Security Best Practices

Service Accounts

For integration with other systems, we recommend creating a separate user for each system with a User Type of Service Account.

In most cases, service accounts have no additional permissions beyond secure file transfer protocol (SFTP) access since the sole purpose of this user account is to retrieve or place files on the SFTP area for data integration.

While having one service account user for all data integrations is possible, creating separate user accounts provides more secure user management by allowing the Security Administrators to disable individual accounts (such as when ending a contract with a third party) without impacting other data integration processes.

In addition, managing separate service accounts enables an institution to limit access to specific SFTP directories and ensure that an external system has access to only the data necessary for its specific integration. Refer to the next section on Path Restriction for additional details.

Path Restriction

Enabling Path Restriction is recommended since it limits access to specific folders in the SFTP area. 

For example, the following path restrictions permit the user to access only the two specified directories, preventing the user from picking up or dropping off files in other directories (such as /incoming/commonapp). This helps ensure that only the desired information is shared with the third party.

/incoming/vendor_name/
/outgoing/vendor_name/

User Account Configurations

1. Select Database in navigation bar.

2. Select User Permissions.

3. Select New User (or select an existing user, and then select Edit User).

4. Select the Roles tab.

5. Select SFTP Access.

6. Enter the following configurations:

   • Password: If password authentication is not enabled, you can skip this field, but a SSH2 Public Key will be required.

     • Select Reset Password to generate a new password. A confirmation dialog appears.

     • Enter RESET and select OK.

     • A new password is auto-generated to replace and invalidate any previously stored password.

     • Copy and save the password before saving changes because the password will not be visible once saved.

     • If password authentication has been enabled but is no longer desired, select Clear Password.

Public Key or Private Key

Generating a Certificate Key Pair

A Public/Private key pair can be generated using PuTTYgen or an SFTP client (e.g., FileZilla, WinSCP). The key pair needs to be:

• An RSA key type

• At least 2048 bits or longer

• If using PuTTYgen, the latest version should be used.

SSH2 Public Key

For extra security, a Service Account can use an SSH2 Public Key (i.e., certificate-based authentication ), which will typically begin with the comments "---- BEGIN SSH2 PUBLIC KEY ----" and end with "---- END SSH2 PUBLIC KEY ----."

SSH Private Key 

An SSH Private Key should be used when setting up a Service Account (Remote). If using PuTTYgen, use the Conversions > Export OpenSSH Key to format the newly generated Private Key correctly. You will want to save the OpenSSH Key without a passphrase by ignoring PuTTYgen's warnings.

Path Restriction

This provides an account access to only specific folders. For example, to permit access to the incoming and outgoing folders for a given third party, enter /incoming/vendor_name/ and /outgoing/vendor_name/, with each path entered on a separate line. If a path restriction is specified, the account can only read and write files and folders within those specific folders. If a path restriction is not specified, the account can read and write files and folders from all folders.

• Path restriction is a best practice for limiting access to specific folders on the SFTP server, such as granting access to a service account used by an outside user, such as an SIS system or a vendor. 

• Access to subfolders must be given manually. For example, the path restriction /incoming/vendor_name/ does not give access to /incoming/vendor_name/subfolder/. To give this access, add /incoming/vendor_name/subfolder/ on a separate line.

• Ensure that the specified folder in the Path Restriction setting exists, or the user or service account will not be able to access the SFTP site. To create the folder, manually connect to the SFTP site externally (using a client that supports the SFTP protocol), create the subfolder under /incoming/ with the Import Path/Mask setting for a Source Format's Import Automation tab, or create the subfolder under /outgoing/ via the path setting of a Scheduled Export.

Allowed Networks (required)

Enter any IP addresses or CIDR ranges here where access should be allowed. Commas should separate multiple IP addresses or ranges. Test environments need all desired IP addresses to be allowed on a production database.

• Allowed Networks currently accepts only IPv4 addresses.

• Please allow up to 60 minutes for changes to Allowed Networks to take effect because firewall rules are refreshed once per hour.