Starting with OL Connect 2020.2, OL Connect Server supports multiple users and role-based authorization. In this article, we explore what this looks like in this first cut at improving security for the OL Connect Server.
Users in OL Connect
When working with OL Connect, many are unaware that a username and a password are required to be able to print or to automate OL Connect tasks from OL Connect Workflow. That’s because an “ol-admin” user with a preconfigured password is set up by default, and both are also preconfigured in every OL Connect Workflow configuration and in OL Connect Designer.
It’s only when you try to use the OL Connect Server from a client other than OL Connect Workflow or Designer, or when trying to use some of OL Connect’s functionality through scripting, that it becomes apparent you need to specify that username and password in order to use the OL Connect REST API.
With only one user name and password, whose default values often remain unchanged even though we all know we should really change them, there is little protecting the OL Connect Server and the data it processes…
In a security conscious environment, these things need to be handled differently.
Starting with version 2020.2, you can now configure multiple users, allowing you to better control access to the OL Connect Server. For instance, OL Connect Workflow can have its own specific credentials, while users of OL Connect Designer can each have individual credentials to allow them to print jobs.
At installation time, you are asked to set a username and password for the first user. The suggested name is “olc-user”, but you are free to choose a different name (and yes, you can still use ol-admin if you’re feeling nostalgic!). A password is required.
If you are updating an existing system from a version older than 2020.2, then the existing ol-admin user and its password are retained by default. But you should still change them!
Once installation is complete, you can go into the OL Connect Server Configuration tool and add more users.
For instance, you may want to create a user account for OL Connect Workflow, and a different one for people printing from the OL Connect Designer. And if, for example, there are 3 persons expected to be printing from Designer, then it can make sense to give each of them their own credentials.
Users in OL Connect Designer and Workflow
New installations of OL Connect Designer and OL Connect Workflow no longer get a default user for connecting to the OL Connect Server. So these will need to be set manually before interaction with OL Connect Server is possible.
Note that these credentials are only needed for interacting with OL Connect Server. OL Connect Designer only needs this for printing (not for proof printing), the new “Send to Connect Server…” feature, and when data mapping PCL or AFP input. When you choose Print, you will be prompted for credentials if they have not yet been set in your preferences.
Users in the database
Most settings in the OL Connect Server configuration are stored in files locally on the server. The users however, are stored in the database. This is a critical piece of information, because of its implications:
- If the database is dropped, you lose all user accounts as well. So it is no longer advisable to drop the database as a quick way of “cleaning up” OL Connect.
- If the database is not available, it is not possible to edit the user list.
Logging on with a certain username and password means the server knows who you are, but it doesn’t yet mean that you are allowed to do anything. For that, each user needs to be configured with certain roles. You can choose between three different roles:
- Data Handler
- Resource Handler
- Monitor
A user can have more than one role.
Data Handler
This role allows a user to work with data. This includes uploading and downloading data files, retrieving field values, and updating them. Launching operations and obtaining the results of these operations is also only allowed for users with this role.
This means that this role not only controls if the user is allowed to see or change data, but also if this user can get OL Connect to produce output.
If the production data is sensitive, then be careful which user gets this role, and who knows those credentials.
OL Connect Workflow needs this role for all its main OL Connect-related functionality (Data Mapping, Content Creation, Job Creation, Output Creation), but also for many other OL Connect tasks like Retrieve Items, etc.
Users of the OL Connect Designer need this role to be able to print (but not for proof printing), and for data mapping PCL and AFP files, which require interaction with the OL Connect Server. In most cases, however, the typical user of OL Connect Designer does not need this role.
Resource Handler
This role is for uploading templates, data mapping configurations and print/job presets to the OL Connect Server. Working with these resources in Designer is not at all affected; this only controls whether or not they can be changed on the server side.
OL Connect Workflow needs this role for its main OL Connect-related functionality (Data Mapping, Content Creation, Job Creation, Output Creation), because OL Connect Workflow needs to be able to upload these resources to the server on demand.
Users of the OL Connect Designer only need this role if you want to allow them to use the “Send to Connect Server” option, which allows them to directly upload a resource to the OL Connect Server. This is typically not required.
Monitor
This role is for viewing what’s happening on the server. It allows viewing which operations are currently running and their progress. But it’s not completely harmless as it also allows a user to cancel an operation. In addition, it grants read access to resources such as templates.
If you want to create a dashboard for viewing the activity of OL Connect Server, then logging on with this role will allow that dashboard to show what’s going on, without being able to make changes (other than cancelling an operation) or view data.
Roles at a glance
| Role | Permissions |
|---|---|
| Data Handler | Work with data, start operations, get results, see resources. |
| Resource Handler | Upload templates, data mapping configurations and print/job presets. |
| Monitor | See progress of operations, cancel operations, see resources. |
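To make the authentication-versus-authorization distinction and the role table concrete, here is an added Python model of the 2020.2 role matrix. It is example code written for this article, not OL Connect’s own code: the user store, the password hashing, the action labels (such as `operation:cancel`) and the client profiles are all constructed here to stand for the table entries and the article’s guidance, and the real REST API is not called. It shows that a user with several roles gets the union of their permissions, that a valid login can still be refused an action, and how to audit a service account for roles beyond what its client needs.

```python
"""Model of the OL Connect 2020.2 roles from the 'Roles at a glance' table.

Added example, not OL Connect code. Action names are labels invented here;
the server's real endpoints and database are not modelled.
"""
import hashlib
import hmac
import os

# Permissions per role, transcribed from the table (labels are this example's own).
ROLE_PERMISSIONS = {
    "Data Handler": frozenset({
        "data:upload", "data:download", "data:read_fields", "data:update_fields",
        "operation:start", "operation:get_result", "resource:read",
    }),
    "Resource Handler": frozenset({"resource:upload"}),
    "Monitor": frozenset({"operation:view_progress", "operation:cancel", "resource:read"}),
}

# Roles each kind of client needs, per the article (constructed mapping).
CLIENT_NEEDS = {
    "workflow": {"Data Handler", "Resource Handler"},
    "designer-print": {"Data Handler"},
    "designer-send-to-server": {"Resource Handler"},
    "dashboard": {"Monitor"},
}


def effective_permissions(roles):
    """A user with several roles gets the union of their permissions."""
    unknown = set(roles) - ROLE_PERMISSIONS.keys()
    if unknown:
        raise ValueError(f"unknown role(s): {sorted(unknown)}")
    perms = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS[role]
    return frozenset(perms)


def _hash_password(password, salt):
    # PBKDF2 stand-in for whatever the real server stores; constructed for this example.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class UserStore:
    """Minimal in-memory stand-in for the server-side user list (not the real DB)."""

    def __init__(self):
        self._users = {}

    def add_user(self, name, password, roles):
        effective_permissions(roles)  # reject unknown roles up front
        salt = os.urandom(16)
        self._users[name] = (salt, _hash_password(password, salt), frozenset(roles))

    def authenticate(self, name, password):
        """Return the user's roles on success, None on a bad name or password."""
        record = self._users.get(name)
        if record is None:
            _hash_password(password, b"\x00" * 16)  # same cost whether or not the name exists
            return None
        salt, digest, roles = record
        if hmac.compare_digest(_hash_password(password, salt), digest):
            return roles
        return None


def check_request(store, name, password, action):
    """Authenticate first, then authorize: three distinct outcomes."""
    roles = store.authenticate(name, password)
    if roles is None:
        return "unauthenticated"   # server does not know who you are
    if action not in effective_permissions(roles):
        return "forbidden"         # known user, but no role grants this action
    return "ok"


def excess_roles(client, roles):
    """Roles granted beyond what the named client needs (least-privilege audit)."""
    return set(roles) - CLIENT_NEEDS[client]


def missing_roles(client, roles):
    """Roles the named client needs but was not given."""
    return CLIENT_NEEDS[client] - set(roles)


if __name__ == "__main__":
    store = UserStore()
    store.add_user("workflow-svc", "example-pw-1", ["Data Handler", "Resource Handler"])
    store.add_user("dashboard", "example-pw-2", ["Monitor"])
    print(check_request(store, "dashboard", "example-pw-2", "operation:cancel"))   # ok
    print(check_request(store, "dashboard", "example-pw-2", "data:download"))      # forbidden
    print(check_request(store, "dashboard", "wrong", "operation:cancel"))          # unauthenticated
    print(excess_roles("dashboard", ["Monitor", "Data Handler"]))                  # {'Data Handler'}
```

The `excess_roles` check is the one worth running against a real user list: a dashboard account that also carries Data Handler can download production data, which is exactly the case the article warns about.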
- What if a password is forgotten?
- There is no way to retrieve a forgotten password. But it’s easy to set a new password from the OL Connect Server Configuration tool.
- Why do I not have to enter the old password, when entering a new password in the OL Connect Server Configuration tool?
- Because the OL Connect Server Configuration is a tool used by administrators to create and maintain all users that get access to OL Connect Server. “Enter your old password” functionality is typically found in environments where each user changes their own password.
- What if I want a super user that can do everything?
- A user can have multiple roles; just assign all roles.
- What’s the point of having two separate roles for handling data and resources, if both OL Connect Workflow and OL Connect Designer require both to be able to do everything?
- The REST API can also be used from other clients. Some of our customers and resellers have their own automation tools that may work well with only the Data Handler role.
- The OL Connect Designer can be used without the Data Handler role, and could then still allow the user to send resources to OL Connect Server.
- Now that we have authentication, why is there not a login prompt when I start OL Connect Designer?
- Because the authentication is only for OL Connect Server. If you have OL Connect Designer on your desktop, you are welcome to work with it; this will not affect production.
- Does this improvement make OL Connect Server a secure product?
- It helps, and we keep working on improving security. In time, other changes will be implemented as well to make the system even more secure.
- Does it integrate with Active Directory? Does it integrate with Azure AD? Does it integrate with LDAP?
- Not in the 2020.2 release of OL Connect. One of our next goals is to integrate with Azure Active Directory. Integration with the classic on-premises Active Directory, or generic LDAP, could be a next step after that.