
Security

ProactivePack security uses a system of users and groups to determine which permissions users have in the product.

Users are first authenticated using one of the following mechanisms:

  • HTTP server authentication (Active Directory, htaccess, …) – this is still supported but is deprecated
  • Local authentication – simple solution where users are stored in ProactivePack
  • TSPS – using the TrueSight presentation server authentication
  • SAML
  • Custom

After users are authenticated, they are assigned to one group by ProactivePack. This assignment can be done using local associations, or by integrating with a directory service or a custom mapping mechanism based on a script or a PHP function.

Groups provide permissions on modules, actions within modules, and specific options within actions.

Specific, individual user permissions can be set to override group-level permissions everywhere. This is an advanced configuration that can only be performed from a text editor.

The overall process is shown in this figure:


 

Note: Modifications to the file Default.ootb are not supported.

 

Authentication

ProactivePack relies on the web server for user authentication. In the simplest configurations, user authentication can be achieved using the “htaccess” feature of Apache or the “basic authentication” feature of IIS. Other authentication mechanisms can of course be implemented, depending on what your web server supports and what your requirements are.

Local authentication

This is the default mechanism (note: since version 24.01) – users and passwords are stored locally in the ProactivePack software.

TrueSight authentication

If you use BMC TrueSight (10.x or 11.x), you can use TrueSight to authenticate users in ProactivePack.

To enable BMC TrueSight authentication:

1. The parameters ExternalAuth, ExternalAuthType and ExternalLoginURL must be set in the Global Configuration. See that section for details.

2. All other authentication mechanisms (htaccess, AD, etc.) on the HTTP server must be disabled.

 

SAML authentication

To enable SAML authentication:

1. The parameters ExternalAuth, ExternalAuthType and ExternalLoginURL must be set in the Global Configuration. See that section for details.

2. The SAML metadata must be imported in ProactivePack. To do so, navigate to Administration -> ProactivePack -> Global, then click on the 3-dots menu and select “Load a SAML XML file”.


3. All other authentication mechanisms (htaccess, AD, etc.) on the HTTP server must be disabled.

Note: SAML authentication only provides user authentication. Once authentication is done, group association is done in ProactivePack; see the section below.

Note: For the generation of report emails and Self-ServiceMonitoring import tasks, an application user with the ability to log into TSPS must still be provided.

 

User Overwrite

It is possible to overwrite the user passed by the authentication mechanism using the “UserOverwrite” parameter of the global configuration.

The format of the UserOverwrite parameter must be as follows:

  • UserOverwrite =custom:<php file name>:<php function name>

 

The PHP file must be placed under $PRODUCT_HOME/data/Global and it must contain the function <php function name>.

The PHP function itself takes no argument and must return a valid user name.

For example:

UserOverwrite =custom:GetUser.php:GetUser

GetUser.php:

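<?php
// Called by ProactivePack with no argument; must return a valid user name.
function GetUser()
{
    $headers = apache_request_headers();
    // Use the "uid" request header as the user name when it is present and non-empty.
    if (isset($headers["uid"]) and ! empty($headers["uid"]))
    {
        $User = $headers["uid"];
    }
    else
    {
        // No usable header: fall back to the "guest" user.
        $User = "guest";
    }
    return $User;
}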
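
The GetUser example above returns whatever value arrives in the uid request header, so it should only be used when that header is set by a component you control, such as a reverse proxy or SSO gateway that strips any client-supplied copy. The variant below is an added example, not ProactivePack's own code: it accepts the header only from a trusted proxy address and only when the value looks like a user name. The proxy addresses, the user-name pattern and the helper name ResolveUser are assumptions to adapt to your deployment.

```php
<?php
// Added example, not ProactivePack code.
// Assumptions: the "uid" header is set by a reverse proxy / SSO gateway at one of
// the addresses below, and user names match the pattern below.

const TRUSTED_PROXIES = ['127.0.0.1', '::1'];             // constructed sample values
const USER_PATTERN    = '/\A[A-Za-z0-9._@-]{1,64}\z/';    // assumed user-name format

// Hypothetical helper: decides the user from the peer address and request headers.
function ResolveUser(string $remoteAddr, array $headers): string
{
    // Only the trusted proxy may assert an identity; any other peer gets "guest".
    if (!in_array($remoteAddr, TRUSTED_PROXIES, true)) {
        return 'guest';
    }

    // HTTP header names are case-insensitive; normalise before the lookup.
    $headers = array_change_key_case($headers, CASE_LOWER);
    $uid = $headers['uid'] ?? '';

    // Reject non-strings, empty values and anything outside the expected format.
    if (!is_string($uid) || preg_match(USER_PATTERN, $uid) !== 1) {
        return 'guest';
    }
    return $uid;
}

// Entry point referenced by: UserOverwrite =custom:GetUser.php:GetUser
function GetUser()
{
    // apache_request_headers() may be unavailable depending on the SAPI in use.
    $headers = function_exists('apache_request_headers') ? apache_request_headers() : [];
    return ResolveUser($_SERVER['REMOTE_ADDR'] ?? '', $headers ?: []);
}
```

The proxy itself must remove any uid header sent by the client before adding its own; the address check only limits which peer is allowed to assert an identity.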