We see a variety of BI security needs in the analytics field. Learn how to select the best approach for your application and how to implement a solution that meets your requirements.

1. Choosing the Best Security
Model for Your App
Steve Morecraft

2. #Logi16
Steve Morecraft
Technical Manager for Europe, Middle East and Africa
Logi Analytics
steve.morecraft@logianalytics.com
Claim to fame: Went to school with Oscar winning actor Colin Firth
ABOUT ME

3. #Logi16
1. Categorize the various security needs we experience in
the field and learn how to select the best approach for
your application
2. Learn how to implement a solution which meets
requirements
3. Hear and see detail from John Fuller of Ironclad
Technology services of two implementations to meet
specific needs
WHAT WE ARE GOING TO LEARN TODAY

4. SECURITY NEEDS
Understanding Your Requirements

5. #Logi16
Authentication – determine the user’s identity
Authorization – assign roles to the user to allow implementation of
rights in the application
Auditing or Accounting – keeping track of what happens when
an application is used
The Core Three A’s of Security

6. #Logi16
In order of simplicity of needs we experience:
• Standalone
• Integrated Authentication and Centralized SSO
• Federated Single Sign-On
• Embedded
Four Broad Authentication Requirement Categories

7. #Logi16
Standalone Authentication

8. #Logi16
• What is it?
Logi Info Server is to manage its own user credentials
• Why Would I Use It?
– When integration is not required with other systems however the Logi application
needs to include user authentication, authorization and auditing
• Considerations:
– Multiple user names and passwords for different systems
– Source of user credentials, assigned roles and rights typically stored in relational
database or directory service
– Normally prompt user for credentials
– Roles and rights to be adopted by authenticated user to be controlled in Logi Info
Standalone Authentication

9. #Logi16
Integrated Authentication & Centralized SSO

10. #Logi16
• What is it?
Logi Info Server to be integrated into an existing infrastructure so user management
and authentication can to be carried out in same way as current systems.
• Why Would I Use It?
– For an internal use case using, for example, Integrated Windows Authentication
and Active Directory group membership for roles
• Considerations:
– All user administration can be carried out using standard networking tools
– Authorization Roles can be defined in infrastructure to be used to implement
rights in Logi application
Integrated Authentication & Centralized SSO

11. #Logi16
Federated Single Sign-On

12. #Logi16
• What is it?
– Users can access multiple systems and resources following a single login to
identity provider
• Why Would I Use It?
– Scenario where Single Sign On has been deployed in an Enterprise or to support
a product
– Examples PingOne, Windows Identity Foundation
• Considerations:
– Likely need is for Logi system to be included as a target resource will require
configuration and some customization
– Roles and rights can be defined inside or outside the SSO system
Federated Single Sign-On

13. #Logi16
Embedded Authentication
Example: Embedded Security
Trusted

14. #Logi16
• What is it?
Info is contained within a web application or portal using user identity and roles
which have been assigned in the hosting application
• Why Would I Use It?
– Create embedded dashboards, reports and analytics into a commercial or
internal web application
– Allows for control over the application experience
• Considerations:
– Re-uses hosting web application’s own user and rights management system
– Requires some work upfront to set it up
– Authorization Roles and rights can be defined in the hosting web application to be
implemented in Logi
Embedded Authentication

15. #Logi16
• Audit Trail
– Mostly for security assurance
– Can provide usage confirmation
• Usage Data
– Can be used to build metrics
– Data can be used for performance tuning
Auditing

16. Our Recommendation
How Logi Tackles Each Security Model

17. #Logi16
• Logi Info Security Element allows:
– Authentication sources
– Authorization through separate User Roles and User
Rights
• Logi Info Event Logging Element allows processes to
record:
– Authenticate User, Build Report, RunSP, RunSQL
– Can also run processes to record other user activities
IMPLEMENTATION OF SECURITY

18. #Logi16
STANDALONE SECURITY
Use Logi Standard Security Mode
• Present the user with a login form based on the Logi sample
• Can use server side code behind login form or just collect
credentials
• Authenticate using a data layer such as a stored procedure, web
service, plugin etc
• Resolve roles and rights using data layer queries
• Samples on DevNet

19. #Logi16
INTEGRATED SECURITY AND CENTRALIZED SSO
Configure the web application server to authenticate using
the same settings as other web applications in the
infrastructure
• Configure web application to authenticate users
• For example - Windows Authentication
• Use AuthNT security mode for Logi Info
• Get user’s roles from directory service such as Active Directory
• Resolve user’s rights from roles

20. #Logi16
FEDERATED SINGLE SIGN-ON
Two main alternatives
• Configure the Logi Application to use the SSO system natively
- Use AuthSession Security mode
- Include SSO libraries in project, use SSO functions in custom login
page to extract user name and other important security data to set
session variables
- Or implement by Plugin
• Use embedded security SecureKey from a web application
already SSO enabled

