Logi Info includes features, collectively called Logi Security, for securely controlling access to reports and data.
The following topics provide an explanation of the principles behind Logi Security and details of its implementation:
- Authentication - Who is the User?
- Authorization - What is the User Allowed to Do?
- Adding Security to a Logi Application
A companion topic, Working with Logi Security, provides more detailed information for developers, and another one, Logi Security Scenarios , offers step-by-step guidance for implementing security in different circumstances.
About Logi Security
Logi Security provides a flexible mechanism for integrating security features into a Logi application in almost any environment. It lets you can take advantage of the User and Role/Group identification features in Microsoft Windows operating systems, including NT Security and Active Directory domain security, and in other LDAP-based and custom-built security systems.
The Logi Security implementation utilizes the traditional concepts of user authentication and authorization, which are discussed in detail in the following sections.
Security Rights can be assigned to users and then used within a Logi application to restrict users access on these levels:
- Report-level - controls access to report pages.
- Element-level - controls access to portions of reports and report components, and controls report navigation.
- Row-level - controls access to individual data rows.
- Column-level - controls access to individual data columns.
Logi Security gives you, as the developer, complete control over all aspects of report usage.
Working with Logi Add-on Modules
Logi Info Add-on Modules deliver specialized elements and complete applications to users. All are compliant with Logi Security in general and may also have unique constants or security rights that enable access to specific features. Security requirements and settings for add-on modules are discussed in detail in their configuration documents.
Working with LDAP
The Lightweight Directory Access Protocol (LDAP), used for querying hierarchical sets of records, is commonly used to store user and role information. Microsoft's Active Directory, and Oracle's OpenDJ, and Linux OpenLDAP are all examples of LDAP implementations.
In a typical Logi application that uses Logi Security, user credentials entered via a login page are compared against an LDAP server to authenticate the user and retrieve role information. Logi Info includes specialized elements for this purpose, for use with both .NET and Java applications.
Order of Operations
When Logi Security is enabled in a Logi application and a report is browsed, one of the very first things that happens is security processing. Therefore, it's not possible to give users the option to change security-related settings, such as the login domain, at runtime. By the time you could present users with Input controls to select their domain or choose other options, security processing has already occurred.
Working with SSL
Secure Sockets Layer (SSL) is the standard security technology for establishing an encrypted link between a browser and a web server. It ensures that all data passed between the two remains private and complete.
SSL is implemented as a web server configuration and browsers must be able to work with it. Because SSL works with the Transport layer, it does not directly interact with applications. Generally, Logi applications work well with, and are independent of, SSL implementations. No special configuration of a Logi application is required to allow it to work with SSL.
Working with Network Access Servers
Companies that implement central authentication servers using protocols such as TACACS+ and RADIUS will have no difficulty using Logi applications. These protocols, used along with network access servers, generally serve as gatekeepers for access to networks and servers at the communications level. Once access has been granted, the traffic and content from the web servers used to distribute Logi reports operate normally.
In general, security servers that maintain centralized security credentials for users may be accessible as a direct source of credentials for Logi applications. As discussed earlier in the publication, Logi security can work with custom SQL databases that contain security data.
However, the availability of access to these databases, encryption schemes used on the stored data, and other factors make it impossible to state unequivocally that Logi security can access centralized security data in all environments.
Logi Security is compatible with Federal Information Processing Standards (FIPS) security. Specifically, it will work correctly when a user's local or global security policy has its System Cryptography setting configured to "Use FIPS compliant algorithms for encryption, hashing, and signing".