Access to this feature can change based on your Quickbase plan. Learn more about feature availability and plans in Quickbase capabilities.
Quickbase provides several security policy options on the Policy page in the Admin Console. Realm admins may view and turn on these policies to help meet the security needs of their organizations.
Managing security policies for your realm
- On the My Apps page, select Manage My Account, and then select Policies.
- Change or edit security policies in the Security policies section of the page.
- Select Save. This applies your changes.
Security policies
Prevent embedding in iframes
When checked, iframes embedding Quickbase pages (such as reports, forms, home pages, and custom code pages) from this realm display as blank. This applies whether the iframe is attempting to display an embedded view of an app on the quickbase.com domain, or on an external website.
Prevent external redirects
When checked, any redirects within formula fields or links are ignored if they are pointing to locations outside the quickbase.com domain. For instance, if you have a formula field set to add a new record and then send users to example.com, this redirect would be ignored.
Review the following table for more information on which type of links are affected.
Type of link | Example URL Formula | Affected? | What will happen with the setting turned on? | Why? |
Single link on the quickbase.com domain | URLRoot() & "db/" & [DBID_PROJECTS] & "?a=API_AddRecord&ticket=auth_ticket&apptoken=app_token&_fid_25=Completed" | No | Will work normally | This is an internal link, which does not contain a redirect |
Single link outside the quickbase.com domain | "https://www.yourcompany.com/home" | No | Will work normally | This is an external link, but it does not contain a redirect. |
Link on the quickbase.com domain, then redirect to a second link on the quickbase.com domain | URLRoot() & "db/" & [DBID_PROJECTS] & "?a=API_AddRecord&ticket=auth_ticket&apptoken=app_token&_fid_25=Completed" & URLEncode(URLRoot() & "db/" & [DBID_PROJECTS] & "?a=q&qid=1") | No | Will work normally | This link does contain a redirect, but it redirects to a page on the quickbase.com domain. |
Link on the quickbase.com domain, then redirect to a link outside the quickbase.com domain | URLRoot() & "db/" & [DBID_PROJECTS] & "?a=API_AddRecord&ticket=auth_ticket&apptoken=app_token&_fid_25=Completed" & URLEncode("https://www.yourcompany.com/home") | Yes | The new record is added, then the standard XML response page is displayed. | This link contains a redirect, and the page it redirects to is external to quickbase.com |
Link outside the quickbase.com domain, then redirect to another link outside the quickbase.com domain | "https://www.yourcompany.com/home?redirect=" & URLEncode("https://www.yourcompany.com/news") | Yes | The home page of yourcompany.com is displayed. | This link contains a redirect, and the page it redirects to is external to quickbase.com |
You can also opt to prevent most redirects, but allow certain approved sites. When you select Ignore redirects to sites outside quickbase.com, an Allow redirects to these sites box appears. Enter a comma-separated list of hostnames in this box using the example.com,example.org format, without including www. or http://.
Tip: Verify your hostnames when you enter them, and do not enter www. or http://.
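A pre-check for the allow-list box described above, written as an added example (it is not Quickbase code and does not reproduce Quickbase's matching logic). The function names are hypothetical, the sample values are constructed, and the model assumes an allow-list entry covers that hostname and its subdomains.

```python
import re
from urllib.parse import urlsplit

QB_DOMAIN = "quickbase.com"
# Bare hostname only: labels of letters, digits and hyphens, at least one dot.
HOSTNAME = re.compile(r"[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+")

def parse_allowlist(raw):
    """Split the comma-separated box value into (accepted hosts, rejected entries)."""
    hosts, rejected = [], []
    for entry in raw.split(","):
        e = entry.strip().lower()
        if not e:
            continue
        # The policy page asks for example.com style entries: no http://, no www.
        if HOSTNAME.fullmatch(e) and not e.startswith("www."):
            hosts.append(e)
        else:
            rejected.append(entry.strip())
    return hosts, rejected

def _within(host, domain):
    # Match on a label boundary so notexample.com does not pass for example.com.
    return host == domain or host.endswith("." + domain)

def classify_redirect(target_url, allowed_hosts):
    """Model of the policy table: 'internal', 'allowed' or 'ignored'."""
    host = (urlsplit(target_url).hostname or "").lower()
    if not host:
        return "ignored"  # this model fails closed when no hostname can be parsed
    if _within(host, QB_DOMAIN):
        return "internal"
    if any(_within(host, a) for a in allowed_hosts):
        return "allowed"  # assumption: entries also cover their subdomains
    return "ignored"

# Constructed sample: a box value with two malformed entries, and redirect targets.
SAMPLE_BOX = "example.com, https://example.org, www.yourcompany.com, partner.example.net"
SAMPLE_TARGETS = [
    "https://myrealm.quickbase.com/db/abc?a=q&qid=1",
    "https://www.example.com/home",
    "https://www.yourcompany.com/home",
    "https://notexample.com/",
    "https://quickbase.com.example.org/x",
]

if __name__ == "__main__":
    hosts, rejected = parse_allowlist(SAMPLE_BOX)
    print("accepted:", hosts, "| fix before saving:", rejected)
    for t in SAMPLE_TARGETS:
        print(f"{classify_redirect(t, hosts):8} {t}")
```

Rejected entries are the ones to correct before saving the policy. Confirm the real behavior in the realm with a test formula field, since the subdomain handling here is an assumption.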
Cross-realm security
By default the Allow Pipelines connections to and from other realms box is checked. Realm admins may uncheck the box to disallow any cross-realm connections via the Quickbase channel in Pipelines.
- When the box is unchecked, any existing pipelines that use the Quickbase channel to connect two different realms will stop working.
- It takes about 5 minutes for changes to go into effect.
- Cross-realm pipeline connections via the Quickbase channel are blocked if this policy is unchecked in either realm.
Realm admins may uncheck the Allow Quickbase Sync connections from other realms box to disallow outside realms from making a Quickbase Sync connection to apps in this realm.
When the box is checked, you may:
- Allow connections from only the realms you specify. Enter each realm on a separate line and use the myrealm.quickbase.com format without including https://.
- Leave the box empty to allow connections from all realms.
New apps
Choose if and how users can create apps with the two options:
- Allow users to create apps
- Allow users to access Quickbase Exchange
By default, both of these boxes are checked.
If you deselect Allow users to create apps, the Create new app button on the My Apps page will be hidden for all users.
If you deselect Allow users to access Quickbase Exchange, the Explore sample apps button will be hidden from the My Apps page. If users try to visit Quickbase Exchange using a different method, they will see a message that they do not have access to the page.
Note: Control new users and Access to Exchange may not be available for all customers.
Control new users
When Only account and realm admins can create new users is checked, app admins will not be able to invite users who do not already exist in the Quickbase account to their apps. App admins will need to work with realm admins to add new users to the account. For more information on adding new users, see the Adding users to a realm help article.
Disable application webhooks
Users on Business and Enterprise plans can disable native Quickbase application webhooks within the realm policies page. This ensures that the only method for sending messages out of Quickbase is through the Pipelines webhook channel, which offers increased governance, logging, and overall improved security.
Note: Disabling application webhooks stops all existing webhooks from firing and hides the ability to create new ones.
Registration Link
Use this setting to control how long a registration link should remain active after you send an invite email. The default is 7 days, but you can change that according to your security policies.
Prevent offline mobile usage
When checked, users cannot use offline features on mobile.
User Tokens
Choose how you would like to store new user tokens:
- Encrypted but visible to owner: New user tokens will continue to be visible in the UI after initial creation.
- Hashed and permanently hidden after initial creation: User tokens will only be visible when they are created. After that, they will not be shown in the UI and will be hashed in the Quickbase database. Users who create tokens must save them and store them securely for future use.
When you create a user token, you assign it to an app. This policy allows you to enter the number of apps that can be assigned a single user token. If left blank, it defaults to 20.
Security options in apps
When checked, app admins can modify app security options found on the App properties page. These options include:
- Allow users who are not administrators to copy
- Allow users who are not administrators to export data
- Hide from public application searches
- Only "approved" users may access this application
- Only users logged in from "approved" IP addresses may access this application
When unchecked, these security options will be inactive for app admins, and they will see the text, "App admins may not change these options. For help, please contact your realm admin."
Artificial Intelligence (AI)
This policy is checked by default. When checked, users have access to generative AI features, including AI Smart Builder.