Network authentication

Configure network authentication to restrict access to your organization's data to trusted domains or IP addresses.

A user with the Organization Administrator role can configure network authentication in the following ways:
Restrict engine access by domains
    Specify trusted domains that engine workstations can use to send requests to your Control Hub organization.
    All organizations can configure trusted domains for engine workstations.
Restrict access by IP addresses
    Define network access rules that limit browser, API, SDK for Python, and engine requests to specific IP ranges.
    Only approved organizations can define network access rules.

Restricting engine access by domains

Engines send requests to Control Hub. To further secure your organization’s data, you can restrict these requests to trusted domains.

When you configure trusted domains, Control Hub verifies that each request from an engine originates from an allowed domain.

By default, engines can belong to any domain.

Enter a comma-separated list of domains or host names using the following format:
.<domain name1>.com,.<domain name2>.com,<host name1>,<host name2>

Control Hub treats any value that begins with a dot (.) as a domain name. Control Hub treats all other values as a host name.

For example, to allow all hosts within the domain named mycompany, enter the following value:
.mycompany.com

To allow specific host machines, enter the following value:
host1,host2

To restrict engine access by domains:

  1. In the Navigation panel, click Manage > My Organization.
  2. In the Valid Domains property, enter the allowed domains and host names.

    The default asterisk wildcard (*) allows engine workstations from any domain.

Restricting access by IP addresses

Define network access rules to enforce IP-based access control for your Control Hub organization.

When you define network access rules, browser, API, SDK for Python, and engine requests to your organization are allowed only from specified IP ranges. All other requests are blocked.

Use network access rules to:
  • Restrict access to trusted corporate IP ranges
  • Limit external integrations to approved IP addresses

For each network access rule, you specify the following information:
  • IP address range
  • Bit mask or 32-bit value that defines the network portion of the IP range

Prerequisites

Before an organization administrator defines network access rules, ensure that the following prerequisites are met based on your IBM StreamSets offering:

IBM StreamSets as a Service
    Your organization must have an account agreement that includes network access rules. For details about your agreement, contact your IBM StreamSets account team.
IBM StreamSets as client-managed software
    A system administrator must enable network access rules for your organization. For instructions, see Enabling network access rules for an organization.

Adding a network access rule

An organization administrator can add a network access rule in the organization properties.

  1. In the Navigation panel, click Manage > My Organization.
  2. Click Advanced.
  3. Under Network Access Rules, click Add Rule.
  4. Enter the IP address range, bit mask, and an optional comment.
  5. Click Save.
  6. To activate the rule, select Enable Network Access Rules.

    Changes can take up to 5 minutes to take effect.
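
Because enabled rules block every request from outside the listed ranges, it helps to check a planned rule set against the addresses that must keep access before you select Enable Network Access Rules. The following Python check is an added example, not part of the product or its documentation; the rule and client values are constructed, and it assumes the mask is entered as a prefix length or a dotted netmask.

```python
import ipaddress

# Constructed sample rules: (IP address range, mask, comment).
# Illustrative values only, not taken from the documentation.
RULES = [
    ("10.20.0.0", "16", "corporate LAN"),
    ("192.0.2.64", "255.255.255.192", "partner integration"),
    ("198.51.100.7", "32", "CI runner"),
]

# Constructed sample clients that must keep access once rules are enabled.
CLIENTS = {
    "admin-browser": "10.20.31.5",
    "engine-01": "192.0.2.70",
    "sdk-job": "203.0.113.9",
}


def parse_rule(address, mask):
    """Return the network for a rule; raise ValueError if it is malformed.

    strict=True rejects an address with host bits set (e.g. 10.20.1.0/16),
    a common typo that makes a rule cover a different range than intended.
    """
    return ipaddress.ip_network(f"{address}/{mask}", strict=True)


def check_coverage(rules, clients):
    """Map each client name to the comment of the first matching rule, or None."""
    networks = [(parse_rule(a, m), c) for a, m, c in rules]
    result = {}
    for name, ip in clients.items():
        addr = ipaddress.ip_address(ip)
        result[name] = next((c for net, c in networks if addr in net), None)
    return result


def blocked_clients(rules, clients):
    """Names of clients that no rule covers and that would be blocked."""
    coverage = check_coverage(rules, clients)
    return sorted(name for name, rule in coverage.items() if rule is None)


if __name__ == "__main__":
    for name, rule in check_coverage(RULES, CLIENTS).items():
        print(f"{name:15} {'allowed by ' + rule if rule else 'BLOCKED'}")
```

Include the address of the browser you are configuring from in the client list, so that the check covers the administrator session itself.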

Enabling or disabling all rules

An organization administrator can enable or disable all network access rules.

  1. In the Navigation panel, click Manage > My Organization.
  2. Click Advanced.
  3. Under Network Access Rules, select or clear Enable Network Access Rules.