Trusted Access
This applies to: Visual Data Discovery
Symphony provides its own security methodology that allows for machine-to-machine authorization of Symphony resources when embedded in your application (the “parent” application). This is a form of “delegated” authorization where the parent application can determine, on demand, how and when to authorize any given embedded Symphony component to an end-user logged into the parent application. This methodology is called Trusted Access.
Note: insightsoftware recommends using Trusted Access for all embed-related workflows.
Similar to "single sign-on," this arrangement lets users log in once to the parent application and have their security information propagated to Symphony, creating a seamless and secure user experience. This, of course, means that users must not be able to "go around" the parent application and access Symphony directly. Because web applications are stateless, enforcing this requires additional security mechanisms, which Symphony provides to applications through its SecureKey technology.
On request from the parent application, Trusted Access provides a user access token with defined authorization rules that account for user privileges, object permissions, security filters and any specific user attributes used in interpolation. This user access token can then be used in the parent application to serve any Symphony specific embedded components such as dashboards for the respective user. For information on how tokens are initiated and requested in your applications, see Embed Symphony Components Using JavaScript and Trusted Access.
Note: In environments where you use TypeScript for your client-side code, you can use Embed Manager as an npm package. See https://www.npmjs.com/package/logi-embed.
Trusted Access tokens are encrypted when stored in Symphony metadata. The encryption mode used can be set as described in Change the Encryption Mode.
This topic also describes:
The following additional topics provide reference information:
Trusted Access Prerequisites
Every end user must have a Symphony user account defined, unless you are using LDAP autoprovisioning with Symphony. See Manage Users in Symphony.
Trusted Access is enabled by default. If it is disabled, enable Trusted Access by selecting the Trusted Access option on the Security page. See Enable Trusted Access.
Trusted Access Recommendations
For security reasons, we recommend that you use short-lived tokens. Tokens that are valid for less than 10 minutes are recommended. The validity time of a user access token is defined when you register a client with Symphony.
Register a Client
To start using Trusted Access, you first need to register your application as what Symphony calls a client.
Registering a client will generate a client ID and client secret. These credentials can then be used to generate user access tokens for any user in the Symphony platform, as needed.
To register your application as a client, POST to the /api/trusted-access/clients API endpoint. You can also patch, delete, and list Trusted Access clients using the /api/trusted-access/clients API endpoint. See Trusted Access API Endpoints.
Generate a User's Access Token
To generate a user's access token, pass the client ID and client secret using HTTP Basic authentication. To obtain the client ID and client secret, use the /api/trusted-access/clients API endpoint. See Trusted Access API Endpoints.
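The register-then-mint flow described in the two sections above, as an added Node.js example that is not code from the Symphony documentation or the logi-embed package: a server-side token broker in the parent application that keeps the client secret off the browser and enforces the short-lived-token recommendation at registration time. The token endpoint path, the registration body fields, the request body and the response field `token` are assumptions, since this page names only /api/trusted-access/clients.

```javascript
// Added example, not from the Symphony docs or the logi-embed package.
// A server-side token broker for the parent application: the client secret
// stays on the server; the browser only ever receives the short-lived token.

const CLIENTS_PATH = '/api/trusted-access/clients';        // documented on this page
const TOKEN_PATH = '/api/trusted-access/<token-endpoint>'; // ASSUMED placeholder
const MAX_TOKEN_VALIDITY_SECONDS = 10 * 60;                // page recommends < 10 min

// Build the registration body for POST /api/trusted-access/clients.
// Token lifetime is fixed at registration, so the < 10 minute rule is enforced here.
// Field names (name, tokenValiditySeconds) are assumptions, not the real API schema.
function buildClientRegistration(name, tokenValiditySeconds) {
  if (!name) throw new Error('client name is required');
  if (!Number.isInteger(tokenValiditySeconds) || tokenValiditySeconds <= 0 ||
      tokenValiditySeconds >= MAX_TOKEN_VALIDITY_SECONDS) {
    throw new Error(`token validity must be 1..${MAX_TOKEN_VALIDITY_SECONDS - 1} seconds`);
  }
  return { path: CLIENTS_PATH, body: { name, tokenValiditySeconds } };
}

// HTTP Basic credentials from the client ID and secret returned by registration.
function buildBasicAuthHeader(clientId, clientSecret) {
  if (!clientId || !clientSecret) throw new Error('client ID and secret are required');
  return 'Basic ' + Buffer.from(`${clientId}:${clientSecret}`, 'utf8').toString('base64');
}

// Mint a user access token for a user the parent app has already authenticated.
// fetchImpl is injectable so the flow can be exercised without a live Symphony host.
async function requestUserAccessToken({ baseUrl, clientId, clientSecret, username,
                                        fetchImpl = globalThis.fetch }) {
  // Never mint a token for an unauthenticated request: that would let users
  // "go around" the parent application and reach Symphony directly.
  if (!username) throw new Error('no authenticated user; refusing to mint a token');
  const response = await fetchImpl(baseUrl + TOKEN_PATH, {
    method: 'POST',
    headers: {
      Authorization: buildBasicAuthHeader(clientId, clientSecret),
      'Content-Type': 'application/json',
    },
    body: JSON.stringify({ username }), // request body shape is assumed
  });
  if (!response.ok) throw new Error(`token request failed: HTTP ${response.status}`);
  const payload = await response.json();
  if (typeof payload.token !== 'string') throw new Error('no token in response'); // field assumed
  return payload.token;
}
```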
Generate a User's Access Token for Existing Symphony Users
Note: You can only generate tokens for regular users and for administrators.
Generate a User's Access Token for New Symphony Users
Note: You can only generate tokens for regular users and for administrators.