Security settings
Turn on authentication and view Audit and Org logs.Articles
Set up Microsoft single sign-on (SSO)
You can let users sign into Kustomer using their Microsoft account. With Microsoft Single Sign On, you can use Microsoft's infrastructure (via Azure Cloud) as an authorization source and ensure that your Kustomer data is kept safe. Our security policy lets you manage sign-on requirements in settings and restrict sign in permissions to a Microsoft account only.This allows you to use Microsoft as the single main repository for user administration and authorization. If you already have an active directory, you can link it up to Azure, which makes it easier for organizations that are already integrated with Microsoft to start using Kustomer. For more information on the OpenID Connect and OAuth 2.0 protocols used by Microsoft to implement authentication and authorization, see their article.Who can access this feature?User typesAdmins can access the Security page.To turn on Microsoft Single Sign On:Go to Settings > Security > Authentication.Turn on the toggle for Microsoft Single Sign On.Once this setting is turned on, members in your organization will have the option of selecting Sign in with Microsoft on the sign in page.They will be taken directly to the Microsoft login page where they can enter their Microsoft credentials.You can also choose to only allow Microsoft Sign in by turning off the Kustomer toggle in the Authentication page. If you turn the Kustomer option off, members in your organization will only be able to sign in to Kustomer using their Microsoft account.Set up Google single-sign on (SSO)
Our Google Login uses the Sign in with Google process that you already trust to keep your customer data even safer. Our security policy lets you manage sign-on requirements in settings and restrict login permissions to Google login only.Who can access this feature?User typesAdmins can access the Security page.To configure the Google Login in your Kustomer organization, go to Settings > Security > Authentication, and turn on the Google Single Sign On option.After you turn this setting on, team members can sign in to your Kustomer organization with Google by selecting the Sign in with Google button.You can also choose to only allow google sign in, by turning the Kustomer setting off. In this case, your team members will only be able to sign in to Kustomer by clicking the Sign in with Google button.API keys
Integrations play a crucial role in utilizing Kustomer to its fullest potential. Many integrations and apps use API keys (also known as API tokens) to authorize Kustomer to send and receive data with external platforms. Your team can set the specificity of permissions on API keys used on integrations between Kustomer and third-party vendors, be they external or internal to your system.Who can access this feature?User typesAdmins can access the API keys settings page. Custom permission sets can grant Security permissions to let other users access the page.In this articleCreate an API keyBest practicesCommon API rolesCreate an API keyAdmins and other users with Security permissions can create and manage API keys from the Kustomer Settings.To create a new API key:Go to Settings > Security > API Keys. Select Add API Key.A popup will appear to edit your new API key. Start by giving the new API key a name. We always recommend using clear and illustrative names so that it's easy to know what function this API key performs if another member of your team reviews it later.Under Roles, select the roles required for your integration. You can select multiple values.In the Expires menu, select the number of days that the API key should remain valid before it expires.As an optional final step, you can enter a value in the CIDR IP Restriction box. This box restricts access to a token when outside of certain networks.Once satisfied with your selections, select Create to finish creating the new key.On the confirmation screen, you'll be shown your new key. For security reasons, this is your only chance to copy the key. Select Copy Token to copy the hash to your clipboard.You can now add the API key to your app integration.Best practicesWhen using API keys, keep the following in mind:Tokens cannot be copied from the grid, they can only be copied when created. If you'd like to reference the API Key again, please copy and paste the API Key in a secure text editor.API keys cannot be edited, only deleted.A deleted token cannot be used to make requests to and from Kustomer.It's important to be as specific as possible when naming the API key since your team may use dozens of tokens along the way.When selecting roles, be mindful of what permissions are necessary for this token. For example, if you'd like to create customers from your admin portal, you can create a token with just org.user.customer.write .When setting the days until the token expires, consider when a particular vendor or integration will need the token, such as a few days, weeks, or months. For e-commerce integrations such as Shopify, it may be necessary to set the token never to expire to avoid potential data loss if orders stop coming in due to key expiration.The CIDR IP Restriction field should primarily be used for internal integrations. This token should only be used on a protected network like an internal admin portal. If needed, please consult with your engineering team to get the address.Common API rolesHundreds of API roles (or scopes) are available in Kustomer. This table contains a partial list of some of the most