Introduction
This article is designed to answer some questions regarding setting up security parameters for Lasernet 10, its servers and the apps to which it can connect.
User Password
How can we define security rules on passwords such as expiration date, types of characters, and minimum/maximum sizes?
You can set up local users, On-Prem AD (Active Directory) users and Microsoft Entra ID users in the Configuration Server:
For local users, you cannot define any of the listed properties, because it is our goal to provide a simple user and configuration environment.
For Enterprise users, it is preferable for the IT administrator to have full control of rules and policies in their On-Prem AD. If your Security Roles contain AD groups, then they can have full control to maintain the listed policies. It is recommended to log in with an AD user in Lasernet to ensure that the IT administrator is responsible for the access and security policies.
Lasernet also provides support for authenticating users against external authentication providers such as Microsoft Entra ID. In order to manage user permissions in Lasernet, specific ‘roles’ claims must be assigned to users.
Link with AD
AD groups can be retrieved and associated with Lasernet Roles, but not AD users. If we cannot use AD users, what is the aim of using AD groups?
AD users, their rights and which groups they are members of should be maintained by IT in the Active Directory and not in the software running on different servers. If they exclude a member of a group for any reason, it should be guaranteed that the user is excluded from Lasernet as well.
If there are several AD servers, is it possible to choose the AD server to which Lasernet is connected?
Lasernet Configuration Server has access to the same AD servers as the Windows Server. The list of accessible servers is given to Lasernet by Windows and cannot be filtered.
How can you export Security parameters from one Lasernet server to another?
The Access Control settings (Security parameters) cannot be exported to another server. It is recommended to have only a single Lasernet Configuration Server for all of your development, pre-production and production servers. Otherwise, the version control and deployment system, which lets you deploy between the various environments and share revisions and history, will not work as intended.
Is there a way to perform such an export?
Not for local users. This is an AD feature, and the IT administrator will most likely already be aware of it if you log in with an AD user.
Is it possible to use other authentication providers than Microsoft Entra ID?
Lasernet relies on OpenID Connect as an authentication protocol. This type of authentication has only been validated against Microsoft Entra ID, but it should be possible to use other authentication providers, instead. In order for Lasernet to work with an external authentication provider, the provider must support the OpenID Connect Implicit Flow and be able to issue ID Tokens with a customizable ‘roles’ claim.
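As an added illustration of what a relying party has to check on an OpenID Connect ID Token before trusting its ‘roles’ claim (this is example code, not Formpipe's and not how Lasernet implements it): the issuer URL, client ID and signing key below are constructed stand-ins, and HS256 replaces the RS256 signatures a real provider issues so that the example runs with the Python standard library.

```python
import base64, hashlib, hmac, json, time
# Constructed stand-ins: a real Entra ID tenant issues RS256-signed tokens with
# its own issuer URL; HS256 is used here only so the example runs offline.
ISSUER = "https://login.example.test/tenant-id/v2.0"   # hypothetical issuer
CLIENT_ID = "lasernet-config-server"                     # hypothetical client id
SIGNING_KEY = b"constructed-demo-key"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_id_token(claims: dict) -> str:
    """Build a compact JWS carrying the given ID Token claims (provider side)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def validate_id_token(token: str, expected_nonce: str, now=None) -> list:
    """Relying-party checks before the 'roles' claim may be trusted.
    Raises ValueError on any failure; the signature is checked before any claim."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")        # rejects 'none' and alg confusion
    expected = hmac.new(SIGNING_KEY, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")        # replay protection in the implicit flow
    roles = claims.get("roles", [])
    if not isinstance(roles, list) or not all(isinstance(r, str) for r in roles):
        raise ValueError("roles claim must be a list of strings")
    return roles

def lasernet_roles_for(token: str, nonce: str, role_map: dict, now=None) -> set:
    """Map validated 'roles' values to Security Role names; unknown values are ignored."""
    return {role_map[r] for r in validate_id_token(token, nonce, now) if r in role_map}
```

The role names and the mapping dictionary are placeholders; the point is that no ‘roles’ value is mapped until signature, issuer, audience, expiry and nonce have all passed.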
Configuration database
Can it be moved anywhere else other than on the Lasernet server?
In Lasernet License Manager, you can set up the connection for the Lasernet Configuration Database to a SQL Server running on an external computer. It will automatically migrate the configuration, revisions, history, local users and security roles from the default embedded database to the selected SQL Server. You cannot copy a database between two SQL Servers from within Lasernet, but the SQL Server Configuration Server Management application has tools to do that.
In the case of Primary/backup servers, is it possible to share this database between the two servers?
We do not see the Lasernet Configuration Server as a production server, which must be guaranteed to run 365/24/7. We highly recommend that the system has a backup so that you can roll back if any problems occur.
Conclusion
We have already been in contact with other partners about how to maintain configurations, users and installations in an enterprise environment running Lasernet 10. Because security requirements are bespoke to each environment, we cannot always offer a single ideal conclusion for what is best for the customer.
Please contact Formpipe Support for technical advice.