Enforcement Policies
Enforcement policies allow Owners and Admins to define organization-wide security requirements that every member must comply with -- including Owners and Admins themselves. Policies are enforced server-side; the client UI guides users toward compliance but cannot bypass server-level checks.
Configuring Policies
Navigate to Admin Console > Policies to view and edit enforcement policies. Changes take effect immediately. Members who are not in compliance will be prompted to remediate on their next login (e.g., set up 2FA, change their master password).
Available Policies
Master Password Complexity
Control the minimum strength of master passwords across your organization.
| Setting | Default | Options |
|---|---|---|
| Minimum Length | 10 characters | 10 -- 128 characters |
| Require Uppercase | Off | On / Off |
| Require Number | Off | On / Off |
| Require Special Character | Off | On / Off |
| Minimum Strength Score | None | 0 -- 4 (zxcvbn score) |
Rather than requiring specific character classes, set a minimum length of 14+ characters and a zxcvbn strength score of 3 or 4. This encourages passphrases, which are both stronger and easier to remember than short complex passwords.
Two-Factor Authentication Enforcement
Require all members to enable at least one second factor before they can access their vault.
| Setting | Default | Options |
|---|---|---|
| Require 2FA | Off | On / Off |
| Allowed Methods | All | TOTP, WebAuthn/FIDO2, or both |
| Grace Period | 7 days | 1 -- 30 days (time for existing members to comply) |
When enabled, members without a configured second factor are redirected to the 2FA setup screen on login and cannot access vault data until they comply.
Enabling 2FA enforcement with no grace period will immediately lock out any member who has not configured a second factor. Set a reasonable grace period and notify your organization before enforcement.
IP Allowlist
Restrict access to the organization's data to a set of trusted IP addresses or CIDR ranges.
- Add individual IPs (e.g., 203.0.113.42) or CIDR blocks (e.g., 10.0.0.0/8).
- When enabled, any login attempt or API request from an IP not on the allowlist is rejected with 403 Forbidden.
- The allowlist applies to all members, including Owners.
Misconfiguring the IP allowlist can lock out your entire organization. Always include your current IP address and any VPN egress IPs before enabling. SyVault support can perform an emergency reset if all Owners are locked out, after identity verification.
Session Timeout
Control how long sessions remain valid before re-authentication is required.
| Setting | Default | Options |
|---|---|---|
| Vault Timeout | 15 minutes of inactivity | 1 min -- 8 hours, or "Never" |
| Vault Timeout Action | Lock | Lock (re-enter master password) or Log Out (full re-authentication) |
| Maximum Session Duration | 24 hours | 1 -- 168 hours (absolute maximum regardless of activity) |
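How the IP Allowlist and Session Timeout policies above can be evaluated server-side, as an added example that is not SyVault's own code: an allowlist entry may be a single IP or a CIDR block, and a session ends when either the inactivity timeout or the absolute maximum is reached. The dataclass fields, sample addresses, and the rule that the absolute maximum always forces a full log out are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
import ipaddress

@dataclass(frozen=True)
class Policy:
    ip_allowlist: tuple = ()                      # IPs or CIDR blocks; empty = policy disabled
    vault_timeout: Optional[timedelta] = timedelta(minutes=15)  # None models "Never"
    timeout_action: str = "lock"                  # "lock" (master password) or "logout" (full re-auth)
    max_session: timedelta = timedelta(hours=24)  # absolute cap regardless of activity

def ip_allowed(policy: Policy, client_ip: str) -> bool:
    """True when the allowlist is disabled or client_ip falls inside any entry."""
    if not policy.ip_allowlist:
        return True
    addr = ipaddress.ip_address(client_ip)
    # strict=False lets a bare address like 203.0.113.42 parse as a /32 network,
    # so single IPs and CIDR blocks share one code path.
    return any(addr in ipaddress.ip_network(e, strict=False) for e in policy.ip_allowlist)

def session_action(policy: Policy, created: datetime, last_activity: datetime,
                   now: datetime) -> Optional[str]:
    """None while the session is valid, otherwise the action the server must apply."""
    if now - created >= policy.max_session:
        # Assumption: hitting the absolute maximum always forces a full re-authentication.
        return "logout"
    if policy.vault_timeout is not None and now - last_activity >= policy.vault_timeout:
        return policy.timeout_action
    return None

def evaluate(policy: Policy, client_ip: str, created: datetime,
             last_activity: datetime, now: datetime) -> str:
    """Decision for one request: the IP check runs first, so a blocked IP is 403 even with a live session."""
    if not ip_allowed(policy, client_ip):
        return "403 Forbidden"
    return session_action(policy, created, last_activity, now) or "ok"

# Constructed sample policy: an office /24 plus one VPN egress IP, defaults otherwise.
POLICY = Policy(ip_allowlist=("198.51.100.0/24", "203.0.113.42"))
T0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(evaluate(POLICY, "198.51.100.7", T0, T0, T0 + timedelta(minutes=5)))   # ok
    print(evaluate(POLICY, "203.0.113.43", T0, T0, T0 + timedelta(minutes=5)))   # 403 Forbidden
    print(evaluate(POLICY, "198.51.100.7", T0, T0, T0 + timedelta(minutes=15)))  # lock
    # Active five minutes ago, but created 24 hours ago: the absolute cap wins.
    print(evaluate(POLICY, "198.51.100.7", T0, T0 + timedelta(hours=23, minutes=55),
                   T0 + timedelta(hours=24)))                                     # logout
```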
Sharing Restrictions
Control how and whether members can share records outside the organization.
| Setting | Default | Options |
|---|---|---|
| Allow One-Time Shares | On | On / Off |
| Max Share Expiry | 24 hours | 1 hour -- 7 days |
| Allow External Sharing | On | On / Off (restrict sharing to org members only) |
Export Restrictions
Prevent members from exporting vault data in plaintext.
| Setting | Default | Options |
|---|---|---|
| Allow Vault Export | On | On / Off |
| Export Format | Encrypted JSON | Encrypted JSON only, or allow CSV/plaintext |
When export is disabled, the Export Vault option is hidden from the UI and the API endpoint returns 403 Forbidden.
Policy Audit Trail
Every policy change is recorded in the audit log with the policy.update action, including the old value, new value, and the actor who made the change. This provides a tamper-evident record of policy evolution for compliance audits.