Encryption for UF
Not planned
I hope Boyum can think of a way to encrypt the UF so that only authorized users are able to view and make modifications. We hope to stop end users/customers from changing it.
-
Official comment
This topic has come up many times over the years.
It is our belief, however, that it is not possible to make a 100% secure system as long as someone has full access to the underlying database (similar to how it is technically possible to change the manager password in test databases to anything you like by manipulating SQL directly).
So in our opinion, this is false security (granted, many would not know how to do it in SQL, but still).
So in your case, why not instead just set it up so that only permitted users have access to the UF Config screen via normal Authorizations?
-
Thank you for your request.
The development team have now added it to our internal planning-system for evaluation.
[Internal Id: 10899]
-
Excellent and thank you.
-
Hi Rasmus,
I believe that this challenge is going to come up again and again in the near future, and this part is getting critical while more and more consultants/customers are using B1UP. In fact, I faced this challenge a while back but hesitated to put this request forward, as I have the same thought as you that it is difficult to make it 100% secure if you are familiar with SQL. We have been using B1UP for many of our customers more than before, and it is getting critical for us to think seriously about this issue. Using the system's normal authorization is not the solution, as the customer will have full access as well. We would like to completely stop the customer from editing the UF or viewing it.
We would like to protect the setup that was done by the partner so that no one can change or copy it when we have a large scale of setup.
We can break the manager password easily, but with the release of version 9.xx it is very difficult.
I am sure with your expertise you are able to find a way to deal with it.
Thank you.
-
@Timothy, This suggestion raises many questions. If such encryption were deployed:
- What happens if the partner does not give the password to the customer, and later the partner and customer stop working together?
- What if a developer employed / contracted by the customer encrypts B1UP definitions and never gives the password to the customer?
- Will Boyum have a way to unencrypt the definition? If so how will it determine who 'owns' the encrypted definitions?
I use the current B1UP security controls along with B1 Authorizations to control user access to the B1UP definitions. If encryption was a concern then I'd look at using UFs that run compiled code (.DLL, .EXE, etc.) instead of direct coding in a UF.
These comments are my unsolicited opinion as a B1UP user.
-
Dave brings up some good points. It is my belief that if we somehow find a way to do this, it should be to the level of not even Boyum being able to get the information, and if the password is lost, the data is lost (anything below that really is only false security, like the manager password in scenarios with full access to the database).
So in earlier brainstorms on this, the only real solution is to offer some sort of Boyum (or to be 100% secure) or self-hosted web-storage where the data is stored (it cannot be in the database). But will customers live with features that can't run if there is no internet connection?
As for breaking 9.3 passwords (for test scenarios), it is still very easy (you just need to replace the record instead of just the password value).
-
This feature request has been evaluated and based on our current roadmap/number of votes we are sorry to say that this request is not planned for the product.