1. Security Guide
  2. Security Features

3 Security Features

Retail Home has several security features that protect the system and its data. See the following sections for more information.

The Security Model

Retail Home's security requirements come from the need to protect application data from unauthorized changes. This is accomplished by the following security features:

  • Authentication - Retail Home services restrict access to users that have been authenticated by the configured security provider.

  • Authorization - Retail Home uses enterprise roles to limit what features individual users can access. OAuth scopes are used to limit access from automated processes.

  • Origin Control - Retail Home services implement the Cross-Origin Resource Sharing (CORS) protocol using a domain allowlist to limit where requests may be made from.

  • Transport Security - The Retail Home client and services communicate via REST calls from the client. The services also make SOAP calls if configured to use an OBIEE instance. These communications need to be secured.

Configuring and Using Authentication and Authorization

Retail Home is deployed behind an Oracle WTSS instance configured to authenticate users against Oracle IDCS or OCI IAM. WTSS authenticates with a single sign on for all applications protected by it, which should include all RGBU applications Retail Home is configured for. WTSS and IDCS or OCI IAM configuration are covered in their respective documentation.

Retail Home checks for authorization against the same IDCS or OCI IAM instance used for authentication.

Automated processes may use OAuth scopes to access specific endpoints of the Retail Home services. The current list of supported scopes is as follows:

  • rgbu:rh:seed - Allows calling the Retail Home Seed Service to seed data for new installs

Configuring and Using the Domain Allowlist

The Retail Home REST services restrict access to clients being served by trusted hosts. This is accomplished using an allowlist of allowed domains. Domains that are not on the allowlist will result in requests being rejected and no CORS headers will be applied to responses. The domain allowlist is generated as part of the container configuration and is not configurable.

Transport Security

To ensure the security of service calls made by Retail Home, follow the following rules when configuring endpoints:

  • Always use TLS encryption. Endpoints should be HTTPS URLs and the servers should be configured to use trusted certificates.

  • Route access through WTSS or equivalent. Make sure all URLs are to the location exposed on WTSS or will otherwise be independently authenticated.