Overview
Hive’s Enterprise Security package includes the following:
1. Full Data Erasure
By default, when you leave Hive, your non-log data (Organization data) is left in an inactive state. Oftentimes, it's important for IT Administrators to request this data be permanently erased. If full data erasure is requested, we will completely purge data for an Organization.
2. SSO Enablement
Hive is SAML-enabled, allowing your enterprise to utilize SSO through your main identity provider and track/control access from one central location. With Hive's SSO solution, you can restrict access so your team can only log in through SAML.
SAML-based single sign-on (SSO) gives users access to Hive via the identity provider (IDP) of their choice.
*NOTE: SSO is not supported for external users.
3. User permissions
You'll be able to restrict users from creating certain items in your workspace.
How to set up SSO and SAML
Hive has direct support for a few Identity Providers (IDPs). If you use one of them, follow the guides linked below:
OneLogin (Add the “Hive” SAML 2.0 app from the OneLogin app store)
If you do not use one of the IDPs listed above, you can manually configure SAML by following the guide below.
Authentication Section
Step 1: Configure identity provider
To get started, you’ll need to set up a connection (or connector) for Hive with your IDP. In your respective IDP, create a new SAML app. The SAML app will need the “ACS URL” for your Hive account, which you can find by enabling the Enterprise Security app in Apps ⇒ Top right menu ⇒ "Settings" ⇒ "Enterprise Security".
Note: "Enterprise Security" tab will only be visible to Admins.
In full, you’ll want to map the following values to the SAML app with your IDP:
ACS URL: see above
Entity ID: https://app.hive.com
NameID: Should use the "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" format
Email attribute
Custom attribute mappings:
"firstName" attribute (required): Should be included. Can be mapped from whatever attribute your IdP uses for first/given name.
"lastName" attribute (required): Should be included. Can be mapped from whatever attribute your IdP uses for last/family/surname.
Step 2: Set up SAML SSO for Hive
Once you’ve added all of the values from the previous step and saved the new SAML app with your IDP, the IDP should provide you with the following values:
SAML SSO URL
Identity Provider Issuer (optional as not all IDPs provide this)
An X.509 certificate
You’ll want to copy each of these 3 values from your SAML app and enter them into Hive:
Open Hive
Click your profile photo in the top right
Select “Settings”
Select the “Authentication” tab
Paste the SAML SSO URL into its respective field
Paste the Identity Provider Issuer into its respective field (if you have one)
Paste the text contents of the X.509 cert into the “Certificate” field
Close the screen and you should be all set
What to expect after SSO is enabled
Once you’ve set up SSO, each member of your workspace will receive an option at the time of sign in to “Sign in with SSO”. They will still have the option to log in with their Hive password, something we recommend allowing until you can verify that the setup is working.
Going forward, if you’d like to force SSO for your workspace members, you can check the “Force SSO” checkbox from the “Auth” screen. Doing this will disallow login with Hive credentials and instead force a SAML sign on.
User Permissions Section
The User Permissions Section controls what users can and cannot do in a workspace.
Note: "Enterprise Security" tab will only be visible to Admins.
Third-party integrations
Admins will be able to select which third-party apps can be integrated into the workspace. Enabled third-party apps will be available in My Apps.
Admin permissions
Restrict label creation to admins - When enabled, only Admins can create new labels in the workspace; when disabled, anyone can create new labels.
Restrict Time Category permissions to admins only - When enabled, only Admins can create a new Time Category in the workspace.
Restrict priority creation to admins - When enabled, only Admins can create a new Priority Level in the workspace; when disabled, anyone can create new priority levels.
Manage users
Allow full-access users to invite external users - When enabled, any Full Access member can invite External Users; when disabled, only Admins can invite External Users into the workspace. Also, when the setting is disabled, your workspace members will request an invite and Admins can approve pending invites from the Manage users tab.
Check out our External Users article to learn more about External Users!
Custom fields
Restrict custom field creation to admins - When enabled, only Admins can create new Action Card/Project Custom Fields; when disabled, any Full Access member can create new Action Card/Project Custom Fields.
Check out our Custom Fields article to learn more about Custom Fields!
Projects
Restrict new status creation to admins and project owners - When enabled, only Admins can create a new Action Card Status; when disabled, any Full Access project member can create a new Action Card Status.
No public projects - Users will be unable to make a project Public. *Read about Project Access for more info on Public Projects.
Allow admins to see all projects without being added to the project - Enabling this will allow Admins to view all projects in a workspace even without being added to the project. *Note: Admins will be able to see the project in the Project Navigator but won't be able to enter the project.