Security Settings

Last updated: 31 March 2026

Security settings control how users authenticate, how long sessions last, and whether role-based access control is enforced.

How to Get There

Navigate to Settings > Security.

Inactivity Lock Screen

Set how long a user can be idle before the screen locks. Options: 5, 10, 15, or 30 minutes, 1 or 2 hours, or Disabled.

When locked, users must re-authenticate using one of the allowed unlock methods:

  • Password
  • MFA (Authenticator app)
  • Google SSO
  • Microsoft SSO

At least one unlock method must remain enabled.

Automatic Logout

Set how long before an idle user is fully signed out. Options: 30 minutes, 1 hour, 2 hours, 4 hours, 8 hours, or Disabled.

This is different from the lock screen - logout requires the user to sign in again from scratch. A warning is shown if the logout timeout is shorter than the lock timeout.

Two-Factor Authentication (MFA)

Toggle to require MFA for all users in your organisation. When enabled:

  • Users without MFA set up are blocked from accessing the app until they configure it
  • An MFA Compliance Report appears showing each user's MFA status, enrolment date, and last verification
  • The overall compliance percentage is displayed

Allow SSO to bypass MFA: When enabled, you can add trusted email domains (e.g. company.com). Users signing in via Google or Microsoft from those domains skip the MFA step. Adding a domain does not grant access - users still need an invitation.

Role-Based Access Control (RBAC)

Toggle to enforce RBAC. When off, all members have full access to everything. When on, users can only perform actions allowed by their assigned roles.

A warning appears if any users have no role assigned when you enable RBAC - those users will have no permissions until a role is assigned.

Important: All security setting changes are logged in the audit log with their risk level. Review the audit log after making changes to confirm they were applied correctly.
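The checks described on this page can also be run as a review over a settings snapshot before or after a change. This is an added example, not code from the product: the snapshot layout, field names, user records and role names are assumptions constructed for illustration.

```python
# Added example: the snapshot layout and field names are assumptions,
# not an export format of the product. Timeouts are minutes; None = Disabled.
LOCK_OPTIONS = {5, 10, 15, 30, 60, 120}
LOGOUT_OPTIONS = {30, 60, 120, 240, 480}
UNLOCK_METHODS = {"password", "mfa", "google_sso", "microsoft_sso"}

def review(settings, users):
    """Return (findings, mfa_compliance_percent) for a settings snapshot."""
    findings = []
    lock, logout = settings["lock_minutes"], settings["logout_minutes"]
    if lock is not None and lock not in LOCK_OPTIONS:
        findings.append(f"lock timeout {lock} min is not an offered option")
    if logout is not None and logout not in LOGOUT_OPTIONS:
        findings.append(f"logout timeout {logout} min is not an offered option")
    # Logout firing before the lock screen is what the page's warning flags.
    if lock is not None and logout is not None and logout < lock:
        findings.append("logout timeout is shorter than lock timeout")
    if not set(settings["unlock_methods"]) & UNLOCK_METHODS:
        findings.append("no unlock method enabled")

    enrolled = sum(1 for u in users if u["mfa_enrolled"])
    compliance = round(100 * enrolled / len(users)) if users else 100
    if settings["require_mfa"]:
        findings += [f"{u['email']}: no MFA set up" for u in users if not u["mfa_enrolled"]]
        if settings["sso_bypass_mfa"]:
            findings += [f"SSO sign-ins from {d} skip the MFA step"
                         for d in settings["trusted_domains"]]
    if settings["rbac_enforced"]:
        findings += [f"{u['email']}: no role assigned, no permissions under RBAC"
                     for u in users if not u["roles"]]
    return findings, compliance

# Constructed sample data for illustration.
SAMPLE_SETTINGS = {
    "lock_minutes": 120, "logout_minutes": 30,
    "unlock_methods": ["password", "mfa"],
    "require_mfa": True, "sso_bypass_mfa": True,
    "trusted_domains": ["company.com"], "rbac_enforced": True,
}
SAMPLE_USERS = [
    {"email": "ana@company.com", "mfa_enrolled": True, "roles": ["admin"]},
    {"email": "ben@company.com", "mfa_enrolled": True, "roles": ["viewer"]},
    {"email": "cho@company.com", "mfa_enrolled": True, "roles": []},
    {"email": "dev@company.com", "mfa_enrolled": False, "roles": ["viewer"]},
]

if __name__ == "__main__":
    findings, pct = review(SAMPLE_SETTINGS, SAMPLE_USERS)
    print(f"MFA compliance: {pct}%")
    print("\n".join(findings))
```

Each finding corresponds to a rule or warning stated above; the trusted-domain line is listed so the domains that skip MFA are reviewed explicitly.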