Security Best Practices

Security represents a strong focus in the design and development of Sage X3. The solution has been audited and certified by an external authority for safe operation in the Cloud.

A security policy is always compromised by its weakest link. It is therefore critical to pay attention to the security of your systems and implementation. Use all available tools for this.

This document summarizes what you should pay attention to when implementing Sage X3.

General security guidelines
Securing on-premise architecture is not optionalGeneral guidelines
Recommended on-premises deployment architectureNetwork securityDatabases security
Platform Security
System securityAuthenticationAuthorizations
Development security considerationsAudit

General security guidelines

Securing Sage X3 on-premise architecture is not optional

Customer details, financial records, staff information – you will store sensitive data using your business software. It might be stored on your servers if you have in-house systems or outside your business, if you use cloud computing services.

You get maximum security for your data without any action if you use Sage X3 Cloud. However, if you choose to install Sage X3 as an on-premise instance, or if you host it with a non-Sage managed cloud provider, there are a few rules to follow.

Wherever your data is, you must take a multi-layered, industry-proven approach to keep your data where it belongs and as secure as possible. This document reviews the main controls you should implement to secure your data.

General guidelines

Sage recommends following the general guidelines below to ensure security.

Use HTTPS for production instances

Sage X3 is a web application that must be accessed using an HTTPS connection.

Keep your systems up to date

Always apply the latest system and software fixes. This includes the latest Sage X3 patches. Our updates can provide enhancements to security, performance, and functionality.

Use network layer controls

Use local firewalls on your Sage X3 servers or network layer controls to lock any IP port that is not needed for Sage X3 operation or user access. Typically for the non-production deployments, if all Sage X3 components are installed on a single server, Sage X3 only needs the HTTPS ports to function. For multiple-server installations, you need to open the ports (or ranges of ports) that Sage X3 components use to communicate with each other.

Recommended on-premises deployment architecture

In the on-premises deployment scenario, the customer is responsible for network and operating system security. The safety of an on-premises installation depends on the security measures that are in place within your network. Sage has achieved excellent results in realizing optimally secure infrastructure for Sage X3 applications in cooperation with the in-house IT specialists concerned.

Sage recommends the following deployment architecture, which is quite similar to the cloud deployment architecture.

The Sage X3 ERP is accessed via a web server that routes the traffic to the relevant environment whereby the web server is responsible for the TLS connections. We also recommend implementing a relevant security perimeter in front of the web server in case the application(s) built in Sage X3 are exposed to external users.

We recommend configuring the database for dedicated use by Sage X3. For supported versions of web servers, operating systems, and databases, see the system requirements for the latest Sage X3 release as described in the release Reference Guide.

The architecture you implement is key to your security, especially if your system can be accessed from the public Internet. To connect your systems and make them available from the Internet, you have to configure network layer controls before enabling internet access.

Network layer control

Any secure deployment requires some measure of network access control. Sage recommends a three-tier architecture for Sage X3 production deployments, which includes appropriate network layer controls. The goal of network access control is to restrict communication to the application systems and Other communication attempts are blocked.

We recommend to logically segment the subnets and restrict the communication between the tiers. Best practices for logical segmentation include:

Sage X3 uses several components that communicate together through IP ports. The only port that actually needs to be accessed by users for Sage X3 to operate is the HTTPS port (443 by default). All other ports can (and must) be protected from external access, especially if the server is accessible from the Internet. The MongoDB port (27017 by default) and the Elasticsearch port (9200 by default) are examples of ports that should not be available.

The servers on which Elasticsearch is installed must not be exposed over the network. It should only be accessible from the node.js servers. The Sage X3 platform sends the query to Elasticsearch with additional security filters, based on the privileges of the user. When you access the Elasticsearch server directly, you can bypass these security filters: this compromises security by returning all the relevant indexed data.

In addition to the above network layer controls, we recommend configuring a proxy layer with all the protection mechanisms mentioned below:

Please refer the ports/services table for creating necessary access rules between the logical segments.

ComponentOpen portAccessed byPort Access
AdxAdmin1895 (formerly 1818)X3 ConsoleStrictly localhost only
X3 server runtime20100, 20101, .. (formerly 1801, 1802, …)Node web server, Print Server, Other X3 server runtime if anyRestricted access to necessary services only
Print server1890Node web server, X3 server runtimeRestricted access to necessary services only
Node web server443BrowserRefer to the recommendations provided
Node web server8124Node web serverRestricted access to necessary services only
Node web server (debug proxy)9514Node web server,X3 server runtimeDevelopment environment only with restricted access to necessary services only
MongoDB27017Node web serverRestricted access to necessary services only
RDB1521 (Oracle), 1433 (MSSQL)X3 server runtime, X3 services componentRestricted access to necessary services only
ElasticSearch9200Node web serverRestricted access to necessary services only


The AdxAdmin service running on port 1895 (formerly 1818) should not be exposed to the network and should be limited only to localhost.

Network security

Database security

Databases must be secured following the principles listed below.

Relational database

The server on which the relational database is installed must not be exposed over the network.

