User Management and Security

User Security

MySource Matrix has the following types of users, each of which has varying access levels:

  • Normal User: has no access to authoring any content

  • Backend User: may author content if their profile allows them to edit that content.

  • Administrator: may access the administration interfaces, including all content, and most system tools.

  • Root User: may access the administration interfaces, including all content, and all system tools.  There is only one “Root User” per system.

A simple and intuitive user interface allows an administrator to grant read, write or administration access to an asset or group of assets to a particular user or group of users. As with all changes to assets, an audit trail is kept of changes to asset permissions.

Decentralised author access is secured through:

  • User login and password (may operate through LDAP or Active Directory)

  • Enforceable use of Secure Sockets Layer (SSL) encryption

  • Optional IP range restriction

  • Optional visual key

MySource Matrix employs User Groups to represent roles, and permissions can be granted to user groups.  An example could be creating a User Group called “Department 1 Content Authors”.  Rather than granting write access to pages within the Department 1 site to individual users, access is granted to this group.  When people join or leave the department, they are simply added to or removed from the User Group, and no changes are required to the permissions of the pages within the department site.  If individuals are members of more than one group, they will be given access according to the permissions granted on each asset, with a grant of access taking priority.  MySource Matrix can also be configured to interface to LDAP for user and role information.

Permissions

MySource Matrix allows you to grant read, write or administration privilege to users or user groups:

  • Read Permission: if a user has Read permission for a particular Live asset, they are able to view the asset in your site via their browser.  Any MySource Matrix user with read permission can also view the asset in MySource Matrix.  Unless you have denied public read access to a particular asset, the asset is always visible to the web-surfing public.

  • Write Permission: if a MySource Matrix user has Write permission for a particular asset, they are able to view and update the editing screens of the asset in MySource Matrix, excluding changing status, site settings, permissions, and the workflow and metadata schemas. Users with Write permission may view the asset even if it is not Live.

  • Administration Permissions: if a MySource Matrix user has Administration permission for a particular asset, they are also able to change the status, edit site settings, permissions, and the workflow and metadata schema for the asset in MySource Matrix.
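The User Group and permission rules above can be modelled as follows. This is an added example, not MySource Matrix code: the `Asset` data model, the function names and the assumption that each permission level includes the lower ones are hypothetical, chosen to show how "grant takes priority" behaves when a user belongs to several groups.

```python
# Added example: hypothetical model of the rules described above, not MySource Matrix code.
from dataclasses import dataclass, field

LEVELS = ("read", "write", "admin")  # assumption: each level includes the ones before it

@dataclass
class Asset:
    name: str
    live: bool = True
    public_read_denied: bool = False
    # level -> {user or group name: True (granted) / False (denied)}
    acl: dict = field(default_factory=lambda: {lvl: {} for lvl in LEVELS})

def principals(user, groups):
    """The user plus every User Group the user belongs to."""
    return {user} | {g for g, members in groups.items() if user in members}

def has_level(asset, level, user, groups):
    """A grant held directly or through any group wins over a deny elsewhere."""
    who = principals(user, groups)
    for lvl in LEVELS[LEVELS.index(level):]:
        if any(asset.acl[lvl].get(p) is True for p in who):
            return True
    return False

def can_view(asset, user, groups):
    if has_level(asset, "write", user, groups):
        return True                      # writers may view assets that are not Live
    if not asset.live:
        return False
    if not asset.public_read_denied:
        return True                      # public read is the default
    return has_level(asset, "read", user, groups)

def demo():
    # Constructed sample data: users, groups and the asset are invented for illustration.
    groups = {"Department 1 Content Authors": {"alice"}, "Contractors": {"alice", "carol"}}
    page = Asset("Department 1 home", live=False, public_read_denied=True)
    page.acl["write"]["Department 1 Content Authors"] = True
    page.acl["write"]["Contractors"] = False
    before = has_level(page, "write", "bob", groups)
    groups["Department 1 Content Authors"].add("bob")   # bob joins; the page ACL is untouched
    return {
        "alice_write": has_level(page, "write", "alice", groups),  # grant beats deny
        "carol_write": has_level(page, "write", "carol", groups),
        "bob_before": before,
        "bob_after": has_level(page, "write", "bob", groups),
        "carol_view": can_view(page, "carol", groups),
    }
```

When reviewing a real permission set, the case to look for is the one `alice` illustrates: a deny applied to one group has no effect on members who also hold a grant through another group.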

LDAP Bridge

MySource Matrix provides the LDAP module, which allows you to source user and role information from your LDAP/Active Directory.  Once configured to connect to your LDAP/Active Directory, you can view all your external users and roles within MySource Matrix.  You can also view the name, email address and other details for each user.  When authenticating, MySource Matrix first checks your LDAP users and then your locally defined users.  Clients often take all information about MySource Matrix users (i.e. their staff) from the LDAP directory, and enter all site users for a members area directly into MySource Matrix.

Single Sign-On

MySource Matrix can be configured to authenticate against your Active Directory or LDAP server, to ensure that usernames and passwords are maintained in only one location and the same accounts are used across all systems.  Users are still required to log in to MySource Matrix after logging on to Windows.  However, once authenticated, MySource Matrix can create a session for a configurable period (e.g. 1 day, 1 week or 1 month), thereby saving the user from re-entering the username and password each time they use MySource Matrix.

Member Zones

MySource Matrix allows you to define areas of your site which require users to be authenticated before allowing them access.  These are areas where public read access has been denied.  MySource Matrix hides content in Members Areas from users that do not have appropriate levels of access, including removing references from menus and navigation systems.

Other Security Features

  • Session management - when a user is authenticated, the system allocates a temporary session key that is tied to the user's IP address, so that would-be hackers may not spoof the session.

  • Centralised updates - the centralised management structure ensures that client machines do not act as vulnerabilities to the system.

  • File type restriction - it is possible to restrict the file types that may be loaded to the CMS, and these files are loaded to a non-executable directory. That means if someone were to load malicious code to the server, it would not be executable on the server.

  • Executables restriction - the system keeps detailed audit trails and logs so administrators may analyse attempted security breaches.

  • Audit trails - the system keeps detailed audit trails and logs so administrators may analyse attempted security breaches.

Securing Different Areas Independently

MySource Matrix allows you to secure different areas of your site independently.  You can set specific areas to be publicly accessible, and others to be Members Only or Staff Only, requiring users to be authenticated. You can even set certain areas of your site to require SSL authentication, and others to be unsecured.

External Security/Privacy

At the MySource Matrix level, the access control mechanisms of the underlying operating system are utilised to ensure that only the webserver user has write access to the public data directory (which is needed for storing uploaded files and cached content) and write access is denied to the PHP source code.  The access control mechanisms of the database restrict access to the MySource Matrix and the HIPO Server processes. 
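One way to verify the write-access rule described above on a deployed server, as an added example that is not part of MySource Matrix: it walks a source tree and a data directory and reports where the classic Unix mode bits disagree with the rule. The directory arguments and the `web_uid`/`web_gids` parameters are assumptions supplied by the operator; POSIX ACLs are not evaluated.

```python
# Added example: audit of the write-access rule described above (not MySource Matrix code).
import os
import stat


def web_can_write(st, web_uid, web_gids):
    """Classic Unix mode check; ACLs and root's bypass are out of scope (assumption)."""
    if st.st_uid == web_uid:                      # owner class applies exclusively
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in web_gids:                     # then the group class
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)        # otherwise "other"


def audit(source_root, data_root, web_uid, web_gids=()):
    """Return (source paths the web user can write, data paths it cannot write)."""
    writable_source, unwritable_data = [], []
    for root, bucket, want_write in ((source_root, writable_source, False),
                                     (data_root, unwritable_data, True)):
        for dirpath, _dirnames, filenames in os.walk(root):
            for name in [""] + filenames:         # "" checks the directory itself
                path = os.path.join(dirpath, name) if name else dirpath
                st = os.lstat(path)
                if stat.S_ISLNK(st.st_mode):
                    continue                      # symlink modes are not meaningful
                if web_can_write(st, web_uid, web_gids) != want_write:
                    bucket.append(path)
    return sorted(writable_source), sorted(unwritable_data)
```

Both returned lists should be empty on a correctly configured server; any entry in the first list is a source file or directory the webserver account could modify.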

Additionally, it is important to ensure physical access to your webserver is restricted, and the user accounts are strictly controlled.  External access to your server hosting the CMS should also be protected through a perimeter firewall, a firewall on the CMS server itself, and through the configuration of Apache directives, and the use of SSL.  Finally, your server could be configured so that the Apache webserver is the only process listening to the network externally.

Security Audit

MySource Matrix has been security audited by the Defence Signals Directorate for use by Federal Government Sites and passed all audit requirements.

Secure Deployment on Internal and External Sites

MySource Matrix allows for the creation of secure websites with access-restricted content. It may be used for the creation of intranets, extranets and public websites with members-only areas. It should be noted that MySource Matrix has been security audited by Australia’s Defence Signals Directorate and has been passed for the secure deployment of Federal Government websites.
