Project Reporter Help: Security guidelines

Contents : Introduction to Project Reporter
Security guidelines

Project Reporter allows you to create user accounts and passwords to control access to project information. However, these security features are designed more for convenience and ease of use than for impenetrability. The user account mechanism is designed to facilitate use of the same account by multiple users (provided that the licensing requirements are met), and passwords are transmitted in unencrypted form. Therefore, it is possible for a knowledgeable and determined user to gain access to project information that s/he would not normally be able to see.

If you wish to provide more robust security for reports generated by Project Reporter, you should configure it to work with one of the supported third-party web servers, which have more advanced support for user authentication and request filtering. You can also make use of supplementary security tools such as network firewalls and directory permissions.

Sample scenarios

Here are some examples of how you might configure Project Reporter for different user environments:

Environment	Requirements	Security
Simple intranet	All project information can be shown to anyone on intranet Intranet is behind a firewall, or not connected to Internet	No special configuration required — use a stand-alone web server such as Apache Tomcat, and let all users enter as Guest (each user still requires a separate client license)
Restricted intranet	Project information can only be shown to people involved with project, and some users should not see cost information Intranet is behind a firewall, or not connected to Internet	Use the stand-alone web server, but disable the Guest account and create separate report views with and without cost information included. Create separate individual or shared user accounts for users who should or should not have access to cost information, and assign the views appropriately to these accounts. Optionally, set operating-system permissions on directories used as data sources by Project Reporter, to prevent unauthorized direct access to project files via a shared file system.
Restricted extranet/Internet	Reports need to be accessed by people in branch offices or other outside sites Outside users are on extranet or Internet	Use the stand-alone web server if you have a closed extranet, or configure a server such as Apache Tomcat with a third-party web server or SSL to restrict outside access to certain domains or users.
Unrestricted Internet	Reports are accessible to anyone visiting your public web site	Use the stand-alone web server and/or a third-party web server or SSL, and create a link from your home page which logs all users in as Guest (requires unlimited-client license).