
On Demand Group Management Current - Security Guide

Separation of customer data

A common concern related to cloud based services is the prevention of commingling of data that belongs to different customers. On Demand Group Management has architected its solution to specifically prevent such data commingling by logically separating customer data.

Customer data are differentiated using a Customer Organization Identifier. The Customer Organization Identifier is a unique identifier obtained from the Quest On Demand Core that is created when the customer signs up with the application.

This identifier is used throughout the solution to ensure strict data separation of customers' data in Azure SQL database and during processing.
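As an added illustration (not Quest's code, and not the product's real schema), the following Python models the Customer Organization Identifier as a mandatory scoping key: every query carries it, so a group identifier that also exists for another tenant is simply not found rather than returned. SQLite stands in for Azure SQL, and the table and rows are constructed for the example.

```python
import sqlite3

# Constructed stand-in for the Azure SQL tables (the page does not publish the
# real schema); org_id holds the Customer Organization Identifier.
SCHEMA = """
CREATE TABLE groups (
    org_id   TEXT NOT NULL,
    group_id TEXT NOT NULL,
    name     TEXT NOT NULL,
    PRIMARY KEY (org_id, group_id)
);
"""
# Constructed sample rows for two tenants that happen to share a group_id.
SAMPLE_ROWS = [("org-A", "g1", "A Finance"), ("org-A", "g2", "A HR"),
               ("org-B", "g1", "B Finance")]


def open_store():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO groups VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


class TenantScopedStore:
    """Data access bound to one Customer Organization Identifier at construction.

    Every query includes org_id in its predicate, so a caller cannot reach
    another tenant's rows by supplying a group_id that belongs to them."""

    def __init__(self, conn, org_id):
        if not org_id:
            raise ValueError("Customer Organization Identifier is required")
        self._conn, self._org_id = conn, org_id

    def list_groups(self):
        rows = self._conn.execute(
            "SELECT group_id, name FROM groups WHERE org_id = ? ORDER BY group_id",
            (self._org_id,)).fetchall()
        return [{"group_id": g, "name": n} for g, n in rows]

    def get_group(self, group_id):
        row = self._conn.execute(
            "SELECT group_id, name FROM groups WHERE org_id = ? AND group_id = ?",
            (self._org_id, group_id)).fetchone()
        # A group_id that exists only for another tenant is "not found", not leaked.
        return None if row is None else {"group_id": row[0], "name": row[1]}


def unscoped_lookup(conn, group_id):
    """The defect the org_id design prevents: a lookup keyed on group_id alone
    returns rows from every tenant (kept only to show the contrast)."""
    return conn.execute("SELECT org_id FROM groups WHERE group_id = ?",
                        (group_id,)).fetchall()
```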

Network communications

All external communications to the On Demand Group Management User Interface are secured with HTTPS (TLS 1.2). No internal service can be accessed without a valid JWT. See Figure 2 and Figure 3 for the communication paths that use HTTPS.

  • The external HTTPS certificate for On Demand Group Management End-user self service uses a level 2 domain certificate for * by GoDaddy.
  • There are no unsecured HTTP calls within On Demand Group Management.

For authentication, the communication between a customer’s browser and the Quest Identity Broker is secured using HTTPS. The browser securely stores the access tokens and transmits the access token to the On Demand application using HTTPS when making authenticated REST calls.

The Group Management on-premises agents communicate via the Azure WCF Relay service. This service communicates over TCP using HTTPS on ports 5671 and 9532. All communications between the on-premises management service and the agent require a valid shared access signature (SAS).

Authentication of users

An Azure Active Directory customer logs in to the End-user self-service portal by providing their own Office 365 tenant account credentials (Microsoft OAuth 2.0 authorization code flow).

The customer logs in to the On Demand Group Management Admin Portal by providing On Demand user account credentials.

Customer login is authenticated by an independent regional service.

Role based access control

On Demand Group Management provides common authentication via the Quest Identity Broker. Quest On Demand is configured with default roles that cannot be edited or deleted, and also lets you add custom roles to make permissions more granular. Each access control role has a specific set of permissions that determines which tasks a user assigned to that role can perform. For more information on role-based access control, refer to the Quest On Demand product documentation.
