Security and Network

Owned by Karen Hogan (Unlicensed)
Last updated: Oct 14, 2022
6 min read

Security Configuration

Password Expires After Day(s): The amount of time a user’s Dashboard password can remain the same before they are forced to change it.

Minimum Password Length: The minimum length that a user’s password can be set to. If a user tries to set a password shorter than this it will be rejected and they will need to set a new one.

Prevent Users From Using Last Password(s): If this is set to 15 for example, users cannot create a new password which is the same as any of their last 15 passwords.

Prevent Users From Using Compromised Passwords: This prevents the user from creating a new password which has been compromised. Compromised status is ascertained by reference to the haveibeenpwned API ( https://haveibeenpwned.com/API/v3 )

Prevent Users From Using Weak Passwords: This prevents the user from creating a new password which our password strength estimation algorithm considers ‘weak’.

Max Failed Logins: The number of times a user can attempt to log in with an incorrect username or password before their account is locked.

Captcha At Failed Logins: The number of failed login attempts by a user before a captcha image is displayed.

User Sessions Timeout After Minutes Of Inactivity: The amount of time a dashboard session will remain active if it is not being used.

JWT Auth Public Key: If you are using JWT Authentication this is where you enter (as one line, no spaces) the Base 64 String Version of your public key. See ‘Authentication’ for more information.

Enable concurrent log ins for a single user: This will allow multiple browser sessions to connect using the same piDashboard username, if the licence you are using also supports this. If this is not enabled (and/or the licence doesn’t support it) then subsequent logins will succeed, but they will automatically log out prior sessions.

Logging Settings

Setting the log level

Setting the log level of an application decides the amount of content to be saved to log files. It means we are interested in the current and above levels.

  • Severity from high to low: Fatal, Error, Warn, Info, Debug, Trace

  • e.g. Setting it to Warn, means

    • Fatal, Error, Warn logs (current and above levels) are output into log files,

    • Info, Debug, Trace logs (lower than this level) are ignored, these events don’t output content to log files

Error is the least granular/least verbose and debug is the most. These settings should be left to ‘Error’ unless you’re trying to investigate an issue.

Debug can be very intensive so should only be used on a temporary basis.

Log Levels and their meaning

When an application outputs logs to log files, the content is marked with a log level. The log level indicates the severity of an event.

  • Fatal - A log message at Fatal level indicates a system down event

  • Error - A log message at Error level indicates something is broken, while the system is still running (We log 500 level errors as Error)

  • Warn - A log message at Warn level is an unintended event that can be recovered (We log 400 level errors as Warn)

  • Info - Info level message captures a system event e.g. service start/stop, configuration assumptions, etc

  • Debug - Debug messages contain information that is diagnostically helpful, typically it has data values related to certain events

  • Trace - Trace level logs provide verbose content for events in a system. (We don’t log Trace level logs in our system)

Error Codes

  • 500 level - A 500 level error is a system error, which is not recoverable from the user’s perspective

  • 400 level - A 400 level error is a user error. The system doesn’t have any problem, and the user is doing something unintended. For example

    • 400 - bad data is submitted, e.g. text is too long, number is too low, data format is incorrect

    • 401 - user fails to log in, e.g. username password don’t match

    • 403 - user is logged in but doesn’t have permission to perform a task, e.g. non-admin tries to delete a user

    • 404 - page doesn’t exist

Features and Performance

Overall display limit for list of values - controls the max amount of data can be displayed on a list or tree list. This change is only implemented in the following areas:

  • Users screen

  • Every tab on the User Access screen, including ‘Sync User Access’

  • The User selection screen in Scheduler

Display limit for sub list values - when it's a tree list, this is the max number allowed for displaying the sub list. When it's over the limit, a message will be displayed

Tree Structure:

  • The tree structure can be collapsed or expanded - if the data is less than the overall limit (X), it expands everything initially, otherwise everything is collapsed

  • The filter feature only includes expanded content - this is why everything is expanded initially if possible

  • When sub list is over the sub list limit (Y), the system suggests using the filter to reduce the numbers so that the list can be displayed with less items

  • When expanded items can potentially show more than the overall limit (X), the system stops expanding the list (the expanding button turns red)

Flat Structure:

  • When items are over the display limit (X), it creates pagination

  • If the pagination is more than 5 pages, users can enter a number to paginate

  • If the pagination is no more than 5 pages, users can click the pages to paginate

  • The filter filters all the data, it doesn't have the same constraints as the tree structure

Enable Variables on Object Labels - this option allows the use of Variables in the Object label field in Dashboard Configuration>Data Connections. Please refer to this page for more information.

Network Configuration

Load Balancer Settings: If you have configured load balancing (Load Balancing) and wish to utilise it click this button.

AWS IAM Credentials

Please refer to this section in our documentation on AWS Cloudformation Deployment for further information.

Server Settings

SMTP Server Instructions: for the dashboard to connect to your email server. The example shown is for Office365. SSL and TLS refer to the encryption configuration for your SMTP mail server

By default, the ‘Allow Unverified Security Certificates’ box will be unticked which will allow for the security checks to be carried out for the certificates used.

This functionality will affect the certificates used for forgotten password emails and scheduler emails.

Time Zone Location Settings

The Scheduler was previously locked to UTC and this could cause problems when the clocks changed due to Daylight Savings. With effect from the October 2022 release of the Dashboard, we’ve introduced a ‘Time Zone Location Setting’, which will allow users to define a custom time zone that will be used in Scheduler. Click the drop-down list to select the relevant time zone.