Program IP Restrictions

Apricot Administrators can restrict which computers or locations can be used for login by adding IP addresses to the IP Allowlist/Whitelist in Apricot Settings. Administrators can additionally restrict login access to specific records (controlled by User Record Level Access) by adding an IP address to a permission set. When Program IP Restrictions are active in your site, all programs must be assigned an IP address or they will not be granted access to the site. 

Why Use Program IP Restrictions?

Program IP restriction is best used if you have one group of users who should only be able to see the records associated with one physical location when those users are actually logging in from that physical location. For example, you might have case workers who work in any of three locations but should only be able to see information relevant to their work at a specific location while they are at that location. When they move to a different location, the records they can access will also change to those for the new location.

Users can belong to more than one permission set (they can also be in more than one program). Permission sets can be restricted to more than one IP address. IP addresses can be added to more than one permission set.


Do You Have Access to Program IP Restrictions?

Program IP Restrictions is a Premium Feature. To see if you have access to this feature:

  1. Click the Administrator tab at the top of the page.

  2. In the left-hand menu under Workflow Station, select Apricot Settings.

  3. Scroll down to the section titled A La Carte Features and check if Program IP Restriction has been enabled.

Add IP Restriction to a Group

  1. To add Program IP Restriction to an existing program, select the Administrator tab at the top of the page.

  2. In the left-hand menu under Access Control, select Sites & Programs.

  3. Click on the eye icon next to the existing program or

  4. Create a new program

Open Permission Set

  1. Click the eye icon next to the permission set to open it for editing or

  2. Create a new permission set

Note: The Permission Sets section may be at the top or bottom of the Program page depending upon the size of your screen.

  1. Expand the arrow next to Group IP Restriction.

  2. Type in the IP address you would like to restrict this program to when users in this permission set log in.

  3. Click Add.

  4. Click Save Record.

Note: The IP address you enter here is the IP address that is allowed to access this information. The entire permission set is affected. If you have one user who should have unlimited access to the data, they will need to be in their own permission set under the same program (with Program IP not enabled).

Use with IP Allowlist (IP Whitelist)

If your Apricot site employs an IP Allowlist (IP Whitelist) to manage login locations, any IP addresses you enter on a permission set will also appear in your IP Allowlist (IP Whitelist).

  1. To access the IP Allowlist (IP Whitelist), click the Administrator tab at the top of the page.

  2. In the left-hand menu under Workflow Station, select Apricot Settings.

  3. Scroll down to the section on General Configuration.

  4. IP addresses can be added or managed under the IP Allowlist (IP Whitelist) heading.

  5. Save Settings.

Note: When you add an IP address to a permission set it should also appear here. Do not remove it from this list.

Logging in Under Group IP Restriction

Users logging in under a Program IP Restriction will login as usual by entering their username and password at

Once the username and password have been matched to a user belonging to at least one permission set with a Program IP Restriction, the user will be taken to a second login screen to choose which program they would like to log in under.

Expand the top dropdown menu to see all available programs. The user should select the program that matches the IP address they are using to log in.
Restricted login will allow the user to access any records that have been assigned to the selected group and the current IP address.
Normal login will allow the user to access any groups that they have been assigned to but that are not restricted by IP address.

All Programs Not Available with Program IP Restrictions

If a user is logged into a program that is IP restricted, the user will not be able to switch to another program by accessing the dropdown menu in the user badge.
The user will need to log out and log back in under a different program or from a different IP address to access information that has been assigned to a different program.

Note: This generally only affects users that are part of multiple programs.

Administrator Access Is Not Affected by Group IP Restrictions

Administrator access cannot be restricted by programs or permission sets. Administrators can log in from any IP address regardless of IP restrictions that have been set for a permission set and can access any information in their Apricot site.
