MicroStrategy ONE
Restrict Multiple Sessions from Multiple Devices
Starting in MicroStrategy ONE (March 2024), you can restrict users from logging in to MicroStrategy from multiple devices. Once you turn on Restrict User Sessions to a Single Device and a user logs in from one device, they cannot log in from another device. After a user logs in from one client (such as Library), the user cannot log in to a different client (such as Workstation) on the same device.
Restrict User Sessions to a Single Device is turned off by default.
To turn the setting on in the MicroStrategy REST API:
-
Open the MicroStrategy REST API Explorer by appending
/MicroStrategyLibrary
with/api-docs/index.html?visibility=all
in your browser. -
Create a session and authenticate it. In the Authentication section, use
POST /api/auth/admin/login
. -
Click Try Out and modify the request body by providing your user name and password.
-
Click Execute.
-
In the response, find
X-MSTR-AuthToken
. -
To get the current setting status:
-
Under the Configurations section, look up
GET /api/v2/configurations/featureFlags
. -
Click Try Out.
-
Set the proper
X-MSTR-AuthToken
from step 5. You can also get this via inspecting the browser network XHR requests. -
Click Execute.
-
Search for
RestrictOnDevice
in the response body to find its status details.
-
-
Under the Configurations section, look up
PUT /api/configurations/featureFlags/{id}
. -
Click Try Out.
-
Set the proper
X-MSTR-AuthToken
from step 5. You also can get this via inspecting the browser network XHR requests. -
Set
id
to3A0A59E74DB71CBB2362EFB5F64FC160
. -
To enable this setting, set the
status
value to1
. -
Click Execute.
-
Repeat step 6 to verify that the setting is enabled.
-
Restart Intelligence server for the change to take effect.
Scope and Limitations
- The setting does not allow a user to use different applications to connect to MicroStrategy at the same time, even from the same device, such as both Library and Workstation.
- A user can be locked out for the duration of the web session idle timeout if the user clears the browser cache, the client application crashes, or a Library, Web, or Mobile server crash appears.
- A user can use the same browser or application to open a new session in MicroStrategy and use the system as normal. The lost session does not last longer than the session time-out setting, which is a default of 30 minutes.
-
If a user does not log out before closing the browser, the user cannot use other apps. For example, the user cannot use Workstation, even from the same device, until the previous session times out. To escape this lock out situation, the user can open their browser on the same device, login, then logout, or ask the administrator to remove all of their sessions.
- Administrative tools, such as Command Manager, Configuration Wizard, and so on are not be affected by this setting.
- The restriction only applies to interactive sessions. Scheduled sessions are not affected.
- This setting helps a user of the out-of-the-box platform stay compliant. It does not protect against a malicious actor that leverages advanced attacks using such means as SDK customization to work around the system and compliance policy.