FAQ
How is security handled in your system?
Data security is enforced through the use of a single database logon and a single user account with access to the file vault. The Aras Innovator application server acts as a proxy for all data and vault transactions, ensuring that all access to data is controlled by the Aras Innovator Identity Permissions control layer. MD5 is used to encrypt certain data fields before transmission (e.g. passwords). All users are assigned a unique username/password account (Identity) within Aras Innovator. These user accounts can be administered within the Aras Innovator administration screens or using Active Directory or any other user authentication system.
What information can be restricted? Can it be defined by user, by group?
The Aras Innovator Identity Permissions security model is an Identity membership-based security scheme combined with a “need to know” object-level access list technology developed in partnership with Aras aerospace & defense industry customers. Users are assigned to Identities (analogous to Groups) and all tasks, objects, forms etc. have a ‘need-to-know’ list of Identities that are allowed to access them for read, update, management and deletion. Similar to Active Directory, the Identity-based security scheme is a membership manager. Each user is assigned membership in one or more groups (Identities). Those groups have a hierarchy of membership within other groups, inheriting the rights of the organizations of which they are members. Each business item (BOM, Drawing, Supplier, Workflow, Material Master, etc.) has a default access assigned to it upon creation. This default is then modified, as required, for each instance of the business item, throughout its lifecycle, to produce a true “need-to-know” list for each. Company business rules determine the level of security required: simple broad-brush, role-based access or specific “need-to-know” lists of individuals for each Item/object. The power and flexibility of this model enable companies to include their suppliers and customers as real-time users within the PLM system with the confidence that visibility is restricted and intellectual property is protected.
Provide internal and external user security profiles.
Fully compliant. The Innovator Identity Permissions security model is an Identity membership-based security scheme combined with a “need to know” object-level access list technology developed in partnership with our aerospace & defense industry customers. Users are assigned to Identities (analogous to Groups) and all tasks, objects, forms etc. have a ‘need-to-know’ list of Identities that are allowed to access them for read, update, management and deletion.
What kind of security is required or recommended for file sharing of data reports, report layouts, and other documents which are stored outside of the database and application?
Report Layouts are the only items stored outside of the Application Database. They are stored within the Microsoft Reporting Services database. Aras Corp recommends that the administrative passwords for Microsoft Reporting Services be kept within IT only.
What kind of security is required or recommended at the database level, aside from the application?
Aras Corp recommends that the SQL Server “sa” password and the “Innovator” user passwords be kept secret. No other user accounts with SQL Server are required.
Is the security administration function separate from the regular administration functions?
There is only a single client program, which serves as the programmer's interface, the administrator's interface and the end-user's interface. All the menus, forms and functions are segregated by the permissions associated with the login ID. The various functions for security are segmented by login ID as well as by the roles assigned to the login ID. The highest security functions are only accessible by the root user. The Innovator Admin has a lesser overall security scope, allowing for the creation and modification of new item types. The access and capabilities of the various IDs and roles are fully configurable to meet your corporate security allowances.
What additional security is required to limit the risk of unauthorized persons into the system?
No additional security is required. Data security is enforced through the use of a single database logon and a single user account with access to the file vault. The Innovator application server acts as a proxy for all data and vault transactions, ensuring that all access to data is controlled by the Innovator Identity Permissions control layer. MD5 is used to encrypt certain data fields before transmission (e.g. passwords). All users are assigned a unique username/password account (Identity) within Innovator. These user accounts can be administered within the Innovator administration screens, or using Active Directory.
Is the solution designed to handle external user access over the Internet utilizing DMZ (firewall) architecture? If so, how?
Yes, Innovator is designed for access over the internet utilizing DMZ architecture as well as through intranet access. At Aras, we are able to access our demonstration server in Lawrence either through direct internet access, or remotely logged into the intranet through a VPN client. External users and suppliers will access the Innovator server via their Web Browser (Internet Explorer) connecting to the server either through a VPN connection or a secure Reverse-Proxy Server connection. The Aras www.myInnovator.com, for example, sits 100% within the DMZ, allowing cost-effective and secure connection by both internal and external users.
Microsoft Active Directory – the software should interface with Microsoft Active Directory for easier management of user accounts and administration
Aras Innovator can be used with Active Directory to enable single-sign-on for end-users. User accounts can be administered in AD, but the membership of those users in groups and roles for permissions, workflow assignments, etc., is administered inside Aras Innovator.
Phased – access permissions to Product data will change through the phases of a product’s lifecycle, with the product’s development team having free access to all product info early in the product’s design phases, but formal change control processes will start to apply to much (but not all) of the product’s data as it nears the manufacture phase. Permissions may change through the following Phases: Early Development → Mid Development → New Product Intro → Released → Obsolete
The Innovator Lifecycle Management service is used to automatically change Permissions when work items move through the Lifecycle. The administrator uses the drag-n-drop Solution Studio tool to set the Lifecycle Permission rules.
Role/Team/Product Based – permissions levels also need to be customisable per user, and per folder or document type to allow a high level of flexibility with the types of access that users have to the various areas within the system
The Innovator Permission model is based on Identity Membership where User accounts are assigned one or more Identities, and these Identities can be organized hierarchically, with inheritance of permissions. Each business item instance can be assigned a default Permission set based on the Item type, or can be assigned unique, private permissions to a specific sub-set of Users (this enables tight Need-To-Know List management if it is required).
Access to change Permissions – Users such as Project Managers should have the ability to change Permissions to allow users that they choose to access their project folders.
Innovator’s standard Permission model controls: Get, Add, Delete, Update and Change-Permissions.
Supplier access – access to specific areas of the system would be provided to key suppliers, although a high level of security is required for this. Areas included would be part specifications for parts that a supplier provides, or even BOM and Change Management info for specific products that a Contract Manufacturer produces
Innovator is a 100% web application, designed from the ground up to implement secure web based communications and data-sharing throughout the “extended” organization. The administrator will use the drag-n-drop Solution Studio tools to define a permission scheme that supports the desired Supplier interface. Innovator has been successfully deployed across supply chains with high levels of security and data integrity.
Permissions Copy – ability to copy the Permissions of an existing document or folder to another document or folder
The Innovator model uses named Permission sets to simplify the administration of permissions on actual documents and other business items. (Setting private, need-to-know permissions on any item is also possible, but most customers find that named permission sets are the most effective means of maintaining security and minimizing administrative overhead.) Permissions can be re-assigned, copied, and changed automatically (by the Lifecycle engine).
Active directory integration – How does it work in Innovator? How is it set up?
Aras Innovator supports 3 modes of authentication: (1) all user account and password information is internal to Innovator, (2) logins are authenticated against an external system, usually Active Directory, and (3) mixed mode, in which some users (such as suppliers) are authenticated by Innovator and others are authenticated using Active Directory. Active Directory authentication is sometimes called Single-Sign-On, because users who have logged onto the Windows domain can open their browsers to the Innovator URL and directly access the Innovator user interface without logging in to Innovator. Active Directory authentication eliminates the passwords stored in the Innovator database, and uses the AD authentication to allow access to Innovator. The system administrator will still need to create accounts within Innovator, and assign the Innovator-specific permissions and group memberships. To configure Innovator for 3rd party authentication, please check the document “Aras Innovator 8.1 - Login Hooks.pdf” and also check the forums, where there are several posts on this topic. There is an Active Directory-specific Technical Note on the Aras web site. Check the new section of the Aras.com/University page named “Bill’s Workbench”.
Access rights to objects - are there only 4 choices (get, update, delete, can change access)? How does this work with user roles? Does the system have the ability to give promote access but not edit access to one role/group?
Promote permission is assigned specifically for each possible promotion on each Lifecycle Map. In the Lifecycle Map editor, each State-to-State Promotion (the allowed “transitions”), has an Identity associated with it. Only members of this Identity will be allowed to make the promotion. In this way, Update permissions to the Item are separate from Promotion rights.
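The following Python model is an added example, not Aras Innovator code or its API. It shows nested Identity membership with inheritance, permission sets that change with the lifecycle state, and a promotion right held separately from Update; every user, identity and table name in it is constructed for illustration.

```python
# Added illustration: a model of the scheme described above, not Aras code.
# All user, identity and item names are constructed.

# Identity -> identities it is a direct member of (hierarchy with inheritance).
MEMBER_OF = {
    "alice": {"Design Engineers"},
    "bob": {"Change Board"},
    "acme_rep": {"Supplier ACME"},
    "Design Engineers": {"Engineering"},
    "Change Board": {"Engineering"},
}

# Lifecycle state -> named permission set: access right -> allowed identities.
STATE_PERMISSIONS = {
    "Early Development": {"get": {"Engineering"},
                          "update": {"Design Engineers"}},
    "Released": {"get": {"Engineering", "Supplier ACME"}, "update": set()},
}

# (from_state, to_state) -> the identity allowed to make that promotion.
PROMOTIONS = {("Early Development", "Released"): "Change Board"}


def effective_identities(user):
    """Return the user plus every identity reached through nested membership."""
    seen, stack = set(), [user]
    while stack:
        ident = stack.pop()
        if ident not in seen:          # also guards against membership cycles
            seen.add(ident)
            stack.extend(MEMBER_OF.get(ident, ()))
    return seen


def can(user, right, state):
    """Default deny: a right exists only if a held identity is on the list."""
    allowed = STATE_PERMISSIONS.get(state, {}).get(right, set())
    return bool(effective_identities(user) & allowed)


def promote(user, item, to_state):
    """Move the item to to_state if the user holds the transition's identity."""
    required = PROMOTIONS.get((item["state"], to_state))
    if required is None or required not in effective_identities(user):
        raise PermissionError(f"{user} may not promote to {to_state}")
    item["state"] = to_state           # permissions now follow the new state
    return item
```

In this model bob can promote but not update, alice can update but not promote, and the supplier account gains read access only once the item reaches Released.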
The system shall allow Global internal resources and external suppliers (LAN, WAN, External) access to product data, configuration and implementation information.
Meets requirement. Aras Innovator is a web-based enterprise PLM system, highly scalable, and with a robust security model. Most Aras customers include both internal and external resources (suppliers, customer) as end-users of the PLM system.
The system shall have secure vaulting (storing) of unstructured data (files) and controlled updates and version tracking of vaulted and data that is under change control.
Meets requirement. Aras Innovator vault server is file type independent, and is able to provide versioning and configuration management for any file type. End-users are able to check-in, check out and version control files of any type, using just the standard Aras Innovator user interface.
CAD integrations are used to provide automation over and above the built-in file server functions. With the CAD, Office and EDA application integrations, menus are added within the application to allow direct access to the Aras Innovator vaults without logging in to PLM separately. The integrations also automate the extraction and database upload of attributes, and the maintenance of inter-file dependencies.
The system shall be capable of controlling data ownership such that concurrent editing by different individuals is avoided.
Meets requirement.
The system shall be capable of importing, archiving, and managing any type of defining element utilized by the native authoring and/or viewing software being used. Examples include, but are not limited to: PDF, IGES, STEP, Gerber, HPGL, .hex, .lib, ProE, AutoCAD, NX, Mentor, Cadence, Solidworks, Illustrator, PageMaker, PowerPoint, Freehand, MSOffice, zip, gzip.
Meets requirement. Aras Innovator vault server is file type independent, and is able to provide versioning and configuration management for any file type. End-users are able to check-in, check-out and version control files of any type, using just the standard Aras Innovator user interface. All of the formats noted in the requirement are supported.
The system shall provide a collaborative backbone with the means to effectively and securely exchange data and information and provide seamless access to product information across internal and external functional teams (LAN, WAN, External) down to the item level.
Meets requirement. Aras Innovator is used by many customers within the military and defense contractor community, and includes the security features demanded for those environments. As a 100% web enabled application, Aras Innovator has the capability to extend workflows, collaboration and quality management functions to the company's supply chain and customer base with the confidence of secure data transmission and bulletproof data access rights management.
Internal and external users that interact with the product data or any of the supporting data shall have access to the new system to view, sign off, export or contribute to the appropriate data to support their activities.
Meets requirement.
Internal and external user access control shall be configurable by owner, group, roles, etc.
Meets requirement. Aras security models are based on a hierarchical membership model with inheritance (similar to Microsoft Active Directory). Permissions to data and rights to run specific functions can be assigned to individuals or to groups.
The system shall allow external suppliers (LAN, WAN, External) controlled access to product data, configuration and implementation information. This access shall be controlled such that a supplier should not be able to see all of the product data, only a subset as defined by the business unit.
Meets requirement.
The system shall have an LDAP compliant access capability.
Meets requirement. Simple integration with Active Directory is explained in the installation guides. Aras Innovator also supports mixed-mode authentication, which can dramatically simplify managing log-on accounts for a large supplier base. In mixed-mode authentication, internal users are authenticated with Active Directory (single-sign-on), while Supplier log-on accounts are managed only within Aras Innovator. This eliminates the need to create Active Directory accounts for all suppliers.
Describe how security is applied with respect to access by roles, access by region or country, access by business unit and/or contract type, and access restrictions for single documents.
Aras Innovator controls data access rights with a Permissions object which controls Read, Update, Delete, Discover and Change-Access by user or by Identity. "Identity" is an Aras Innovator concept analogous to a Role and/or Group. The permissions can be applied in patterns across all documents linked to a Project, or set item-by-item in a "Need to Know" style control system. The Identity model in Aras Innovator is hierarchical with inheritance, allowing complex permissions management schemes to be implemented with minimal on-going administration.
What types of authentication are supported?
Aras Innovator supports either Internal authentication (user account and passwords stored within the Innovator application) or external authentication. The most common external authentication is single-sign-on with Active Directory, however, the Aras authentication API allows an open interface to any external authentication method.
Aras Innovator can also be operated in a mixed-mode, in which some users are authenticated by Active Directory (e.g. internal users) and others are authenticated using Aras Innovator user accounts (e.g. Suppliers).
Does the application provide a human-readable log that shows all activity (search/view/edit) by user?
Yes. There is a built-in configurable History feature that is viewable from within the application. There is also a human-readable server log accessible to IT.
Does the application provide a human-readable log that shows all activity (search/view/edit) by function?
Yes.