Hi There, 

I have the below request for an on-prem setup; could someone help?

How to lock down some of the features (example: monitoring capabilities & analytics capabilities) of ServiceCenter/LifeTime to only be accessible via internal network; and lock down some of the features (example: User Management, DevOps capabilities) of ServiceCenter/LifeTime to only be accessible via Management Zone network.


Thank you

Hi Vadivelan,

From your diagram, I don't really understand what your "Internal Network" is. In OutSystems, the Internal Network name is used to represent the set of IPs that are allowed through for protected applications like Service Center and LifeTime.

As far as I'm aware, currently those permissions are "all or nothing", so if you set up the Internal Network you can only access any protected application through those IPs. Finer grained control would be done via IT users' governance.

I reached out to colleagues for any other network-level access control options, as this is not a requirement I usually have to deal with; hopefully we will hear from them here.

Hi,

I believe that, on top of Jorge's suggestion, you will have to set up permissions in LifeTime such that users cannot access user management. Check the documentation at https://success.outsystems.com/Documentation/11/Managing_the_Applications_Lifecycle/Manage_IT_Users/Create_and_Assign_Roles, specifically on infrastructure-wide permissions for restricting user management access.

Regards.

Jorge Martins & Prasad Rao wrote:

Thank you for your reply.

The "Internal Network" represents the set of IPs allowed zone. 

It is understood that the OutSystems capability around Roles/Permissions and IP configuration (Internal Network) is for the zonal access restrictions for applications. However, the above query is: within the restricted IPs (Internal Network), can the capabilities of Service Center & LifeTime be limited only to monitoring, performance analysis & analytics?

My understanding is also "all or nothing". Please let me know if any further details/inputs are required.





Hi Vadivelan Rajendiran,

It is understood that the OutSystems capability around Roles/Permissions and IP configuration (Internal Network) is for the zonal access restrictions for applications. However, the above query is: within the restricted IPs (Internal Network), can the capabilities of Service Center & LifeTime be limited only to monitoring, performance analysis & analytics?

Like I mentioned earlier, you can use the LifeTime User governance features to determine what your IT users can do on ServiceCenter/LifeTime. This is coarse-grained but there is a possibility of only giving access to monitoring. Check the documentation on it here for the different levels of access that you can assign your IT Users.

Hope this helps!

Sorry, the above message gives the wrong interpretation. Let me rephrase:

The intention of the query by the security guys is to restrict the DevOps and deployment capabilities only to the Management Zone (a separate network zone where LifeTime is installed).

And allow monitoring & other analytical capabilities to the Internal Network, where users can view/monitor.

Meaning, if the restriction is at the user role/permissions level, then it becomes a choice of the guy who has the rights: he can still access from the internal network, as his role is still accessible there, which the policy is not in favour of.