
Concerns: Vision/Vision Management Site/Vision Database

User: System administrator, User Management Site

Prerequisites

not applicable

Introduction

Description of how to set up the security of the Management Site so that users only get access to the pages that are relevant for them.


Introduction

The Futurama Vision Management Site serves as the control center for a large number of different processes, so it is important to secure it properly. Users of the Futurama Vision Management Site should only have access to the pages that are relevant for them. You organise this on the page "Security" inside the menu "Management", where you assign or deny rights to specific pages for defined users and groups.

Security mode

The Futurama Vision Management Site can function in two ways: basic or advanced security. For either mode to work as expected you need to configure authentication and authorization as described in Installation of Vision Management site.

Basic security

With basic security we apply the normal security that is enforced by Windows Internet Information Server (IIS). With basic security you control the permissions to the website in the web.config: a user either has access to the whole website or has no access at all.

Advanced security

With advanced security you have much more control over which functionality can be used by which user.

Configuration (Futurama 18.07 and newer)

<configuration>
    <visionSettings>
        <security mode="{basic/advanced}" adminHostnames="localhost" adminPassword="testpassword" requireCredentialsForServices="{true/false}"/>
    </visionSettings>
</configuration>

adminPassword

This setting defines the password that must be entered when an upgrade is performed.

adminHostnames

This setting can contain a comma-separated list of hostnames from which the upgrade page should be accessible. The default value when omitted is "localhost".
This means that in the default state the upgrade page can only be shown to users who visit the page from the same machine (so they have 'localhost' in the browser's URL).
Should an administrator access the page through a different URL, like "http://mySite/vision", then the "mySite" value must be included in the setting, by setting it to "localhost;mySite".

requireCredentialsForServices (Futurama 19.02 +)

This setting controls whether authentication is required for all web services in Futurama Vision. It applies to the services importusers.svc and visionservice.svc. For more information see this page.

Configuration (Futurama 18.06 and earlier)

You select which mode to use by adding a key to the web.config of the Management Site:

<appSettings>
    <add value="advanced" key="Security"/>
</appSettings>
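The following is an added example, not Futurama's own code: it reads the security settings out of a web.config in either of the two layouts documented above (the visionSettings/security element for 18.07 and newer, the appSettings "Security" key for 18.06 and earlier) and reports the settings a reviewer would want to look at: a mode other than advanced, the documentation placeholder password, non-local upgrade-page hostnames, and services that do not require credentials. The two sample configs are constructed; because the page calls adminHostnames comma-separated but its example uses a semicolon, the checker accepts both separators (an assumption).

```python
# Added example, not Futurama's own code: read the Vision Management Site
# security settings out of a web.config in either layout described on this
# page and report settings a reviewer would want to look at.
import xml.etree.ElementTree as ET

# Constructed sample in the Futurama 18.07+ layout. The values are the page's
# placeholder values ("testpassword" is the documentation placeholder).
SAMPLE_CONFIG_NEW = """<configuration>
  <visionSettings>
    <security mode="basic" adminHostnames="localhost;mySite"
              adminPassword="testpassword" requireCredentialsForServices="false"/>
  </visionSettings>
</configuration>"""

# Constructed sample in the Futurama 18.06-and-earlier layout (appSettings key).
SAMPLE_CONFIG_OLD = """<configuration>
  <appSettings>
    <add value="advanced" key="Security"/>
  </appSettings>
</configuration>"""

PLACEHOLDER_PASSWORD = "testpassword"   # value used in the documentation example


def read_security_settings(config_xml):
    """Return a dict with mode, adminHostnames, adminPassword and
    requireCredentialsForServices, applying the page's default
    (adminHostnames defaults to "localhost" when omitted)."""
    root = ET.fromstring(config_xml)
    settings = {"mode": None, "adminHostnames": "localhost",
                "adminPassword": None, "requireCredentialsForServices": None}
    security = root.find("./visionSettings/security")
    if security is not None:                       # 18.07+ layout
        settings["mode"] = security.get("mode")
        settings["adminHostnames"] = security.get("adminHostnames", "localhost")
        settings["adminPassword"] = security.get("adminPassword")
        flag = security.get("requireCredentialsForServices")
        if flag is not None:
            settings["requireCredentialsForServices"] = flag.strip().lower() == "true"
        return settings
    for add in root.findall("./appSettings/add"):  # 18.06 and earlier layout
        if add.get("key") == "Security":
            settings["mode"] = add.get("value")
    return settings


def split_hostnames(value):
    """The page calls the list comma-separated but its example uses ';',
    so (assumption) both separators are accepted here."""
    return [h.strip() for h in value.replace(";", ",").split(",") if h.strip()]


def audit(settings):
    """Return human-readable findings; an empty list means nothing to report."""
    findings = []
    if settings["mode"] != "advanced":
        findings.append("security mode is not 'advanced': access is all-or-nothing per user")
    if settings["adminPassword"] in ("", PLACEHOLDER_PASSWORD):
        findings.append("adminPassword is empty or still the documentation placeholder")
    remote = [h for h in split_hostnames(settings["adminHostnames"]) if h != "localhost"]
    if remote:
        findings.append("upgrade page is reachable via non-local hostnames: " + ", ".join(remote))
    if settings["requireCredentialsForServices"] is False:
        findings.append("requireCredentialsForServices is false: importusers.svc and "
                        "visionservice.svc do not require authentication")
    return findings


if __name__ == "__main__":
    for label, xml in (("18.07+", SAMPLE_CONFIG_NEW), ("18.06", SAMPLE_CONFIG_OLD)):
        current = read_security_settings(xml)
        print(label, current)
        for finding in audit(current):
            print("  -", finding)
```

Run against a real web.config by passing its contents to read_security_settings; the old layout has no adminPassword or adminHostnames attributes, so only the mode is reported for it.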

Type of users

The Futurama Vision Management Site supports two types of users: locally defined users and remote directory users. On the Security Management page of the Vision Management Site these two types are labelled 'Forms Users' and 'Windows Users' respectively. Locally defined users (the 'Forms Users' tab in the Management Site) are users that are defined within the Vision Management Site: both the username and the password are defined in the Management Site and stored in the Futurama Vision Database. For remote users (the 'Windows Users' tab in the Management Site) these credentials are not stored or defined within the Management Site; a remote user directory is used instead. When you use a remote user directory the users are defined elsewhere: in Futurama you only store the user name, not the password, and user management is out of scope of the Futurama Management Site. For remote users you can use two types of user directories:

Windows authentication

You can use a Windows domain to authenticate your users. To be able to do that, the server that runs the Futurama Vision Management Site needs to be part of a domain, and Windows authentication needs to be enabled in IIS. In the web.config of the Management Site, Windows authentication must be configured.


SAML2 authentication

With SAML2 authentication you can use any SAML2 identity provider to store the users; a commonly used example is Azure Active Directory. In the web.config of the Management Site, forms authentication must be configured. Furthermore, the mapping with this SAML2 identity provider has to be configured in the identity provider section of the web.config.

Be aware that user authentication and the authentication of the communication between the Management Site and the database are not the same thing; see Installation Futurama Vision Management Site.

Concepts

Functional groups

A functional group is a set of pages that relate to a specific task. You could for example define a functional group ‘Front office tasks’ and add all the pages that the front office employees need to be able to access.

User groups

A user group is a set of users that has access to a set of functional groups. A user group can be a list of Windows or Forms users.

Setting up advanced security

To be able to set up advanced security you first need to be able to log in to the site. To do that, follow these steps:

  1. Start with basic security so you can access the site.
  2. Define a functional group with permission to see all pages.
  3. Define a user group for the security admin.
  4. Define a user for the security admin.
  5. Assign the user to the security admin group.
  6. Assign the security admin group to the functional group that can see all the pages.
  7. Switch to advanced security by changing the web.config.

Example

Suppose there is a department ‘Front office’ that manages all customer inquiries. They need to be able to see the accounts for the customers, reset accounts, etc.

To define the security needed for this setup, perform the following steps:

  1. Create a functional group 'Front office tasks'.
  2. Add the required pages to the group.
  3. Add a user group 'Front office employees'.
  4. Add a forms user or a Windows user for each of the employees of the department.
  5. Add the user group 'Front office employees' to the functional groups that these users may use.

You have now indicated exactly which users have access to which pages. New functionality and new users are easy to add to this structure. This helps you protect access to all parts of the Futurama Vision Management Site.

Usage

You can find the page "Security" in the Futurama Management Site below the menu "Management". On this page you will see five tabs. These are described below from right to left.

Pages

Here you can see all pages that occur in the Futurama Management Site.

Functional groups

Here you can create groups of pages that belong to a specific functionality in the Futurama Management Site.

  1. Click on "Add functional group".
  2. Enter a name and a description. Both fields are required.
  3. The option "Unassigned pages" means that all pages that aren't assigned to any functional group are automatically assigned to the functional groups that have this checkbox enabled.
  4. Click on the checkbox to add the functional group.
  5. Using the edit button you can select the pages that belong to this functional group. On the right, select the available pages and double-click them, or click the arrow pointing left, to move them to the selected pages.

Users groups

These are the groups of users who fill a certain position in your organisation.

  1. Click on "Add usergroup".
  2. Give a description of the user group.
  3. Click on the checkbox to add the user group.
  4. Using the edit button you can choose the functional groups that belong to this user group.
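The following is an added example, not Futurama's own code: a small model of the functional groups and user groups described in the Concepts section and in the two tabs above, including the "Unassigned pages" checkbox, used to answer which pages a given user may open. The page names, group names and user names are constructed; "NewReport" stands for a page added after the groups were set up, which no functional group lists explicitly.

```python
# Added example, not Futurama's own code: a small model of functional groups
# and user groups as described on this page, used to answer "which pages may
# this user open?". Page, group and user names are constructed.
from dataclasses import dataclass, field


@dataclass
class FunctionalGroup:
    name: str
    pages: set = field(default_factory=set)
    unassigned_pages: bool = False   # the "Unassigned pages" checkbox


@dataclass
class UserGroup:
    name: str
    functional_groups: set = field(default_factory=set)   # functional group names
    members: set = field(default_factory=set)             # user names


def effective_pages(group, all_pages, functional_groups):
    """Pages explicitly in the group plus, when "Unassigned pages" is
    enabled, every page that no functional group has been assigned."""
    assigned = set()
    for other in functional_groups:
        assigned |= other.pages
    pages = set(group.pages)
    if group.unassigned_pages:
        pages |= all_pages - assigned
    return pages


def accessible_pages(user, all_pages, functional_groups, user_groups):
    """Union of the effective pages of every functional group reachable
    through a user group the user belongs to."""
    by_name = {g.name: g for g in functional_groups}
    result = set()
    for user_group in user_groups:
        if user not in user_group.members:
            continue
        for fg_name in user_group.functional_groups:
            result |= effective_pages(by_name[fg_name], all_pages, functional_groups)
    return result


def can_access(user, page, all_pages, functional_groups, user_groups):
    return page in accessible_pages(user, all_pages, functional_groups, user_groups)


# Constructed sample following the page's front-office example. "NewReport" is
# a page added after the groups were set up, so no functional group lists it.
ALL_PAGES = {"Accounts", "ResetAccount", "ManageDomainTables", "Security", "NewReport"}
FUNCTIONAL_GROUPS = [
    FunctionalGroup("All pages",
                    {"Accounts", "ResetAccount", "ManageDomainTables", "Security"},
                    unassigned_pages=True),
    FunctionalGroup("Front office tasks", {"Accounts", "ResetAccount"}),
]
USER_GROUPS = [
    UserGroup("Security admin", {"All pages"}, {"secadmin"}),
    UserGroup("Front office employees", {"Front office tasks"}, {"alice", "bob"}),
]


def pages_for(user):
    return accessible_pages(user, ALL_PAGES, FUNCTIONAL_GROUPS, USER_GROUPS)


if __name__ == "__main__":
    for who in ("secadmin", "alice", "mallory"):
        print(who, sorted(pages_for(who)))
```

The sample shows the effect of the checkbox: the new page lands with the security admin's "All pages" group, which has "Unassigned pages" enabled, and stays invisible to the front office until someone adds it to "Front office tasks" deliberately. A user who is in no user group gets no pages at all.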

If you use Forms Authentication

Here you can define the users who will use the Futurama Management Site by using Forms Authentication.

  1. Click on "Add new user".
  2. Enter the login name and the password. Both fields are required. You can also fill in the email address of the user; this is not required.
  3. Choose the ProductGroup whose data the user is allowed to see. You can also select ProductGroup (empty); with this choice you give the user the right to consult the data of every Product Group in Futurama Vision.
  4. Using the edit button you can assign the right user group to the right user.

If you use Windows Authentication

Here you can define the users who will use the Futurama Management Site by using Windows Authentication or SAML2 authentication.

  1. Click on "Add user".
  2. Enter the name of the user or group. You can choose here from the users or groups that are already defined in Windows.
  3. Choose the ProductGroup whose data the user is allowed to see. You can also select ProductGroup (empty); with this choice you give the user the right to consult the data of every Product Group in Futurama Vision. (from Futurama 18.04)
  4. Using the edit button you can assign the right user group to the right user.

Special attention is needed when a user matches multiple entries in the Windows User list. For instance, when a user matches both by username and by group name, and both entries have a restricted productgroup, an error is shown, because a user cannot be part of multiple restricted productgroups. The exception to this rule is when one of the user's matching entries has the (empty) productgroup restriction: that entry gives the user the right to view all productgroups.

Permissions for the pages Menu Management

In the menu Management there are the submenus 'Manage domain tables' and 'Security'. To consult these pages, the user of the Management Site needs the rights of all ProductGroups (i.e. ProductGroup (empty) is configured for the user). If this is not the case, these submenus are not available to the user.
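The following is an added example, not Futurama's own code: it resolves the productgroup restriction of a Windows or SAML2 user from a Windows User list according to the matching rule in the "If you use Windows Authentication" section (a conflict error when several matching entries carry different restricted productgroups, an (empty) entry overriding them), and derives from that whether the Management submenus described above may be shown. The entries, user names and group names are constructed. Two assumptions are labelled in the code: two matches on the same restricted productgroup are not treated as a conflict, and a user who matches no entry at all raises KeyError, since the page does not describe that case.

```python
# Added example, not Futurama's own code: resolve the productgroup restriction
# of a Windows/SAML2 user from the Windows User list using the matching rule
# on this page, and derive whether the Management submenus may be shown.
ALL = None   # stands for the "(empty)" ProductGroup choice: all productgroups


class ProductGroupConflict(Exception):
    """A user matches several entries with different restricted productgroups."""


def resolve_productgroup(user, windows_groups, entries):
    """entries: (name, productgroup) pairs as on the Windows Users tab; name is
    a Windows user name or a Windows group name, productgroup is a name or ALL.
    Returns the single restricted productgroup, or ALL when an (empty) entry
    matches. Assumptions: two matches on the *same* restricted productgroup
    are not treated as a conflict, and a user with no matching entry raises
    KeyError (the page does not describe that case)."""
    names = {user, *windows_groups}
    matches = [productgroup for name, productgroup in entries if name in names]
    if not matches:
        raise KeyError(user)
    if any(productgroup is ALL for productgroup in matches):
        return ALL                      # an (empty) entry wins: all productgroups
    restricted = set(matches)
    if len(restricted) > 1:
        raise ProductGroupConflict(f"{user} matches entries for {sorted(restricted)}")
    return restricted.pop()


def management_menu_visible(productgroup):
    """'Manage domain tables' and 'Security' require the rights of all
    ProductGroups, i.e. the (empty) productgroup."""
    return productgroup is ALL


# Constructed Windows User list: user entries and group entries mixed.
ENTRIES = [
    ("CORP\\alice", "Pensions"),
    ("CORP\\bob", "Pensions"),
    ("CORP\\FrontOffice", "Insurance"),
    ("CORP\\SecurityAdmins", ALL),
]


if __name__ == "__main__":
    cases = [
        ("CORP\\bob", []),                                               # Pensions
        ("CORP\\carol", ["CORP\\FrontOffice"]),                          # Insurance
        ("CORP\\alice", ["CORP\\FrontOffice", "CORP\\SecurityAdmins"]),  # all
        ("CORP\\alice", ["CORP\\FrontOffice"]),                          # conflict
    ]
    for user, groups in cases:
        try:
            productgroup = resolve_productgroup(user, groups, ENTRIES)
            print(user, "->", "(empty)" if productgroup is ALL else productgroup,
                  "| Management menu:", management_menu_visible(productgroup))
        except ProductGroupConflict as err:
            print(user, "-> error:", err)
```

The last two cases are the ones to watch when reviewing a Windows User list: alice's own entry restricts her to "Pensions" while her group entry restricts her to "Insurance", which the site reports as an error, and adding her to a group with an (empty) entry silently lifts both restrictions and unlocks the Management menu.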

Feedback

If you have any questions about this subject or if you want to provide us feedback please send us an e-mail.

Updated: 2018-07-23