Enterprise Security Features
Audit logs, user deactivation, session invalidation, and secure file uploads for enterprise accounts
Overview
BlueClerk's enterprise security features give administrators complete control over user access, detailed audit trails of all security-related actions, and secure file handling. These features help you meet compliance requirements, protect sensitive data, and maintain accountability across your organization.
Audit Logs
What Gets Logged
The audit log automatically records security-critical events:
- User login - Every successful login
- User deactivation/reactivation - When team members are deactivated or reactivated
- Permission changes - When user permissions are modified
- Data exports - When users export customer or item data
- File downloads - When users download files
- Financial access - When users view invoices or financial reports
Viewing Audit Logs
- Go to Settings > Team
- Click "Audit Log" in the sidebar (requires the canViewAuditLog permission)
- Filter logs by:
- User - See actions by a specific team member
- Action type - Filter by login, deactivation, export, etc.
- Resource type - Filter by user, file, invoice, etc.
- Date range - View logs from specific time periods
- Review details - Each log shows timestamp, user, action, and metadata
Who Can View Audit Logs
Only users with the Can View Audit Log permission can access audit logs. This is typically reserved for administrators and compliance officers.
User Deactivation
Deactivating a User
When you deactivate a user:
- Go to Settings > Team
- Find the user you want to deactivate
- Click "Deactivate" or the deactivate button
- Confirm deactivation when prompted
What happens:
- User account is marked isActive: false
- All active sessions are immediately invalidated (web and mobile)
- User cannot log in with credentials or OAuth (Google)
- Deactivation is logged in the audit log with timestamp
Reactivating a User
To restore access:
- Go to Settings > Team
- Find the deactivated user
- Click "Reactivate"
- Reactivation is logged in the audit log
User can immediately log in again.
Session Invalidation
Deactivation automatically bumps the user's tokenVersion, which:
- Invalidates all JWT tokens (mobile app sessions)
- Blocks all OAuth refresh attempts (web sessions)
- Forces immediate logout across all devices
No manual session clearing needed - deactivation handles it automatically.
New Permissions
assignedOnly
What it does: Restricts the user to viewing only the tickets, jobs, and invoices assigned to them.
Use case: Field technicians who should only access their own work, not the entire company's records.
canViewFinancials
What it does: Controls access to invoice amounts, totals, and financial reports.
Default: true for new users (most team members need this)
Use case: Restrict financial visibility for certain roles (e.g., junior technicians).
canExportData
What it does: Allows the user to export customer lists and item catalogs as CSV/Excel.
Use case: Limit data export to managers and admins only.
canManageUsers
What it does: Allows the user to add, edit, and deactivate team members.
Use case: HR staff or office managers who handle team administration.
canViewAuditLog
What it does: Grants access to view the security audit log.
Use case: Compliance officers, senior management, or IT staff.
Secure File Uploads
Validation
All file uploads now include:
- Extension allowlist - Only approved file types (images, PDFs, DWG)
- MIME type validation - Declared content type must match extension
- Magic byte validation - File content is verified to match declared type
Supported file types:
- Images: JPG, JPEG, PNG, WebP, HEIC
- Documents: PDF
- Plans: DWG
UUID File Naming
All new uploads use randomized UUID filenames instead of original filenames:
- Prevents path traversal attacks
- Avoids filename collisions
- Obscures original filenames in blob storage
Example: customer-photo.jpg becomes a3f8d9c2-4b1e-4a5c-9d3f-1e2b3c4d5e6f.jpg
Questions
Q: Can I see who deactivated a user? A: Yes - the audit log shows the user who performed the deactivation, along with timestamp and target user details.
Q: What happens to a deactivated user's assigned work? A: Their tickets, jobs, and invoices remain assigned to them. You can reassign work manually if needed.
Q: How long are audit logs kept? A: Audit logs are retained indefinitely for compliance purposes.
Q: Can deactivated users still receive email notifications? A: No - deactivated users are excluded from all system-generated notifications.
Q: Does file validation slow down uploads? A: Magic byte validation adds negligible overhead (~10ms per file) and runs automatically in the background.