Security Policies & Priority


In the Visma Connect ecosystem, security is managed through two layers: Who you are (Domain) and What you are accessing (Application). This document explains how these policies work together to determine when a user is prompted for 2FA.

1. The Two Security Layers

Layer 1: The Authentication Policy (Domain)

This policy is managed in the AuthenticationSettings Web tool. It applies to every user who shares a specific email domain (e.g., @company.com).

  • Purpose: To enforce a baseline security standard for all employees.

  • Impact: If enabled, every user on the domain must enroll in 2FA.

  • Read more about it here: link to Authentication Settings

Layer 2: The Application Policy (Individual App)

This is managed at the application level. Admins can choose a specific 2FA behavior for each individual tool (e.g., Payroll vs. a Public Directory).

  • Purpose: To adjust security based on how sensitive the data is within that specific app.


2. The Three Types of 2FA Application Policy Behaviors

Every application in Visma can be assigned one of three security "behaviors." This determines what the user sees when they click the "Login" button.

⏩ Bypass

The "Express Lane." The user is never asked for 2FA when accessing this specific app, even if they have 2FA enabled on their account.

  • Best for: Low-risk apps or public tools.

⚖️ Adaptive

The "Smart Guard." The system evaluates risk. If the user is on a known office network, they might not see a 2FA prompt. If they are at a coffee shop, they will be prompted to verify.

  • Best for: Balancing speed and security.

🛡️ Required

The "Wall." Users must use 2FA to enter. If they haven't set it up yet, they are sent directly to the enrollment wizard.

  • Best for: Sensitive data like Payroll or HR.


3. Priority Rules: "Who Wins?"

When a user signs in, Visma Connect looks at both policies. The system follows a "Highest Security Wins" rule, with one major exception: The Bypass.

Scenario        Domain Rule   App Rule   Resulting Experience
The Exception   Required      Bypass     No 2FA Prompt. (The App Bypass always wins.)
Stronger Wins   Optional      Required   2FA is Required. (Security is elevated.)
Domain Wins     Required      Adaptive   2FA is Required. (The Domain mandate stays.)
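The priority logic above can be written down as a small decision function, which makes it easy to test every combination rather than just the three rows in the table. The following Python is an added illustration, not Visma Connect code: the enum names, the strength ranking and the single `trusted_network` flag standing in for Adaptive risk evaluation are all assumptions made for the example.

```python
from enum import Enum


class DomainRule(Enum):
    """Authentication Policy set for an email domain (Layer 1)."""
    OPTIONAL = "optional"   # domain does not mandate 2FA
    REQUIRED = "required"   # every user on the domain must enroll in 2FA


class AppRule(Enum):
    """Application Policy set per individual app (Layer 2)."""
    BYPASS = "bypass"
    ADAPTIVE = "adaptive"
    REQUIRED = "required"


# Strength ranking used for the "Highest Security Wins" comparison.
# BYPASS is deliberately absent: it is the exception handled before ranking.
STRENGTH = {
    DomainRule.OPTIONAL: 0,
    AppRule.ADAPTIVE: 1,
    DomainRule.REQUIRED: 2,
    AppRule.REQUIRED: 2,
}


def effective_behavior(domain: DomainRule, app: AppRule) -> AppRule:
    """Combine both layers into the behavior the user actually experiences."""
    if app is AppRule.BYPASS:
        # The exception: an app set to Bypass never prompts, whatever the domain says.
        return AppRule.BYPASS
    # Otherwise the stronger of the two policies wins.
    if max(STRENGTH[domain], STRENGTH[app]) == STRENGTH[AppRule.REQUIRED]:
        return AppRule.REQUIRED
    return AppRule.ADAPTIVE


def login_outcome(domain: DomainRule, app: AppRule,
                  enrolled: bool, trusted_network: bool) -> str:
    """What the user sees at login: 'no_prompt', 'verify' (2FA challenge) or 'enroll' (wizard).

    trusted_network is a stand-in (assumption) for the risk signals an Adaptive
    policy evaluates; the page only says a known office network "might" skip the prompt.
    """
    behavior = effective_behavior(domain, app)
    if behavior is AppRule.BYPASS:
        return "no_prompt"
    if behavior is AppRule.ADAPTIVE and trusted_network:
        return "no_prompt"
    # Required, or Adaptive from an untrusted location (assumption for the latter):
    # users who have not set up 2FA are sent to the enrollment wizard.
    return "verify" if enrolled else "enroll"


if __name__ == "__main__":
    # The three scenarios from the priority table.
    print(login_outcome(DomainRule.REQUIRED, AppRule.BYPASS, True, False))     # no_prompt
    print(login_outcome(DomainRule.OPTIONAL, AppRule.REQUIRED, True, False))   # verify
    print(login_outcome(DomainRule.REQUIRED, AppRule.ADAPTIVE, True, True))    # verify
```

Keeping Bypass as an explicit early return, rather than giving it a rank of zero, is the point of the exercise: a ranking alone would let a Required domain override it, which is the opposite of what the table says. It also makes the bypassed apps easy to enumerate when reviewing which applications skip the domain mandate.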

4. High-Security Actions (Step-up / acr_values)

Even if an app is set to Bypass, certain sensitive actions (like approving a payment) may trigger a "Step-up" authentication. A 2FA prompt will appear specifically for that action to ensure the person behind the screen is authorized.
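In OpenID Connect terms, a step-up is an authorization request carrying `acr_values` (and usually `max_age`), followed by a check that the ID token actually came back with the requested `acr` and a recent `auth_time`. The Python below is an added example, not Visma's SDK or documented API: the `urn:example:acr:mfa` value is a placeholder for whatever ACR string the provider documents, the five-minute freshness window is an assumption, and the claims dictionary is assumed to come from a token whose signature, issuer, audience, expiry and nonce your OIDC library has already verified.

```python
import time
from typing import Optional
from urllib.parse import urlencode, urlsplit, parse_qs

# Placeholder: substitute the ACR value your identity provider documents for its 2FA level.
STEP_UP_ACR = "urn:example:acr:mfa"
# How recent the 2FA verification must be for a sensitive action (assumption: 5 minutes).
MAX_AUTH_AGE_SECONDS = 300


def build_step_up_request(authorize_endpoint: str, client_id: str, redirect_uri: str,
                          state: str, nonce: str) -> str:
    """Authorization request asking the provider to step the session up to STEP_UP_ACR."""
    params = {
        "response_type": "code",
        "scope": "openid",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,             # CSRF protection for the callback
        "nonce": nonce,             # binds the returned ID token to this request
        "acr_values": STEP_UP_ACR,  # requested authentication level
        # max_age forces a fresh authentication and makes the auth_time claim mandatory.
        "max_age": str(MAX_AUTH_AGE_SECONDS),
    }
    return f"{authorize_endpoint}?{urlencode(params)}"


def requested_params(url: str) -> dict:
    """Parse the query string of a request URL back into a flat dict (for inspection/tests)."""
    return {key: values[0] for key, values in parse_qs(urlsplit(url).query).items()}


def step_up_satisfied(claims: dict, now: Optional[float] = None) -> bool:
    """Decide whether verified ID-token claims prove a fresh 2FA for the sensitive action.

    acr_values is only a request, not a guarantee, so the acr that came back must be
    compared; without auth_time there is no way to show the verification was recent.
    """
    if claims.get("acr") != STEP_UP_ACR:
        return False
    auth_time = claims.get("auth_time")
    if not isinstance(auth_time, (int, float)):
        return False
    now = time.time() if now is None else now
    return 0 <= now - auth_time <= MAX_AUTH_AGE_SECONDS


if __name__ == "__main__":
    # Constructed sample: a token that carries the requested acr and a fresh auth_time.
    sample_claims = {"sub": "user-123", "acr": STEP_UP_ACR, "auth_time": int(time.time()) - 30}
    print(step_up_satisfied(sample_claims))  # True
```

The check belongs at the action (approving the payment), not only at login: a session that entered through a Bypass app has a valid token with no 2FA behind it, and the only thing that separates an authorized approval from an unauthorized one is the `acr` and `auth_time` the step-up produced.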


© 2026 Visma