Mainspring 2017 Developer Conference Presentation by Adam Ellis

1. Bezlio Server Administration and
Security
Adam Ellis
SaberLogic

2. Bezlio Security Overview

3. • Imagine you have a door with a
keypad lock like this
• Codes
• Shared by all
• Per employee
• Shared by department
• Implications when somebody
moves on

4. • Now imagine the other side of the
door has a keypad as well
• For anybody to get in, the
employee and somebody on the
other side need to punch in the
same code
• This parallels the first layer of
security within Bezlio…letting
users in the door

5. How This Ties To Bezlio
1. Generate a code within
Bezlio on the Data tab:

6. Server Setup
• Now for setting up the server side
• BRDB is the “person on the other side of the door” permitting
access
• Only needs to be installed once, but needs to know all of the
codes
• Note that it can be installed multiple times for:
• Multiple private networks (i.e. different doors)
• Redundancy
• Requirements
• .Net 4.6.1
• Chrome Browser

8. Server Setup
• After installation, start the service called ‘Bezlio Remote Data
Broker’
• Now open up Chrome and navigate to http://localhost:3600
(unless you changed that during setup)

10. Server Setup
• Now they are in the door
• Next let’s determine what they are allowed to do
• Many factors:
• Which plugins were installed?
• How are these plugins configured?
• What plugin instances is this code authorized for?
• Have you permitted direct plugin access?
• Are any dynamic filters being added on the data?

11. Which Plugins Were Installed?
• During installation, check the boxes of plugins you want for our
distributed plugins
• Re-run installer at any time to change installed
• Non distributed plugins and source for all is available at
https://github.com/bezlio/bezlio-plugins
• A plugin is installed when it’s DLL (and possibly config) are
placed into the folder C:Program Files (x86)Bezlio Remote
Data BrokerPlugins and the service is restarted

12. How Are These Plugins Configured
• Since plugins are an open architecture, each may have unique
needs when it comes to configuration
• See https://github.com/bezlio/bezlio-plugins for documentation
per plugin on these configuration details
• We will use SQL Server as an example here

13. SQL Server Plugin
• Edit C:Program Files (x86)Bezlio Remote Data
BrokerPluginsSQLServer.dll.config in text editor of choice
• Two elements are defined in this file:
• Directory locations where you intend to store your query files that are
permitted by connection ID
• Connection details for each of the databases you wish to expose
• Note we only support SQL Server Authentication at this point (no Active Directory
accounts)
• Format of this file is XML with embedded JSON strings to define
values

14. 1. Directory Locations

15. SQL Server Plugin
What is in these folders:

16. 2. Connection Details

17. SQL Server Plugin
How this presents to the user (assuming direct plugin access described in a moment):

18. SQL Server Plugin - Takeaway
• Users can only run the queries you have predefined them being
able to run
• NO arbitrary SQL
• They can only run them against the databases you have
pointed to using the credentials you have specified
• Every SQL folder and connection is available for selection
within the wizards

19. What Plugin Instances Are Authorized?
• A plugin instance allows you to create a friendly name for a
plugin and pre-fill in all of the bits you don’t want users to have
to bother with
• Only the fields you leave blank will be prompted for
• These plugin instances can be locked down to specific
connection IDs
• Currently - do not use spaces or special characters in the
name. We suggest kabob-case:
• your-plugin-instance-name

21. What Plugin Instances Are Authorized?
• You do not need to
restart BRDB, but it
may take a minute
before it is fully
synced up

22. With Query Field Left Blank

23. With Connection And Query Left Blank

24. Wired Directly Up To A Single Query

25. Have You Configured Direct Plugin Access?
• By default direct plugin access is enabled
• This means users will see the plugins listed as resources and
need to “fill in all of the blanks”
• For example, when enabled all users on this BRDB server could
see all SQL folders and connections
• You could break up security with multiple BRDB servers serving
different user groups

27. Direct Plugin Access
Disabled
Direct Plugin Access
Enabled

28. Are Any Dynamic Data Filters In Place?
• Supported by any plugin that utilizes .SQL files
• Special “variables” can be used within .SQL to filter down data
• Act as a “find and replace” so can be used anywhere within
.SQL file
• Be mindful of quotes – if the data it replaces needs enclosed in single
quotes, variable does too
• Populated within parameters from Bezlio portal

29. Example Query
SELECT
CustID
FROM
Erp.Customer
WHERE
SalesRepCode = ‘{MySalesRepCode}’

30. Within Bezlio

31. Or Via Javascript…
bezl.dataService.add('Customers'
,'brdb'
,'adam-queries'
,'ExecuteQuery'
, { Connection: 'Production'
, QueryName: 'Customers'
, Parameters: [
{ Key: 'MySalesRepCode', Value: 'LANE' }
]
},0);

32. Special Values
• bezl.env.currentUser: The e-mail address of the logged in
Bezlio user
• bezl.env.currentUserName: The first and last name of the
logged in Bezlio user.
• bezl.env.currentLat: The current latitude (via GPS) of the logged
in user.
• bezl.env.currentLng: The current longitude (via GPS) of the
logged in user.

33. Bonus Tip: Arbitrary SQL
• The SQL Plugin does not by default allow arbitrary SQL
• This was a security design concept
• If you prefer otherwise, just make a plugin instance with
variables:

35. Thank You!
Website: https://bezl.io
Email: sales@bezl.io
Phone: +1 855 335 6442