of failed login attempts. The default is after 3 failed attempts to log in. |
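The rules in the table compose into two pieces of logic: a password validator (length bounds, common-password denylist, last-five history, optional character classes) and a lockout state machine (lock after N failures, captcha after N failures, automatic unlock after the configured window, which reproduces the 9:30 am / 10:00 am example above). The following Python is an added example written for this page, not Zenoti's code; the PasswordPolicy field names and defaults, the COMMON_PASSWORDS denylist, and the validate_password, is_locked and record_login_attempt helpers are assumptions chosen to illustrate how the listed rules interact.

```python
"""Password-rule and lockout evaluator modelled on the employee password rules
in the table above. Added example, not Zenoti code: policy field names, the
denylist and all functions are assumptions for illustration."""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed denylist standing in for the product's common/breached-password list.
COMMON_PASSWORDS = {"hello123", "welcome123", "password", "12345678"}


@dataclass
class PasswordPolicy:
    """Defaults follow the table: 8-64 characters, last five passwords unusable,
    lock after 3 failures, auto-unlock after 30 minutes, captcha after 3 failures."""
    min_length: int = 8
    max_length: int = 64
    reject_common: bool = True
    history_size: int = 5
    require_digit: bool = False
    require_lower: bool = False
    require_upper: bool = False
    require_special: bool = False
    max_failed_attempts: int = 3
    unlock_after: timedelta = timedelta(minutes=30)
    captcha_after_failures: int = 3


def password_digest(password: str) -> str:
    """Digest used only for the reuse check. A production store would hold a
    salted, slow password hash (argon2 or bcrypt), not plain SHA-256."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def validate_password(policy: PasswordPolicy, candidate: str,
                      history: list[str]) -> list[str]:
    """Return the names of every rule the candidate violates (empty = accepted).
    `history` holds digests of earlier passwords, oldest first."""
    violations = []
    if len(candidate) < policy.min_length:
        violations.append("min_length")
    if len(candidate) > policy.max_length:
        violations.append("max_length")
    if policy.reject_common and candidate.lower() in COMMON_PASSWORDS:
        violations.append("common_password")
    if password_digest(candidate) in history[-policy.history_size:]:
        violations.append("reused_recent_password")
    if policy.require_digit and not any(c.isdigit() for c in candidate):
        violations.append("needs_digit")
    if policy.require_lower and not any(c.islower() for c in candidate):
        violations.append("needs_lower")
    if policy.require_upper and not any(c.isupper() for c in candidate):
        violations.append("needs_upper")
    if policy.require_special and all(c.isalnum() for c in candidate):
        violations.append("needs_special")
    return violations


@dataclass
class AccountState:
    failed_attempts: int = 0
    locked_at: Optional[datetime] = None


@dataclass(frozen=True)
class LoginDecision:
    allowed: bool
    locked: bool
    captcha: bool   # the UI should demand a captcha on the next attempt


def is_locked(policy: PasswordPolicy, state: AccountState, now: datetime) -> bool:
    """A lock expires on its own once `unlock_after` has elapsed."""
    return state.locked_at is not None and now < state.locked_at + policy.unlock_after


def record_login_attempt(policy: PasswordPolicy, state: AccountState,
                         success: bool, now: datetime) -> LoginDecision:
    """Apply one login attempt to the account and report what the UI must do."""
    if is_locked(policy, state, now):
        return LoginDecision(allowed=False, locked=True, captcha=True)
    if state.locked_at is not None:          # lock window has elapsed: reset
        state.locked_at = None
        state.failed_attempts = 0
    if success:
        state.failed_attempts = 0
        return LoginDecision(allowed=True, locked=False, captcha=False)
    state.failed_attempts += 1
    captcha = state.failed_attempts >= policy.captcha_after_failures
    if state.failed_attempts >= policy.max_failed_attempts:
        state.locked_at = now
        return LoginDecision(allowed=False, locked=True, captcha=captcha)
    return LoginDecision(allowed=False, locked=False, captcha=captcha)
```

Two design points carry over to any real implementation: the history check compares digests rather than plaintext so old passwords never need to be stored, and the lock is expressed as a timestamp plus window rather than a boolean, so expiry needs no background job and the 30-minute unlock is checked at the moment of the next attempt.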
Configure country-level access restrictions
Enhance security by specifying the countries where your business operates. Zenoti's security protocols only grant employees access when they log in from these countries. This helps you control employee login based on location.
Required roles: Any role with access to the Administrator mode
Required permissions: None
At the organization level, click the Configurations icon.
Search for and select Country restrictions setting from the Security section.
Turn on Enable country restrictions.
Select the countries from where you want to allow users to access the Zenoti web application.
Click Save.
Configure other security-related settings
You can configure security settings to automatically log out inactive users after a certain amount of time or lock employee accounts and exit users out of the PIN mode after a number of failed login attempts.
At the organization level, click the Configurations icon.
Search for and select Logout inactive users after.
From the dropdown list, select the number of minutes or hours of inactivity after which you want Zenoti to log out inactive users.
Click Save.
At the organization level, click the Configurations icon.
Search for and select Lock employee account and exit PIN mode after a specified number of failed login attempts.
Enable the setting.
In the Lock account and exit PIN mode after how many failed login attempts? box, enter the number of failed attempts after which the account is automatically locked.
Click Save.