
How admins can securely set up Coda
Enterprise admin best practices for controlling and enhancing security across your company.
Most features mentioned are only available on an Enterprise plan.
Customized security to fit your needs.
We understand that the security of your data and your users is of utmost importance, and we are committed to partnering with you to ensure that you are always in control. Instead of simply applying restrictions (which is possible), we recommend a granular approach, so you can make sure sharing and access within your Coda workspace is customized for your needs and standards.
What you’ll get:
- Security settings within your Enterprise plan
- Coda's approach to security
- Recommendations for your settings

What you'll use:
- Org admin settings (Enterprise only)
- Workspace settings
- Admin API (Enterprise only)
A note about compliance.
Coda adheres to global privacy laws and security standards with measures in place to help you meet your compliance obligations. We are SOC 2 Type 2, GDPR, HIPAA and CCPA compliant. Learn more.
A walkthrough from our Customer Success Team
1. Your options, our recommendations.
Member authentication and provisioning
Authentication & signing in with SSO
SSO, or “single sign-on”, allows users to access multiple applications or websites via a single authentication source with enhanced security or user provisioning requirements. Enterprise customers can enable SAML 2.0 SSO for all managed domains in their organization. Coda also offers alternative authentication options.
Authentication Options: SSO (SAML), Google, Microsoft, Apple, magic link, and email.
Recommendation: While any authentication is better than none, we recommend setting up SAML SSO and disabling all other authentication mechanisms for your employees. SSO will not only help to secure your workspace but will also make Coda more easily accessible to your employees. Learn more.
Provisioning with SCIM
SCIM (System for Cross-domain Identity Management) is a set of protocols that allow a third-party identity provider to manage users inside Coda for your organization. This enables your identity provider to automatically provision and de-provision users and groups in Coda, based on their roles and application assignments within your identity provider.
Recommendation: Setting up SCIM makes onboarding and off-boarding users easier. With SCIM, you won’t have to worry about removing access to docs from former employees. SCIM also allows you to push groups defined by your identity provider to Coda, which lets your users share docs and folders with groups rather than having to share with each individual. Learn more.
Note: If your organization uses Google Groups to organize users and Okta to provision access, you can perform a one-time sync of Google Groups to Okta to get an initial import of Google groups to Coda. Our recommendation, though, is to use SCIM. Learn more.
Workspace set up
Admins
To manage your Coda instance, Coda has two admin roles: Organization Admin and Workspace Admin. You can learn about each role and what they can do here.
Recommendation: We recommend you assign at least two Org Admins and two Workspace Admins (per workspace) to ensure coverage if another Admin is out of office.
Workspace creation
By default, Org Admins are the only role that can create workspaces within the organization. From here they can assign Workspace Admins to help manage the workspace. The majority of our customers work out of one central workspace for easy collaboration, though some larger organizations might require separate workspaces for security reasons.
Recommendation: Keep the toggle that allows users to create new workspaces turned off to prevent widespread creation of individual workspaces.
Workspace membership assignment
There are two ways you can set rules for how members are assigned to workspaces within your organization:
- Manage in Coda (default)
- Manage via SAML assertions
Recommendation: Most organizations Manage in Coda. If you have more than one workspace, you might explore Manage via SAML assertions.
- If you choose Manage in Coda, we recommend you enable auto-join for the workspace you want all team members to join. Learn more.
- If you change to Manage via SAML assertions, this will override any existing auto-join rules. Learn more.
Set a default workspace (if appropriate)
The default workspace is designed to streamline and centralize org member access within your Coda workspace(s). Establishing a default workspace will help you prevent the accidental creation of individual workspaces and ensure new and returning users are correctly placed.
Recommendation: The default workspace is designed as a catch-all. It is suitable for the majority of Coda’s enterprise customers, where there is one workspace that everyone should join. However, some organizations might have more complex workspace structures and membership requirements where the default might not be suitable. Learn more and assess if it’s right for you here.
Enterprise advanced access control
Sharing of Docs, Packs, and Forms
Control how docs, Packs, and forms can be shared outside the organization. As an Org Admin, you can update your advanced sharing rules at any time from the organization settings console. You have three options to choose from:
- Unrestricted.
- Invite-only external access.
- No external access.
Recommendation: We recommend choosing invite-only external access if you need to collaborate with users from external companies. If you do not need to collaborate with external users and only need to collaborate with employees within your company, then we recommend choosing no external access. Learn more.
Doc transfers
All docs on Coda require an owner. When a user is deactivated, their docs will become read-only after 7 days or until transferred to another Doc Maker. Org Admins have the option to:
- Require Doc Makers to request a doc for admin approval before transfer (this is the default setting).
- Allow Doc Makers to self-claim a doc if they have edit access.
Pack security
Packs are powerful building blocks that connect your Coda doc to the apps you use every day—the tools you and your team communicate, code, and design in. Because Packs connect to third-party apps and tools, most require additional authentication (read more about the security of Packs here). Org Admins for teams on Coda’s Enterprise plan can either:
- Allow all Packs to be used by all members (default state).
- Require admin approval and policies before installation.
2. Admin features to enhance your control.
Audit log
For org admins on Coda’s Enterprise plan, the audit events dashboard is a powerful tool designed to help easily monitor and analyze all activity in your organization. This dashboard provides a centralized view of actions users have taken within Coda. Org admins can use this information to identify potential security risks, such as unexpected access attempts, and to help ensure compliance with your organization's policies. Learn more.
Enterprise accounts can also integrate Coda audit events into their SIEM (Security Information and Event Management) systems using the Coda Audit API.
Doc access
See which docs in your workspaces have been shared with the public and change permissions or lock down access directly from the “Org doc” dashboard in your org settings. From this dashboard, you can update permissions on behalf of users at your organization. Learn more.
Coda Admin API
The Coda Admin API is a RESTful API that allows programmatic access to administrative reports and capabilities within Coda. Enterprise admins can use the Admin API to view and modify policies, integrate with a DLP or e-discovery tool your company may use, view audit logs, and more. While you can find most usage information in your Members & Groups dashboard, the API allows you to dive deeper into what actions those users are taking within the workspace.
We recommend using the Admin Pack - a UI layer to the Admin API that gives admins real-time information on users, docs, folders, Packs, and activity in their organization. The Pack allows you to view all of this info and make changes - right from a Coda doc. Learn more.
Advanced Security Settings
Several other policies can be configured for Enterprise customers either via your admin panel or Coda support. You can reach out to our support team by clicking on the question mark in the bottom right of your doc or workspace.
- Manage in your admin panel: data export policy, and idle session timeout.
- Contact support: inbound sharing policy, publishing policy, shared folder creation policy, and file uploads policy.
3. Additional resources to dive deeper.
Coda's security whitepaper
- Detailed insights into our security approach, the security features we offer, and our internal security processes, policies, and practices that are in place to safeguard your data.
- See it here.
Enterprise security feature roadmap
- Reach out to support to see our current and upcoming Enterprise security features and improvements.
- *Your account must have an NDA on file with us.