Security administration


Overview

Bizagi lets you use the Management Console to manage project security settings.

You can do this separately in each of the project's environments, which is especially useful for making changes in live environments (the production or test environment).

 

Open the Management Console to access this configuration in the Security module:

 


 

Settings you can manage include the authentication type used (Authentication), access control settings (Authorization), and LDAP import settings.

 

Authentication settings

You can edit the type of authentication used by the project, as well as the further parameters specific to that authentication type.

 


 

Authentication types available are:

Bizagi Authentication: Allows Bizagi to handle authentication itself (domain, users and their passwords are stored in Bizagi).

LDAP Authentication: Uses an LDAP server (e.g., Active Directory) to verify the information entered on the login page (username, password and domain).

If you use authentication against an LDAP server, Bizagi does not store passwords.

Federated Authentication: Uses an identity provider that authenticates the user and facilitates Single Sign-On capabilities through federated services.

If you use federated authentication, Bizagi does not store passwords. Since authentication in Bizagi is entrusted to the identity provider, the provider needs to comply with SAML 2.0.

Windows Authentication: Lets Bizagi validate users automatically against domains and Windows machines.

The Work Portal delegates authentication to the Windows machine on the client side (Bizagi does not store passwords).

You can also have Bizagi take the Windows session credentials automatically and avoid a login page.

Windows authentication does not work for mobile devices if Anonymous Authentication is disabled. When you enable Anonymous Authentication, the Bizagi login page does not appear.

Custom Authentication: Lets an external application handle authentication.

With custom authentication, you develop your own component that overrides the methods of Bizagi's Authentication component.

The component you develop can rely on any APIs or other third-party components and connections to authenticate the user (e.g., validate against a MySQL database, XML files, a legacy system's database, etc.).

Mixed Authentication: Allows using two different types of authentication for users from different domains. One of the types must be Bizagi Authentication, and the other type may be either Windows or Custom Authentication.

 


Note these important points:

 

1. Authentication at run time requires that any user wanting to log in to Bizagi has previously been imported or created in Bizagi's database (even though, with certain authentication types, further information such as the password is not stored in Bizagi itself).

 

2. With any type of authentication, the default domain\admon system user should remain enabled, though this user should not be assigned to a specific end user and should not be granted rights to use Work Portal menus and options.

Instead, we recommend that you define a user account as your business administrator, with privileges to administer the solution (e.g., modify parameter entity values, and manage your users, licenses, cases, etc.).

 

The further authentication parameters you can modify, according to the specific authentication type, are:

 

Authentication type

Option

Description

 

Bizagi

Account lockout duration

Defines the number of minutes an account remains locked out after reaching the Maximum number of failed login attempts (when Enable account lockout for failed login attempts is set), before it is automatically unlocked.

This duration must be greater than or equal to the Failed login attempts time-out.

E-mail for an account unlock request - Body

Defines the body of the mail sent to the administrator when a user requests that an account be unlocked (when using Enable account unlock request e-mails to admin and specifying E-mail of admin).

Use with E-mail for an account unlock request - Subject.

E-mail for an account unlock request - Subject

Defines the subject of the mail to send to the administrator when a user requests unlocking of an account (when using Enable account unlock request e-mails to admin and specifying E-mail of admin).

Use with E-mail for an account unlock request - Body.

E-mail for an active account - Body

Defines the body of the mail to send to a user when the account is created and set as active.

Use with E-mail for an active account - Subject.

E-mail for an active account - Subject

Defines the subject of the mail to send to a user when the account is created and set as active.

Use with E-mail for an active account - Body.

E-mail for password reminder - Body

Defines the body of the mail to be sent when the user requests a password reminder.

Use with E-mail for password reminder - Subject.

E-mail for password reminder - Subject

Defines the subject of the mail to send when the user requests a password reminder.

Use with E-mail for password reminder - Body.

E-mail of admin

Defines the e-mail address of the account administrator who receives the E-mail for an account unlock request (when using Enable account unlock request e-mails to admin).

Enable account lockout for failed login attempts

Sets whether accounts should be locked out when a maximum number of failed login attempts is reached (to use with Maximum number of failed login attempts).

Enable account unlock request e-mails to admin

Sets whether e-mails are sent when a user requests an account unlock.

Use with E-mail for an account unlock request, and E-mail of admin.

Enable authentication logging in database

Sets whether an audit log is recorded with all authentication events.

Enable multiple sessions per account

Sets whether more than one simultaneous session is allowed for the same account.

Enable quick login

Applies only to the Development and Test environments.

 

Sets whether users can log in to the Work Portal without entering account passwords (a quick login through a drop-down list of valid login accounts).

The drop-down list shows the first 100 active users (from the 101st user onward, accounts must be typed into a text field).

Use this for unit tests or quick prototyping only (this setting is not valid for a production environment).

Enable use of a secret question

Sets whether users can establish a secret question and answer to be able to avoid an account lockout when the password is forgotten.

Require password change after the first login

Sets whether a user must change the password after the first login.

Consider using this option or setting an explicit number of days for Password minimum age.

Enforce password history

Defines the number of unique new passwords an account must use before an older one can be reused.

Enforce use of capital letters in passwords

Sets whether passwords must contain at least one capital letter.

Enforce use of letters in passwords

Sets whether passwords must contain at least one letter.

Consider using Enforce use of capital letters in passwords and Enforce use of small letters in passwords instead.

Enforce use of numbers in passwords

Sets whether passwords must contain at least one number.

Enforce use of small letters in passwords

Sets whether passwords must contain at least one lowercase letter.

Enforce use of special characters in passwords

Sets whether passwords must contain at least one non-alphanumeric character.

Enforce validation of sequences in passwords

Sets whether passwords are allowed to contain character sequences (e.g: abc or 12).

Failed login attempts time-out

Defines the number of minutes after which failed login attempts time out.

The counter that stores this number of attempts is reset after this time frame, provided that the Maximum number of failed login attempts is not reached.

Idle account duration before lockout

Defines the maximum number of days before an unused account is locked out (an unused account is one that has had no activity within that time frame).

Idle sessions time-out

Defines the time in minutes after which an idle session expires, after which the user must authenticate again.

If you want to increase this time-out beyond 60 minutes (not recommended), you also need to edit the default settings of your web server (directly in IIS).

Maximum length of passwords

Defines the maximum number of characters for passwords (use zero if a maximum length is not desired).

Maximum number of failed login attempts

Defines a maximum number of login attempts before an account is locked out.

Applies when Enable account lockout for failed login attempts is active.

Minimum length of passwords

Defines the minimum number of characters for passwords.

Consider using this option or setting an explicit number of days for Require password change after the first login.

Password maximum age

Defines the maximum number of days during which a password can be used before it must be changed (i.e., the expiration time of passwords).

Password minimum age

Defines the minimum number of days during which a password must be used before it is available for a change.

SLA for an account unlock request

Defines the expected service time (in hours) to process an account unlock request.

LDAP

AUTHOPTIONS_LDAP_Path

The path to access the LDAP Server (using the LDAP URL format).

AUTHOPTIONS_LDAP_UseIntegration

Applies if you have already configured Bizagi to synchronize with your Active Directory users.

If that is the case, turn this option on to reuse the LDAP URL and settings from the LDAP synchronization settings.

Custom

Custom Authentication Component

The name of the component's assembly that performs authentication. This component must be present in the Web application's bin folder or in the GAC.

Custom Authentication Class

The name of the class that performs custom authentication within the component specified. Include the namespace of that class (set as Namespace.Class).

Mixed

Bizagi Domain

The name of the domain for users who will be authenticated using Bizagi Authentication.

Other Authentication type

Select which other type of authentication will be used (Windows or Custom).
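As an added illustration (not Bizagi's own code) of how the options Enable account lockout for failed login attempts, Maximum number of failed login attempts, Failed login attempts time-out and Account lockout duration from the table above interact, the following Python model replays a sequence of login outcomes for one account against a hypothetical policy; the option values, names and timestamps are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass
class LockoutPolicy:
    """Hypothetical model of the four lockout options described on this page (values constructed)."""
    enable_lockout: bool = True            # Enable account lockout for failed login attempts
    max_failed_attempts: int = 5           # Maximum number of failed login attempts
    failed_attempts_timeout_min: int = 15  # Failed login attempts time-out (minutes)
    lockout_duration_min: int = 30         # Account lockout duration (minutes)

    def validate(self) -> List[str]:
        """The page requires the lockout duration to be >= the failed-attempts time-out."""
        problems = []
        if self.lockout_duration_min < self.failed_attempts_timeout_min:
            problems.append("Account lockout duration must be >= Failed login attempts time-out")
        return problems


@dataclass
class AccountState:
    failed_attempts: int = 0
    window_start: Optional[datetime] = None  # first failure of the current counting window
    locked_until: Optional[datetime] = None


def record_login(policy: LockoutPolicy, state: AccountState, success: bool, now: datetime) -> str:
    """Apply one login outcome; returns 'ok', 'failed', 'locked_out' (this attempt locked) or 'locked'."""
    if state.locked_until is not None:
        if now < state.locked_until:
            return "locked"  # rejected while the lock is active
        state.locked_until, state.failed_attempts, state.window_start = None, 0, None  # auto-unlock
    if success:
        state.failed_attempts, state.window_start = 0, None
        return "ok"
    # The counter resets once the time-out elapses without the maximum being reached.
    timeout = timedelta(minutes=policy.failed_attempts_timeout_min)
    if state.window_start is None or now - state.window_start >= timeout:
        state.failed_attempts, state.window_start = 0, now
    state.failed_attempts += 1
    if policy.enable_lockout and state.failed_attempts >= policy.max_failed_attempts:
        state.locked_until = now + timedelta(minutes=policy.lockout_duration_min)
        return "locked_out"
    return "failed"


def replay(policy: LockoutPolicy, events: List[Tuple[int, bool]]) -> List[str]:
    """Replay (minute offset, success) pairs for one account from a fixed, constructed start time."""
    start = datetime(2024, 1, 1, 9, 0)
    state = AccountState()
    return [record_login(policy, state, ok, start + timedelta(minutes=m)) for m, ok in events]


if __name__ == "__main__":
    events = [(0, False), (1, False), (2, False), (3, False), (20, False), (21, False),
              (22, False), (23, False), (24, False), (25, False), (54, True)]
    print(replay(LockoutPolicy(), events))
```

The pause between minute 3 and minute 20 exceeds the 15-minute time-out, so the counter restarts and the lock only triggers on the fifth failure of the second burst; the successful attempt at minute 54 lands exactly when the 30-minute lockout expires.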

 

Authorization settings

You can edit the authorization settings to restrict which end users can view or modify certain information and use administration options in the project.

Access rights to the different elements of the Work Portal are managed through the definition of roles and user groups.

 


 

In the Authorization component you can manage access to the following items:

 

MENU

DESCRIPTION

Analysis

 

Sets access to specific process information in the various Process Analysis tools.

 

If access is denied for a specific process, you can still open the Reports menu, but cannot view that process in Business Activities Monitoring (BAM), Sensors Analytics, or Process and Task Analytics.

Applications

Sets access to applications. These permissions are granted for each application individually.

 

If permission is denied for a specific application, then you cannot create new cases for any processes that belong to that application or view cases related to such processes in your Inbox.

 

You can still be assigned to tasks of a process that belongs to a restricted application, despite not having access rights to the application. For this reason, take care when implementing this restriction.

Entities

Sets administration privileges for Parameter entities in the Work Portal. These permissions are granted for each entity individually.

 

The administration privileges that can be set are:

 

Full Control: Permits total administration of an entity. You can create new records of the specified entity and view and modify existing entities.

 

View Data: You can only view records of the entity. Changes to data are not permitted.

 

Modify: You can view and modify the records of the entity, but cannot create new records.

 

Create: You can create new records for the entity, but cannot modify the existing records.

Manage

Manages Alarms, Asynchronous Work Items, Cases, Default Users and Profiles.

New Cases

Sets permission to create new cases. These permissions are granted for each process individually.

 

If permission is denied for a specific Process, you cannot create new cases of that Process; however, you may still be assigned to activities belonging to such a restricted process.

Pages

Controls access to the menu and sub-menu pages of the Work Portal. These permissions are granted for each page individually.

 

IMPORTANT: In the Analysis menu, the permissions applied to All Reports cascade down to all sub-menus. If access is denied in All Reports, you cannot access any of its features or lower-level directories (sub-menus).

 

Policies

Sets access to policies. These permissions are granted for each policy individually.

 

If access is denied for a specific policy, the restricted policy is not visible in the Business Policies menu of the Work Portal; consequently, you cannot access it.

Queries

Sets access to case queries. These permissions are granted for each query individually.

 

If access is denied for a specific query, the related form of the restricted query is not visible in the Queries menu of the Work Portal.

Vocabularies

Sets access for vocabulary management. These permissions are granted for each definition individually.

 

If access is denied for a specific definition, the vocabulary definition is not visible in the Business Policies menu of the Work Portal; consequently, you cannot modify it.

 

LDAP import settings

You can edit the connection and configuration parameters for importing users from your LDAP system.

 


 

When editing the specifics of the connection to your LDAP and of how the synchronization of users is carried out (e.g., the time at which it is scheduled), consider these settings:

 

Setting

Description

Connection

LDAP URL

The URL path to access the LDAP server (LDAP URL format).

Domain\username

A username and its domain, to be used as the authenticated user performing the synchronization.

Password

The password for the domain's authenticated user performing the synchronization.

Synchronization hour

The hour of the day at which the Scheduler performs the LDAP synchronization.

Allowed values for this field are 0 to 23.

Import settings

Filter

Enter a filter to import only the appropriate accounts into your project (based on LDAP attribute criteria).

We strongly recommend that you set a filtering condition to import the proper set of users (especially when testing the configuration).

View more information about filter options at LDAP attributes.

Domain

The domain name to which the users will be registered in Bizagi's user entity (WFUser).

User account identifier

The LDAP attribute which identifies in a UNIQUE manner each account. For example, sAMAccountName is the common LDAP attribute corresponding to a user's account name.

 

When editing the attribute mappings (which set how information incoming from your LDAP is updated in Bizagi users), you can add, edit or delete mapping rows under the definition of the Attribute mapping tab:

 


 

When editing the default values taken by some of the user information fields in Bizagi, you can add, edit or delete rows under the definition of the Default values tab:

 


 

Note: Do NOT set the enabled attribute to true unless you are completely certain that your current license supports the number of imported users.

If the number of active users is greater than the number of licensed users, the Work Portal will stop working.

 

You can test this configuration (especially recommended if you changed critical aspects such as the LDAP filter) and see the records found under Test results:

 


 

Note: Testing the configuration does not carry out an immediate synchronization into Bizagi's database.

This is for testing purposes only and nothing is persisted; the Scheduler service is in charge of executing your final configuration.

 

Important

You can initially define the Security module options (the Authentication options and LDAP synchronization) for the Production environment of your Bizagi project from the Development environment (that is, LDAP or any other configuration related to the Work Portal's authentication method).

 

After your project is deployed to Production, these settings for that environment can no longer be edited from the Development environment (they must be edited in the Management Console).

For the Test environment, values can be redefined in the Development environment (through Bizagi Studio), so that a new deployment overwrites those values in the test environment.

You need to use the Management Console in the Production environment to edit defined Authentication and LDAP settings.

 

Note: This does not apply to Authorization configurations, which can be managed in Production directly through the Management Console, and are always overwritten in Production with the incoming values from Development when you execute a deployment.