Qualtrics Platform
Customer Journey Optimizer
XM Discover
Qualtrics Social Connect

Security Tab

About the Security Tab

Attention: You are now reading about a premium feature. If you do not have access and would like to purchase access or receive a demo, contact your Account Executive.

All Qualtrics data and brands are protected with the utmost care. However, sometimes you may want additional security settings, such as the ability to track which users are logged in, add more requirements to passwords, modify how many failed logins lead to an account lockout, and so much more.

If you have purchased the Enterprise Security Package, Brand Administrators can access all these settings and more by going to the Admin page and selecting Security.

Security Settings

Security Settings is the first section under the Security tab.

Allow Proxy Logins

Proxy logins allow Brand Admins or higher privileged accounts to log into different user accounts on this brand through the Users tab. By deselecting Allow Proxy Logins, you are making it so no Brand Admin can directly log into a user’s account.

Attention: Brand Admins can access content in the entire brand, but disabling the Allow Proxy Logins permission will prevent Brand Administrators from acting on behalf of another user.

Enable Two-factor Authentication

When you select Enable Two-factor Authentication, users must provide a verification code after providing their username and password in order to login. Users can set a preferred method of receiving this code – for example, through email or an authentication app on their phone.

Attention: This option is disabled for brands with SSO. If you would like to set up two-factor authentication with SSO, please reach out to your identity provider.

On next login, users will go through the enrollment process where they set up their preferred verification method.

Users will also receive an email with backup codes, which serve as a recovery option if they lose access to their verification method. If a user needs to reset their backup codes or reconfigure their two-factor authentication setup, they can do so from their User Settings.

Once the setup is complete, future logins for that user will use the two-factor authentication process.

Users can personally select from a number of authenticator apps, including Google Authenticator, Duo Mobile, and Authy.

Minimum Password Requirements

You can customize the requirements of passwords created in your brand. When you leave a field blank, that means that feature is not required in the password. The above example shows the default password requirements.

Attention: Changes made here will apply to all users in your brand. If a user’s password does not fulfill the new requirements, they will be prompted to change their password the next time they try to log in.

Qtip: There are settings for password expiration under the Organization Settings tab.

User Sessions

Minutes of inactivity until automatic logout: Determine how long someone can be in their account, not navigating pages or making edits, before they are logged out. This can be helpful so that accounts left open on idle screens cannot be accessed by passersby.
Qtip: The default session timeout is 60 minutes without user activity.
Maximum Concurrent Sessions Per User: Determine how many people can be active in one account at once. If this number is exceeded, the newest user trying to log in will not be allowed into the account.
Qtip: The default maximum number of concurrent sessions for all brands is 500.

Account Lockout

When a user repeatedly gets the username or password to an account wrong, the system will lock them out. This is a feature available on all Qualtrics brands, which ensures that strangers cannot get access to accounts that don’t belong to them.

However, with the Security tab, you can specify more about how this Account Lockout system works.

Select the number of failed login attempts.
Select the timeframe within which these login attempts occur.
Select how many minutes the account will be locked before it can be logged into again.

Qtip: If a brand does not have the Security tab feature or the Account Lockout settings have not been modified, by default an account will lock a user out for 60 minutes after 10 failed attempts to login.

Disable Inactive Accounts

Sometimes accounts will sit around in a brand for a long time without any use. It can be tedious to keep track of these accounts individually, and you may not necessarily want to set an account expiration date.

You can choose to disable accounts after a number of predetermined days. Note that disabling an account will not delete it – you, as the brand administrator, can always re-enable the account.

Attention: If you choose to disable inactive accounts, please note that Qualtrics will consistently assess all inactive accounts and automatically disable any account that meets the condition you selected.

Different conditions you can set when automatically disabling inactive accounts

Active Sessions

The Active Sessions section will show you all the users currently logged in on your brand, plus identifying information.

