Account discovery and control

Account discovery and control enables enterprise organizations to identify and manage Postman usage within their corporate networks. This feature provides visibility into user activity and enforcement capabilities to ensure compliance with organizational security policies.

Enterprise organizations require strong control over which Postman accounts their users can access from corporate networks and devices. Organizations use Cloud Access Security Brokers (CASBs), firewalls, and virtual private networks to manage and monitor network access, but currently lack standardized guidance for controlling Postman usage.

Common challenges with account discovery and control include:

  • Users registering for unauthorized personal accounts on corporate machines
  • Difficulty guiding users to approved corporate accounts
  • Custom, complex setups for each CASB vendor
  • Inability to enforce company policies effectively
  • Growing demand from highly regulated industries

While features like domain capture ensure users with corporate email addresses are directed to their corporate Postman instance, there’s currently no easy way to prevent users from registering with personal email addresses.

Learn more about how Postman Enterprise’s account discovery and control features can help your organization manage Postman usage and ensure compliance with security policies. Also check out the use cases to see how account discovery and control can be applied in different scenarios, such as blocking personal accounts, managing multiple teams, and considerations for firewall bypass situations.

Account discovery

Account discovery identifies Postman usage within corporate managed environments. This process:

  1. Identifies users coming from managed networks or devices, regardless of the identity they use to sign up.
  2. Determines if accounts are in a controlled environment.
  3. Records activity for compliance and reporting purposes.

Account control

Once accounts are identified in controlled environments, account control provides options to manage user access:

  • Block access to unauthorized accounts.
  • Redirect users to approved company resources.
  • Report unauthorized usage to appropriate company personnel.
  • Allow access to approved corporate accounts.

When users are blocked by account control, they see this message: “Your company enforces usage of Postman to only approved accounts.”

Implementation process

Account discovery works through an industry-standard, organization-specific header system that integrates with CASBs and network management tools. The general process is as follows:

  1. An organization requests the account discovery and control feature.
  2. Postman defines a unique header and configures its behavior to match organization-supplied rules.
  3. An organization adds this header to all network traffic going to Postman using their CASB.
  4. Postman identifies users coming from the corporate network when they access Postman.
  5. The system responds based on organization-configured preferences, which consist of monitoring and blocking actions:
    • Monitor — Used for monitoring traffic with the header. Postman can provide a report on users without user impact.
    • Block — Will block any user accessing any email domain account or team other than those permitted by the account control configuration.

Technical implementation details

Organizations implement account discovery by adding a header with the following specifications to all HTTP(S) traffic to Postman domains:

  • Header name: x-pm-network-tag
  • Header value: Provided by Postman support
  • Target domains: All HTTP(S) traffic to postman.co, postman.com, and *.getpostman.com

This approach is supported by major CASB vendors and used by leading SaaS applications.
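The following is an added example, not Postman's code or any CASB vendor's configuration. It models the two halves of the flow above: a proxy-side rule that attaches the header only to traffic for the listed Postman domains (so the organization-specific tag value is never sent to other SaaS hosts), and a simplified service-side policy check that returns the monitor or block outcome. The function names, the `ControlPolicy` fields and the tag value are hypothetical; the page does not say whether bare domains cover subdomains, so that is an assumption stated in the code.

```python
# Added example (not Postman's or a CASB vendor's code). Hypothetical names.
import hmac
from dataclasses import dataclass, field

HEADER_NAME = "x-pm-network-tag"  # header name from the page
# Target domains from the page. Assumption: bare names match the apex host
# and its subdomains; the wildcard entry matches subdomains only.
TARGET_DOMAINS = ("postman.co", "postman.com", "*.getpostman.com")


def is_postman_host(host: str) -> bool:
    """Return True if the request host falls under the target domains."""
    host = host.lower().rstrip(".").split(":")[0]  # normalise case, drop port
    for pattern in TARGET_DOMAINS:
        if pattern.startswith("*."):
            if host.endswith(pattern[1:]):  # ".getpostman.com": subdomains only
                return True
        elif host == pattern or host.endswith("." + pattern):
            return True  # apex or subdomain; "postman.com.evil.example" fails
    return False


def tag_request(host: str, headers: dict, network_tag: str) -> dict:
    """CASB/proxy side: add the header only for Postman hosts, and replace
    any client-supplied copy so the tag cannot be spoofed from inside."""
    tagged = {k: v for k, v in headers.items() if k.lower() != HEADER_NAME}
    if is_postman_host(host):
        tagged[HEADER_NAME] = network_tag
    return tagged


@dataclass
class ControlPolicy:
    network_tag: str        # value Postman support would provide (constructed here)
    mode: str               # "monitor" or "block", the page's two actions
    allowed_domains: set = field(default_factory=set)
    allowed_teams: set = field(default_factory=set)


def evaluate(policy: ControlPolicy, headers: dict, email: str, team: str) -> str:
    """Service side (simplified model): returns "allow", "report" (monitor
    mode) or "block" (block mode) for a session carrying the given headers."""
    tag = {k.lower(): v for k, v in headers.items()}.get(HEADER_NAME)
    if tag is None or not hmac.compare_digest(tag, policy.network_tag):
        return "allow"  # not from a managed network: outside the policy's scope
    domain = email.rsplit("@", 1)[-1].lower()
    if domain in policy.allowed_domains or team in policy.allowed_teams:
        return "allow"  # matches an approved email domain or approved team
    return "block" if policy.mode == "block" else "report"
```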

Use cases

Account discovery and control can be used in various scenarios to enhance security and compliance.

Blocking personal accounts

When a user accesses Postman from a corporate network:

  1. Free or personal sessions are identified and can be removed.
  2. Users are redirected to the authentication flow.
  3. Personal domains (like Gmail) can be blocked during sign-up or sign-in.
  4. Corporate domain sessions that match approved rules remain active.

Managing multiple teams

For organizations with multiple teams where domain capture across teams isn’t applicable, the following process can be used:

  1. Headers are configured to allow access only to predefined approved teams.
  2. Non-compliant sessions are recorded and may be removed.
  3. Users are blocked from accessing unapproved teams.
  4. Access to approved teams continues without interruption.

Firewall bypass considerations

Some organizations configure corporate laptops to always route traffic through corporate firewalls, but not all do. When users bypass firewalls, account discovery can still identify and record their activity, but enforcement may be limited. In these cases, the following considerations apply:

  • User details are still recorded and identified.
  • Past activity on managed networks is tracked.
  • Activity can be reported back to the company when the user reconnects to Postman through the company network.
  • Immediate blocking may not be possible, but recording provides valuable policy enforcement data.