Authentication and authorization

Authentication controls whether a user is given access to portions of the application. Once a user's identity has been authenticated, authorization ensures that only users with sufficient privileges can run certain code or get to certain data.

Authentication

Authentication also provides a security control to deny attackers access to the application. The Sterling™ Order Management System Software applications use one or both of the following:
  • Application-based authentication - In the Sterling Order Management System Software applications, you define users in the Applications Manager. A user is a single person assigned with a certain task, such as Hub Administrator or Customer Service Representative, depending on what role they play in the organization. Users can be assigned to one or more user groups and teams.
  • Application server security - Application servers allow you to create users. These users could be used to control access to application server resources such as the Java™ Messaging Service (JMS) queues.

Authorization

In the Sterling Order Management System Software applications, user groups control access to code (or APIs) and teams control access to data.

User groups are a collection of users who perform a similar task or are granted similar security privileges. For example, a group of customer service representatives might be put in a Customer Service Representative user group. Users can belong to multiple user groups to which permissions are assigned. A user who belongs to multiple user groups retains the least restrictive set of permissions defined by the groups they belong to. For example, if a user belongs to a user group that permits the user to use the Application Console, and this user also belongs to a user group that permits the user to access only the Application Console and Applications Manager, the user has access to both applications.

User groups can be used to control access to application APIs (such as the getOrderList API), HTML inner panels and the Interoperability Servlet.

A Team is a collection of users who have common data access requirements. Teams, for example, can have access to specific document types, Enterprises, ship nodes, and customers. Teams can be assigned to specific customers.

Creating a team is an optional process. If a user is not associated with a team, that user is considered to have the least restrictive access, or default access to customer orders and information. By defining a team, you can further restrict access to any Enterprises, document types, or participating ship nodes that are a subset of the default access list.
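The two axes described above (user groups granting access to code by union of their permissions, teams narrowing data access to a subset of a default scope, and a user with no team receiving the default) can be modelled as a small policy check. The following is an added illustration, not Sterling Order Management System Software code or its API; the resource, enterprise, document-type and team names are constructed, and only getOrderList comes from the page.

```python
"""Added toy model of the authorization rules described on this page.
Not Sterling code: the default scope, resource names and sample users
are constructed for the example."""
from __future__ import annotations
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# Constructed default data scope: what a user with no team may reach.
DEFAULT_ENTERPRISES: FrozenSet[str] = frozenset({"ENT-EAST", "ENT-WEST"})
DEFAULT_DOCUMENT_TYPES: FrozenSet[str] = frozenset({"SalesOrder", "ReturnOrder"})


@dataclass(frozen=True)
class UserGroup:
    """Controls access to code: APIs, inner panels, servlets."""
    name: str
    resources: FrozenSet[str]


@dataclass(frozen=True)
class Team:
    """Controls access to data; its scope is clipped to the default list."""
    name: str
    enterprises: FrozenSet[str]
    document_types: FrozenSet[str]

    def effective_enterprises(self) -> FrozenSet[str]:
        # A team can only narrow the default access list, never widen it.
        return self.enterprises & DEFAULT_ENTERPRISES

    def effective_document_types(self) -> FrozenSet[str]:
        return self.document_types & DEFAULT_DOCUMENT_TYPES


@dataclass(frozen=True)
class User:
    name: str
    groups: Tuple[UserGroup, ...]
    team: Optional[Team] = None


def permitted_resources(user: User) -> FrozenSet[str]:
    """Union across groups: the least restrictive combination applies."""
    return frozenset().union(*(g.resources for g in user.groups))


def can_call(user: User, resource: str) -> bool:
    return resource in permitted_resources(user)


def data_scope(user: User) -> Tuple[FrozenSet[str], FrozenSet[str]]:
    """(enterprises, document types) the user may see."""
    if user.team is None:
        # No team: default access to customer orders and information.
        return DEFAULT_ENTERPRISES, DEFAULT_DOCUMENT_TYPES
    return user.team.effective_enterprises(), user.team.effective_document_types()


def can_access_order(user: User, enterprise: str, document_type: str) -> bool:
    enterprises, doc_types = data_scope(user)
    return enterprise in enterprises and document_type in doc_types


def authorize(user: User, resource: str, enterprise: str, document_type: str) -> bool:
    """Both checks must pass: the code (group) check and the data (team) check."""
    return can_call(user, resource) and can_access_order(user, enterprise, document_type)


# Constructed sample configuration.
CONSOLE_USERS = UserGroup("console_users", frozenset({"ApplicationConsole"}))
CONFIG_ADMINS = UserGroup(
    "config_admins",
    frozenset({"ApplicationConsole", "ApplicationsManager", "getOrderList"}),
)
EAST_TEAM = Team("east_csr", frozenset({"ENT-EAST"}), frozenset({"SalesOrder"}))

ADMIN = User("alice", (CONSOLE_USERS, CONFIG_ADMINS))      # two groups, no team
EAST_CSR = User("bob", (CONFIG_ADMINS,), team=EAST_TEAM)   # one group, scoped team
CONSOLE_ONLY = User("carol", (CONSOLE_USERS,))             # console access only

if __name__ == "__main__":
    print(sorted(permitted_resources(ADMIN)))
    print(authorize(EAST_CSR, "getOrderList", "ENT-WEST", "SalesOrder"))
```

The check is deliberately split in two functions so that a call on a permitted API against an out-of-scope enterprise fails on the data axis even though the code axis passes; when reviewing a deployment, confirm that every team's configured scope is genuinely a subset of the default list rather than relying on the clipping shown here.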

Recommendations

Both authentication and authorization form the cornerstone of the Sterling Order Management System Software applications security offering. You should follow industry best practices around authentication and authorization.

Removal of default Sterling user accounts

When installing the Sterling Order Management System Software applications, you must (at a minimum) load the factory default, which is a set of mandatory out-of-the-box configuration data. You can optionally load reference implementation data, which is a set of sample data containing sample organizations, sample items, and so on.

Both the factory defaults and reference implementation set up user accounts. You should not implement the optional reference implementation into your production system.