IP & user filtering for custom configuration service

Hello community,

We have a Creatio installation on Creatio SaaS cloud with a few custom configuration services we have built. The security requirements are very stringent and we need to be able to permit access to these custom configuration services only to a few users and only from a few IPs. Please find our questions in this regard below:

  1. From what we understand, access to the GUI application and to the back-end services is shared across the same Creatio credentials (via user setup). Can we disable GUI access for a few users and only enable access to these specific custom configuration services? Also, can we disable access to these configuration services for all other GUI users? In short: a few users only for these configuration services, and a few users only for the GUI.
  2. We would like to permit only certain IPs to access these configuration services. This can be handled in 4 layers: the network infrastructure layer (load balancer etc.), IIS configuration on the web server, or explicitly verifying and restricting access to certain IPs inside the configuration service logic. Which of these 3 is recommended from a feasibility and security perspective on Creatio SaaS cloud?

Thanks in advance

Best reply

Hello,

Here are the answers to your questions:

1) You can restrict login to the application UI in the root Web.config file. You need to find this location in the file:

<location path="0/Nui">
  <system.web>
    <authorization>
      <deny users="SysPortalConnection" />
    </authorization>
  </system.web>
</location>

and add your system user to this list after the comma separator:

<location path="0/Nui">
  <system.web>
    <authorization>
      <deny users="SysPortalConnection,1" />
    </authorization>
  </system.web>
</location>

In the example above the system user with the "1" login won't be able to log in to the application.

As for disabling access to a custom configuration service, you need to find the location record for this service in the /Terrasoft.WebApp/Web.config file (just an example below):

<location path="ServiceModel/GeneratedWebFormService.svc">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>

And add this deny rule to the location (it's important to add it above the permitting rules):

<location path="ServiceModel/GeneratedWebFormService.svc">
  <system.web>
    <authorization>
      <deny users="Supervisor" />
      <allow users="*" />
    </authorization>
  </system.web>
</location>

As a result the Supervisor won't be able to get access to the GeneratedWebFormService service.

2) As for restricting access from IP addresses: such a possibility exists for restricting login to the UI, but there is no built-in possibility to restrict access to the endpoint by IP. We don't have any recommendations on this matter; you can test all the possible approaches and choose the most suitable one.

Best regards,

Oscar
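As an added example (not Creatio's code and not part of the reply above): a small Python lint that evaluates the <allow>/<deny> rules of a Web.config <location> block in document order, the way ASP.NET URL authorization does, and flags a <deny> that can never fire because an <allow users="*"/> sits above it. The two Web.config fragments are constructed for the example; the service path and the "Supervisor" user are taken from the reply.

```python
import xml.etree.ElementTree as ET

def first_match(auth, user):
    """Return 'allow', 'deny' or None for user under an <authorization> element."""
    # ASP.NET URL authorization applies the first <allow>/<deny> that matches.
    for rule in auth:
        if rule.tag not in ("allow", "deny"):
            continue
        users = [u.strip() for u in rule.get("users", "").split(",") if u.strip()]
        if "*" in users or user in users:  # '?' (anonymous) is not modelled here
            return rule.tag
    return None  # no rule matched: ASP.NET falls through to the parent scope

def effective_decision(config_xml, path, user):
    """Decision the <location path=...> block gives for user, or None if absent."""
    root = ET.fromstring(config_xml)
    for loc in root.iter("location"):
        if loc.get("path") == path:
            auth = loc.find("system.web/authorization")
            return first_match(auth, user) if auth is not None else None
    return None

def shadowed_denies(config_xml):
    """(path, user) pairs whose <deny> is unreachable because an earlier rule in
    the same block already allows that user (the ordering mistake to avoid)."""
    root = ET.fromstring(config_xml)
    findings = []
    for loc in root.iter("location"):
        auth = loc.find("system.web/authorization")
        if auth is None:
            continue
        for rule in auth.findall("deny"):
            for user in rule.get("users", "").split(","):
                user = user.strip()
                if user and user != "*" and first_match(auth, user) == "allow":
                    findings.append((loc.get("path"), user))
    return findings

# Constructed sample: deny placed *after* the allow-all, i.e. the misconfiguration.
WRONG_ORDER = """<configuration>
  <location path="ServiceModel/GeneratedWebFormService.svc">
    <system.web><authorization>
      <allow users="*" />
      <deny users="Supervisor" />
    </authorization></system.web>
  </location>
</configuration>"""
# Same block with the deny moved above the allow, as the reply recommends.
RIGHT_ORDER = WRONG_ORDER.replace('<allow users="*" />\n      <deny users="Supervisor" />',
                                  '<deny users="Supervisor" />\n      <allow users="*" />')
```

Run shadowed_denies() over a real Web.config after editing it to confirm the deny actually takes effect before relying on it.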
