Separation of customer data
A common concern related to cloud-based services is the prevention of commingling of data that belongs to different customers. Nova Reporting has architected its solution to specifically prevent such data commingling by logically separating customer data stores.
Customer data are differentiated using a Customer Organization Identifier. The Customer Organization Identifier is a unique identifier that is created when the customer signs up with the application.
This identifier is used throughout the solution to ensure strict data separation of customers' data in both the MySQL and ADX storage solutions and during processing.
Network communications
The following scheme shows the communication configuration between key components of Nova Reporting.
Internal network communication for Nova reporting includes:
·Inter-service communication between Nova Reporting components
·Communication to customer Microsoft Entra/Office 365 tenants
·Communication between backend and frontend
All network communication is secured with HTTPS TLS1.2.
Inter-service communication uses OAuth authentication using a Microsoft Entra service account with the rights to access the services. Backend services of Nova Reporting can be accessed by UI with the signed-in user.
The Nova user interface uses OAuth authentication with JWT token issued to a logged in user.
There are no unsecured HTTP calls within Nova Reporting.
Authentication of users
The customer logs in to the application either via Microsoft Entra Single Sign On, or by providing Nova user account credentials.
Role based access control
Nova Reporting does provide the common authentication via Quadrotech Id. Nova is configured with default roles that can be edited or deleted, and also allows you to add custom roles to make permissions more granular. Each access role has a specific set of permissions that determines what tasks a user assigned to the role can perform.
-Account Administrator - This gives access to be able to create and manage policies in Delegation and Policy Control.
-Auth Policy Admin - This gives users the ability just to manage policies within Nova.
-Autopilot Classic - This gives access to be able to perform allowed actions against users, mailboxes, groups, contacts and Microsoft Teams. It is the role most appropriate to a delegated administrator.
-Config Policy Admin
-IT Administrator - This gives a user the ability to use Nova, but restricts them from changing the configuration or security of Nova itself.
-License Admin - This gives people the ability to create and maintain License Policies.
-Organization Unit Admin - This gives users the ability to maintain virtual organizational units.
-TMS admin
-Radar Classic - This gives access to reporting data, and the Report Center.
-Report Reader - Report Readers are assigned a view-only status for reports. They can read, print and download (.CSV or .PDF) reports, but unable to create, import, clone or edit reports.
-System Administrator - This roles gives access to the Tenant Management System, and does not give any direct access to the Nova application (unless it is combined with other roles).
-TMS License Admin