One-Time Access

Post date: Sep 29, 2011 1:16:55 PM

Background

There are many use cases for providing users with access to very specific data within a QBO system. Examples include:

• • Delivering a report to a client by email,

  • Notifying an investor of documents uploaded,

  • Providing third parties access to Valuations 

The qbo.Security module includes a SecurityAccess class and table designed to accommodate such requests.

Key fields in the SecurityAccess table include:

• • Access Reason: any text description of why you are creating the row

  • Person: the user will impersonate this user's account when accessing using one-time access

  • Enabled and Expires: controls the date range around which the access is valid

  • Login duration: once accessed, this controls how long the user can be logged in

  • Login URL: the one-time access will only work when attempting to navigate to this URL; SQL pattern matching is allowed

  • IP Mask: if not null, the one-time access will only work when the user's IP address matches this mask (SQL pattenr matching is allowed)

  • GUID: this is automatically generated, and will be passed on the URL being access in a one-time manner

    • e.g. /Attachment/AttachmentView.aspx?AttachmentID=27&LoginGUID=c1712830-1cef-4e2c-95b5-9ff972224b3b

Configuration

To configure SecurityAccess, do the following:

• • Create a Login role with appropriate permissions

    • Import qbo.Core > Data Tier > qbo.Database.Security > Create Scripts > Setup.SecurityAccess.xml

  • Add a new Security Access row

    • Design > Security > One Time Access > New Item

    • Access Reason: Security Access Test

    • Person: (select an existing user that can successfully log in)

    • Enabled: (today)

    • Expires: 1/1/2020

    • Expire On Login: (unchecked)

    • Login Duration: 20 years 

    • Login URL: /Attachment/AttachmentView.aspx% (note the '%')

  • From another browser session, try it

    • navigate to {site}://Attachment/AttachmentView.aspx?AttachmentID={X}&LoginGUID={Y}

    • {X} = some valid AttachmentID that the SecurityAccess.Person has rights to view

    • {Y} = the GUID generated by the Security Access row automatically

How it Works

The /Security/Login.aspx page is designed to look for a LoginGUID on the query string. If found, at attempt to authenticate with the Security Access row matching the LoginGUID will be made.  

If authentication is successful, the user will be logged into the system, as if they had logged in as SecurityAccess.PersonID.  This means the user can do anything SecurityAccess.PersonID can do. It is critical to ensure that when granting such access, the SecurityAccess.PersonID be configured to an appropriate degree of security.  For example, assume that the goal is to allow a client (Bank of America) access to pre-run reports.  Establish this as follows:

• • Create an AttachmentTemplate to generate the report, and save the report results as an Attachment under the BofA Organization

  • Create a Person called 'bofauser@mydomain.com':

    • grant them access to the BofA Organization

    • grant them permissions to AttachmentSelect

  • Create the SecurityAccess row as above, but include the BofA IP address base as the SecurityAccess.IPMask.