Security
Managed Fusion uses a number of security measures:
- Authenticating UI users – Managed Fusion authenticates users when they log in. Logging in creates a new Managed Fusion session. Managed Fusion also authenticates users when the Sessions REST API creates a session.
- Authorizing UI users – Managed Fusion authorizes users to use specific parts of the Managed Fusion UI. UI users must also be authorized to make API requests, because the UI makes API requests.
- Authenticating and authorizing users who make API requests
- Password encryption – Managed Fusion uses 128-bit AES keys to encrypt passwords and "AES/CBC/PKCS7Padding" for the cipher. The ciphertext is also signed.
- Using session cookies
- Using an external authentication provider (optional) – A security realm can specify use of an external authentication provider, such as LDAP, JWT, or SAML.
- Constraining the documents that are indexed (optional)
- Trimming the documents that are returned by queries based on authorization (optional)
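The password-encryption item above names the cipher (128-bit AES, CBC mode, PKCS7 padding) and states that the ciphertext is also signed. The following Go program is an added illustration of that encrypt-then-sign pattern, not Managed Fusion's own code: it assumes HMAC-SHA256 as the signing algorithm (the page does not name one) and a separate MAC key, and it verifies the signature before any decryption, which is what keeps a CBC/PKCS7 construction safe against tampered ciphertext. Key derivation and key storage are outside its scope.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Seal pads with PKCS7, encrypts with CBC under a fresh random IV, then signs
// iv||ciphertext with HMAC-SHA256 (assumed scheme). Layout: iv || ciphertext || tag.
// block is aes.NewCipher(16-byte key), i.e. AES-128; macKey is a separate key.
func Seal(block cipher.Block, macKey, plaintext []byte) ([]byte, error) {
	out := make([]byte, aes.BlockSize) // IV occupies the first block
	if _, err := rand.Read(out); err != nil {
		return nil, err
	}
	n := aes.BlockSize - len(plaintext)%aes.BlockSize // PKCS7 adds 1..16 bytes
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(n)}, n)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, out).CryptBlocks(ct, padded)
	out = append(out, ct...)
	mac := hmac.New(sha256.New, macKey)
	mac.Write(out)
	return mac.Sum(out), nil // appends the 32-byte tag
}

// Open validates length and tag (constant-time compare) before any decryption,
// so a tampered blob is rejected without exposing padding-check behaviour.
func Open(block cipher.Block, macKey, sealed []byte) ([]byte, error) {
	body := len(sealed) - sha256.Size // everything before the tag
	if body < 2*aes.BlockSize || body%aes.BlockSize != 0 {
		return nil, errors.New("malformed input")
	}
	mac := hmac.New(sha256.New, macKey)
	mac.Write(sealed[:body])
	if !hmac.Equal(mac.Sum(nil), sealed[body:]) {
		return nil, errors.New("signature mismatch")
	}
	pt := make([]byte, body-aes.BlockSize)
	cipher.NewCBCDecrypter(block, sealed[:aes.BlockSize]).CryptBlocks(pt, sealed[aes.BlockSize:body])
	n := int(pt[len(pt)-1]) // strip PKCS7 padding, rejecting malformed bytes
	if n == 0 || n > aes.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return pt[:len(pt)-n], nil
}
```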
Managed Fusion user login
When logging into the Managed Fusion UI, a user provides a username and password, as well as their assigned security realm. An administrator must specify these in Managed Fusion (using the native security realm) or configure Managed Fusion to use an external authentication provider (for example, LDAP or SAML). See Access control.
Managed Fusion uses roles, each defined by a set of permissions, to authorize access to the Managed Fusion UI and to tasks in Managed Fusion, including searching. The recommended method to delegate permissions is as follows:
- Assign each user to a role and create custom roles as needed.
- Assign permissions on a per-app basis.
Manage users with security realms
Managed Fusion uses security realms to authenticate users of the Managed Fusion UI. Each user has an assigned security realm, which the user must select when logging in. If the user selects a different realm, authentication fails.
A security realm also provides a list of roles as follows:
- The list always includes the role(s) that are specified in the security realm.
- (Optional) If an external directory service (such as LDAP) is used for authentication, the list can also contain roles that are mapped from the names of the directory-service groups. That is, you can configure a security realm to return group information for users from that same directory service.
- (Optional) The security realm can reference one or more Managed Fusion roles or, when using an external directory service provider, use group membership information from the provider to determine roles for users. Managed Fusion maps the group names to role names and adds these roles to the user's list of roles.
Managed Fusion does not use permissions from LDAP to authorize UI access or API requests. It only obtains group names (optionally), which are used as role names or are mapped to role names. If an Active Directory Security Query Trimming Stage is used, then directory-service permissions are used for trimming. If a connector supports security trimming, then connector permissions are used for trimming.
Per-Request Authentication
Requests to the Managed Fusion REST API must specify a security realm for per-request authentication, unless a session cookie is used (which contains information about the security realm).
Managed Fusion authorizes requested operations based on the API permissions specified for the user and for the user's role(s). Managed Fusion considers the role(s) specified in the user definition and in the security realm. Managed Fusion builds the list of roles when a session is created, that is, when a user logs in or when the Sessions REST API creates a session. Authorization, based on those permissions and their layering, is evaluated at request time.
You can define multiple security realms for a Managed Fusion instance, which allows users from different domains to have (different levels of) access to specific Managed Fusion collections.