commonly used roles for API keys and app integrations.API rolesDescriptionorg.user.setting.readView settings for users.org.admin.setting.writeUpdate organization-wide settings.org.permission.setting.readView settings for users.org.permission.setting.updateUpdate settings for users.org.permission.customer.readView customers.org.permission.customer.createCreate customers.org.permission.customer.updateUpdate customers.org.permission.message.readView messages.org.permission.message.createCreate messages.org.permission.message.updateUpdate messages.org.permission.conversation.readView conversations.org.permission.conversation.createCreate conversations.org.permission.conversation.updateUpdate conversations.org.permission.team.readView teams.org.permission.team.createCreate teams.org.permission.team.updateUpdate teams.org.permission.user.readView users.org.permission.user.createCreate users.org.permission.user.updateUpdate users.org.permission.kobject.readView KObjects/custom objects.orb.permission.kobject.createCreate KObjects/custom objects.Audit logs
The audit log is designed to help organizations track changes made by users and system automations across their customers. The level of detail provided can help triage changes that may have happened, such as conversation assignment changes. The logs also store previous attribute data, so if something is mistakenly updated, you can see the previous data entry and reenter it.The audit logs will help developers identify which workflows, business rules, or API requests made updates. They will also track when a user signs in and when one of those sign-ins might have failed. This helps identify suspicious activity that may prompt you to reset passwords.The audit log also tracks any changes made to your Search or Shortcut settings, allowing you to troubleshoot sudden, unexpected behavior in either area. Who can access this feature?User typesAdmins can access full audit log features. Users can access Customer and Conversation logs.In this articleUnderstand the audit logWhat is tracked in the audit log?Understand the audit logThe audit log provides a way to track user activity within your organization and can be accessed in various ways.The audit log consists of the following columns:Performed ByShows the User or System Automation which took the action. System Automations are workflows, business rules, queue router, or APIs. DateThe date and time the event took place.EventThe type of change tracked, such as Update, Create, or Login.SectionThe standard object or setting that was updated.PropertyThe specific attribute that was changed. For example, this could be Assigned Users, Status, Name, Email Address, or Tags.Before & AfterThe specific attribute information that changed on an object. For example, these columns could show that a conversation status went from Open to Done.Note: You can see more details about what was changed in the criteria or action by hovering over the Before and After columns.What is tracked in the audit log?The audit log tracks various areas throughout Kustomer's platform. For more information on how long your data is stored, see Audit log storage limits.AreaWhat is trackedConversationsWhen a conversation is created or deleted.Any updates made to the following attributes in an existing conversation:NameThe reason a conversation was endedTagsAssigned Teams and UsersDefault LanguageAssistantStatus, including SnoozePriorityAny custom attributesIf a conversation was merged and includes the name of the conversation that it was merged into.If a conversation's SLA is breached.CustomersWhen a customer is created or deleted.Any updates made to the following attributes in an existing customer:Name and user nameAvatarEmail addresses and phone numbersURLsLocation and timezoneBirthday and genderTagsDefault languageCompany External IDWhen they signed upSocial media and Facebook IDAny custom attributesCompaniesWhen a company is created.Any updates made to the following attributes in an existing company:OrgNameExternal IDCompany avatarEmails, phone numbers, and social mediaURLsLocation and domainEmployee countTagsDeletions and importsDefault LanguageAny custom attributesKustomer VoiceIf a voice recording was deletedIf a conversation contacts a voice recordingMessagesWhen a message is created or updated.If and when a message is redacted.Business rulesIf a business rule is turned on or off.Editing a business rule's name or description.Changing the trigger or criteria.Setting the actions a business rule takes.When business rules are created or deleted.RoutingWhen an agent goes offline/online.The status an agent switches to.If an agent switches to a status that allows them to get routed conversations.An agent's remaining capacity.When an item enters a queue.Who accepted the conversation.The user or team that's assigned a conversation.The queue a conversation is in.The queue rule was applied to that conversation.If a conversation is a voice conversation (noted as IVR).SatisfactionWhen a survey was scheduled, offered, rated, and commented on.ShortcutsWhen a shortcut applies an action in a conversationWhen a shortcut is used to create a new message in a conversationShortcut settings pageWhen a shortcut is created.Edits made to a shortcut's name or message.Changing its share access and any shared users or teams.Setting any actions the shortcut takes on a conversation.If a shortcut is deleted.Saved SearchesChanges to its criteria.Search settings pageUpdates to a searches name.Turning on a badge or changing its color.Changing its icon.Changes to that searches default, user, or team visibility.Adding or removing a column.Team PulseIf an admin changes an agent's status in the Team Pulse chart.User loginsIf a user's log in attempt was successful or failed.If a user has been locked out of the platform.WorkflowsWhen a workflow is created.Editing a workflow's name or description.Changing its triggers or any variables it contains.Turning a workflow on or off.Org Logging
