Security in Hive

An overview of the Enterprise Security package and how to configure it

Written by Erin Gouveia
Updated over a week ago

Overview

Hive’s Enterprise Security package includes the following:

1. Full Data Erasure

  • By default, when you leave Hive, your non-log data (Organization data) is left in an inactive state. Oftentimes, it's important for IT Administrators to request this data be permanently erased. If full data erasure is requested, we will completely purge data for an Organization.

2. SSO Enablement

  • Hive is SAML-enabled, allowing your enterprise to utilize SSO through your main identity provider and track/control access from one central location. With Hive's SSO solution, you can restrict access so your team can only log in through SAML.

  • SAML-based single sign-on (SSO) gives users access to Hive via the identity provider (IDP) of their choice.

*NOTE: SSO is not supported for external users.

3. User permissions

  • You'll be able to restrict users from creating certain items in your workspace.

How to set up SSO and SAML

Hive has direct support for a few Identity Providers (IDPs). If you use one of them, follow the guides linked below:

If you do not use one of the IDPs listed above, you can manually configure SAML by following the guide below.

Authentication Section

Step 1: Configure identity provider

To get started, you’ll need to set up a connection (or connector) for Hive with your IDP. In your respective IDP, create a new SAML app. The SAML app will need the “ACS URL” for your Hive account, which you can find by enabling the Enterprise Security app in Apps ⇒ Top right menu ⇒ "Settings" ⇒ "Enterprise Security".

Note: The "Enterprise Security" tab is only visible to Admins.

In full, you’ll want to map the following values to the SAML app with your IDP:

  1. ACS URL: see above

  2. NameID: Should use the "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" format

  3. Email attribute

  4. Custom attribute mappings:

  • "firstName" attribute (required): Should be included. Can be mapped from whatever attribute your IdP uses for first/given name.

  • "lastName" attribute (required): Should be included. Can be mapped from whatever attribute your IdP uses for last/family/surname.

Step 2: Set up SAML SSO for Hive

Once you’ve added all of the values from the previous step and saved the new SAML app with your IDP, the IDP should provide you with the following values:

  • SAML SSO URL

  • Identity Provider Issuer (optional as not all IDPs provide this)

  • An X.509 certificate

You’ll want to copy each of these 3 values from your SAML app and enter them into Hive:

  1. Open Hive

  2. Click your profile photo in the top right

  3. Select “Settings”

  4. Select the “Authentication” tab

  5. Paste the SAML SSO URL into its respective field

  6. Paste the Identity Provider Issuer into its respective field (if you have one)

  7. Paste the text contents of the X.509 cert into the “Certificate” field

  8. Close the screen and you should be all set

What to expect after SSO is enabled

Once you’ve set up SSO, each member of your workspace will receive an option at the time of sign in to “Sign in with SSO”. They will still have the option to log in with their Hive password, something we recommend allowing until you can verify that the setup is working.

Going forward, if you’d like to force SSO for your workspace members, you can check the “Force SSO” checkbox from the “Auth” screen. Doing this will disallow login with Hive credentials and instead force a SAML sign on.

User Permissions Section

The User Permissions Section controls what users can and cannot do in a workspace.

Note: The "Enterprise Security" tab is only visible to Admins.

Third-party integrations

  • Admins will be able to select which third-party apps can be integrated into the workspace. Enabled third-party apps will be available in My Apps.

Admin permissions

  • Restrict label creation to admins - This setting controls whether only Admins can create new labels in the workspace or anyone can create new labels.

  • Restrict Time Category permissions to admins only - This setting controls whether only Admins can create a new Time Category in the workspace.

  • Restrict priority creation to admins - This setting controls whether only Admins can create a new Priority Level in the workspace or anyone can create new priority levels.

Manage users

  • Allow full-access users to invite external users - This setting controls whether only Admins can invite External Users into the workspace or any Full Access member can invite External Users.

  • Check out our External Users article to learn more about External Users!

Custom fields

  • Restrict custom field creation to admins - This setting controls whether only Admins can create new Action Card/Project Custom Fields or any Full Access member can create new Action Card/Project Custom Fields.

  • Check out our Custom Fields article to learn more about Custom Fields!

Projects

  • Restrict new status creation to admins and project owners - This setting controls whether only Admins can create an Action Card Status or any Full Access project member can create a new Action Card Status.

  • No public projects - Users will be unable to make a project Public. *Read about Project Access for more info on Public Projects.

  • Allow admins to see all projects without being added to the project - Enabling this will allow Admins to view all projects in a workspace even without being added to the project. *Note: Admins will be able to see the project in the Project Navigator but won't be able to enter the project.
