2 Security Features

This chapter describes the available security features of the Xstore Office Cloud Service.

Security Model

Xstore Office Cloud Service integrates with Identity Cloud Service (IDCS) or Oracle Cloud Infrastructure Identity and Access Management (OCI IAM) for Identity Management (that is, storing user information), for securing REST services using the Open Authorization (OAuth) 2.0 and Secure User Authentication via the OAuth 2.0 and OpenID Connect (OIDC) protocols.

A Reverse Proxy is in place that intercepts all incoming requests to Xstore Office Cloud Service and authorizes and/or authenticates the requests based on the Xstore Office Cloud Web Tier Policy defined in IDCS or OCI IAM.

Xstore Office Cloud Service Provisioning

During Xstore Office Provisioning, Xstore Office OAuth Clients (or Apps) are created in IDCS or OCI IAM with custom AppRoles. The Custom AppRoles are used to perform additional Application Level authorizations in addition to Application Level Privilege authorizations.

At the time of provisioning, a Customer Administration User is also created, who initially, is the sole user with access to the Xstore Office Cloud Service application. It is the responsibility of the Customer Administration User to create users with the appropriate privileges for functionality that will become available to them. It is recommended that users are granted the least level of access they require to perform their duties.

Authentication

Xadmin delegates the login to IDCS or OCI IAM. Therefore, it does not prompt the user to login and does not store any user credentials. Instead, when a user accesses Xadmin, the Reverse Proxy determines whether this user's session already exists in IDCS or OCI IAM. If so, it forwards to Xadmin. If this user's session does not exist, then the Reverse Proxy redirects to IDCS or OCI IAM prompting the user to enter their credentials. If the user successfully authenticates in IDCS or OCI IAM, then the request is forwarded to Xadmin. Once at Xadmin, additional application level authorization is performed to determine the user's role and privileges granted to the user in order to display the appropriate features that the user is authorized to access.

For details on how users are created and provisioned, see the Creation of Users section.

Multi-Factor Authentication (MFA)

IDCS or OCI IAM provides the ability to enable Multi-Factor Authentication. For more information on enabling Multi-Factor Authentication, see the Oracle Cloud Administering Oracle Identity Cloud Service Guide or the Oracle Cloud Infrastructure Documentation.

Access Control

Xcenter REST APIs are secured with OAuth 2.0 protocols and use OAuth tokens. When Xcenter REST Services are invoked, the Reverse Proxy intercepts the requests, uses the OAuth 2.0 protocol to authorize the OAuth tokens and forwards the request to Xcenter. Xcenter then examines the tokens and performs additional application level authorization by examining the tokens to see if they were requested by an OAuth Client that was granted specific AppRoles defined in IDCS or OCI IAM when Xstore Office OAuth Clients were provisioned. If the token contains the necessary AppRole Grants, Xcenter provides access to the endpoint and the appropriate response is returned.

For details on how users are created and provisioned, see the Creation of Users section.

Security Audit

User Identity (account name or IP address) is recorded in the application logs when accessing Xadmin or invoking Xcenter REST APIs. In addition, date, time, information, software or configuration changes are also recorded in the application logs.

IDCS or OCI IAM provides several reports that are detailed in the Oracle Cloud Administering Oracle Identity Cloud Service Guide or the Oracle Cloud Infrastructure Documentation.

Credential Rotation

All credentials in use within the Xstore Office Cloud Service will be rotated on a regular schedule.