Overview
By default, there are two users delivered in each of your cloud environments. The first user is known as the domain\admon user, which is employed by the Bizagi projects as an internal system. The second user is delivered specifically to you as a customer so that you have a default admin user that can log into the Work Portal to get started with your cloud environment. This second user will be referred to as the "blank environment" user, and its purpose is to enable you to log into the Work Portal initially if needed. This "blank environment" user should no longer be needed once you have rolled out your processes to production and have your full set of real users registered in there.
There are important configuration recommendations for these two users described below, for you to consider in a Production environment and follow the best security practices.
General authentication recommendation
As a general recommendation, Bizagi strongly suggests customers use integrated authentication (with your corporate Identity Provider). In addition from being a best practice for user management, it also covers up a first basic recommendation which is disabling the Work Portal access for these two users. This is accomplished by configuring your project to use integrated authentication, with this both users (the domain\admon and the "blank environment" users) lose access to the Work Portal (given that these are not defined at your Identity Provider).
If you are not going to use integrated authentication and want to use these users (not recommended), then an explicitly strong password should be in place, along with all regular security policies applicable for accounts (such as not sharing the account, the password is only known by one user, changing it periodically, etc).
Users configuration recommendations
Regardless of using integrated authentication or not, there are still recommendations to work best with these users:
Regarding the domain\admon user:
1.Access rights or overall access for this user to the Work Portal should be restricted. For instance, log in access for this user should be disabled (locked account) and authorization entries should deny this user from working on processes as well.
2.The domain\admon user should be always enabled in Bizagi (set as active).
Regarding the "blank environment" user:
1.Access rights or overall access for this user to the Work Portal should be restricted. For instance, log in access for this user should be disabled (locked account) and authorization entries should deny this user from working on processes as well.
2.The "blank environment" user should be disabled in Bizagi (not set as active) once you have other users registered at the Work Portal.
How to achieve these recommendations?
Carry out the following steps to ensure you applied the recommendations mentioned.
|
The following configurations may change or are ignored when the authentication is done with an external Identity Provider (integrated authentication). |
1. Grant access rights to options and processes to the appropriate user profiles
You may do this in Bizagi Studio in the Development environment. However, what is important is that you can manage and review these settings for your Production environment (through the Management Console).
Configure the items in the Authorization module (Security section) by making sure you explicitly authorize only the appropriate user profiles (either by role or user group definition):
Click OK to save the changes made.
Notice that though you should configure and review all of these, the most important items to configure are: Applications, Pages, New cases, and Queries. Ideally, both the domain\admon and "blank environment" users should be left out of being authorized for admin tasks or to work on processes overall.
|
Make sure that there is at least one user active and authorized to manage users within the Work Portal. |
2. Enforce strong passwords and secure account policies
Only in the event that you use Bizagi's authentication instead of an integrated authentication, and only if you would want to use these two default users to log into the Work Portal (not recommended), then configure the parameters that enforce account and password secure policies (as dictated by security best practices).
The initial authentication configuration is as follows:
•Maximum number of log in attempts (before account lockout): 4.
•Account lockout duration: 30 minutes.
•Password expiration date: 14 days.
•Idle account lockout: 30 days.
•Idle session timeout: 20 minutes.
Password policies:
•Must have at least 1 letter.
•Must have at least 1 number.
•Must not have sequences.
•Must not be less than 8 characters.
•Must not exceed 12 characters.
We recommend reviewing the default values and explicitly defining these settings:
•Explicitly enforce password change after first log in (ON).
•Enable multi-factor authentication (ON).
•Enforce use of capital letters in passwords (ON).
•Enforce use of small letters in passwords (ON).
•Enforce use of numbers in passwords (ON).
•Enforce use of special characters in passwords (ON).
•Idle sessions time-out (5-10 minutes).
•Minimum length of passwords (8 characters).
•Maximum number of failed log in attempts (3-4 failed attempts).
Ensure you save each of the values you modified.
3. Disable access to the Work Portal and others
Do this directly at the Work Portal (this should be done at least in the Production environment). From the Users section in the User management menu, consider the following settings for the two default users:
First, ensure you set a strong password for these users and check the Locked Account checkbox.
Then, in the Organizations tab, make sure these users do not have the Administrator position.
Finally, in the User configuration tab, ensure that these users have appointed the adequate roles or skills according to your authorization configuration (this usually implies that they do not have any roles or skills).
For the domain\admon user, it is very important that is marked as Active (the "blank environment" user can be set as inactive as soon as you have other users).
Remember to save your changes before closing the window.
After this, you can check that the domain\admon user cannot log into your Work Portal, but timers and other automatic tasks are carried out by Bizagi.
|
Make sure that there is at least one user active and authorized to manage users within the Work Portal. |
Last Updated 7/18/2023 9:43:06 AM