November 24th, 2021
OL Connect Server Authorization
Starting with OL Connect 2020.2, OL Connect Server allows role-based authorization and multiple users. In this article, we explore what this first cut at improving security for the OL Connect Server looks like.
When working with OL Connect, many are unaware that a username and a password are required to be able to print or to automate OL Connect tasks from OL Connect Workflow. That’s because an “ol-admin” user with a preconfigured password is set up by default, and both are also preconfigured in every OL Connect Workflow configuration and in OL Connect Designer.
It’s only when you try to use the OL Connect Server from a client other than OL Connect Workflow or Designer, or when you try to use some of OL Connect’s functionality through scripting, that it becomes apparent you need to specify that username and password in order to use the OL Connect REST API.
With only one username and password, whose default values often remain unchanged even though we all know we should really change them, there is little protecting the OL Connect Server and the data it processes…
In a security-conscious environment, these things need to be handled differently.
Starting with version 2020.2, you can now configure multiple users, allowing you to better control access to the OL Connect Server. For instance, OL Connect Workflow can have its own specific credentials, while users of OL Connect Designer can each have individual credentials to allow them to print jobs.
At installation time, you are asked to set a username and password for the first user. The suggested name is “olc-user”, but you are free to choose a different name (and yes, you can still use ol-admin if you’re feeling nostalgic!). A password is required.
If you are updating an existing system from a version older than 2020.2, then the existing ol-admin user and its password are retained by default. But you should still change them!
Once installation is complete, you can go into the OL Connect Server Configuration tool and add more users.
For instance, you may want to create a user account for OL Connect Workflow, and a different one for people printing from the OL Connect Designer. But if, for example, there are 3 people expected to be printing from Designer, then it can make sense to give each of them their own credentials.
New installations of OL Connect Designer and OL Connect Workflow no longer get a default user for connecting to the OL Connect Server. So these will need to be set manually before interaction with OL Connect Server is possible.
Note that these credentials are only needed for interacting with OL Connect Server. OL Connect Designer only needs this for printing (not for proof printing), the new “Send to Connect Server…” feature, and when data mapping PCL or AFP input. When you choose Print, you will be prompted for credentials if they have not yet been set in your preferences.
Most settings in the OL Connect Server configuration are stored in files locally on the server. The users, however, are stored in the database. This is a critical piece of information, because of its implications:
Logging on with a certain username and password means the server knows who you are, but it doesn’t yet mean that you are allowed to do anything. For that, each user needs to be configured with certain roles. You can choose between three different roles:
A user can have more than one role.
This role allows a user to work with data. This includes uploading and downloading data files, retrieving field values, and updating them. Launching operations and obtaining the results of these operations is also only allowed for users with this role.
This means that this role not only controls if the user is allowed to see or change data, but also if this user can get OL Connect to produce output.
If the production data is sensitive, then be careful which user gets this role, and who knows those credentials.
OL Connect Workflow needs this role for all its main OL Connect-related functionality (Data Mapping, Content Creation, Job Creation, Output Creation), but also for many other OL Connect tasks like Retrieve Items, etc.
Users of the OL Connect Designer need this role to be able to print (but not for proof printing), and for data mapping PCL and AFP files, which require interaction with the OL Connect Server. In most cases, however, the typical user of OL Connect Designer does not need this role.
This role is for uploading templates, data mapping configurations and print/job presets to the OL Connect Server. Working with these resources in Designer is not at all affected; this only controls whether or not they can be changed on the server side.
OL Connect Workflow needs this role for its main OL Connect-related functionality (Data Mapping, Content Creation, Job Creation, Output Creation), because OL Connect Workflow needs to be able to upload these resources to the server on demand.
Users of the OL Connect Designer only need this role if you want to allow them to use the “Send to Connect Server” option, which allows them to directly upload a resource to the OL Connect Server. This is typically not required.
This role is for viewing what’s happening on the server. It allows viewing which operations are currently running and their progress. But it’s not completely harmless as it also allows a user to cancel an operation. In addition, it grants read access to resources such as templates.
If you want to create a dashboard for viewing the activity of OL Connect Server, then logging on with this role will allow that dashboard to show what’s going on, without being able to make changes (other than cancelling an operation) or view data.
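The role guidance above can be turned into a least-privilege check over an inventory of accounts. This is an added example, not OL Connect code or output: the role labels, purpose names, account names and record format are all assumptions made here, since OL Connect keeps users in its database and the article does not describe an export format.

```python
from dataclasses import dataclass

# Descriptive labels for the article's three roles (hypothetical, not product names).
DATA, RESOURCES, MONITOR = "data", "resources", "monitor"

# Roles each kind of client needs, as the article describes them.
NEEDED = {
    "workflow": {DATA, RESOURCES},   # main Connect tasks plus on-demand uploads
    "designer-print": {DATA},        # printing, data mapping PCL or AFP input
    "designer-upload": {RESOURCES},  # "Send to Connect Server"
    "dashboard": {MONITOR},          # viewing running operations
}

@dataclass(frozen=True)
class Account:
    name: str
    purpose: str          # one of the NEEDED keys (assumed inventory field)
    roles: frozenset

def audit(accounts):
    """Return sorted (account, finding) pairs for a list of Account records."""
    findings = []
    for acct in accounts:
        if acct.name == "ol-admin":
            findings.append((acct.name, "default account name: confirm password was changed"))
        needed = NEEDED.get(acct.purpose)
        if needed is None:
            findings.append((acct.name, f"unknown purpose '{acct.purpose}'"))
            continue
        for role in sorted(acct.roles - needed):
            # The monitoring role is not read-only: it can cancel operations.
            note = " (can cancel operations, read templates)" if role == MONITOR else ""
            findings.append((acct.name, f"excess role: {role}{note}"))
        for role in sorted(needed - acct.roles):
            findings.append((acct.name, f"missing role: {role}"))
    return sorted(findings)

# Constructed sample inventory, not taken from a real server.
SAMPLE = [
    Account("ol-admin", "workflow", frozenset({DATA, RESOURCES, MONITOR})),
    Account("svc-workflow", "workflow", frozenset({DATA, RESOURCES})),
    Account("alice", "designer-print", frozenset({DATA, RESOURCES})),
    Account("ops-dash", "dashboard", frozenset({MONITOR, DATA})),
    Account("bob", "designer-upload", frozenset()),
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(f"{name}: {finding}")
```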