Follow the steps below to configure security parameters in OA.

Configure Brute-Force Attack Protection

Enable brute-force attack protection in OA and configure its parameters:

  1. Log into OA Provider Control Panel
  2. Go to Top > System > Settings > System properties
  3. Click the Edit button
  4. Enable the Password brute force attack protection option
  5. Configure the parameters for this option:
    1. Failed login attempts checking period (minutes) - specify the period in minutes, during which the system counts login failures from the user’s IP address(es)
    2. User locking period after too many authentication errors - specify the length of the temporary lock-out period in minutes
    3. Maximum authentication attempts before locking user - specify the number of sequential failed login attempts after which OA locks the user

  Refer to OA Provider's Guide for more details: Enabling Brute-Force Attack Protection
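To make the interaction of the three parameters concrete, here is an added model of the lock-out logic; it is not OA's code, and the sliding-window counting, the per-user counter and the reset on a successful login are assumptions made for illustration. The two scenarios use constructed timestamps.

```python
from collections import defaultdict, deque


class BruteForceProtection:
    """Model of OA's three brute-force parameters (assumed semantics, not OA's code)."""

    def __init__(self, check_period_min, lock_period_min, max_attempts):
        self.check_period = check_period_min * 60   # seconds the failure counter looks back
        self.lock_period = lock_period_min * 60     # seconds a locked user stays locked
        self.max_attempts = max_attempts
        self.failures = defaultdict(deque)  # user -> timestamps of recent failed logins
        self.locked_until = {}              # user -> time at which the lock expires

    def attempt(self, user, password_ok, now):
        """Record one login attempt at time `now` (seconds); return 'ok', 'failed' or 'locked'."""
        if now < self.locked_until.get(user, 0):
            return "locked"                 # still inside the lock-out period
        recent = self.failures[user]
        while recent and now - recent[0] > self.check_period:
            recent.popleft()                # drop failures older than the checking period
        if password_ok:
            recent.clear()                  # assumption: a success resets the sequence
            return "ok"
        recent.append(now)
        if len(recent) >= self.max_attempts:
            self.locked_until[user] = now + self.lock_period
            recent.clear()
            return "locked"
        return "failed"


def simulate(guard, user, events):
    """events: constructed list of (seconds_since_start, password_ok) pairs."""
    return [guard.attempt(user, ok, t) for t, ok in events]


def burst_scenario():
    # 10-minute checking period, 30-minute lock, 5 attempts: five failures in two minutes
    guard = BruteForceProtection(10, 30, 5)
    events = [(0, False), (30, False), (60, False), (90, False), (120, False),
              (180, True), (33 * 60, True)]
    return simulate(guard, "admin", events)


def spread_scenario():
    # same settings, but one failure every 11 minutes never accumulates 5 inside the window
    guard = BruteForceProtection(10, 30, 5)
    events = [(i * 660, False) for i in range(5)] + [(3000, True)]
    return simulate(guard, "admin", events)
```

The burst locks the account on the fifth failure and rejects even the correct password until the lock period has passed; the spread-out failures never lock it, which is why the checking period should be long enough relative to the attempt limit you choose.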

Configure password quality

  • Log into OA Provider Control Panel
  • Go to Top > System > Settings > Security > Setup > Password Quality
  • Set the parameter Password Quality Level for Child Accounts to the desired value:

    • None
    • Strong

    Note: if OA is integrated with BA then password quality must be set to the same level in both systems.

    Refer to OA Provider's Guide for more details: Setting Password Quality

Configure password expiration policy

  • Log into OA Provider Control Panel
  • Go to Top > System > Settings > Security > Setup > Password Expiration Policy
  • Enable/disable password expiration period in days for different types of users (belonging to Provider, Reseller and Customer accounts)
  • Optionally lock policies to prevent users from modifying them

    Refer to OA Provider's Guide for more details: Setting Password Expiration Policies

Configure system roles

Create roles for different types of staff members in OA Provider Control Panel at Top > System > Settings > Security > Roles > Staff member roles

Follow the principle of least privilege when creating roles - include only the privileges that a staff member needs to perform their tasks in OA Control Panel.

Assign roles to staff members on the Roles tab in staff member properties.

Keep in mind the following notes when configuring roles in OA:

  • There are 3 types of accounts in OA, each with its own set of roles - Provider, Reseller, Customer
  • A privilege is a named permission to execute certain operations on certain objects
  • A role is a set of privileges
  • The same privilege may be included in different roles in different modes:
    • Disabled
    • View (provides read-only access to managed objects)
    • Manage (allows managing existing objects)
    • Admin (allows managing existing objects and creating new ones)
  • An account may have one or more staff members (users); their number is controlled by the resource Additional Staff Members in Reseller/Customer subscriptions
  • One role may be assigned to many users and many roles may be assigned to the same user
  • The resulting set of privileges a user gets is the combination of all privileges defined by all roles assigned to that user
  • A role is assigned not to an account but to a staff member of an account
  • After a user's roles are modified, the changes take effect only upon the user's next login to OA Control Panel
  • There are 3 built-in roles in OA:
    • Account Administrator (separate roles for Provider, Reseller and Customer accounts)
    • Staff member defaults (all privileges are disabled in the role)
    • Pleskd role (system role, do not assign it to regular users)
  • Only the very first staff member in an account is automatically assigned the Account Administrator role
  • Staff members created later for the account are automatically assigned the Staff member defaults role
  • To Manage Privileges, please refer to the section Managing Privileges

Configure OpenAPI security

Configure OpenAPI security settings in OA Provider Control Panel at Top > System > Settings > Public API:

  • SSL - select this check box to use HTTP over SSL (HTTPS) instead of plain HTTP
  • HTTP Authentication - requires a client to authenticate itself to the server using an OA login/password
  • Accept connections - set it to Only From Allowed Network

Notes:

  • SSL and HTTP Authentication require client-side support
  • Do not enable SSL and HTTP Authentication if you are not sure that important clients are able to connect properly
  • Put the IP addresses of all external systems that need to connect to the OA OpenAPI server (e.g. BA or another billing system) in the list on the Allowed Networks tab

  Refer to OA Provider's Guide for more details: Configuring Open API Security Settings

Additional information

See the global article OA Maintenance Guide for checking other important settings.