While it is important to understand when your system is healthy, it's just as important to understand when it is not. Org Logging is a tool that notifies you of errors in your Kustomer organization and recommends next steps on how to fix them.This feature currently monitors the following app integrations:FacebookGmailTwitterWhatsApp by TwilioIf you have any of these integrations configured and do not see the Org Logging dashboard, please contact us at support@kustomer.com.Who can access this feature?User typesAdmins can access this feature.In this articleThe Org Logging dashboardConfigure notification recipientsOrg Logging email notificationsThe Org Logging dashboardThe Org Logging dashboard contains a list of your organization's most recent org logging notifications. Errors are ordered chronologically from newest to oldest. You can use the Search and Date Range fields as filters to narrow the list of errors.When applicable, a logged error may contain a link to open the relevant app settings page where you can resolve the issue. Select the red link icon to jump to the app to take further action.Configure notification recipientsOrg Logging will send notifications to up to 5 email addresses which you can specify in the Org Logging settings.Note: The Org Owner will receive the notifications if you don't specify any email addresses. Adding at least one email address to the recipient's list will notify the specified individuals instead.To add notification recipients:In Kustomer, go to Settings > Security > Org Logging.Select the Notifications tab.Enter the email addresses of those who will receive error notifications.Select Save Changes.Org Logging email notificationsIf an error occurs, the notification recipients will receive an email alert. The email contains the alert's name, what we think may have caused it, and a link to the Org Logging dashboard in Kustomer, where you can take further action.Access your audit logs
The audit log tracks changes in the Kustomer platform done by users and system automations. You can access an audit log for a specific customer, conversation, or for the workspace as a whole. To learn more about what is being tracked, please see Audit Logs.Who can access this feature?User typesAdmins can access full audit log features. Agents can access Customer and Conversation logs.In this articleView a specific customer's audit logView a conversation's audit logView the workspace audit logFilter the audit logView a specific customer's audit logAccessing the audit log from the customer will show all events that have occurred on that specific customer.To view the audit log for a specific customer:Navigate to their timeline.Select Customer Optionsand then select View Audit Log.View a conversation's audit logAccessing the audit log from a conversation will show all events that have occurred on that specific conversation and includes CSAT events such as, how a survey was answered.To view the audit log for a specific conversation:Navigate to the conversation.Select Conversation Optionsand then select View Audit Log.View the workspace audit logAccessing the audit log for your workspace allows you to view and search events across all customer and conversations objects, as well as any changes that were made to your search, Shortcut settings, or business rules.To view your workspace audit log, go to Settings > Security > Audit Log.Filter the audit logYou can view audit log results for a desired date range, or filter them by event type.To filter the audit log:Select Filter .Select the Event Type from the drop-down menu. Your options are:All EventsAuthorizationBillingConversationCustomerSettingsWork SessionNext, select the specific criteria you are filtering on. Available options depend on the Event Type you selected in Step 1.Event TypeRequiredDescriptionAll EventsUserThe user in your organization. Results will display all actions done by them.AuthorizationUserThe user that performed that authorization.BillingUserThe user makes changes to the Manage Payment or Manage Subscription page.ConversationConversationThe ID of the conversation. Optionally, you can select a specific user.CustomerCustomerThe name of the customer. Optionally, you can select a specific user.SettingsSectionThe platform area you want to filter on. Available options are Searches, Shortcuts, Business Rules, or Kustomer Access. Optionally, you can select a different user.Work SessionUserThe user's history when using queues and routing.Select Apply Filters.Set up SAML authentication and SSO login
