The guide describes how to configure and administer AMP securely, with a focus on privileged/admin account usage, security-relevant settings, and operational practices for ongoing secure use.
On this page:
- Terminology and AMP role model
- Multi-Factor Authentication (MFA) and Single Sign-On (SSO)
- Secure Administration Lifecycle for Top-Level Admin Accounts
- Security settings catalog
- Document details
Terminology and role model
This section introduces the core AMP terms, the top-level administrative and privileged accounts, and the role matrix.
Core AMP terms
AMP defines several structural concepts that matter for secure administration. The following table lists the basic terms.
| Term | Meaning |
|---|---|
| Organization | Top-level AMP structure containing users, assets, tests, reports, and organization-level settings. |
| Child organization | Secondary organization under a parent organization, used by large enterprises; it operates independently while remaining part of the parent structure. |
| Asset | Grouping object representing a property, for example a website or app, that contains reports and AMP tests. |
| Report | Result of an AMP test, with views/dashboards and permissions. |

For more details, go to AMP key concepts.
Top-level administrative / privileged accounts in AMP terms
In this guide, top-level administrative accounts are the following AMP roles with privileged administrative capabilities:
- Organization Administrator: manages users, creates assets/tests, modifies reports within their organization, and changes organization-level settings (including Organization Testing Control).
- System Administrator: has full AMP-wide access and can modify all organizations and system content.
Role matrix
AMP includes a variety of user types based on access and licenses. Users without licenses can log in to AMP and have limited access to view and edit certain features. Licensed AMP users have full access to AMP and are divided into users and administrators.
- Implicit permissions: permissions that follow from the role, for example Organization Administrators can access reports/assets in their organization.
- Explicit permissions: direct report access assigned via the report permissions user interface. This matters for secure access review and for Access Assistant behavior.
For details, go to AMP user types and permissions.
The following table describes the user types in AMP.
| User type | License required | Description |
|---|---|---|
| Viewer | No | Viewer users can access AMP and view reports that they have access to. The Viewer type is for users that need to access system and report content but won't be addressing any issues or performing audits. |
| Reviewer | No | Reviewer users have the same permissions as Viewers, but they can also edit the Defect ID, Defect Status, and Defect Comment fields on instances in a report. |
| Evaluator | No | Evaluator users have viewer access to all non-administrator features of AMP. This type is for users that need to view all AMP features, but don't need to use them. Note: This user type is set automatically for any user that does not have a current, valid license. |
| Standard User | Yes | Standard Users have access to AMP and can use all AMP features except for administrator features and settings. Note: This user type is set automatically for any user that has a valid license and is not an Administrator type. |
| Organization Administrator | Yes | Organization Administrators can access a variety of organization settings, including the Organization Testing Control settings. They can manage users, create Assets, create AMP Tests, and modify all reports within an organization. They can perform any activities that are restricted to their organization. |
| System Administrator | Yes | System Administrators have full access to modify all AMP system content, including best practices, test definitions, and standard definitions. They can access and modify all organizations in AMP and perform all functions available to Organization Administrators. Note: This user type is limited to Level Access employees, partners, or AMP instance Administrators. |
Multi-Factor Authentication (MFA) and Single Sign-On (SSO)
Note the following guidelines:
- Multi-Factor Authentication (MFA) is configured by Level Access at the organizational level. You can't complete the MFA configuration independently; contact Support to request the MFA setup or any changes to your current MFA settings.
- To use Single Sign-On (SSO), configuration is required on both sides:
  - Setup steps within your identity provider (IdP)
  - Configuration work performed by the Level Access team

Our team will guide you through the required procedures and complete the necessary configuration on our end. Once the organization-side configuration is in place, you can finalize the IdP setup and then validate the end-to-end sign-in flow.
Secure administration lifecycle for top-level admin accounts
This section covers secure access, secure configuration, secure operation, and secure decommissioning of privileged AMP accounts.
Secure account setup
To create or obtain a top-level admin account:
1. Select Administration.
2. Choose Create User.
3. Fill in the user's information:
   - First name
   - Last name
   - Email
4. Choose the user's role from the dropdown.
   Note: Regardless of what is selected, any user who doesn't already have a license will be given the Viewer role until a license is added.
5. Enter a temporary password for the user. Advise the user to reset their password once they've logged in.
6. Confirm the optional settings:
   - Automatically create license: select this checkbox to create a license for the user. Licensed users have view and edit access to all non-admin functionality in AMP. Learn more about user types and licenses. You can also assign an unmapped license.
   - Grant access to all assets: this permission gives the user access to all current assets in the organization. If the user has a license, this permission grants them edit access to all assets. For users without a license, this permission grants them the ability to view all assets.
7. Select Submit.
Secure configuration
Perform the configuration procedure after an administrative account is created.
Note: Role assignment determines the scope of the account’s administrative access.
To assign roles through the Administration tab:
1. Select Administration.
2. In the User Name field, search for the user you want to edit and choose their name.
3. Select Edit User.
4. Choose the user's role from the dropdown (if it was not specified during the initial account setup).
5. Select Submit.

Changes take effect immediately.
Secure operation
Ongoing operational practices for administrative accounts include the following activities:
- Recurring reviews of the AMP administrative accounts: privileged access should be revalidated regularly, especially for Organization Administrators and any users with broad cross-organization visibility. Changes in job responsibilities, reorganizations, contractor transitions, and support escalations can all create permission drift if access is not periodically reviewed.
  AMP provides administrator workflows to edit, move, delete, and reset users, and the Transaction Log allows Organization/System Admins to review user-related events such as user creation time, login times, password set/reset events, and edit timestamps. This makes the Transaction Log a key operational review artifact for privileged access monitoring and account lifecycle verification.
- Secure handling of API tokens: API tokens are another ongoing administrative concern. Store each token securely, for example in a password manager or a secure file. To rotate a token, create a new token with the same permissions, update the consuming system to use the new token, and then delete the old token.
Secure decommissioning
Privileged access should be removed or downgraded as soon as it is no longer needed. AMP supports user deletion through the Administration area, and the Delete User workflow includes an option to transfer write privileges and report ownership to another user. This allows you to preserve continuity while removing access.
To delete a user:
1. Select Administration.
2. In the User Name field, search for the user you want to delete and choose their name.
3. Select Delete User.
4. Optional: choose a user to transfer write privileges and report ownership to from the dropdown.
5. Select Submit.
Security settings catalog
This section presents a catalog of security-relevant AMP settings and administrative decisions, rather than a generic feature list. It documents which controls can be configured by administrators, identifies the recommended secure values or practices, and explains the security risk introduced when weaker configurations are used.
Note: AMP customers do not have direct access to the Instance Configuration page or these underlying instance settings. These controls are managed by Level Access Root Administrators on your behalf. However, you can request that specific settings be reviewed or updated for your instance, by contacting your Level Access Success representative or Support.
Use this catalog to:
- Understand which security-relevant instance-level controls exist for AMP
- Identify which values are recommended for secure deployments
- Know what to ask for when coordinating configuration changes with Level Access
| Key | Comments | Default value | Recommended value |
|---|---|---|---|
| TWO_FACTOR_AUTHENTICATION | Two-factor authentication. Valid values are EMAIL, AUTHENTICATOR, or FALSE. Default value is FALSE. | FALSE | AUTHENTICATOR |
| TWO_FACTOR_REQUIRED_USER_TYPES | Users that require two-factor authentication. Root Administrators and System Administrators are required in all cases. Valid values for this instance configuration are EVALUATOR, REVIEWER, STANDARD_USER, and ORGANIZATION_ADMINISTRATOR; use a comma-delimited list for multiple values. | FALSE | FALSE |
| SIMPLESAML_EMAIL_WHITELIST | Only users with email addresses from the domains on the list will have accounts created when authenticating via SAML/SSO. If the value is blank, then all users who authenticate via SAML/SSO will have accounts created. | Blank | Limited scope of domains |
| SSO_ENABLE_USER_PROVISIONING | If set to TRUE, users who SSO into AMP will have an account created within AMP if one does not already exist. | TRUE | TRUE |
| ALLOWED_SSO_SP_LIST | Which hosted instances can log into the helpdesk via SSO. | Limited list of the instances | Limited list of the instances |
| PASSWORD_FORMAT_LENGTH | The minimum character length for passwords. | 12 | 12 |
| PASSWORD_FORMAT_UPPERCASE | If TRUE, passwords must contain at least 1 uppercase letter. Must be set to TRUE or FALSE. | TRUE | TRUE |
| PASSWORD_FORMAT_LOWERCASE | If TRUE, passwords must contain at least 1 lowercase letter. Must be set to TRUE or FALSE. | TRUE | TRUE |
| PASSWORD_FORMAT_NUMBERS | If TRUE, passwords must contain at least 1 number. Must be set to TRUE or FALSE. | TRUE | TRUE |
| PASSWORD_FORMAT_SYMBOLS | Passwords must contain at least 1 of the listed symbols. Leave blank to not enforce this requirement. | !@#$%^&*() | !@#$%^&*() |
| PASSWORD_HISTORY | A new password cannot be the same as any of this number of past passwords. | 24 | 24 |
| PASSWORD_RESET_DAYS | The number of days after which passwords expire and must be reset. | 0 | 0 |
| SESSION_TIMEOUT_SECONDS | The number of seconds a session lasts after the last user action in AMP. If the user does not interact with AMP for this number of seconds, they are automatically logged out. | 43200 | 900 |
| EXPIRE_COOKIES | Whether cookies expire when the browser closes. | FALSE | FALSE |
| SECURE_COOKIES | Whether the cookie Secure flag is set. | FALSE | FALSE |
| USE_DB_SESSION_STORE | TRUE to use the DB as a backing store for sessions. Generally this should be TRUE for all instances, but during the initial update that creates the session DB store table it must be FALSE so that the administrator can log in first. After the table has been created, this can be set to TRUE to enable the session DB store. | TRUE | TRUE |
| DISABLE_INACTIVE_ACCOUNT | The number of days that must pass for a user's account to be considered inactive and disabled. | 90 | 90 |
| ENABLE_SENSITIVE_DATA_SUPPRESSION | Enabling this stops HTML and images from being saved to AMP. This includes AMP features as well as data coming from spiders, Assistant, and Continuum. | TRUE | TRUE |
| ENABLE_FEDRAMP_BANNER | Display the FedRAMP banner reminding users not to store sensitive information. | TRUE | TRUE |
| ENABLE_FILE_UPLOADS | Whether file uploads are enabled for the AMP instance. | 1 | 1 |
| UPLOAD_FILE_TYPES | CSV string of the file types allowed to be uploaded. | image/gif,image/pjpeg,image/jpeg,application/pdf,text/plain,text/html,application/msword,application/vnd.ms-excel,application/vnd.openxmlformats-officedocument.spreadsheetml.sheet,application/vnd.openxmlformats-officedocument.wordprocessingml.document,application/x-bzip,application/x-gzip,application/x-gtar,application/x-tar,application/zip,application/xml,application/xhtml+xml,text/xml,application/vnd.ms-office,application/msexcel,application/x-msexcel,application/x-ms-excel,application/x-excel,application/x-dos_ms_excel,application/xls,application/x-xls | image/gif,image/pjpeg,image/jpeg,application/pdf,text/plain,text/html,application/msword,application/vnd.ms-excel,application/vnd.openxmlformats-officedocument.spreadsheetml.sheet,application/vnd.openxmlformats-officedocument.wordprocessingml.document,application/x-bzip,application/x-gzip,application/x-gtar,application/x-tar,application/zip,application/xml,application/xhtml+xml,text/xml,application/vnd.ms-office,application/msexcel,application/x-msexcel,application/x-ms-excel,application/x-excel,application/x-dos_ms_excel,application/xls,application/x-xls |
| MAX_UPLOAD_FILE_SIZE | The maximum allowed size for an uploaded file in megabytes. A maximum larger than 15MB cannot be specified in this field. The file size can also be limited by the PHP settings upload_max_filesize and post_max_size; if either of those is less than 15MB, MAX_UPLOAD_FILE_SIZE cannot be set higher than them. | 15MB | 15MB |
| SIMPLESAML_ADMIN_EMAIL_SHOULD_SEND | A flag that indicates whether to send an Admin email when an account is created via SAML authentication for the first time. If set to TRUE, the email is sent; otherwise it is not. | TRUE | TRUE |
| SERVICES_ENDPOINT | When the Services API is being used for Java, this value determines where AMP sends the API calls. Ignored if SERVICES_USE_ENABLED is not TRUE. | https://spider.levelaccess.us/AMPJSONServices/ServicesControllerServlet/ | https://spider.levelaccess.us/AMPJSONServices/ServicesControllerServlet/ |
| PLATFORM_API_RETRIES | Controls the number of retries attempted when a Platform API call is rate limited. | 5 | 5 |
| UNIVERSITY_TAB_ENABLED | Whether the University tab is available for SSO to University. | FALSE | FALSE |
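The following added example (not Level Access code) models what two groups of catalog keys actually enforce: the PASSWORD_FORMAT_* composition rules, including the "blank symbols means not enforced" case, and the SAML provisioning decision driven by SSO_ENABLE_USER_PROVISIONING and SIMPLESAML_EMAIL_WHITELIST. The settings dict shape and the assumption that the whitelist is a comma-delimited list of domains are mine, not documented AMP behavior.

```python
"""Reference checks modelling AMP instance-configuration keys from the catalog.
Added example; the dict shape and comma-delimited whitelist are assumptions."""
from typing import Dict, List

# Constructed sample: the catalog's default values for the keys used below.
DEFAULT_CONFIG: Dict[str, str] = {
    "PASSWORD_FORMAT_LENGTH": "12",
    "PASSWORD_FORMAT_UPPERCASE": "TRUE",
    "PASSWORD_FORMAT_LOWERCASE": "TRUE",
    "PASSWORD_FORMAT_NUMBERS": "TRUE",
    "PASSWORD_FORMAT_SYMBOLS": "!@#$%^&*()",
    "SSO_ENABLE_USER_PROVISIONING": "TRUE",
    "SIMPLESAML_EMAIL_WHITELIST": "",  # blank: every SSO user is provisioned
}


def _flag(cfg: Dict[str, str], key: str) -> bool:
    """Interpret a TRUE/FALSE setting; missing keys count as FALSE."""
    return cfg.get(key, "FALSE").strip().upper() == "TRUE"


def password_policy_violations(password: str, cfg: Dict[str, str]) -> List[str]:
    """Return the PASSWORD_FORMAT_* rules the password fails (empty = accepted)."""
    failed = []
    if len(password) < int(cfg.get("PASSWORD_FORMAT_LENGTH", "12")):
        failed.append("PASSWORD_FORMAT_LENGTH")
    if _flag(cfg, "PASSWORD_FORMAT_UPPERCASE") and not any(c.isupper() for c in password):
        failed.append("PASSWORD_FORMAT_UPPERCASE")
    if _flag(cfg, "PASSWORD_FORMAT_LOWERCASE") and not any(c.islower() for c in password):
        failed.append("PASSWORD_FORMAT_LOWERCASE")
    if _flag(cfg, "PASSWORD_FORMAT_NUMBERS") and not any(c.isdigit() for c in password):
        failed.append("PASSWORD_FORMAT_NUMBERS")
    # Per the catalog, a blank symbol set means the symbol rule is not enforced.
    symbols = cfg.get("PASSWORD_FORMAT_SYMBOLS", "")
    if symbols and not any(c in symbols for c in password):
        failed.append("PASSWORD_FORMAT_SYMBOLS")
    return failed


def sso_provisioning_allowed(email: str, cfg: Dict[str, str]) -> bool:
    """Decide whether a first-time SAML login should create an AMP account."""
    if not _flag(cfg, "SSO_ENABLE_USER_PROVISIONING") or "@" not in email:
        return False
    raw = cfg.get("SIMPLESAML_EMAIL_WHITELIST", "")
    allowed = {d.strip().lower() for d in raw.split(",") if d.strip()}
    if not allowed:
        return True  # blank whitelist: all authenticated IdP users get accounts
    return email.rsplit("@", 1)[1].lower() in allowed
```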
Document details
| Document metadata | Details |
|---|---|
| Author | Vitalii Liashuk |
| Approved by | Senior Director of Information Security |
| Classification | Public |
| Revision # | 1.0 |
| Modifications | First release |
| Modified by | Vitalii Liashuk |
| Date | February 26, 2026 |