Here at Logi Analytics, one of the most frequently asked questions we hear is, “How do you handle security?” The answer is our security model is essentially your security model: We adopt whatever security our customers are already using.
We base our approach on what we call SecureKey, an adaptive security model that relies on customers’ existing user management systems. This token-based API allows you to reuse your existing authentication and authorization mechanisms to control access to your Logi-powered analytics. With SecureKey, you can leverage your existing security model to control access at the full page level, component level, or down to the row and column granularity of the data. The result is a single, flexible security model that can connect to a database, LDAP, or Active Directory.
We realize that our customers have already invested plenty of time and effort building their security models and setting up various levels of data access. If software engineers have to recreate or replicate authentication and authorization information in Logi, all the time and resources they spent setting up that original security model goes out the window. That’s why Logi applications are built to preserve all security throughout the dashboards and reports our customers build.
Here’s how Logi Security works:
Authentication: Who Is the User?
Authentication is the process of identifying the current user – the “login” or “logon” process that typically associates a user record with a password. For Logi applications, this can be accomplished by relying on operating system security features, by building a custom Logi-based authentication system, or by letting a parent application handle it.
Operating system authentication is most commonly used in intranet/extranet environments where web server or domain administrators can easily maintain the list of valid users. Custom authentication systems generally provide their own user database that can be queried to authenticate users (Logi Security provides a default login page that can be used with these systems).
And for developers who want to extend their own applications by integrating Logi analytics into them, we can do initial user authentication and establish a “single sign-on” relationship using our Logi SecureKey authentication. This technology allows the parent application to identify authenticated users to the Logi application/components by passing a security token.
Once a user is authenticated using one of the above methods, a Logi application has access to an internal username that uniquely identifies the current user and drives the authorization process.
Authorization: What Is the User Allowed to Do?
Authorization determines what an authenticated user is allowed to view and what actions they can perform. Once a user is authenticated, Logi Info authorizes them by granting security rights – either individually or as part of a user group that has already been granted a set of rights.
We give our customers complete control over all aspects of analytics reports usage, including:
- Report level: Controls access to report pages
- Element level: Controls access to portions of reports and report components as well as report navigation
- Row level: Controls access to individual data rows
- Column level: Controls access to individual data columns
When the application runs, rights are represented internally as a string of comma-separated words (for example, “AllUsers, ChicagoStaff, Executives”). When Logi Security is in use and debugging is turned on, you can view this string after the user is authenticated in the Debugger Trace Page.
Most of the elements used to create Logi applications are “security-aware,” which means they have a Security Right ID attribute that restricts their use to users with the specified rights. The example above shows a Data Table Column element that’s configured to show only to users who have the HR_Staff security right.
Using the earlier example, if a user had the Rights “AllUsers, ChicagoStaff, Executives” and the Security Right ID attribute value above was Executives, the user would be able to see the data table column. The attribute will also accept multiple values in a comma-separated list.
Integration: The SecureKey API
In scenarios where a Logi application or Logi components are integrated with or embedded into an existing application—rather than in a separate application—we use SecureKey Authentication. This supports a single sign-on environment and creates a seamless, secure experience for users. When users log in to the parent application, their security information is automatically propagated to other integrated applications.
Here’s how the SecureKey process works
1. The Parent app authenticates the user.
3. The Parent app requests a SecureKey for the user and receives it.
4. The user’s report request, with the SecureKey added to it, is redirected to the Logi app.
6. The requested report is generated and returned to the user.
7. Subsequent report navigation and display within the Logi app relies on the user’s Logi app session.
8. Subsequent report requests from the Parent app need a new SecureKey (back to step #3).
Once a SecureKey is used, it cannot be used again in a different session, and “sharing” keys across clients isn’t possible – the client browser IP address is referenced within the key when it’s created, making it valid only for the client that made the initial request.
This dynamic approach – which enables customers to show certain reports to only certain users, or even modify the reports themselves on the fly based on who is logged into the system – is just one of the many elements that make Logi Security unique.