Protection and Application of User Login Data


User rights regulate access to cell data as well as to selected system operations. Jedox stores level 1 and level 2 rights objects, as well as users and their passwords, in the Jedox In-Memory Database system. For information on regulating user access to Jedox data, see Administration of User Rights. To create a special Jedox administrator account with limited access rights, see Admin User Accounts.

Requests for a Jedox database can only be made with a valid login. These logins must be adequately protected with passwords. The Jedox databases are special CSV files in the directory …\olap\data. To avoid unwanted access to these files, this directory should be protected using the existing security options of the operating system and additional encryption algorithms.

By default, the password for the admin user, as well as for other users, is stored within the System database in system cube #_USER_USER_PROPERTIES. The password is stored in clear text as a normal string value. Cube #_USER_USER_PROPERTIES corresponds to file database_CUBE_0.csv. Anyone who has read/write access to these files can see or change the content. Therefore, it is necessary to protect this system database accordingly.

You can no longer retrieve user passwords from the System database via the In-Memory Database API. The API calls that retrieve the cell value of the “password” element return an access right error for anyone making the call, regardless of the user rights.

If you need password retrieval for debugging purposes, you can enable it in the palo.ini configuration file by setting the following entry: enable-password-retrieval.
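The following audit sketch is an added example, not part of the Jedox documentation or product. It covers two points from the text above: the file protection of the data directory and the enable-password-retrieval entry in palo.ini. It assumes a Linux installation with POSIX file modes, a palo.ini with one entry per line where "#" starts a comment, and uses a constructed directory layout (the "System" folder name and file contents are made up for the demo).

```python
import os
import stat
import tempfile

RETRIEVAL_KEY = "enable-password-retrieval"  # entry name taken from the page


def loose_files(data_dir):
    """Map each file under data_dir to the ways non-owner accounts can reach it."""
    findings = {}
    for root, _dirs, files in os.walk(data_dir):
        for name in files:
            path = os.path.join(root, name)
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            problems = []
            if mode & (stat.S_IRGRP | stat.S_IROTH):
                problems.append("readable beyond owner")  # clear-text passwords exposed
            if mode & (stat.S_IWGRP | stat.S_IWOTH):
                problems.append("writable beyond owner")  # passwords can be altered
            if problems:
                findings[os.path.relpath(path, data_dir)] = problems
    return findings


def retrieval_enabled(ini_text):
    """True if an uncommented line starts with the retrieval entry.
    Assumption: one entry per line, '#' begins a comment."""
    for line in ini_text.splitlines():
        tokens = line.split("#", 1)[0].split()
        if tokens and tokens[0] == RETRIEVAL_KEY:
            return True
    return False


def demo():
    """Audit a constructed data directory (folder name 'System' is an assumption)."""
    with tempfile.TemporaryDirectory() as tmp:
        system = os.path.join(tmp, "System")
        os.mkdir(system)
        for name, mode in (("database_CUBE_0.csv", 0o644), ("database.csv", 0o600)):
            path = os.path.join(system, name)
            with open(path, "w") as fh:
                fh.write("constructed sample content\n")
            os.chmod(path, mode)
        return loose_files(tmp)


if __name__ == "__main__":
    print(demo())
    print(retrieval_enabled("# constructed palo.ini\nenable-password-retrieval\n"))
```

To audit a real installation, call loose_files() with the actual data directory and pass the contents of palo.ini to retrieval_enabled(); an empty result and False are the desired outcome outside of debugging.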

Currently, Jedox users are not automatically prompted to change their password.  

Note for Jedox Web users: in the Jedox Web connection dialog, the Use login credentials checkbox must be selected for the assigned rights to be taken into account. Otherwise, the rights of the user name entered for the connection are used. Access rights can be defined for connections in a similar way to other objects, via the “Security” dialog of a connection. For example, a connection that statically uses a user with high-level access (e.g. for usage in Jedox Integrator) can be set to be inaccessible to lower-level user groups.

Unprotected connections can be used by any Jedox user, for example in the In-Memory Database-related dialogs (e.g. Paste View).
