Tech Resource - Best Practice - Configuring a Least-Privilege Firewall User

Problem Statement

When the NXRM Firewall connection to IQ Server is configured with an “admin” user, every application in IQ Server is displayed in the Component Information Panel (CIP). See: Viewing Component Information in NXRM 3.x


Solution

Define a dedicated user (“nxrmfirewall” in the example below) in IQ Server that has access only to a single “sandbox” or “sample” application, and configure NXRM to connect to IQ Server as that user instead of “admin”.

Background Information & Limitations

  • Today, NXRM does not pass the logged-in user's identity to IQ Server. It connects with a single pre-configured user, so every NXRM user sees the same application list from IQ Server when logged into NXRM. See: Connecting NXRM 3.x to IQ Server

  • When using this solution, only the single sandbox application will be available in the CIP. Users will therefore not be able to see the specific policies that apply to their own application for a component inside NXRM.

Sample Implementation Steps

Step 1: Create a “NXRM Firewall” User in IQ Server

Step 2: Assign “Component Evaluator” Access to Repositories

Step 3: Create or Select an Application and assign “Component Evaluator”

Step 4: Update the IQ Server configuration in NXRM to use the newly created user

Step 5: Browse the Repo to Test the Application list in the CIP
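The five steps above are done in the IQ Server and NXRM UIs. The script below is an added example (not Sonatype's own tooling) that performs steps 1 to 3 through the IQ Server REST API and then runs the check behind step 5: it lists the applications as the new user and refuses to continue unless exactly the sandbox application is visible. The endpoint paths (User, Role, Application and Role Membership APIs), the JSON field names, the host, the credentials and the application public ID “sandbox” are all assumptions taken from the public IQ Server REST API documentation and placeholders; verify them against your IQ Server version before use.

```python
import base64
import json
import urllib.request

IQ_URL = "http://localhost:8070"            # placeholder IQ Server address
BOOTSTRAP_AUTH = ("admin", "admin123")      # placeholder admin, used only to set things up
FIREWALL_USER = "nxrmfirewall"              # the least-privilege user NXRM will connect with
FIREWALL_PASSWORD = "change-me"             # placeholder; use a generated secret in practice
SANDBOX_APP = "sandbox"                     # publicId of the one application the user may see
ROLE_NAME = "Component Evaluator"


def find_role_id(roles_json, role_name=ROLE_NAME):
    """Return the id of a named role from the GET /api/v2/roles response (assumed shape)."""
    for role in roles_json.get("roles", []):
        if role.get("name") == role_name:
            return role["id"]
    raise LookupError(f"role {role_name!r} not found")


def find_application_id(apps_json, public_id=SANDBOX_APP):
    """Return the internal id of an application from GET /api/v2/applications?publicId=..."""
    for app in apps_json.get("applications", []):
        if app.get("publicId") == public_id:
            return app["id"]
    raise LookupError(f"application {public_id!r} not found")


def membership_paths(role_id, username, app_internal_id):
    """Role Membership API paths (assumed) granting the role on every proxy repository
    (the repository container) and on the single application, and nothing else."""
    return [
        f"/api/v2/roleMemberships/repository_container/role/{role_id}/user/{username}",
        f"/api/v2/roleMemberships/application/{app_internal_id}/role/{role_id}/user/{username}",
    ]


def visible_applications(apps_json):
    """publicIds listed for the caller; for the firewall user this must be [SANDBOX_APP]."""
    return sorted(app["publicId"] for app in apps_json.get("applications", []))


def call(method, path, auth, body=None):
    """Minimal JSON client with HTTP basic auth; returns the decoded body or None if empty."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(IQ_URL + path, data=data, method=method)
    token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None


def main():
    # Step 1: create the user (User REST API; field names are assumptions from the docs).
    call("POST", "/api/v2/users", BOOTSTRAP_AUTH, {
        "username": FIREWALL_USER, "password": FIREWALL_PASSWORD,
        "firstName": "NXRM", "lastName": "Firewall", "email": "nxrmfirewall@example.invalid",
    })
    # Steps 2 and 3: Component Evaluator on the repository container and on the sandbox app.
    role_id = find_role_id(call("GET", "/api/v2/roles", BOOTSTRAP_AUTH))
    app_id = find_application_id(
        call("GET", f"/api/v2/applications?publicId={SANDBOX_APP}", BOOTSTRAP_AUTH))
    for path in membership_paths(role_id, FIREWALL_USER, app_id):
        call("PUT", path, BOOTSTRAP_AUTH)
    # API-side equivalent of step 5: as the new user, only the sandbox app may be listed.
    seen = visible_applications(
        call("GET", "/api/v2/applications", (FIREWALL_USER, FIREWALL_PASSWORD)))
    if seen != [SANDBOX_APP]:
        raise SystemExit(f"least privilege not achieved, user sees: {seen}")
    print("firewall user sees only:", seen)


if __name__ == "__main__":
    main()
```

After the script succeeds, enter `nxrmfirewall` and its password in the NXRM IQ Server configuration (step 4) and browse a proxy repository to confirm the CIP now offers only the sandbox application. Keep the bootstrap admin credentials out of the NXRM configuration entirely; the whole point is that NXRM never holds a credential that can see every application.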

Assigning Firewall Report Access to a Repository User

Not as detailed as the above, but if you need to give a repository user (e.g. a developer) access to the repository Firewall report, they will need a role created and assigned to them with the following privileges.

Assign this role to the user's LDAP group.

  • nx-blobstore-read: needed to view the repository admin details.
  • nx-iq-violation-summary-read: needed to see Firewall violations.
  • nx-repository-admin-maven2-maven-central-read: needed to view maven-central violations.
  • nx-repository-admin-{format}-{repository-name}-read: needed for each additional proxy repository the user will need access to.
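The privilege list above is a pattern rather than a fixed set: the two `nx-repository-admin-…-read` entries have to be expanded once per proxy repository. The script below is an added example (not Sonatype's code) that builds the role from a list of `(format, repository-name)` pairs, refuses to emit anything that is not a `*-read` privilege, and optionally creates the role through the NXRM Roles REST API. The endpoint `POST /service/rest/v1/security/roles` and its JSON shape (`id`, `name`, `description`, `privileges`, `roles`) are taken from the NXRM 3 REST API; the host, credentials, role id `firewall-report-viewer` and the sample repository list are placeholders. Mapping the role to the LDAP group is still done in the NXRM UI.

```python
import base64
import json
import urllib.request

NXRM_URL = "http://localhost:8081"       # placeholder NXRM address
ADMIN_AUTH = ("admin", "admin123")       # placeholder admin credentials
ROLE_ID = "firewall-report-viewer"       # hypothetical role id / name

# Constructed sample: the proxy repositories a developer needs the report for, as (format, name).
PROXY_REPOS = [("maven2", "maven-central"), ("npm", "npmjs-proxy")]


def repo_admin_read_privilege(fmt, repo_name):
    """nx-repository-admin-{format}-{repository-name}-read for one proxy repository."""
    return f"nx-repository-admin-{fmt}-{repo_name}-read"


def firewall_report_privileges(proxy_repos):
    """The article's privilege list, with the per-repository entry expanded for every proxy."""
    privileges = ["nx-blobstore-read", "nx-iq-violation-summary-read"]
    privileges += [repo_admin_read_privilege(fmt, name) for fmt, name in proxy_repos]
    return privileges


def is_read_only(privileges):
    """Least-privilege guard: every granted privilege must be a *-read privilege."""
    return all(p.endswith("-read") for p in privileges)


def firewall_report_role(proxy_repos, role_id=ROLE_ID):
    """JSON body for POST /service/rest/v1/security/roles (NXRM Roles REST API)."""
    privileges = firewall_report_privileges(proxy_repos)
    if not is_read_only(privileges):
        raise ValueError("refusing to build a role with non-read privileges")
    return {
        "id": role_id,
        "name": role_id,
        "description": "Read-only access to the repository Firewall report",
        "privileges": privileges,
        "roles": [],           # no nested roles; keep the grant flat and auditable
    }


def create_role(role, base_url=NXRM_URL, auth=ADMIN_AUTH):
    """POST the role to NXRM and return the HTTP status (200 on success)."""
    req = urllib.request.Request(base_url + "/service/rest/v1/security/roles",
                                 data=json.dumps(role).encode(), method="POST")
    token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    role = firewall_report_role(PROXY_REPOS)
    print(json.dumps(role, indent=2))   # review the expanded privilege list first
    # create_role(role)                 # then push it to a real NXRM instance
```

Once the role exists, map it to the developers' LDAP group under Security > Roles (or the LDAP group's role mapping) in NXRM; the developer then sees the Firewall report only for the proxy repositories that were listed, and nothing in the role lets them change repository configuration.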
