立即与支持人员聊天
与支持团队交流

Nova Current - Delegation and Policy Control Security Guide

Separation of customer data

Nova Delegation & Policy control is architected to prevent data commingling by separating customer data to customer exclusive resources. Customer data are differentiated by using unique customer alias, which is assigned during provisioning process. This alias is used to tie together customer specific service URLs, Azure Key Vault and Azure SQL Database resources.

 

Customer data is further separated as customer related services are isolated from any other OS process by the

Microsoft Service Fabric exclusive process model. See https://docs.microsoft.com/en-us/azure/service-fabric/service-fabric-hosting-model#exclusive-process-model for more information.

 

 

Network communications

The following scheme shows the communication configuration between key components of Nova Delegation and Policy Control.

 

Internal

NetworkCommsInternal

 

External

NetworkCommsExternal

 

 

The network communication is secured with HTTPS and is not visible to the external public internet.
 

Inter-service communication uses OAuth authentication using a Microsoft Entra service account with the rights to access the services. No backend services of Nova Delegation and Policy Control can be used by end-users.
 

Nova Delegation and Policy Control Services accepts the following network communication from outside Azure:

·Access to Nova Delegation and Policy Control web UI.

·Connection from On-Premise Agent

All external communication is secured with HTTPS TLS 1.2.
 

The Nova Delegation and Policy Control user interface uses OAuth authentication with JWT token issued to a logged in user.

Authentication of users

The customer logs in to the application either via Microsoft Entra Single Sign On, or by providing Nova user account credentials.

 

Role based access control

Nova Delegation & Policy Control does provide the common authentication via Quadrotech Id. Nova is configured with default roles that can be edited or deleted, and also allows you to add custom roles to make permissions more granular. Each access role has a specific set of permissions that determines what tasks a user assigned to the role can perform.

 

-Account Administrator - This gives access to be able to create and manage policies in Delegation and Policy Control.

-Auth Policy Admin - This gives users the ability just to manage policies within Nova.

-Autopilot Classic - This gives access to be able to perform allowed actions against users, mailboxes, groups, contacts and Microsoft Teams. It is the role most appropriate to a delegated administrator.

-Config Policy Admin

-IT Administrator - This gives a user the ability to use Nova, but restricts them from changing the configuration or security of Nova itself.

-License Admin - This gives people the ability to create and maintain License Policies.

-Organization Unit Admin - This gives users the ability to maintain virtual organizational units.

-TMS admin

-Radar Classic - This gives access to reporting data, and the Report Center.

-Report Reader - Report Readers are assigned a view-only status for reports. They can read, print and download (.CSV or .PDF) reports, but unable to create, import, clone or edit reports.

-System Administrator - This roles gives access to the Tenant Management System, and does not give any direct access to the Nova application (unless it is combined with other roles).

-TMS License Admin

相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级