Provisioning SFTP User Access

Security Best Practices

Service Accounts

For integration with other systems, we recommend creating a separate user for each system with a User Type of Service Account.

In most cases, service accounts have no additional permissions beyond secure file transfer protocol (SFTP) access, since the sole purpose of this user account is to retrieve or place files on the SFTP area for data integration.

While it is possible to have one service account user for all data integrations, creating separate user accounts provides more secure user management by allowing the Security Administrators to disable individual accounts (such as when ending a contract with a third party) without impacting other data integration processes.

In addition, managing separate service accounts enables an institution to limit access to specific SFTP directories and ensure that an external system has access to only the data necessary for its specific integration. Refer to the next section on Path Restriction for additional details.

Path Restriction

Enabling Path Restriction is recommended because it limits access to specific folders within the SFTP area.

For example, the following path restrictions permit the user to access only the two specified directories, preventing the user from picking up or dropping off files in other directories (such as /incoming/commonapp). This helps ensure that only the desired information is shared with the third party.

/incoming/vendor_name/
/outgoing/vendor_name/

Important

Make sure that the specified folder in the Path Restriction setting exists, or the user or service account will not be able to access the SFTP site. To create the folder, manually connect to the SFTP site externally (using a client that supports the SFTP protocol) or create it with the Import Path/Mask setting for a Source Format's Import Automation tab.

User Account Configurations

  1. Select Database on the top navigation bar and select User Permissions.
  2. Select New User (or select an existing user, and then select Edit User).
  3. Select the Roles tab. Select SFTP Access under Permissions (Exclusive). The SFTP Access dialog opens. 
  4. Enter the following configurations:
    • Password: If password authentication is not enabled, this field can be skipped, but an SSH2 Public Key will be required.
      • Select Reset Password to generate a new password. A confirmation dialog appears.
      • Enter RESET and select OK.
      • A new password is auto-generated to replace and invalidate any previously stored password.
      • Copy and save the password prior to saving changes, because once saved, the password will not be visible.
      • If password authentication has been enabled but is no longer desired, select Clear Password.

    Important

    Authentication is required through either a username/password pair or a username/certificate pair. With certificate-based authentication, which is considerably more secure than password-based authentication, the institution must generate an SSH2 certificate pair that will be used when authenticating. Both may be used simultaneously. 
    • SSH2 Public Key: This should be an SSH2 public key, which will typically begin with "---- BEGIN SSH2 PUBLIC KEY ----" and end with "---- END SSH2 PUBLIC KEY ----." A certificate key pair can be generated using PuTTY as well as through many SFTP clients. 

    • Path Restriction: This restricts an account to only specific folders. For example, to permit access to the incoming and outgoing folders for a given third party, enter /incoming/vendor_name/ and /outgoing/third_party/, with each path entered on a separate line. If a path restriction is specified, the account can read and write files and folders only within those allowed folders and corresponding subfolders. If a path restriction is not specified, the account can read and write files and folders from all folders.

      Path restriction is a best practice for limiting access to specific folders on the SFTP server, such as when granting access to a service account used by an outside user such as an SIS system or a vendor.

      Important

      Make sure that the specified folder in the Path Restriction setting exists, or the user or service account will not be able to access the SFTP site. To create the folder, manually connect to the SFTP site externally (using a client that supports the SFTP protocol) or create it with the Import Path/Mask setting for a Source Format's Import Automation tab.

    • Allowed Networks (required): Enter the IP addresses or CIDR ranges from which access should be allowed. Multiple IP addresses or ranges should be separated by commas. Test environments need all desired IP addresses to be allowed on a production database as well.

      Note: Allowed Networks currently accepts only IPv4 addresses.

      Please allow up to 60 minutes for changes to Allowed Networks to take effect, because firewall rules are refreshed once per hour.
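
A pre-deployment check for the Path Restriction and Allowed Networks settings described above, as an added example that is not part of the original article and not the product's own enforcement logic. It validates an Allowed Networks value against the documented format and models the documented folder rule; the function names, the /24 breadth threshold and the sample values are assumptions.

```python
import ipaddress
import posixpath

def parse_allowed_networks(value):
    """Parse a comma-separated Allowed Networks value (IPv4 address or CIDR)."""
    networks = []
    for entry in (e.strip() for e in value.split(",")):
        if not entry:
            continue
        try:
            # IPv4Network rejects IPv6 and CIDRs with host bits set (likely typos).
            networks.append(ipaddress.IPv4Network(entry, strict=True))
        except ValueError as exc:
            raise ValueError(f"bad Allowed Networks entry {entry!r}: {exc}") from exc
    if not networks:
        raise ValueError("Allowed Networks is required")
    return networks

def broad_networks(networks, min_prefix=24):
    """Ranges wider than /min_prefix; the threshold is this example's assumption."""
    return [n for n in networks if n.prefixlen < min_prefix]

def source_allowed(ip, networks):
    """True if the connecting IPv4 address falls inside any allowed network."""
    addr = ipaddress.IPv4Address(ip)
    return any(addr in n for n in networks)

def parse_path_restrictions(text):
    """One folder per line, as entered in the Path Restriction field."""
    return [line.strip() for line in text.splitlines() if line.strip()]

def path_allowed(requested, restrictions):
    """Model of the documented rule: listed folders and their subfolders only."""
    if not restrictions:
        return True  # documented behaviour: no restriction means all folders
    target = posixpath.normpath("/" + requested.lstrip("/"))
    for folder in restrictions:
        base = posixpath.normpath("/" + folder.lstrip("/"))
        # Compare on a path-component boundary so /x/vendor does not match /x/vendor2.
        if target == base or target.startswith(base.rstrip("/") + "/"):
            return True
    return False

if __name__ == "__main__":
    # Constructed sample values (documentation IP ranges, the page's example folders).
    nets = parse_allowed_networks("203.0.113.10, 198.51.100.0/24")
    paths = parse_path_restrictions("/incoming/vendor_name/\n/outgoing/vendor_name/")
    print(source_allowed("198.51.100.77", nets), broad_networks(nets))
    for p in ("/incoming/vendor_name/a.csv", "/incoming/commonapp/a.csv",
              "/incoming/vendor_name/../commonapp/a.csv"):
        print(p, path_allowed(p, paths))
```

Running the same checks against a planned configuration before saving it catches malformed or IPv6 entries up front, which matters because a mistake in Allowed Networks can take up to an hour to correct.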