Only the SAFE X3 server (application/run-time) and the report server can access RDBMS. Execution servers and report servers are proxies that get the data requested by external services.
Never set up the database connection to the platform with the database administrator account. This account is only required for some configuration steps, and it can be changed afterward.

MongoDB database

The servers on which the document database is installed must not be exposed over the network. Only the node web server needs access to the MongoDB database.

Please follow the official guide on Mongo DB security.

Consider getting the enterprise version of MongoDB for additional security.

Platform Security

Secure your servers with tight user access rights

The servers that host Sage X3 components contain configuration files and other data vulnerable to inside threats. Administrators should be the only roles allowed to log in to the servers. Make sure that you set up users for Sage X3 Administration with the appropriate rights to the relevant directories.

Caution: Do not mix Server Administrators with Sage X3 Administrators.

Sage X3 servers should be built using industry-standard guidelines (such as the Center for Internet Security benchmarks) which are freely available. It is also possible to use the CIS approved images for the installations to meet the security standards.

Stop or disable services that are not required

Sage recommends using CIS benchmark controls for operating system hardening.

Be sure to not have running services you do not need. A good practice is to put the start mode of those services to Disabled or Manual if you think you may need it at some point.

The Sage X3 Adxmin service is required only when configuring the solution and thus can be put to Manual start mode.

System security

The filesystem security of the different servers should be implemented with the relevant tools (antivirus, network access security, etc.) at the right level. Make sure these tools do not cause performance issues. For example, avoid running a continuous antivirus scan on a database server.

On application and process servers, the SAFE X3 engine runs in a sandbox. This allows you to control the system commands that are launched, and the location where files can be read, created, modified, or deleted. This prevents malicious code written for the execution engine from running operating system commands (by using System instructions).

Setting up the sandbox is recommended, especially if you operate in a Cloud, or if the SAFE X3 code is supplied by external vendors.

Please, refer to the Sandbox configuration file documentation to ajust it according to your needs.


Use advanced authentication

Sage X3 supports several identity providers, such as:

This improves security by offloading the management of user credentials that do not transit through the ERP (when integrated with Oauth2 identity providers or with Sage ID). It also improves the user experience by providing a Single Sign-On (SSO) experience.

Note: You can securely store the credentials you generate in password managers. You can use any of the authentication methods described above, but you should never use the basic authentication in production, as it is only intended for demos.

Caution: A user account should never be shared to ensure traceability of user actions.

Use strong passwords

Make sure you change the default Sage X3 Administrator password to a strong password after the application setup. Please consider the following recommendation as a minimum:


On the web platform

Once authenticated, users are connected to the platform with a user login account. Each user belongs to at least one group, and each group is associated with a role.

When logging in, the user can select the role to use among the list of authorized roles. This role is linked to a security profile which is associated with a level (0 to 99, 0 being the most powerful).

The security profile defines the privileges a user has on platform operations. Make sure you assign a set of roles with appropriate security profiles to each user. As the platform administrator, you can define as many roles and security profiles as necessary.

Always apply the least privilege principle when designing your roles.

A security profile can grant twelve different privileges, of which the following are critical for security:

Note: technicalSettings is typically a privilege that should be assigned to a single ADMIN role.

On the folders

What we call a folder is the repository that contains business data related to one or more companies having one or more sites (each company is linked to a legislation code). A folder is identified as an endpoint on the platform. Groups specify the endpoints a user is allowed to connect to. This list is critical for security.

Caution: Make sure each user is only granted access to the appropriate list of folders.

A user who connects to the platform is identified by a user code in each folder. By default, the user code and the user login account are the same. However, it is possible to redefine the user code for each endpoint on the user administration page.

In each folder, it is possible to define access to the information at a very detailed level:

Thanks to these features, you can set up access to critical data differently on each folder for a given user.

Caution: Make sure you maintain these rules over time. Keep them as simple as possible, without compromising the security policy you need to enforce.

For each folder, there is a main administrator user code. It is ADMIN by default, but you can change it by setting up the ADMUSR parameter. Only use this user code for tasks that require it.

Note: It is recommended to use ADMCA instead of ADMIN according to the principle of least privilege. ADMCA is an admin user with a restricted set of functions.

Web server configuration

The security of the web server is configurable through the nodelocal.js file, we recommend to:

See the nodelocal configuration file for more details on these parameters and how to set them.

Development security considerations

Sage X3 is supplied with a developer workbench that allows bespoke development. This can bring additional security threats that you can address with the following best practices:

Disable development capabilities in production

Development mode is intended to be used in a dedicated environment with no access to any production servers.

SQL injection

The SAFE X3 language includes ExecSQL and SQL functions with an argument that can be evaluated. All data used to build SQL statements must be properly escaped.

HTML injection

This security issue can only happen when additional graphical components are added to the user interface. At the moment, the extensibility tool is only available for early adopters. Detailed security guidelines will be given to developers, but they are out of the scope of this document. A dedicated security audit will be done on additional components supplied by external providers to prevent this risk.


Sage X3 includes a set of tools that might be activated in production. This is a best practice after a period of operation, especially with the following tools:

Caution: Using some of these tools (especially the first two) can significantly impact performance. It is therefore recommended to use them only for a short period of time, and for a limited number of users, when applicable.