Trusted Access
This applies to: Visual Data Discovery
Symphony provides its own security methodology that allows for machine-to-machine authorization of Symphony resources when embedded in your application (the “parent” application). This is a form of “delegated” authorization where the parent application can determine, on demand, how and when to authorize any given embedded Symphony component to an end-user logged into the parent application. This methodology is called Trusted Access.
Similar to "single sign-on," this arrangement allows users to log in once to the parent application and yet have their security information propagated to Symphony, creating a seamless and secure user experience. This, of course, means that users can't be allowed to "go around" the parent application and directly access Symphony. In the stateless world of web applications, this requires some special mechanisms to ensure security that are provided for applications through our SecureKey technology.
On request from the parent application, Trusted Access provides a user access token with defined authorization rules that account for user privileges, object permissions, security filters and any specific user attributes used in interpolation. This user access token can then be used in the parent application to serve any Symphony specific embedded components such as dashboards for the respective user. For information on how tokens are initiated and requested in your applications, see Embed Symphony Components Using JavaScript and Trusted Access.
Trusted Access tokens are encrypted when stored in Symphony metadata. The encryption mode used can be set as described in Change the Encryption Mode.
This topic also describes:
- Trusted Access Prerequisites
- Trusted Access Recommendations
- Register a Client
- Generate a User's Access Token
The following additional topics provide reference information:
Trusted Access Prerequisites
Every end user must have a Symphony user account defined, unless you are using LDAP autoprovisioning with Symphony. See Manage User Definitions.
Trusted Access is enabled by default. If it is disabled, enable Trusted Access by selecting the Trusted Access option on the Security page. See Enable Trusted Access.
Note: If you are installing v23.4 or later, the default admin user (system administrator) can perform all functions the former supervisor user previously performed, and provide authentication for embedded use cases.
Trusted Access Recommendations
For security reasons, we recommend that you use short-lived tokens. Tokens that are valid for less than 10 minutes are recommended. The validity time of a user access token is defined when you register a client with Symphony.
Register a Client
To start using Trusted Access, you first need to register your application as what Symphony calls a client.
Registering a client will generate a client ID and client secret. These credentials can then be used to generate user access tokens for any user in the Symphony platform, as needed.
To register your application as a client, POST to the /api/trusted-access/clients API endpoint. You can also patch, delete, and list Trusted Access clients using the /api/trusted-access/clients API endpoint. See Trusted Access API Endpoints.
Generate a User's Access Token
To generate a user's access token, pass the client ID and client secret to HTTP BasicAuth. To obtain the client ID and client secret, use the /api/trusted-access/clients API endpoint. See Trusted Access API Endpoints.
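The two calls described above (registering a client, then requesting a user's access token with the client ID and secret in HTTP Basic auth), as an added example written in Python's standard library; this is not Symphony's own code. The host, the token endpoint path, the registration body fields, the admin Bearer header and the `username` field are assumptions; only the /api/trusted-access/clients path comes from this page. The requests are assembled but not sent, and the helper refuses to place credentials on a non-HTTPS URL.

```python
"""Added example (not Symphony's code): build the Trusted Access requests without sending them."""
import base64
import json
from urllib.request import Request

# Assumed host; the /api/trusted-access/clients path is the one named on this page.
BASE_URL = "https://symphony.example.com"
CLIENTS_PATH = "/api/trusted-access/clients"
# ASSUMED path for the token call; it is not stated on this page, so confirm it
# against the Trusted Access API Endpoints reference before relying on it.
TOKENS_PATH = "/api/trusted-access/tokens"
MAX_TOKEN_LIFETIME_SECONDS = 10 * 60  # the page recommends tokens valid for < 10 minutes


def lifetime_is_short_lived(seconds: int) -> bool:
    """True when a token validity period follows the short-lived recommendation."""
    return 0 < seconds < MAX_TOKEN_LIFETIME_SECONDS


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """HTTP Basic credentials: base64('clientId:clientSecret'), as the page describes."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def _json_post(url: str, body: dict, headers: dict) -> Request:
    """Build a JSON POST; refuse to put client credentials on a non-TLS URL."""
    if not url.startswith("https://"):
        raise ValueError("Trusted Access credentials must only travel over HTTPS")
    headers = {"Content-Type": "application/json", **headers}
    return Request(url, data=json.dumps(body).encode("utf-8"), headers=headers, method="POST")


def register_client_request(admin_token: str, name: str, lifetime_seconds: int) -> Request:
    """POST to /api/trusted-access/clients to obtain a client ID and secret.
    The 'name' and 'tokenLifetimeSeconds' fields and the admin Bearer header are assumptions."""
    if not lifetime_is_short_lived(lifetime_seconds):
        raise ValueError("token lifetime must be under 10 minutes")
    body = {"name": name, "tokenLifetimeSeconds": lifetime_seconds}
    return _json_post(BASE_URL + CLIENTS_PATH, body, {"Authorization": f"Bearer {admin_token}"})


def user_token_request(client_id: str, client_secret: str, username: str) -> Request:
    """Request a user's access token with the client ID and secret in HTTP Basic auth.
    The 'username' body field is an assumption."""
    return _json_post(BASE_URL + TOKENS_PATH, {"username": username},
                      {"Authorization": basic_auth_header(client_id, client_secret)})
```

The parent application should hold the client secret server-side only; the short-lived user access token is the only value that should reach the browser that renders the embedded component.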