1. Security
  2. Security Features
  3. Configuring and Using Authentication
  4. Authentication by OpenAir
  5. IP Restriction

IP Restriction

An optional feature can be used to restrict access to the OpenAir account to specific IP addresses. This includes access to your OpenAir account using the OpenAir UI, OpenAir API, or any client application utilizing the API to exchange information with your OpenAir account.

This optional feature lets you store authorized IP addresses on the employee record for each user. You can allow single IP addresses or network ranges, using an explicit range or subnet mask. The IP Restriction feature may be used to ensure users can only access your OpenAir account if they are connected to your company's physical network or VPN, for example.

You can extend the IP Restriction feature to check for IP address changes with every API request. In this case, if the IP address of the authenticated user's device changes and the new IP address is not in the IP address allowlist for this user, API requests return an error, and client applications utilizing the API can no longer exchange information with your OpenAir account.

Note:

Client applications utilizing OpenAir API include:

  • OpenAir Mobile.

  • Other add-on services supplied by OpenAir (Integration Manager, Exchange Integration Manager, Projects Connector, Outlook Connector, OffLine).

  • Any bespoke integration utilizing the REST API, SOAP API, or XML API.

If the IP address of the authenticated user's device changes and the new IP address is not in the IP address allowlist for this user, the user can continue using the OpenAir UI normally until the user signs out or the session times out. This is true whether the user is accessing the OpenAir UI as a standalone application, or within NetSuite using the Single Sign-On integration feature.

Contact OpenAir Customer Support to enable the IP Restriction feature or the IP Restriction Check for IP Change feature extension.

After the feature is enabled, you will need to create a custom field login_ip_address associated with the Employee record to store the authorized IP addresses for individual users.

To restrict access to specific IP addresses for an employee:

  1. Create a text area custom field for Employee records. See Creating and Modifying Custom Fields.

    Use the following details:

    • Add a custom field to: Employee

    • Type of field to add: Text area

    • Field name: login_ip_address

    • Display name: Authorized IP Addresses (you can use any appropriate display name )

  2. Go to Administration > Global Settings > Employee > [Select an Employee] > Demographic.

  3. Locate the Authorized IP Addresses custom field. If you used a different display name for the custom field, locate the display name on the form.

  4. Enter one or more IP address(es) separated by commas in the text field. The following address descriptions are accepted:

    • A single IP address — Example: 209.202.151.4

    • A network range using a netmask — Example: 209.202.151.0/24

    • An explicit network range — Example: 209.202.151.4 - 209.202.151.10

  5. Click Save.

Tip:

You can use the bulk employee change wizard to copy the value of the login_ip_address field to other user records in your OpenAir account.

See Making Changes to Multiple Employee Records at the Same Time.