21. #Logi16
Logi SecureKey provides the best approach in the majority
of scenarios especially if the hosting system is on a
different machine or different platform
• Pass parameters securely from hosting server as session
variables
• Can pass user name, roles, and rights directly from application
session
• Integrated fully with embedded reports API
• Fully documented with sample code on DevNet
EMBEDDED SECURITY

22. USING LOGI
John Fuller, Ironclad Technology
Services

23. #Logi16
John Fuller
Business Intelligence Developer
IRONCLAD TECHNOLOGY SERVICES
john.fuller@ironcladts.com
ABOUT ME

24. #Logi16
Quick Facts
• Founded in January 2008
• Consulting/Professional services for Government CFO’s,
CIO’s, Supply Chain Managers, and other Senior
Decision Makers
• Offices in Virginia Beach, VA (HQ), Tampa, FL, and
Arlington, VA
• 150+ employees in 17 states and overseas
• TS facility clearance, 91% cleared workforce
• Leveraging the Logi Analytics platform over the past 4
years to build applications for Government customers
CORPORATE SNAPSHOT
Core Competencies
 Big Data & Business Analytics
 Software Development
 Supply Chain/Logistics
 Information Assurance
 Enterprise Resource Planning
(ERP)
 Enterprise IT Support
 Intelligence Support

25. #Logi16
Two Examples
1. Standalone Security
2. Single Sign-On
IRONCLAD APPLICATION

26. #Logi16
• User level authentication
- Standard username and password login
• User level authorization on both a screen level and
individual element level
- Roles and rights defined for each user
• User auditability for user input screens
- Track user activity on a transaction level for reporting and
auditability
1. SECURITY REQUIREMENTS

27. #Logi16
• Utilize Logi’s Standard security option
– Use Logi supplied logon page or apply simple HTML code
modifications to customize the logon page
– Write simple database stored procedure to authenticate the user
and determine right/roles based on a user table
1. SECURITY SOLUTION AUTHENTICATION

28. #Logi16
• Use the roles and rights retrieved from the Standard security child
elements coupled with the database stored procedure to easily
control authorization throughout the application
• Use the Security Right ID attribute to control user authorization
- Applicable to entire Logi reports
- Applicable to specific elements on any given report
• Individual records in data table elements can also be restricted by
including the UserRoles~ and UserRights~ tokens within the SQL
queries feeding the reports
1. SECURITY SOLUTION AUTHORIZATION

29. #Logi16
• Use the @Function.UserName~ token coupled with Logi
Processes and database user stored procedures to track
user activity
1. SECURITY SOLUTION AUDITABILITY

30. #Logi16
• User level authentication
- DoD Common Access Card (CAC) login
• User level authorization on both a screen level and
individual element level
- Roles and rights defined for each user
• User auditability for user input screens
- Track user activity on a transaction level for reporting and
auditability
2. SECURITY REQUIREMENTS - SSO

31. #Logi16
• Export functionality and file management and security
for user generated files
– Populate and retain Adobe .pdf and MS Excel templates with
user input data
2. SECURITY REQUIREMENTS - SSO

32. #Logi16
• Authentication
– Build, configure and deploy custom CAC enabled login process
to feed into Logi’s AuthSession security option
• Authorization
– Use the roles and rights retrieved from the AuthSession security
child elements coupled with a database stored procedure to
easily control authorization throughout the application
2. SECURITY SOLUTION SSO

33. #Logi16
• Auditability
– Use the @Function.UserName~ token coupled with Logi
Processes and database user stored procedures to track user
activity
2. SECURITY SOLUTION SSO

34. #Logi16
• File management and Security
– Build file management system with built in Logi elements coupled
with database code
– The custom CAC enabled login process along with the
AuthSession Logi security option secures the entire Logi
application, including user generated files not associated with the
Logi software
2. SECURITY SOLUTION SSO

35. #Logi16
SSO EXAMPLE – HOW IT WORKS

36. #Logi16
 The built in Logi security options are easy to use and
provide a very high level of control
 The Standard security option requires very little
configuration and can be used for securing applications
that do not generate new files within the application
IRONCLAD: LESSONS LEARNED

37. #Logi16
 Custom built Single Sign On processes securing the
entire application folder can be plugged into Logi
applications using the AuthSession option.
 This approach is best used for applications that provide
the functionality for users to generate new files. The
custom security layer secures the entire application while
Logi handles the authentication through its built-in
elements.
IRONCLAD: LESSONS LEARNED

38. Extensible Solution
The Logi Info product provides a
flexible and extensible means to
solving your security needs for your
application

39. Questions?
Contact our Professional Services
team, Expert On-Demand or your
Logi Analytics Partner.

40. steve.morecraft@
logianalytics.com