Oracle® Retail Predictive Application Server and Applications Cloud Edition Security Guide Release 19.0 F25911-13
This chapter discusses security for the RPASCE Client.
The factors affecting security are Authentication, Authorization, and Auditing.
User names and passwords for RPASCE users must be created in an Identity Cloud Service (IDCS) or Oracle Cloud Infrastructure Identity and Access Management (OCI IAM) instance. The RPASCE Client uses perimeter authentication: the Oracle Web Tier Security Service (WTSS) fields every HTTP request and redirects the browser to the IDCS or OCI IAM login page when the request lacks the IDCS or OCI IAM session cookie.
Figure 3-1 shows the complete deployment topology of RPASCE, including the authentication enforcement point.
As can be seen in Figure 3-1, RPASCE is deployed as a stack of Docker containers. The deployment process is controlled by configured properties and by other files, such as the mkstore wallets that hold credentials.
User groups that are set up in the IDCS or OCI IAM are authorized to access the RPASCE Client during the deployment process. The rpasce.properties file has entries that control which user group(s) can access the RPASCE client UI and web services.
Users can be added through the IDCS or OCI IAM Admin Console, individually or in bulk from a CSV file. For more information on using IDCS or OCI IAM, see the Oracle Identity Cloud Service online help at https://docs.oracle.com/en/cloud/paas/identity-cloud/index.html or the Oracle Cloud Infrastructure Identity and Access Management documentation at https://docs.oracle.com/en-us/iaas/Content/Identity/home.htm.
When the optional Atomic User Management feature is in use, user accounts are created in and deleted from RPASCE automatically in response to changes in IDCS or OCI IAM.
Without Atomic User Management, you must add users to RPASCE separately, either through the RPASCE Client UI or with an XML file that is uploaded and executed through the SFTP interface, as described in the "System Administration" chapter of the Oracle Retail Predictive Application Server Cloud Edition Administration Guide. You must also delete users from RPASCE when you delete them from IDCS or OCI IAM, so that RPASCE does not retain accounts for identities that no longer exist.
RPASCE authenticates web service calls with OAuth 2.0 via IDCS or OCI IAM. The caller first obtains an OAuth 2.0 access token from IDCS or OCI IAM, presenting the IDCS or OCI IAM client credentials together with the user's own user ID and password. That token is then sent with the RPASCE web service request.
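The token exchange described above, as an added example that is not Oracle's code and not taken from this guide: a small client that performs the OAuth 2.0 resource owner password grant against IDCS (client credentials in the HTTP Basic Authorization header, user ID and password in the form body), caches the returned bearer token, renews it shortly before expiry, and attaches it to the RPASCE web service call. The token endpoint path /oauth2/v1/token is the IDCS OAuth token endpoint; the tenant URL, the scope string "rpasce" and the web service URL are placeholders, and the HTTP transport is injected so the exchange can be exercised offline with a fake.

```python
"""OAuth 2.0 password grant against IDCS, then a bearer-authenticated call.

Added example, not Oracle's code. Assumptions: the IDCS token endpoint is
<tenant>/oauth2/v1/token; scope, tenant and web service URLs are placeholders;
`post` is an injectable transport so the flow can be tested without a network.
"""
import base64
import json
import time
import urllib.parse
import urllib.request


def basic_auth_value(client_id, client_secret):
    """HTTP Basic credential for the OAuth client (RFC 6749 section 2.3.1)."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


class TokenClient:
    """Holds one access token and renews it `skew` seconds before it expires."""

    def __init__(self, idcs_base_url, client_id, client_secret, username,
                 password, scope, post=None, skew=60):
        if not idcs_base_url.startswith("https://"):
            # Client secret, user password and token would otherwise travel in clear.
            raise ValueError("IDCS base URL must use https")
        self.token_url = idcs_base_url.rstrip("/") + "/oauth2/v1/token"
        self.client_id = client_id
        self.client_secret = client_secret
        self.username = username
        self.password = password
        self.scope = scope
        self.post = post or self._urllib_post   # transport: (url, headers, body) -> dict
        self.skew = skew
        self._token = None
        self._expires_at = 0.0

    @staticmethod
    def _urllib_post(url, headers, body):
        req = urllib.request.Request(url, data=body, headers=headers, method="POST")
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.loads(resp.read().decode("utf-8"))

    def token_request(self):
        """Build the password-grant request: client credentials in the
        Authorization header, the user's own credentials in the form body."""
        headers = {
            "Authorization": basic_auth_value(self.client_id, self.client_secret),
            "Content-Type": "application/x-www-form-urlencoded",
        }
        body = urllib.parse.urlencode({
            "grant_type": "password",
            "username": self.username,
            "password": self.password,
            "scope": self.scope,
        }).encode("ascii")
        return self.token_url, headers, body

    def access_token(self, now=None):
        """Return a cached token, or fetch a fresh one when within `skew` of expiry."""
        now = time.time() if now is None else now
        if self._token and now < self._expires_at - self.skew:
            return self._token
        url, headers, body = self.token_request()
        resp = self.post(url, headers, body)
        if resp.get("token_type", "").lower() != "bearer" or "access_token" not in resp:
            # Never fall through with an empty or non-bearer token.
            raise RuntimeError("unexpected token response keys: %s" % sorted(resp))
        self._token = resp["access_token"]
        self._expires_at = now + int(resp.get("expires_in", 0))
        return self._token


def service_request(client, url, payload, now=None):
    """Build the RPASCE web service call. Only the bearer token is sent;
    the user's password never leaves the token exchange."""
    if not url.startswith("https://"):
        raise ValueError("web service URL must use https")
    headers = {
        "Authorization": "Bearer " + client.access_token(now),
        "Content-Type": "application/json",
    }
    return url, headers, json.dumps(payload).encode("utf-8")
```

Renewing before the advertised expiry (rather than on a 401 from RPASCE) avoids sending a request that is known to be about to fail, and keeping the password only inside `token_request` keeps it out of the service call and out of any request logging around it.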
Authorization refers to the selective provisioning of data and the functional access to different classes of users.
No external configuration is available for this. Authorization data is managed within RPASCE. To administer authorizations, the customer must use the RPASCE Client UI itself.
Two authorization roles are available in RPASCE: admin and non-admin. After the server installation, a bootstrap admin user can be added to the RPASCE domain. Once this occurs, other users (admin and non-admin) can be added through the RPASCE Client UI. It is also possible to add users to RPASCE in bulk using a command line utility.
Note that the user groups in IDCS or OCI IAM have nothing to do with authorization (as defined above), except in the limited sense that, to access the RPASCE UI, the user must be a member of an authorized group in rpasce.properties.
Users must be a member of the IDCS or OCI IAM group called "PDS_SERVICES". Cloud Engineering will create this group and other groups that have been defined for the specific RPASCE solution.
For each RPASCE solution, there is a Retail Home configuration file. This file defines the metadata for the Retail Home metric tiles, including the assignment of IDCS or OCI IAM user groups to tiles.
The visible metric tiles in the Retail Home dashboard are the ones assigned to the user's groups.
The customer administrator can define password complexity and rotation rules. All application user maintenance is performed by customer administrators through IDCS or OCI IAM.
The following guidelines are useful.
Enable automatic lockout after a set number of failed login attempts.
Enable password expiration.
Set a password reuse interval so that recently used passwords cannot be chosen again.
Note the following:
Update the browser when new versions are released; they often include new security features.
Check the browser for built-in safety features.
An unattended workstation that is still logged in is accessible to anyone who walks up to it. Users must never leave a workstation unattended while logged into the system, organizations must set a corporate policy for handling unattended PC sessions, and the password-locked screen saver feature must be used on all PCs.