
Security Hardening Guide

This guide covers the security configuration controls available to Org Admins in Kazinex Workflows. Implementing all recommended controls ensures your organisation's document control system meets the security expectations of most enterprise and government project environments.

Two-Factor Authentication (2FA)

Enabling org-wide 2FA requirement

  1. Go to Settings → Security.
  2. Under Two-Factor Authentication, toggle Require 2FA for all members to On.
  3. Confirm the enforcement.

Effect: All members (including Org Admins) must enrol in 2FA at their next login. Members who have not enrolled are prompted to set it up before accessing any content.

Supported 2FA methods:

  • Authenticator app (TOTP — Google Authenticator, Authy, Microsoft Authenticator)
  • SMS (availability depends on your plan)

Recommended rollout steps:

  1. Announce the 2FA requirement to all members at least 7 days in advance
  2. Provide a how-to guide for setting up an authenticator app
  3. Enable the requirement on a Tuesday or Wednesday morning (not Friday — avoid weekend lockout issues)
  4. Monitor the Members list for members who haven't enrolled after 48 hours and follow up directly
  5. Check the Audit Log under the authorization event category for any failed 2FA attempts after rollout

Recovering a locked member

If a member loses access to their 2FA device, an Org Admin can reset their 2FA:

  1. Go to Settings → Members.
  2. Find the member.
  3. Click Reset 2FA.
  4. The member can set up a new 2FA device at their next login.

File Type Restrictions

Configure allowed file types to prevent upload of potentially harmful or non-standard file formats:

  1. Go to Settings → Security → File Type Restrictions
  2. Add only file types that are used in your project environment

Recommended allowlist for construction/engineering projects:

pdf, dwg, dxf, ifc, doc, docx, xls, xlsx, ppt, pptx,
txt, csv, png, jpg, jpeg, tif, tiff, zip

File types to block (never add these to the allowlist):

exe, bat, cmd, ps1, js, vbs, jar, dmg, app, msi

See File Restrictions for the full guide.
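The allowlist above only helps if the upload gate applies it allowlist-first and is not fooled by case, path components or double extensions. The following is an added example of such a check built on the guide's two lists; it is not Kazinex code, and the sample filenames are constructed.

```python
# Added example: allowlist gate for upload filenames, using the allowlist and
# blocklist recommended in this guide. Not Kazinex code.
ALLOWED_EXTENSIONS = {
    "pdf", "dwg", "dxf", "ifc", "doc", "docx", "xls", "xlsx", "ppt", "pptx",
    "txt", "csv", "png", "jpg", "jpeg", "tif", "tiff", "zip",
}
BLOCKED_EXTENSIONS = {"exe", "bat", "cmd", "ps1", "js", "vbs", "jar", "dmg", "app", "msi"}


def normalise(filename: str) -> str:
    """Drop any path component, fold case, and strip trailing dots and spaces,
    which some filesystems remove silently ("report.exe." is stored as "report.exe")."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    return base.strip().rstrip(". ").lower()


def check_filename(filename: str) -> tuple[bool, str]:
    """Return (allowed, reason). Allowlist-first: the final extension must be
    allowlisted, so a missing, unknown or mistyped extension fails closed.
    Defence in depth: an inner segment naming a blocked type ("setup.exe.txt")
    is also rejected, since a client or downstream handler may act on it."""
    segments = normalise(filename).split(".")
    if len(segments) < 2 or not segments[0] or not segments[-1]:
        return False, "no usable extension"
    final = segments[-1]
    if final not in ALLOWED_EXTENSIONS:
        return False, f"extension '.{final}' is not on the allowlist"
    inner_blocked = BLOCKED_EXTENSIONS.intersection(segments[1:-1])
    if inner_blocked:
        return False, f"blocked type inside double extension: {sorted(inner_blocked)}"
    # "zip" is allowlisted, but archive members are not inspected here; that is
    # a separate control (content scanning), not a filename check.
    return True, "ok"


def reject_uploads(filenames: list[str]) -> dict[str, str]:
    """Return {filename: reason} for every file in a batch that must be refused."""
    rejected = {}
    for name in filenames:
        ok, reason = check_filename(name)
        if not ok:
            rejected[name] = reason
    return rejected


if __name__ == "__main__":
    # Constructed sample batch covering case, path and double-extension cases.
    batch = ["Plan.PDF. ", "C:\\site\\model.IFC", "rev.v2.pdf", "report.pdf.exe",
             "setup.exe.txt", "drawing", "macro.vbs"]
    for name, reason in reject_uploads(batch).items():
        print(f"REJECT {name!r}: {reason}")
```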

Guest Access Policy

Guest shares (token-based access without login) require careful governance:

  1. Set expiry on all guest shares: Never create guest shares without an expiry date. Maximum 30 days is recommended; 7 days for short reviews.
  2. Audit guest shares monthly: Review Settings → Guest Shares and revoke any that are no longer needed.
  3. Scope shares narrowly: Share only the specific documents or transmittals needed — do not share entire project document lists.
  4. Require guest identification: Configure the guest share form to capture the guest's name and email before allowing access.
  5. Log guest access: Guest access events appear in the Audit Log. Review them if there is a concern about data access.

See Creating Guest Shares for the full guide.

Audit Log Review Cadence

The Audit Log is your primary tool for detecting anomalous access or unauthorised actions. Recommended review schedule:

Frequency | What to check
Weekly    | Any authorization events showing failed logins or permission denials
Weekly    | New member invitations and role changes
Monthly   | Guest share creation and access events
Monthly   | Confidentiality enable/revoke events on documents
Quarterly | All management events (document locks, unlocks, deletions, restores)
Quarterly | Permission override changes

Setting up the audit review

  1. Go to the Audit Log tab.
  2. Filter by event category (e.g. authorization).
  3. Set the date range to the review period.
  4. Export to Excel for offline review or sharing with your security team.

Default Role Security

Review the default roles that new members receive:

  1. Go to Settings → Security → Default Roles
  2. Recommended defaults:

Setting                                       | Recommended value
Default org role for new members              | member (not org_manager)
Default project role when added to a project  | viewer (not initiator)

Starting with the least privileged role and promoting as needed is far safer than starting with broad access and restricting later.
