[Progress News] [Progress OpenEdge ABL] Securing Data Practices with Sitefinity User Groups

MeiLani Dumont (Guest)
The Progress Sitefinity DX User Groups feature helps businesses meet security and privacy regulations.

The most stringent security law in the world is the GDPR (General Data Protection Regulation). GDPR establishes the right to privacy for the people of the EU (European Union). Standards and regulation discussions around data protection and data privacy began in 2016, and the regulation became law in 2018. Although it is a regulation made in the EU, it applies to ANY organization that collects data from, or offers goods or services to, people in the EU. Violations of GDPR result in fines and penalties at a level that would be detrimental to any organization.

There are currently 7 data protection principles that organizations doing business with anyone in the EU must abide by to meet the regulation. As outlined on the GDPR.EU website, they are:

  1. Lawfulness, fairness and transparency — Processing must be lawful, fair and transparent to the data subject.
  2. Purpose limitation — You must process data for the legitimate purposes specified explicitly to the data subject when you collected it.
  3. Data minimization — You should collect and process only as much data as absolutely necessary for the purposes specified.
  4. Accuracy — You must keep personal data accurate and up to date.
  5. Storage limitation — You may only store personally identifying data for as long as necessary for the specified purpose.
  6. Integrity and confidentiality — Processing must be done in such a way as to ensure appropriate security, integrity and confidentiality (e.g., by using encryption).
  7. Accountability — The data controller is responsible for being able to demonstrate GDPR compliance with all of these principles.

Per GDPR terminology, any employee who makes decisions or handles the personal data being collected, such as a Digital Marketing Manager or a Lead Generation Manager, is considered a data controller. And per principle #7 above, the data controllers must ensure compliance. 

(Note: This blog post is not intended to fully explain security and privacy laws and regulations. Please visit both the GDPR and CCPA (California Consumer Privacy Act) websites for more detailed information.)

What are Sitefinity User Groups?

So, what do Sitefinity User Groups have to do with any of this? Well, for any EU-based or global businesses managing multiple sites (have you seen Sitefinity’s multisite capabilities?), it is probably very relevant. The Sitefinity DX User Groups feature helps you meet security and privacy regulations by mandating "that a minimal amount of people should have access to customer information."

Businesses often have different teams for different business regions under the same management group. For example, a Global Marketing team may consist of many regional teams. The APAC Lead Generation team would be responsible for managing form submission data on the APAC website, and the EMEA Lead Generation team is responsible for the EMEA region. With user groups (a feature only included with the DX Enterprise Package at the time of this writing), you can ensure that your marketing team members only have access to the data they are responsible for.

User Groups Set Up

User groups allow you to group different Sitefinity backend user accounts so they can manage content only on a single or group of sites that are relevant to their job. User groups “govern what sites a particular user account can work with, while the permissions govern which resources are available within these sites,” as stated in the Progress Sitefinity documentation.

Configuration for a site’s user group is done via the Configure modules option, found in the Actions menu for each site.

[Screenshot: securing-data-practices-with-sitefinity-user-groups_body-image-1.png]

However, user groups are not enabled by default for your Sitefinity instance.

[Screenshot: securing-data-practices-with-sitefinity-user-groups_body-image-2.png]

Enabling user groups is done at the whole Sitefinity instance level, and thus requires backend administrator privileges. The first step is to enable it in the Users per Site menu option under the Security section from the Advanced Settings Menu.

[Screenshot: securing-data-practices-with-sitefinity-user-groups_body-image-3.png]

Please be aware that enabling this feature requires an application restart. Once enabled, you will be able to create a new user group or select an existing one.

[Screenshot: securing-data-practices-with-sitefinity-user-groups_body-image-4.png]
[Screenshot: securing-data-practices-with-sitefinity-user-groups_body-image-5.png]

Once you have your user groups defined, whoever is responsible for managing user accounts follows the same procedures as usual for creating users, assigning roles and setting permissions, but now does so within a specific group. Pay special attention to where the users are created. In the following screenshot, notice that if you create the user in the Default user group, that user will be able to access the backend for all sites (as warned in the user interface).

[Screenshot: securing-data-practices-with-sitefinity-user-groups_body-image-6.png]

Be sure you are in the correct user group when you create your users.

[Screenshot: securing-data-practices-with-sitefinity-user-groups_body-image-7.png]

In this Sitefinity demonstration instance, I am managing multiple sites in different regions.

[Screenshot: securing-data-practices-with-sitefinity-user-groups_body-image-8.png]

I created a new role for my Marketing Lead Generation teams, named Lead Gen. The permissions set for this role will be very similar to the permission settings for the out-of-the-box Editors role, which only allows a user to create and manage pages and content. I could have assigned Peter to the Editors role to accomplish this, but for the sake of this demonstration I created a new one.

[Screenshot: securing-data-practices-with-sitefinity-user-groups_body-image-9.png]

Next, I created a user account for Peter Parker, who is responsible for managing registration form data for the EMEA region’s website.

[Screenshot: securing-data-practices-with-sitefinity-user-groups_body-image-10.png]

Keep in mind that Peter must be on the correct site’s URL to log in.

[Screenshot: securing-data-practices-with-sitefinity-user-groups_body-image-11.png]

When Peter logs in, he will only have access to the EMEA site and can only access Pages and Content.

[Screenshot: securing-data-practices-with-sitefinity-user-groups_body-image-12.png]

To demonstrate a bit further and show how your data controllers are meeting compliance, the same process was followed for creating another user group and user account for the APAC region website. The user, Steve Rogers, was also assigned to the Lead Gen role, but belongs to the APAC Marketing Team user group.

[Screenshot: securing-data-practices-with-sitefinity-user-groups_body-image-13.png]

Although Steve is assigned to the same role as Peter, when he logs in, he will only have access to the APAC site and can only access Pages and Content.
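The two-layer rule behind the Peter and Steve walkthrough (the user group decides which sites an account can enter; the role's permissions decide which resources it can touch inside those sites) is easy to get wrong when reviewing access, so here is a small stand-alone model of it. This is an added example written for this post, not Sitefinity code or its API: the site keys, the `forms` and `users` resource names, the `Administrators` permissions and the `dana.admin` account in the Default group are all assumptions; the user names, group names and the Lead Gen role's pages-and-content scope come from the walkthrough above.

```python
"""Illustrative model of the two-layer backend access control described above.

Layer 1: the user group decides which sites' backends an account may enter.
Layer 2: the account's roles decide which resource types it may manage there.
Constructed for this post; it is NOT Sitefinity's API or data model.
"""
from dataclasses import dataclass

DEFAULT_GROUP = "Default"  # accounts in the Default group reach every site's backend

# Sites in the constructed demo instance (assumption: three regional sites).
ALL_SITES = frozenset({"emea", "apac", "amer"})


@dataclass(frozen=True)
class UserGroup:
    name: str
    sites: frozenset  # site keys the group may work with (ignored for Default)


@dataclass(frozen=True)
class Role:
    name: str
    permissions: frozenset  # resource types the role may manage


@dataclass(frozen=True)
class User:
    username: str
    group: UserGroup
    roles: tuple


def sites_for(user):
    """Layer 1: the sites whose backend the account can enter at all."""
    if user.group.name == DEFAULT_GROUP:
        return ALL_SITES
    # A group can only scope an account to sites that exist in the instance.
    return user.group.sites & ALL_SITES


def can_access(user, site, resource):
    """Both layers must agree: the group grants the site AND a role grants the resource."""
    if site not in sites_for(user):
        return False
    return any(resource in role.permissions for role in user.roles)


def visible_submissions(user, submissions):
    """Data minimization: keep only the form submissions this account may see."""
    return [s for s in submissions if can_access(user, s["site"], "forms")]


def access_report(users, resources):
    """Accountability: a per-user, per-site list of manageable resources for review."""
    return {
        u.username: {
            site: sorted(r for r in resources if can_access(u, site, r))
            for site in sorted(ALL_SITES)
        }
        for u in users
    }


# --- constructed sample data (names from the post; permissions are assumptions) ---
EMEA_TEAM = UserGroup("EMEA Marketing Team", frozenset({"emea"}))
APAC_TEAM = UserGroup("APAC Marketing Team", frozenset({"apac"}))
DEFAULT = UserGroup(DEFAULT_GROUP, frozenset())

LEAD_GEN = Role("Lead Gen", frozenset({"pages", "content"}))
ADMIN = Role("Administrators", frozenset({"pages", "content", "forms", "users"}))

PETER = User("peter.parker", EMEA_TEAM, (LEAD_GEN,))
STEVE = User("steve.rogers", APAC_TEAM, (LEAD_GEN,))
DANA = User("dana.admin", DEFAULT, (ADMIN,))  # hypothetical account created in Default

SUBMISSIONS = [  # constructed form responses, one per regional site
    {"site": "emea", "email": "a@example.eu"},
    {"site": "apac", "email": "b@example.sg"},
    {"site": "amer", "email": "c@example.com"},
]

if __name__ == "__main__":
    for user in (PETER, STEVE, DANA):
        print(user.username, sorted(sites_for(user)),
              [s["email"] for s in visible_submissions(user, SUBMISSIONS)])
    print(access_report([PETER, STEVE, DANA], ["pages", "content", "forms", "users"]))
```

Two things the model makes visible that the screenshots only imply: an account created in the Default group sees every site's data regardless of how narrow its role is, and a narrow group on its own is not enough, because Peter's Lead Gen role grants pages and content but no form data, so `visible_submissions` returns nothing for him even on EMEA. Running `access_report` over all backend accounts gives the per-site matrix a data controller can hand over when demonstrating principle 7.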

[Screenshot: securing-data-practices-with-sitefinity-user-groups_body-image-148931a520-0d0c-4624-9bab-3855187014ed.png]
