Platform Authentication

Prognoz Platform 9 provides several authentication types. The authentication method is selected according to the required security level.

Credentials can be checked at the DBMS server and/or in Prognoz Platform 9.

Desktop Application

The desktop application provides the following basic authentication types:

Additional authentication types:

Availability of basic authentication methods depends on the DBMS in use:

DBMS type \ Authentication type | Password | Role | Domain | Integrated domain

Oracle
Microsoft SQL Server 2008
Microsoft SQL Server 2012\2014\2016
Microsoft SQL Server (ODBC)
Teradata
PostgreSQL
SQLite
WEB Service

Password Authentication

Authentication is performed with a login and password. A password policy can be set up.

  1. The user enters login and password in Prognoz Platform 9.

  2. Prognoz Platform 9 accesses the DBMS using the given login and password.

Role Authentication

Role authentication, like password authentication, is performed with a login and password. Access to objects is determined by the roles assigned to the user at the DBMS server that match groups in Prognoz Platform 9.

NOTE. Role authentication is available only when Microsoft SQL Server is used as the DBMS.

  1. The user enters login and password in Prognoz Platform 9.

  2. Prognoz Platform 9 accesses the DBMS using the given login and password.

  3. The DBMS returns the list of user roles. The list of roles is compared with the list of Prognoz Platform 9 groups. The user gets the permissions that correspond to the groups.
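An audit query for role authentication, as an added example that is not part of the Prognoz documentation: it lists each database user's effective SQL Server roles and flags those whose names equal a platform group, since membership in such a role grants the corresponding platform permissions. The group names are constructed placeholders; matching by name and counting nested roles are assumptions the page does not confirm.

```sql
-- Constructed sample: names of Prognoz Platform 9 groups (placeholders,
-- replace with the group names defined in your repository).
DECLARE @platform_groups TABLE (group_name sysname PRIMARY KEY);
INSERT INTO @platform_groups (group_name)
VALUES (N'PP_ANALYSTS'), (N'PP_ADMINISTRATORS');

-- Effective database-role membership per user, following nested roles.
WITH effective_roles AS (
    -- Anchor: roles a user (not a role) is a direct member of.
    SELECT m.member_principal_id AS user_id,
           m.role_principal_id   AS role_id
    FROM sys.database_role_members AS m
    JOIN sys.database_principals AS u
      ON u.principal_id = m.member_principal_id
    WHERE u.type IN ('S', 'U', 'G')   -- SQL user, Windows user, Windows group
    UNION ALL
    -- Recursive step: roles that contain a role already reached.
    SELECT e.user_id, m.role_principal_id
    FROM effective_roles AS e
    JOIN sys.database_role_members AS m
      ON m.member_principal_id = e.role_id
)
SELECT DISTINCT
       u.name AS db_user,
       r.name AS db_role,
       CASE WHEN g.group_name IS NULL
            THEN 'no platform group'
            ELSE 'matches platform group'
       END    AS mapping
FROM effective_roles AS e
JOIN sys.database_principals AS u ON u.principal_id = e.user_id
JOIN sys.database_principals AS r ON r.principal_id = e.role_id
LEFT JOIN @platform_groups AS g
       ON g.group_name COLLATE DATABASE_DEFAULT = r.name COLLATE DATABASE_DEFAULT
ORDER BY db_user, db_role;
```

Rows marked 'matches platform group' are the memberships to review: a DBA who adds a user to such a role changes that user's platform permissions without touching the platform's own access control.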

Domain Authentication

With domain authentication, the user connects using the specified domain user credentials.

Domain authentication is similar to password authentication for the end user, but it simplifies user administration when domain controllers are used.

  1. The user enters the domain name and password in Prognoz Platform 9.

  2. Prognoz Platform 9 sends the specified credentials to the DBMS server.

  3. The DBMS accesses the domain controller. The domain controller checks that the specified data is correct and, by means of a temporary ticket, grants Prognoz Platform 9 permission to connect as the domain user.

Integrated Domain Authentication

Integrated domain authentication is similar to standard domain authentication, except that the domain user logged in to the operating system is used for authentication. Integrated domain authentication can be set up with various authentication methods.

Kerberos authentication method:

  1. The user enters the domain user name and password at operating system login.

  2. Prognoz Platform 9 sends the specified credentials to the DBMS server.

  3. The DBMS accesses the domain controller. The domain controller checks that the specified data is correct and, by means of a temporary ticket, grants Prognoz Platform 9 permission to connect as the domain user.

NTS authentication method:

  1. The user enters the domain user name and password at operating system login.

  2. Prognoz Platform 9 sends the DBMS a connection request containing the user credentials.

  3. The DBMS checks the user's authentication status with the domain controller. If the check succeeds, the DBMS grants access to the user.

Two-Factor Authentication

Two-factor authentication is a user authentication method that requests two different types of authentication data.

In Prognoz Platform 9, two-factor authentication uses any basic authentication type as the first factor; the second factor is a user certificate.

  1. The user performs basic authentication in Prognoz Platform 9.

  2. On request, the user presents a certificate to Prognoz Platform 9.

  3. If the certificate matches, Prognoz Platform 9 accesses the DBMS using the given login and password.

Integrated Authentication

With integrated authentication, DBMS data is accessed under the integrated administrator. User permissions are checked at the level of Prognoz Platform 9. The administrator user credentials are encrypted. Integrated authentication is set up via access control.

  1. The user enters login and password in Prognoz Platform 9.

  2. Prognoz Platform 9 checks user permissions and accesses the DBMS using the integrated administrator user credentials.

Web Application

The web application provides all desktop application authentication types; in this case, the BI server is used as the desktop application.

NOTE. Using domain or integrated domain authentication requires advanced settings.

The following additional authentication types are available for the web application:

OAuth

OAuth authentication enables the user to authenticate via Twitter. In this case, the connection to the DBMS is made under the saved, encrypted administrator user credentials.

  1. The user enters the login and password of the Twitter account.

  2. The data provider (Twitter.com) passes user authentication confirmation to the BI server.

  3. The BI server accesses the DBMS using the integrated administrator user credentials.

SAML

The SAML protocol enables identification data to be exchanged between the authentication provider and Prognoz Platform 9. In this case, the connection to the DBMS is made under the saved, encrypted administrator user credentials.

  1. The user enters login and password at the authentication provider.

  2. The authentication provider passes the result of the user credentials check to Prognoz Platform 9.

  3. Prognoz Platform 9 accesses the DBMS using the integrated administrator user credentials.

Guest Login

Basic principles of working with the web application can be learned by setting up guest login. The user can log in without entering user credentials, by using a previously created guest account. If guest login is used, it is recommended to limit guest account permissions.

  1. The user opens the guest link.

  2. The BI server accesses the DBMS using the previously entered guest account login and password.

Mobile Application

The mobile application uses password authentication. When using the mobile application, the user gets copies of reports and cannot edit them on the server.

  1. The user enters login and password in the Prognoz Platform 9 mobile application.

  2. The mobile application passes the data to the BI server for checking.

  3. The BI server checks the data and queries the mobile application server for available objects.