If you see suspicious account activity or you would like to force a user to log out for any reason, select the user(s) and click End Session. Click End All Sessions to end all active sessions.

To adjust the table format, click the down arrow next to a column and select an action.

The available actions are:

Pin Column: Pin the column so it cannot be moved. This will also make the column visible while you scroll horizontally.
Unpin Column: Unpin a pinned column.
Move Column Left: Move the column 1 place to the left.
Move Column Right: Move the column 1 place to the right.

You can also hover between columns and drag the column divider to change the width of a column.

Activity Logs

Qtip: This section describes functionality that we intend to release starting July 31, 2024. Qualtrics may, in its sole discretion and without liability, change the timing of any product feature rollout, change the functionality for any in preview or in development product feature, or choose not to release a product feature or functionality for any reason or for no reason.

In the Activity Logs section, you can see actions users have taken across your Qualtrics organization.

For every entry, you’ll see a date, the username and user ID of the account the event happened to, and an event category and name.

In this section, we’ll explain how to use the Activity Log to find information on events. If you want a full list of possible events and what they mean, see Events Tracked in the Activity Log.

Event Details

To view more information about an event, click on it. This panel includes a lot of the same information in the columns, plus:

Id: An internally generated session ID.
Brand Id: Your organization ID.
Ip Address: The IP Address where this activity took place.
Timestamp: When the event started. Times are always given in the user account’s time zone.

Depending on the event type, there can be other information included about what happened.

Example: If an Admin removes a permission from a role, you’ll see the ID for the role and the name of the permission removed.

Example: If viewing a user’s login session, you’ll also see a termination timestamp, to indicate when the session ended.

Filtering Logs

You can filter your logs by time range, specific events, or search terms. The search supports user IDs, partial and whole usernames, and event types and categories.

To deselect events, click Clear selection.

Exporting Logs

Qtip: Any filters you use will apply to your exports.

Click Export.
Choose between CSV (comma-separated values) and TSV (tab-separated values) file types.
Click Export files.
You’ll be taken to Your Downloads, where you can see file status and download it once it’s ready.

Customizing and Sorting Columns

You can sort by any of the columns available. Click the arrow next to a column to move it left or right, or to pin it to the left.

Events Tracked in the Activity Log

The following is a list of event categories and event types tracked in the activity log.

Qtip: The types of events you can audit may change over time.

Qtip: Each event type may take some time before it appears in the audit log.

Admin

Account settings proxy login access: A user has given Qualtrics Support permission to proxy log into their account.
Admin reports export: A user exported Admin Reports.
Brand anonymity setting change: A user edited organization-wide anonymity settings.
EX pseudonymization: A user edited the organization-wide pseudonymization policy.
Help modal settings change: A user edited the organization-wide settings for the help window.
Organization settings change: A user has edited organization settings.
Survey approval: A user has requested approval, dismissed a request, approved a request, denied a request, or commented on a request. See more on Project Approval.
User page individual view: A Brand or Division Admin viewed a user on the Users tab.
User page main view: A user viewed the Users tab.

Brand change

Brand change: The organization has just been created or updated with new permissions. This includes changes to the brand type, base URL, expiration date, and brand description. Each change is indicated by the original value and the new value.

Dashboard settings

Update anonymity decorator: Anonymity settings have been updated in a dashboard.
Update scales decorator: The Scales settings have been updated for a dashboard.

Dashboards

Dashboard usage: A user has interacted with a dashboard. This includes dashboard editors and viewers.

Datasets

Data tab export data: A user has exported recorded responses in any format in Data & Analysis.
Data tab export responses to PDF: An individual response has been exported to PDF.
Data tab export responses in progress: A user has exported responses in progress.
Data tab manage downloads: A user tab has downloaded a file from the Manage Downloads
Data tab single response view: A user has viewed an individual response.
Data tab view: A user has viewed the Data section of Data & Analysis.