Security Assertion Markup Language (SAML) is a standard for logging users into applications based on their sessions in another context. SAML SSO works by transferring the user’s identity from one place (the identity provider) to another (the service provider) through an exchange of digitally signed XML documents.Kustomer supports various SAML providers. The following is an example of one such integration using Okta, but these steps can be adapted to any other SAML provider.Who can access this feature?User typesAdmins or custom roles with Security access enabled can access this feature.In this articlePrerequisitesConfigure SAML in OktaConfigure SAML in KustomerAdvanced settingsPrerequisitesBefore following these steps in this guide, ensure that the SAML provider you are looking to hook into describes itself as an identity provider that performs SSO authentication. If the provider you are looking to integrate with is only an identity aggregator, you would need to make the configurations explained below in the application you are using for SSO authentication.Configure SAML in OktaLog into your Okta account as an Administrator, and then follow the steps below to complete the Kustomer App creation.Select Applications in the toolbar, then select Add Application.Select Create New App.A dialog labeled Create a New Application Integration will appear. In the Platform drop-down menu, select Web, and select SAML 2.0 as the Sign on method. Then, select Create.Enter Kustomer as your app name. You can download the Kustomer logo from our Brand Assets page for the App logo field. Select Next to proceed.A form titled SAML Settings will appear. Fill out the fields as follows, replacing [orgname] with the subdomain your organization uses for your Kustomer site:Single sign on URL: https://[orgname].api.kustomerapp.com/auth/saml/callbackAudience URI (SP Entity ID): https://[orgname].api.kustomerapp.com/auth/saml/metadataAll other fields can be left blank.Click Next at the bottom, then Finish on the following page.You will see the Settings for your Kustomer app. In the Sign On tab click View Setup Instructions.The page that appears contains an Identity Provider Single Sign-On URL, Identity Provider Issuer, and X.509 Certificate. Leave this tab open while you access the Kustomer settings in another browser window.Configure SAML in KustomerTo finish configuring SAML, open Kustomer in another browser window so you can copy and paste the certificate details from the Okta site into Kustomer. Sign in to Kustomer as an admin, then navigate to Settings > Security > Authentication.Turn on the SAML Single Sign On setting.Copy the Identity Provider Single Sign-On URL, Identity Provider Issuer, and X.509 Certificate strings from the Okta settings into the corresponding fields in the Kustomer settings.Note: The user email address in Kustomer must match the one specified in your SSO settings.Once you finish the configuration, we recommend you log out of Kustomer and log back in via SAML to test that the configuration was set up correctly. Once confirmed, you can choose only to allow users to log in via SAML by going back to Settings > Security > Authentication and turning off the Kustomer setting. Turning this setting off means members in your organization will only be able to sign in to Kustomer using their SAML credentials.Advanced settingsYou can click Show advanced settings in the SAML Single Sign On settings to access additional configuration options.Force Authentication: Disabled by default. Enabling this requires the user to re-enter their Okta/SSO login credentials each time they want to access Kustomer. Re-authentication is required even if the user still has an active Single Sign On session with Okta or the identity provider.Sign Authentication Requests: Disabled by default. Enabling this will require Kustomer to send additional authorization keys to confirm access with Okta, and requires you to upload the Kustomer public certificate to your identity provider.Allow Unencrypted Assertions: Enabled by default. This determines whether or not the SAML assertion is encrypted. If you choose to disable this setting, you will then need to upload the Kustomer public certificate to Okta or the identity provider.Manage Kustomer Access settings
Manage and monitor access to your Kustomer organization with Kustomer Access settings. Kustomer Access settings allow you to:Create and set allowed IP ranges and to secure platform access for agents and team members (available on Ultimate plans).Monitor Kustomer Access events and IP address access in the audit logs for your organization (available on Ultimate plans).Grant the Kustomer Support team access to your Kustomer platform for more efficient technical support (available on all plans).Who can access this feature?User typesAdmins can access the Kustomer Access page.In this articleIntroduction to Kustomer Access settingsManage Kustomer Technical Support AccessManage User AccessCIDR notationAdd an IP address rangeDelete or edit an IP address rangeKustomer Access events in the Audit LogUpdates to Kustomer Org Access settingsIP addresses for user login eventsIntroduction to Kustomer Access settingsTo access the Kustomer Access settings for a brand, go to Settings and select Security > Kustomer Access. Kustomer Access is a part of the Security settings for your Kustomer organization.Learn more about your organization's Security settings in Kustomer.From the Kustomer Access page, you can configure the Technical Support Access and User Access settings for your Kustomer organization.Learn more about Kustomer's Security options in our help center under Security Settings.Manage Kustomer Technical Support AccessYou can grant the Kustomer Support team access to your organization for more efficient technical support. Technical Support Access allows our Kustomer Support team to log in like a user of your team to observe any issues directly, and offer assistance directly in your Kustomer instance.Technical Support Access is turned on by default for new Kustomer organizations in order to allow the Kustomer Support team to help you configure, troubleshoot, and solve