Hotels should pay close attention to user management in their PMS to maintain system security, prevent unauthorized access, and ensure proper tracking of user activities. This is essential for protecting sensitive hotel and guest data.

It is the responsibility of hotel management to prevent any damage caused by compromised or misused login credentials. 


To support hotels in this effort, our security layer for user management can be utilized in the event of login credential breaches. This article also provides recommendations on how to prevent login credential breaches. 


Enhanced Security Logging and Related Tools in HotelTime

These tools will help you monitor and manage your users' activity:



Email Notifications


You can enable email alerts for logins from new IP addresses by simply filling out the designated field in the system settings. We strongly recommend taking this precaution. 

To activate e-mail alerts, go to Settings - Application - Main system set-up and enter the e-mail address for notifications in the General settings section.
 

Beware: If the email field for notifications is not filled in at the time of a login from a new IP address, no notification is generated. Notifications will only be sent after the email is added and the next login from a new IP occurs (they are not sent retroactively). However, data for the Audit Trail and Login History is always recorded, regardless of whether the email notification is set up.



 


 


Login History Report


This report tracks all successful logins, including dates, times, IP addresses and geolocations. Logins from new IP addresses are flagged.

Login type indicates whether the user typed their credentials into the browser manually (Interactive), logged in from another application (CrossApp), logged in via safe 2FA login (Interactive 2FA) or was logged in automatically from credentials saved in cookies (Autologin from cookie).

You can access this report via Settings - Application - Login history.

If the IP address's geolocation looks suspicious, you can analyze the activity further in the Known IP Addresses overview report by clicking on the tab next to Login history.



 

Known IP Addresses Overview


View, filter and manage the list of IP addresses users have logged in from. To display the login history of a particular IP address, click on the blue icon. Only users with the permission Deletion of Known IP Address can delete IP addresses from the Known IP list.

Please note that as of the release of this feature on 16 January 2025, we will retain IP addresses used for logging into the system during the past 100 days and store them as "known" in the Known IP Addresses report. 

  

TIP: IP geolocation is based on data from your ISP or VPN provider. While country and organization details are typically accurate, city and region information can be less reliable. Focus on country and organization data for the most dependable results.

In some cases geolocation is not present in the report (for example, there is no geolocation data for LAN IPs). If in doubt, hotel IT can perform an IP geolocation lookup.
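
The following added example, which is not HotelTime code, applies the 100-day known-IP window described above to login rows copied out of the Login History report, so hotel IT can re-check which logins count as coming from a new IP address. The CSV column names, the sample rows and the hotel-wide (rather than per-user) known-IP list are assumptions.

```python
import csv
import io
import ipaddress
from datetime import datetime, timedelta

RETENTION = timedelta(days=100)  # known-IP retention period stated in the article
# RFC 1918 ranges: LAN addresses for which the report shows no geolocation.
LAN_NETS = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample rows; the column names are assumptions, not a HotelTime format.
SAMPLE = """\
timestamp,user,ip,login_type,country
2025-01-20T08:02:00,anna,192.168.1.20,Interactive,
2025-01-21T08:05:00,anna,192.168.1.20,Autologin from cookie,
2025-02-03T23:41:00,petr,203.0.113.7,Interactive,CZ
2025-02-04T09:00:00,petr,203.0.113.7,Interactive 2FA,CZ
2025-06-01T02:13:00,anna,198.51.100.9,Interactive,NZ
2025-06-02T08:00:00,anna,192.168.1.20,Interactive,
"""

def review_logins(csv_text):
    """Return one finding per login from an IP not used in the previous 100 days."""
    last_seen = {}  # ip -> time of its latest login (hotel-wide list: an assumption)
    findings = []
    rows = sorted(csv.DictReader(io.StringIO(csv_text)),
                  key=lambda r: r["timestamp"])  # ISO timestamps sort as text
    for row in rows:
        when = datetime.fromisoformat(row["timestamp"])
        ip = ipaddress.ip_address(row["ip"])
        seen = last_seen.get(ip)
        if seen is None or when - seen > RETENTION:
            is_lan = any(ip in net for net in LAN_NETS)
            findings.append({
                "when": when, "user": row["user"], "ip": str(ip),
                "login_type": row["login_type"],
                # A blank geolocation is expected for LAN addresses, not a red flag.
                "geo": "n/a (LAN)" if is_lan else (row["country"] or "unknown"),
                "without_2fa": row["login_type"] != "Interactive 2FA",
            })
        last_seen[ip] = when
    return findings

if __name__ == "__main__":
    for f in review_logins(SAMPLE):
        print(f["when"], f["user"], f["ip"], f["login_type"], f["geo"])
```

The last sample row is reported again because its LAN address was unused for more than 100 days and has aged out of the known list.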

 

  

 
Audit Trail


A detailed record of user actions within the system, which also shows suspicious logins (logins from a new IP address). Deletion of a new IP address is also logged here. You will find this report via Front desk - Audit trail.



Recommended Steps After Detecting a Suspicious Login

If you received an email alert about a login from a new IP address, follow these steps to ensure the security of your system:
 

1. Identify the User

Use the provided reports to gather information about the login, such as the number of attempts, detailed geolocation, and other relevant details.

Ask yourself:

  • Is this a new hotel employee with authorized remote access?
     
  • Is this someone who left the hotel months ago?
     
  • Is this your current employee accessing the system from an unexpected location?


2. Contact the User

Before taking any action, reach out to the user if the login seems suspicious but might belong to a current employee.

  • If the user is working remotely or from an unusual location (e.g., on vacation), the activity might be legitimate, for example when using a VPN.
     
  • If the user is a new hire working from a recognized geolocation, it’s likely safe.
     
  • However, if the login belongs to someone no longer associated with your hotel, immediate action is required.
     

3. Delete or Deactivate the User

If you determine that login credentials have been leaked or misused:
 

  • Delete the user account: This immediately revokes access and logs the user out at their next interaction with the system. 
     
  • Deactivate the user account: This immediately revokes access and logs the user out at their next interaction with the system. Subsequent activation will allow the user account to be fully functional in the system again.  

To delete or deactivate a user account, go to Settings - User rights and find the user. Press the red cross icon to delete the user. To deactivate the user, press the edit icon, untick the "Active" check box and save.



Best Practices for User Management

To maintain security, we recommend:


  1. Immediately deactivate inactive users – Remove or deactivate accounts of employees who leave the hotel or no longer need system access.
     

  2. Conduct regular user audits – Periodically review active users and their permissions to ensure only current staff and partners have access.
     

  3. Use unique login credentials – Each user should have a unique username and password to track individual activities within the system.
     

  4. Enable alerts for unusual activity – Set up e-mail notifications for logins from new IP addresses or other suspicious activities in your HotelTime application.
     

  5. Implement regular password updates – Require users to periodically change their passwords to reduce the risk of credential theft.
     

  6. Provide staff training – Ensure employees understand secure user behavior and are aware of the risks associated with leaked login credentials.
     

  7. Log and monitor user activity – HotelTime ensures that logins and key actions are logged and available for auditing purposes. See Audit trail, Login history or Known IP Addresses reports.
     

  8. Assign role-based access – HotelTime supports role configuration (user groups) so that each user has access only to the features necessary for their role.
     

  9. Restrict access from unknown locations – In HotelTime you can restrict the access of each user group to a specific IP address or addresses. To do this, go to Settings - Classification management - System user groups. You can also hide entire sections of the system that are irrelevant to a user group.


     

These steps will help minimize the risk of unauthorized access and enhance the overall security of the hotel's data.