Directories

Bulk contact change: A user has uploaded many contacts or changes to existing contacts in XM Directory.
Contact export: A user has exported contacts from XM Directory.
Contact list operation: A user has viewed, made changes to, or used mailing list options on a contact list in XM Directory.
Contact list operation: A user has viewed or made changes to a contact in XM Directory.
Directory operation: A user has viewed or made changes to a directory in XM Directory.
Directory settings operation: A user has updated XM Directory settings, such as contact frequency, duplicate merging, directory messages, and more.

Distribution

Distribution: A user has created a distribution in their project.

Libraries

Library files graphics: A user has viewed or taken action in the library.

Organization

Brand settings: A user has edited organization settings, particular related to login or SSO.

Projects

EX program: A Pulse program has been created, edited, or deleted. This event includes changes to the other projects and settings in the larger program.

Public API

API access: A user in your organization has performed API calls.

Reports

Export printed report: A user has exported an Advanced-Repor This includes PDF, DOCX, PPTX, and JPG export types. Does not include EX or 360 reports.
Export view results report: A user has exported Results. This includes PDF, DOCX, PPTX, and CSV export types.

Tickets

Ticket customer activity: A user has viewed the customer activity of a ticket.
Ticket exports: A user has exported tickets.
Ticket follow-up details survey: A user created or edited a follow-up details survey. This event can also trigger when a follow-up details survey receives a response. See more on Ticket Feedback Surveys.
Ticket survey response: A user viewed the embedded data or full survey response in a ticket.

User Access Control

Employee record access control modified: Employee Record Access Control has been enabled or disabled.
Modify columns metadata tag: A data access tag has been applied to columns metadata or removed from them.
Modify data access tag: A data access tag has been created, updated, or deleted.

User Authentication

API Token Change: A user generated an API token.
Login: View regular, proxy, SSO, and Failed logins. To learn more about a login, click on a user and view the information to the right.
- Proxy Login will be true if it was a proxy login. You’ll also see additional information under “proxy details,” including the ID of the user who proxied into the account.
- Is Successful will be false for failed logins.
- You’ll also see information such as URL the user logged in from, location, how they authenticated (e.g., SAML for SSO organizations), and the platform of login (browser and operating system).
Password change: Any time a user changes their own password in the Account Settings
Password reset: Whenever a password is reset. This includes users choosing Forgot Your Password? on the login page, Brand Admins sending password resets, or the user having to change their password because the password expired or you set new minimum requirements.
Session creation: Any time an account is logged into, thus creating a new session. This is different from Logins because it doesn’t count failures or allow you to check for proxies. If you click a user, it will show when the session ended.
Session termination: Every time a session terminates, either because a user logged out or an administrator forced them to. To see which, click the termination and look at the Reason
User change: Any time a user is created or deleted. Click a user for more information. Action will show whether the user was edited, created, or deleted. You’ll also be able to see what details were edited.

User Management

Brand privilege change: Your Qualtrics organization’s permissions have been changed.
Load participants page: A user opened the Participants page in an EX project or the User Admin of a CX Dashboard. Click the event to see the product line (e.g., CX or EX).
Modify participant metadata: A participant’s metadata has been updated right on the Participants page in an EX project or the User Admin of a CX Dashboard. Click the event to see the product line.
Org hierarchy export participants: Hierarchy participants have been exported.
Org hierarchy export units: Hierarchy units have been exported.
Org hierarchy import units: Hierarchy units have been imported.
Participants management export persons: A user exported participants.
Participants management get person information: A user searched for a participant.
Participants management remove persons: Participants were removed.
Participants management update unique identifiers: Participant unique identifiers were updated.
Role change: A role was created, edited, or removed. Click the event to see the product line. Appears for both EX roles and CX roles.
Role membership change: A user was added to or removed from a role.
Role permission change: Permissions were added to, updated in, or removed from a role.
User permission change: Permissions have been created, edited, or removed for a user.