support requests related to your initial onboarding process. This access can be turned off at any time once your team is fully up and running in Kustomer, or at any point where you no longer have an active technical support concern you'd like to troubleshoot with us.Use the Technical Support Access toggle to grant or revoke Technical Support Access as needed for your organization.Manage User AccessConfigure User Access to limit organization access for a selection of IP address ranges based on team locations or different VPN addresses. This means that team members in your Kustomer organization will be able to use and log in to Kustomer only if their IP address belongs to one of the allowed ranges. Notes:You can add up to 50 IP address ranges.Allowed IP address range updates take effect when a user’s token expires.This feature is available for organizations on Ultimate plans.The User Access setting displays your current IP address and also shows you the allowed range that includes your current IP address. You will be unable to modify or delete this range unless there is another allowed range that includes your IP address.Team members who try to access or use your Kustomer organization on an IP address outside of an allowed range will get an allowed IP range error message during login. The error message displays their current IP address and directs the team member to contact an administrator for their organization.CIDR notationTo learn more about CIDR notation for IP addresses, consult with a member of your security or IT team, or visit these external resources:"What is CIDR?" from the KeyCDN Support SiteCIDR Notation Converter from IPAddressGuide.comAdd an IP address rangeTo add a new IP address range to your allowed ranges, select + Add Range. Enter a descriptive name for the range (for example, the name of an office location or VPN network for a team) and a valid IP range in CIDR notation. You can quickly create a range in CIDR notation using this conversion tool.Select Save Changes to add and list the new IP range under Allowed Ranges.Delete or edit an IP address rangeTo delete or to edit an existing allowed IP address range, select the respective delete or edit icon for the range in the Allowed Ranges list.Note: To delete a range that includes your current IP address, your IP address must be included it at least one other existing allowed range.You can edit the name of the IP range and the IP range in CIDR notation. Select Save Changes to add and list the edited IP range under Allowed Ranges.Kustomer Access events in the Audit LogMonitor and search any updates to your Kustomer Access settings in the audit logs for your organization. Updates to Kustomer Access settingsThe audit logs display any changes to your Kustomer Access IP address rules. This means you can view when an administrator added, edited, or deleted an IP address range in the Allowed Ranges list. The audit logs also show the range name and the before and after values for any new, edited, or deleted IP address ranges.IP addresses for user login eventsThe audit logs also display the IP addresses for successful login events. Each successful login event shows the user name, the date of the event, and the IP address for the user login.Audit log storage limits
Kustomer audit logs are optimized to store your organization's most important data. Logs are stored for certain periods depending on the type of audit log.To learn more about the available logs, see Audit logs and Access the audit log.Who can access this feature?User typesAdmins can access full audit log features. Agents can access Customer and Conversation logs.In this articleShort-term event storageLong-term event storageReview events over 12 months oldShort-term event storageEvents stored for a short term are more frequent and tend to include more time-sensitive data, such as conversation updates and user sign-ins. Storing these events for a shorter term results in more time-sensitive data being logged. The following events are stored for up to 90 days in the audit log:AreaWhat is storedConversationsA conversation update.CustomerA customer's profile is updated.MessageA message is updated.RoutingA conversation is created that will be routed.A queued conversation's status changes from routed to assigned.An agent switches to a status that allows them to get routed conversations.An agent's status changes from available to unavailable.ShopifyAn order refund is calculated.A retrieved order.An item's retrieved image.An order refund is submitted.An order is canceled.UsersA user successfully signs in to Kustomer.A user fails to sign in to Kustomer.A user is locked out of Kustomer for too many failed sign ins.A user's auth token is destroyed, for example, from signing out.Long-term event storageEvents stored for the long term do not change as frequently. The following events are stored for up to 12 months in the audit log:AreaWhat is storedBillingThe number of user seats has increased.Business rulesA business rule is created, updated, or deleted.CompaniesA company is updated.ConversationsA conversation is deletedA conversation is moved to another timeline.A conversation is merged.An SLA is breached.CustomerA customer's profile is merged with another profile.Email (Postmark & Gmail)An email is forwarded. MessageA message is created for a conversation.SearchOne of your saved searches is updated.ShortcutA shortcut is updated.Review events over a year oldIf you need to review event data older than a year old, please contact Kustomer Support.
Still need help? Contact Us