Security
On the Version 7 and above platform, security is managed according to the following main principles:
* Standard web browsers and the 'http' or 'https' protocol are used. The web technology provides a first level of insulation between the web server and the workstation.
* Passwords are not transferred over the network. The authentication system is based on standards: it can be the Windows login, controlled through an LDAP directory, or OAuth2 authentication (a redirection is done to the authentication server). For simplicity, or for autonomous demo servers, a fallback solution based on users and encrypted passwords stored in the Sage X3 People Web Server is available, but it is not to be used for production environments.
* The connection between the Sage X3 People Web Server and the Sage X3 People server is based on certificates that are created at installation time by a private certificate authority.
* Rights management is done at service level and is based on the function profiles associated with the user.
* Access by the Sage X3 People processes to the server is restricted by a whitelist of authorized directories.
* On the Sage X3 People Web Server, the 'node.js' and 'mongodb' processes and/or services do not require root or administrator privileges.
One consequence of this is that the password management that was handled by Sage X3 People is now obsolete and no longer used; the security rules for passwords are now managed by the security providers you choose (Google, LDAP rules).