Default users configuration


Overview

By default, two users are delivered in each of your cloud environments. The first is the domain\admon user, which Bizagi projects use internally as a system account. The second is delivered specifically to you as a customer so that you have a default admin user that can log into the Work portal to get started with your cloud environment. This second user is referred to here as the "blank environment" user, and its purpose is to let you log into the Work portal initially if needed. The "blank environment" user should no longer be needed once you have rolled out your processes to production and have your full set of real users registered there.

 

There are important configuration recommendations for these two users, described below, that you should consider in a production environment in order to follow security best practices.

 

General authentication recommendation

As a general recommendation, Bizagi strongly suggests that customers use integrated authentication (with your corporate Identity Provider). In addition to being a best practice for user management, it also covers a first basic recommendation, which is disabling Work portal access for these two users. This is accomplished by configuring your project to use integrated authentication: with this, both users (the domain\admon user and the "blank environment" user) lose access to the Work portal, given that they are not defined at your Identity Provider.

 

If you are not going to use integrated authentication and want to use these users (not recommended), then a strong password must be in place, along with all the regular security policies applicable to accounts (such as not sharing the account, ensuring the password is known by only one person, changing it periodically, etc.).

 

Users configuration recommendations

Regardless of using integrated authentication or not, there are still recommendations to work best with these users:

 

Regarding the domain\admon user:

1. Access rights or overall access for this user to the Work portal should be restricted. For instance, login access for this user should be disabled (locked account), and authorization entries should deny this user from working on processes as well.

2. The domain\admon user should always be enabled in Bizagi (set as active).

 

Regarding the "blank environment" user:

1. Access rights or overall access for this user to the Work portal should be restricted. For instance, login access for this user should be disabled (locked account), and authorization entries should deny this user from working on processes as well.

2. The "blank environment" user should be disabled in Bizagi (not set as active) once you have other users registered at the Work portal.

 

How to achieve these recommendations?

Carry out the following steps to ensure you apply the recommendations mentioned above.

 

Note: The following configurations may change or be ignored when authentication is done with an external Identity Provider (integrated authentication).

 

1. Grant access rights to options and processes to the appropriate user profiles.

You may do this in Bizagi Studio in the development environment; however, what matters is that you can manage and review these settings for your production environment (through the Management Console).

 

Configure the items in the Authorization module (in the Security section), making sure you explicitly authorize only the appropriate user profiles (defined either by role or by user group):

 


 

Click Ok to save the changes made.

 

Note that although you should configure and review all of these, the most important items to configure are: Applications, Pages, New cases, and Queries. Ideally, both the domain\admon and the "blank environment" users should be left out of the authorization for admin tasks and for working on processes overall.

 

Note: Make sure that there is at least one user active and authorized to manage users within the Work portal.

 

2. Enforce strong passwords and secure account policies.

Only if you use Bizagi's own authentication instead of integrated authentication, and only if you want to use these two default users to log into the Work portal (not recommended), configure the parameters that enforce secure account and password policies (as dictated by security best practices).

 


 

The initial authentication configuration is as follows:

 

Maximum number of login attempts (before account lockout): 4.

Account lockout duration: 30 minutes.

Password expiration date: 14 days.

Idle account lockout: 30 days.

Idle session timeout: 20 minutes.

Password policies:

Must have at least 1 letter.

Must have at least 1 number.

Must not have sequences.

Must not be less than 8 characters.

Must not exceed 12 characters.

 

We recommend reviewing the default values and explicitly defining these settings:

 

Explicitly enforce password change after first login (ON)

Enable multi-factor authentication (ON)

Enforce use of capital letters in passwords (ON)

Enforce use of small letters in passwords (ON)

Enforce use of numbers in passwords (ON)

Enforce use of special characters in passwords (ON)

Idle sessions time-out (5-10 minutes)

Minimum length of passwords (8 characters)

Maximum number of failed login attempts (3-4 failed attempts).
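As an added illustration (not part of the Bizagi documentation or product), the following Python checker encodes the initial password policy listed above and the stricter recommended one, so you can see which passwords each would reject. This page does not define what a "sequence" is, so the code assumes three or more consecutive ascending or descending characters (such as "abc" or "321").

```python
# Added example, not Bizagi code: checks a password against the policies on this page.
# Default policy: 8-12 characters, at least 1 letter, at least 1 number, no sequences.
# Recommended policy: additionally requires capital, small, numeric and special characters.
import string
from dataclasses import dataclass
from typing import List


@dataclass
class PasswordPolicy:
    min_length: int = 8
    max_length: int = 12
    require_upper: bool = False
    require_lower: bool = False
    require_special: bool = False
    forbid_sequences: bool = True
    seq_len: int = 3  # assumption: a "sequence" is 3+ consecutive stepping chars


def has_sequence(pw: str, n: int) -> bool:
    """True if pw contains n characters in a row that step by +1 or -1 (e.g. 'abc', '321')."""
    for i in range(len(pw) - n + 1):
        chunk = pw[i:i + n]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def check_password(pw: str, policy: PasswordPolicy) -> List[str]:
    """Return the list of violated rules; an empty list means the password is compliant."""
    problems = []
    if len(pw) < policy.min_length:
        problems.append(f"shorter than {policy.min_length}")
    if len(pw) > policy.max_length:
        problems.append(f"longer than {policy.max_length}")
    if not any(c.isalpha() for c in pw):
        problems.append("no letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no number")
    if policy.require_upper and not any(c.isupper() for c in pw):
        problems.append("no capital letter")
    if policy.require_lower and not any(c.islower() for c in pw):
        problems.append("no small letter")
    if policy.require_special and not any(c in string.punctuation for c in pw):
        problems.append("no special character")
    if policy.forbid_sequences and has_sequence(pw, policy.seq_len):
        problems.append("contains a sequence")
    return problems


DEFAULT_POLICY = PasswordPolicy()  # the initial configuration described on this page
RECOMMENDED_POLICY = PasswordPolicy(require_upper=True, require_lower=True, require_special=True)
```

A password that passes the default policy can still fail the recommended one, which is why the page suggests turning the extra character-class rules on.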

 

Ensure you save each of the values you modified.

 

3. Disable access to the Work portal and others.

Do this directly in the Work portal (at least in the production environment). From the Users section in the User management menu, apply the following settings to the two default users:

First, ensure you set a strong password for these users and tick the Locked Account checkbox.

 


 

Then, in the Organizations tab, make sure these users do not have the Administrator position.

 


 

Finally, in the User configuration tab, ensure that these users have been assigned only the roles or skills appropriate to your authorization configuration (this usually means they should have no roles or skills at all).

 

For the domain\admon user, it is very important that it is marked as Active (the "blank environment" user can be set as inactive as soon as you have other users).

 


 

Remember to save your changes before closing the window.

After this, you can check that the domain\admon user can no longer log into your Work portal, while timers and other automatic tasks are still carried out by Bizagi.

 

Note: Make sure that there is at least one user active and authorized to manage users within the Work portal.