Configuring MATRIXX Backoffice Customer Tool Security
MATRIXX Backoffice Customer Tool leverages the Spring Security Framework.
For information about integrating with a third-party identity and access management service, see the discussion about OAuth 2.0 identity and access management.
Default Authentication
By default, MATRIXX web applications authenticate users and establish web sessions using passwords hashed with the MD5 algorithm. For information about supported encoding algorithms, see the discussion about password encoding. In addition, you can use the default security context file to authenticate against existing passwords in an LDAP implementation.
The default security configuration is defined in a security context file contained in the JAR file of each app. The MATRIXX Backoffice Customer Tool security context includes two custom filters, one to handle URL requests that contain a username, password, and domain, and one to handle form-based requests in which the user enters a username, password, and domain in a form on a login page.
The following security roles for MATRIXX Backoffice Customer Tool are defined in matrixx-security-app-context.xml:
- MTX_ROLE_CSR — Enables read-only access to the MATRIXX Backoffice Customer Tool. A user must have this role to log into MATRIXX Backoffice Customer Tool.
- MTX_ROLE_CSR_MGR — Enables write access to balances and thresholds in the MATRIXX Backoffice Customer Tool.
- MTX_ROLE_ADMIN — Enables full edit access to the MATRIXX Backoffice Customer Tool except for bulk operations.
- MTX_ROLE_SIMULATE — Enables access to the MATRIXX Backoffice Customer Tool usage simulation functionality. Note: Usage simulation requires that MATRIXX Backoffice Customer Tool has the MTX_ROLE_RSG_ADMIN RS Gateway role. For more information about assigning roles, see the discussion about MATRIXX Backoffice Customer Tool roles.
- MTX_ROLE_EVENT — Enables access to viewing subscription, group, and user event data. This role is used in combination with the MTX_ROLE_CSR role.
- MTX_ROLE_BULK_OPS — Enables access to viewing a bulk operation configuration and adding and deleting a bulk operation task.
LDAP Authentication
The Spring Security Framework can be used to enable different types of authentication, including LDAP authentication. The default LDAP authentication provides two custom filters, one for URL requests and one for form requests.
Tenant Access
MTX_TNT_TenantID
Where TenantID is the TenantID defined in the tenant profile in My MATRIXX.
- If a MATRIXX Backoffice Customer Tool user is configured with tenant access to Company1, but the matrixxbct user in rsgateway-site.yaml is not configured with a tenant specifier, the MATRIXX Backoffice Customer Tool user can only access and work on data that has a TenantId of Company1 or no TenantId set on that data in MATRIXX Engine. For example:
  - matrixxbct_users.yaml
    ajones: 3104edb9ac875507e128ce3d55e2739d, MTX_ROLE_CSR, MTX_TNT_Company1
  - rsgateway-site.yaml
    matrixxbct: '{bcrypt}xxxxxx, MTX_ROLE_RSG_CREATE, MTX_ROLE_RSG_READ, MTX_ROLE_RSG_UPDATE, MTX_ROLE_RSG_DELETE, MTX_ROLE_RSG_STD, MTX_ROLE_RSG_DEBUG'
- If a MATRIXX Backoffice Customer Tool user is configured with tenant access to Company1 and Company2, and the matrixxbct user in rsgateway-site.yaml is configured with access to Company1 and Company3, the MATRIXX Backoffice Customer Tool user can only see data that has a TenantId of Company1 or that has no TenantId set in MATRIXX Engine. For example:
  - matrixxbct_users.yaml
    ajones: 3104edb9ac875507e128ce3d55e2739d, MTX_ROLE_CSR, MTX_TNT_Company1, MTX_TNT_Company2
  - rsgateway-site.yaml
    matrixxbct: '{bcrypt}xxxxxx, MTX_ROLE_RSG_CREATE, MTX_ROLE_RSG_READ, MTX_ROLE_RSG_UPDATE, MTX_ROLE_RSG_DELETE, MTX_ROLE_RSG_STD, MTX_ROLE_RSG_DEBUG, MTX_TNT_Company1, MTX_TNT_Company3'
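The two tenant cases above can be checked mechanically when reviewing user files. The following is an added example, not MATRIXX code: it parses the sample entries from this page and reports which MTX_TNT_ grants on a Backoffice Customer Tool user take effect and which are granted but unused. The function names are hypothetical, and treating the second case as a set intersection is an inference from the page's two examples.

```python
# Added example (not MATRIXX code): audit which MTX_TNT_ grants take effect.
TENANT_PREFIX = "MTX_TNT_"

# Sample entries copied from the two cases on this page.
BCT_ONE = "ajones: 3104edb9ac875507e128ce3d55e2739d, MTX_ROLE_CSR, MTX_TNT_Company1"
GW_NONE = ("matrixxbct: '{bcrypt}xxxxxx, MTX_ROLE_RSG_CREATE, MTX_ROLE_RSG_READ, "
           "MTX_ROLE_RSG_UPDATE, MTX_ROLE_RSG_DELETE, MTX_ROLE_RSG_STD, MTX_ROLE_RSG_DEBUG'")
BCT_TWO = BCT_ONE + ", MTX_TNT_Company2"
GW_TWO = GW_NONE[:-1] + ", MTX_TNT_Company1, MTX_TNT_Company3'"


def parse_entry(line):
    """Split 'user: password, GRANT, ...' into (user, roles, tenants)."""
    user, _, value = line.partition(":")
    fields = [f.strip() for f in value.strip().strip("'\"").split(",")]
    grants = [f for f in fields[1:] if f]  # fields[0] is the password value
    tenants = {g[len(TENANT_PREFIX):] for g in grants if g.startswith(TENANT_PREFIX)}
    roles = {g for g in grants if not g.startswith(TENANT_PREFIX)}
    return user.strip(), roles, tenants


def effective_tenants(bct_line, gateway_line):
    """Return (effective, unused) tenant sets for one BCT user.

    Data with no TenantId set is visible in both documented cases and is
    not listed in either set.
    """
    _, _, user_tenants = parse_entry(bct_line)
    _, _, gw_tenants = parse_entry(gateway_line)
    if not user_tenants:
        # The page does not describe a BCT user without MTX_TNT_ entries.
        raise ValueError("undocumented case: BCT user has no tenant entries")
    if not gw_tenants:
        return user_tenants, set()  # case 1: gateway user has no tenant specifier
    effective = user_tenants & gw_tenants  # case 2: only shared tenants apply
    return effective, user_tenants - effective


if __name__ == "__main__":
    for bct, gw in ((BCT_ONE, GW_NONE), (BCT_TWO, GW_TWO)):
        effective, unused = effective_tenants(bct, gw)
        print(parse_entry(bct)[0], "effective:", sorted(effective), "unused:", sorted(unused))
```

A non-empty "unused" set, such as Company2 in the second case, marks a tenant grant that the matrixxbct gateway user's own tenant list prevents from taking effect.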