Improvements to Security and Access Control in Centerprise 8.0

By | 2019-09-06T11:07:11+00:00 May 9th, 2019|

Centerprise 8.0 includes several new features and enhancements to improve the performance, agility, and security of enterprise data management. In this blog, I will provide you an overview of the security, user authentication, and access control-related enhancements made to our next-gen, end-to-end data management platform.

Introduction

The new Centerprise 8.0 includes authorization and authentication features to secure any action performed by authenticated users against the run-time and design-time components of the solution. The security is built around three key areas:

  • User authentication via bearer-token authentication
  • Secure domain communication between the client and server over TCP/IP and HTTP protocols
  • Role-based access control via an intuitive user management and access control dashboard

These enhancements will help administrators prevent unauthorized access to data management workflows and ensure access policies for both internal and remote users.

User Authentication

In order to make access distinctions and prevent unauthorized access to datasets and dataflows, we have introduced user authentication enhancements that will help administrators authorize access requests. Centerprise 8.0 utilizes bearer-token authentication to authenticate requests to the server.

The new Centerprise 8.0 allows users to log in using the username and password provided by the administrator or the Super User. Upon signing in, a JSON Web Token (JWT) is generated and associated with the client machine. This JWT is passed along with all the subsequent calls, allowing the server to determine that the request is coming from an authenticated user.

How a JWT is generated by Centerprise Server

Figure 1 – How Centerprise uses bearer-token authentication to verify access to the application

 

Here is a sample JWT generated by Centerprise server:

Header: Algorithm and Token Type

{

"alg": "HS256",

"typ": "JWT"

}

Payload: Data

{

"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier": "6",

"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "admin@astera.com",

"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": "ADMIN",

"sub": "ADMIN",

"jti": "1dfd9eec-9389-408e-8bfe-74067fd263c7",

"iat": 1553595091,

"rol": "api_access",

"id": "6",

"nbf": 1553595090,

"exp": 1556187090

}

Signature

HMACSHA256(

base64UrlEncode(header) + "." +

base64UrlEncode(payload),

)

Secure Domain Communication

Centerprise enables communication between client machines and the server using HTTP, which is a commonly-used request and response protocol.  To connect to the server, the client machine sends a request to the server. The server, which is hosted on a particular port, receives the request and sends back a response, accepting or declining the connection request.

An SSL protocol can be easily configured on top of the communication protocol to encrypt the transmission of information between the server and the client.

To configure an SSL certificate, the user needs to access the certificate.pfx file in the Centerprise installation directory and replace it with the .pfx file provided by their SSL certificate provider. Once it has been replaced, open the new .pfx file and copy the username and password. Find another file named certificationsettings.json in the installation directory and update it with the new username and password. Reboot the server to enable the SSL protocol.

Role-Based Access Control

The client-side of Centerprise is used by a wide variety of users within an organization who have different skill sets and job responsibilities. With Centerprise 8.0, we are offering administrators the ability to restrict access to a feature/features that would be too technical for the skill level of a particular user.

This role-based access control functionality is built around Users and User Roles, to which administrators or Super Users can grant or restrict access to all possible combinations of commands and APIs.

Role Management

For administrators managing hundreds of Centerprise users, a common challenge would be to handle changes in personnel. For example, if a user changes role within the organization, the features that they no longer need must be removed. Similarly, when a new user joins, they must be assigned privileges according to their role. Performing this exercise individually for each user can be a tedious and time-consuming task.

Effective in Centerprise 8.0, administrators can create Roles to define features that a group of users will have access to. Using the user management console of Centerprise 8.0, Super Users can easily add new roles, delete an existing role, or edit role resource to manage access to different APIs and Commands.

Role management in Centerprise

Figure 2 – How to add new roles, delete an existing role, and edit role resource in Centerprise

Default User Roles

In Centerprise 8.0, there are some pre-defined roles with a pre-defined set of permissions. These roles are Super User (Admin), Developer, and Operator. Although role has access to a set of commands and APIs, new capabilities can be added and removed from each role.

Super User or Admin

Super User has the highest level of access among all default roles. It has access to all of the APIs and commands that can be assigned to a role. The Super User role cannot be edited or deleted.

Developer

This role provides access to all the commands and APIs related to workflow, dataflow, report mining, query builder and editor, XML editor, map editor, data profiling, and deployment. A user with the developer role can create, edit, and schedule their own dataflows and workflows, but they cannot edit or modify other jobs scheduled on the server.

Operator

The operator role has the least privileges and permissions among the three default roles present in Centerprise. Operators have access to commands and APIs used to view and export job trace, refresh job list, monitor and manage runtime instances of jobs, and rerun the jobs scheduled on the server.

User Management

Centerprise 8.0 features an intuitive user management interface to provide a single point of management for all user permission and access related functions. Using the drag-and-drop interface, administrators can easily register new users, assign them a role, edit user role, activate or deactivate a user account, and view the complete list of registered users, along with the roles assigned to them.

The following GIF shows the process of registering a new user, assigning user role, editing user info, and deleting a user.

User management in Centerprise

Figure 3 – How to register a new user, assign user role, edit user info, and delete a user in Centerprise

This was a quick overview of the new security and access control features in Centerprise 8.0. To get a taste of all the new features that are part of the latest release, test-drive the beta version of Centerprise 8.0 today.