Hi Charubhashini

I don't think it is correct that only an admin or super admin can delete the IP address as you mentioned above. Every user, after logging in, can go to the "accounts.zoho.com" by typing that url in the browser location field and add / remove their own ip address restrictions. In fact, I just saw there was another topic on this same subject with the heading "Restricting Access to location or IP address" in which your colleague Raja clarified that your company is planning to come out with the feature to control the access to the ip address restrictions based on roles some time in December. Please check and confirm.

Also, one more question related to the roles you mentioned above. Though there is a feature to assign either Admin or User role to a user in my organization on Control Panel, I tried my best to view the current role of a user but could not succeed. Can you clarify how to view the current role of a user?

Thanks`

Dear Raja

Thanks for the clarifications. The philosophy behind Zoho's business model, to my understanding, appears to be virtualization of all applications and services that until now were tied to a piece of desktop hardware. That strategy very well ties with the increasing globalization of businesses. In this scenario, organizations bound to have their suppliers, customers and employees dispersed across the world. Since information security is of paramount importance to the businesses from both regulatory compliance and business points of view, it is essential that businesses have fine and flexible granular control on how to restrict the access to their information sources. If zoho intends to provide the access to configuration of IP restrictions only by role, it may still fall short of the organizations' needs for the following reasons.

Since the number and types of roles are fixed and Zoho defined, it is not possible for the organizations to define specific business related roles for different individuals that peform different business functions. Add to this another variable of their location in the world. Now we have multiple combinations of access control requirements!.

My recommendation is to provide ip based access configuration at user and group levels. This allows us the flexibility to define and configure different groups of users that could access the organization's information through different pre-defined ip addresses. If any exceptions have to be made to the group's restrictions, that could be done at a user level. A user's access level will always be a union of all ip addresses that are defined for him and the ip addresses of the groups that he belongs to.

Also, there is "Allowed IPs"  configuration option at Mail policy level. Consider enhancing this feature on the same lines as above. By the way, why only mail app should have this specific security feature?. All apps use some or the other organization's data. Why not provide a comprehensive screen that allows to set restrictions in a user, group, application, ip address matrix?. Just a thought for a long term enhancement!

Thanks