Setting up security for multiple sources

A Security Source is a kind of connector that enables users to log into OnePart using credentials from a third-party source such as SmarTeam, SolidWorks PDM, or ActiveDirectory.

This task shows you how to:

Context:

If you need to secure documents coming from multiple data source types, you must configure the Multi-security source accordingly. For example, if you have both:

  • A SmarTeam and a filesystem source

OR

  • Several Files (filesystem) connectors and a SolidWorks PDM source, etc.

Since OnePart requires users to be logged in, OnePart MUST always have a security source configured, even if there is no need to apply security to files. For details on the default security sources, see About Security.

Sample scenario

This section uses the Files (filesystem) and SolidWorks PDM connector scenario as an example. Don’t worry if you don’t use SolidWorks PDM: the process is the same for other PLM data sources such as SmarTeam or Enovia.

In our sample scenario, your documents come from two different types of connectors, each with its own security rules:

  • the first one is based on your SolidWorks PDM instance

  • the second one is based on your filesystem security (LocalWindowsSecurity or ActiveDirectory).

Decide how to authenticate & authorize

When working with multiple security sources, you must specify whether each source is used for authentication or not. A source not used for authentication is treated as an authorization security source. If you use only one security source, it performs both authentication and authorization.

  • Authentication security source: checks if the user is who she claims to be, by validating the user name and password. You must have at least one authentication security source.

  • Authorization security source: checks if the user is allowed to access this data source, by collecting ACLs for a login. All the other, secondary, security sources can be authorization sources only. A password is optional: if the password entered is rejected by an authorization source, the login still succeeds. This is useful for security sources where not all users are present.

How to retrieve security tokens

OnePart multi-security source provides two ways to retrieve access tokens from authentication when you have multiple authentication sources.

  • Merge: retrieves the access tokens for all security sources where the user successfully authenticates. This is the most common configuration.

  • First: only retrieves the access tokens from the first security source where the user successfully authenticates. As a result, this user will not be able to access documents from any other data source. Typically, you’d only use this configuration when there are several different systems that are mutually exclusive.

Merge

Merge will:

  • try to authenticate you on each source that has the Authenticate option checked, AND

  • retrieve access tokens for that user from all security sources that have the Authorize option checked.

In our example, this means your users will authenticate on EPDM only, but can see all documents for which they have access in both EPDM and the File system.

First

First will authorize a user on the first security source on which authentication is successful. You will define the order of the individual security sources when you add them to the multi-security source.

In our example, you have a Local Windows Security Source and a SolidWorks PDM security source.

If you enter your Windows login and password to connect to OnePart when the local Windows security source (app_local) is the authentication source, this is considered a successful authentication. In this case, the user will not be authorized on the SolidWorks PDM security source and so will not have access to SolidWorks PDM documents.

Important: Even if a user’s login and password are identical in both Windows and SolidWorks PDM, when using First the user will only have access to documents secured by the first security source where he was authenticated.
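The following is an added example, not code from the OnePart product or its documentation: a small model of the Merge and First behaviour described above, written to make the difference concrete. The SecuritySource class, the resolve_tokens function, the token strings and the user directories are all constructed for this illustration; the product's real security sources, token formats and class names are assumptions here and are not documented on this page.

```python
from dataclasses import dataclass, field


@dataclass
class SecuritySource:
    """One entry of the multi-security source (hypothetical model, not the product's API)."""
    name: str
    authenticate: bool           # the "Authenticate" option of the entry
    authorize: bool = True       # the "Authorize" option of the entry
    # Constructed sample directory: login -> (password, access tokens / ACLs)
    users: dict = field(default_factory=dict)

    def check_password(self, login: str, password: str) -> bool:
        entry = self.users.get(login)
        return entry is not None and entry[0] == password

    def tokens_for(self, login: str) -> set:
        entry = self.users.get(login)
        return set(entry[1]) if entry else set()


def resolve_tokens(sources, mode, login, password, forced_tokens=()):
    """Model of the Type = Merge / First behaviour. Returns the user's access
    tokens, or None when no authentication source accepts the credentials."""
    if mode not in ("Merge", "First"):          # the Type value is case sensitive
        raise ValueError("Type must be exactly 'Merge' or 'First'")
    auth_sources = [s for s in sources if s.authenticate]
    if not auth_sources:
        raise ValueError("at least one authentication security source is required")
    accepted = {s.name for s in auth_sources if s.check_password(login, password)}
    if not accepted:
        return None                              # login refused
    if mode == "First":
        # Only the first source, in configured order, that accepted the credentials
        first = next(s for s in auth_sources if s.name in accepted)
        tokens = first.tokens_for(login) if first.authorize else set()
    else:
        tokens = set()
        for s in sources:
            if not s.authorize:
                continue
            # An authenticating source only contributes tokens when it accepted
            # the password; an authorization-only source does not check it.
            if s.authenticate and s.name not in accepted:
                continue
            tokens |= s.tokens_for(login)
    # Forced tokens are granted to every logged-in user, whatever the sources say
    return tokens | set(forced_tokens)


# Constructed sample data for the page's scenario: "ec6" is the OnePart login,
# "winpass" the Windows password (logins that differ per source are the login handler's job)
EPDM = SecuritySource("EPDM", authenticate=True,
                      users={"ec6": ("winpass", {"epdm:vault:projects"})})
APP_LOCAL = SecuritySource("app_local", authenticate=False,
                           users={"ec6": ("winpass", {"fs:group:engineering"})})


def merge_scenario():
    """Page's Merge example: authenticate on EPDM only, see documents from both sources."""
    return resolve_tokens([EPDM, APP_LOCAL], "Merge", "ec6", "winpass")


def first_scenario():
    """Page's First example: both sources authenticate, local Windows source listed first."""
    local_auth = SecuritySource("app_local", authenticate=True, users=APP_LOCAL.users)
    return resolve_tokens([local_auth, EPDM], "First", "ec6", "winpass")


def merge_both_authenticate_different_password():
    """Authenticate checked on both, EPDM password differs: EPDM documents stay hidden."""
    epdm_other = SecuritySource("EPDM", authenticate=True,
                                users={"ec6": ("pdmpass", {"epdm:vault:projects"})})
    local_auth = SecuritySource("app_local", authenticate=True, users=APP_LOCAL.users)
    return resolve_tokens([local_auth, epdm_other], "Merge", "ec6", "winpass")


if __name__ == "__main__":
    print("Merge:", merge_scenario())
    print("First:", first_scenario())
    print("Merge, both authenticate, different PDM password:",
          merge_both_authenticate_different_password())
```

Running the three scenarios shows why the page recommends Merge: with First, a user whose credentials are identical in both systems still receives tokens from the first source only, and with Authenticate checked on both sources a differing PDM password silently hides the PDM documents rather than failing the login.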

Configure the login handler

If user logins are not the same in all the security sources, you will need to configure login handling. Out of the box, OnePart provides a login handler implementation as a plugin, based on a sample mapping file, loginHandler.csv.

This csv file provides instructions for how to handle a user’s authentication login for the “non-authenticated” security sources.

Example

If you want to be able to use a different login on several sources, here is a loginHandler.csv example:

ec6,EPDM,admin

Where:

  • ec6 is my login for OnePart

  • EPDM is the name of a security source

  • admin is the login used in the SolidWorks PDM security source (and in my SolidWorks PDM source)

You must modify this file for your initial setup, and each time you add a new user to OnePart.

To configure login handling

  1. Go to the \datadir\config folder of your OnePart installation.
  2. Rename loginHandlerSample.csv to loginHandler.csv.
  3. Edit this loginHandler.csv configuration file with your required values. For example:

    myWindowsLogin1,EPDM,myEPDMLogin1
    myWindowsLogin1,OtherSource,myOtherSourceLogin1
    myWindowsLogin2,EPDM,myEPDMLogin2
    myWindowsLogin2,OtherSource,myOtherSourceLogin2

    Where:

      • myEPDMLogin(1|2) is the login users enter to log into OnePart
      • myWindowsLogin(1|2) is the user's Windows login.

    Note:

    The Name value must be exactly the same as the target security source (here the local Windows security source).

  4. To activate this login translation you need to fill in the Login rewriter class of the LWS security source. The value is com.exalead.apps.security.sources.ConfigFileBasedLoginHandler
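As an added example, not the product's ConfigFileBasedLoginHandler or any code shipped with OnePart, here is a parser for the loginHandler.csv format described above, with the two checks a practitioner wants before deploying the file: rejecting malformed or duplicate rows, and flagging rows whose security source name does not exactly match a configured source (the note above requires an exact match). The sample file contents, the source name OtherSource and the function names are constructed for this illustration; the fallback of using the OnePart login unchanged when no row matches is an assumption about the handler's behaviour, not something this page states.

```python
import csv
import io

# Constructed sample loginHandler.csv (not the loginHandlerSample.csv shipped with the product)
SAMPLE_CSV = """\
ec6,EPDM,admin
ec6,OtherSource,e.carter

jdoe,EPDM,jdoe_pdm
"""


def load_login_handler(text: str) -> dict:
    """Parse rows of the form <OnePart login>,<security source name>,<login on that source>.

    Returns {(onepart_login, source_name): source_login}. Blank lines are skipped;
    rows with the wrong column count or duplicate (login, source) pairs raise ValueError.
    """
    mapping = {}
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row or all(not cell.strip() for cell in row):
            continue
        if len(row) != 3:
            raise ValueError(f"line {lineno}: expected 3 columns, got {len(row)}")
        onepart_login, source_name, source_login = (cell.strip() for cell in row)
        if not (onepart_login and source_name and source_login):
            raise ValueError(f"line {lineno}: empty column")
        key = (onepart_login, source_name)
        if key in mapping:
            raise ValueError(f"line {lineno}: duplicate mapping for {key}")
        mapping[key] = source_login
    return mapping


def rewrite_login(mapping: dict, onepart_login: str, source_name: str) -> str:
    """Login to present to source_name for a user who logged into OnePart as onepart_login.

    Source names are compared exactly (case sensitive). Assumed fallback: with no
    matching row the OnePart login is passed through unchanged.
    """
    return mapping.get((onepart_login, source_name), onepart_login)


def unknown_sources(mapping: dict, configured_sources) -> list:
    """Source names used in the file that do not exactly match a configured security source.

    A near miss such as "epdm" versus "EPDM" ends up here, which is the misconfiguration
    that silently leaves a user's login unrewritten.
    """
    configured = set(configured_sources)
    return sorted({src for (_, src) in mapping if src not in configured})


if __name__ == "__main__":
    table = load_login_handler(SAMPLE_CSV)
    print("ec6 on EPDM ->", rewrite_login(table, "ec6", "EPDM"))
    print("unmatched source names:", unknown_sources(table, {"EPDM", "app_local"}))
```

Run unknown_sources against the names shown under Search > Security Sources in the Administration Console each time the file is edited; an empty list means every row can actually take effect.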

Configure the multi-security source

Before you begin:

This procedure assumes you have already done the following:

The OnePart multi-security source manages all your security sources so users only need to log in once.

You must specify which of these sources are for authentication. The other sources will be used for authorization only.

Important: If a source has the option Authenticate selected then access rights to documents from the associated connector will be visible only if you have entered a valid username / password for this security source in the OnePart login page.

To configure the security source

  1. Log in to the Administration Console with the Login / Password: app-admin / exalead
  2. Go to Search > Security Sources.
  3. Click app_login.
  4. For Type, specify how OnePart is to retrieve security tokens: either Merge or First. This value is case sensitive. See also How to retrieve security tokens.
  5. Forced tokens are used in advanced mode. This field contains security tokens that you want to be added to all connected users.

    Note:

    Use this option with care: it can cause security problems, because it grants access rights on a given set of documents to all users.

  6. To add a new item, click the Sources section and click Add item.

  7. In Item 2, configure the following:
    1. Enter ePDM in the Name field to add the SolidWorks PDM security source.
    2. Deselect the Authenticate option.
    3. Enter com.exalead.apps.security.ConfigFileBasedLoginHandler in the Login rewriter class field.
  8. Click Apply.

If your login is the same for Windows and PDM, then you will be able to log in and view documents in OnePart coming from both the Files (filesystem) connector and the SolidWorks PDM connector.

In this example, the users might have different passwords in the sources: OnePart only checks the Local Windows password.

If users have different logins in the different sources, you must set up a Login handler. We provide a default implementation:

com.exalead.apps.onepart.security.ConfigFileBasedLoginHandler

If you have checked Authenticate on both the SolidWorks PDM and LWS sources, you will not see documents from the SolidWorks PDM source if your Windows login / password is different from your SolidWorks PDM one.