This document explains KanbanBOX technical specifications concerning security.
Firewall rules to authorize access to KanbanBOX
In order to allow network communication to the KanbanBOX infrastructure, the following domains must be whitelisted in the company firewall:
- *.kanbanbox.com (where * means all of the subdomains)
KanbanBOX IP addresses may vary over time, depending on workload and infrastructure development; so it’s very important to allow the *.kanbanbox.com domain, not just the at-the-moment associated IPs.
Optionally, the KanbanBOX team can provide access through static IP addresses when the company firewall is not able to manage DNS rules with dynamic IPs.
Type of users
A user can be defined as:
- Personal account, for individuals
- Shared workstation, for shopfloor shared workstation and devices.
Users’ access to the KanbanBOX graphic interfaces is protected by a combination of username/password.
Access to the API is granted by adding an API key to each request. The API key is uniquely associated to one user, and can be changed or deleted as needed.
Password and API key have to be considered secret and, consequently, must be kept appropriately.
Multi-factor authentication (MFA) can be activated for each user, for an additional level of security.
Every authorized access, as well as every rejected access attempt, is recorded in the access log, available for inspection to all admin users inside the web interface.
Filter access based on IP
Upon request, the Client can specify the set of company gateway IPs from which users are authorized to access KanbanBOX.
The filter based on IP addresses can be enabled by user type (personal account, shared workstation).
Federated access and Single-Sign-On (SSO)
Optionally, the KanbanBOX team can configure Single-Sign-On (SSO) access connecting to the company identity management software with SAML 2.0 compatible technology.
The SSO access can be forced based on the user type (personal account, shared workstation).
The SSO access is also supported by the KanbanBOX Android/iOS apps.
Filter access based on the environment
A user can be configured to access both production and test environment, or to access only the test environment.
Management of permissions based on roles
The set of functionality every user can access depends on the user role. Available roles in KanbanBOX are:
At the following link is present the list of permissions by role: List of permissions by role.
Integration with Identity Management System
Upon request, the user management in KanbanBOX can be automated through the integration with an external Identity Management software. The Identity Management software can be configured to create/update/delete users in KanbanBOX, while local user management in KanbanBOX can be restricted or disabled.
All communications between clients and KanbanBOX servers use HTTPS protocol and are encrypted with SSL/TSL technology.
Security of the integration from KanbanBOX to external software
Integration flows from KanbanBOX to external software require, in most of the cases, that KanbanBOX connects to the software to send messages when an event takes place in KanbanBOX.
Webhook is the tool used in KanbanBOX to send these messages. Here the full documentation: Webhook.
KanbanBOX can send data to external systems over the HTTPS protocol, calling Rest or SOAP type services, or over files exchange protocols (SFTP, FTPS).
With HTTPS protocol, KanbanBOX can authenticate with:
- HTTP Basic Authentication
- Token-Based authentication
- Oauth2 Client Credentials authentication flow
With SFTP/FTPS, KanbanBOX can authenticate with:
- username and password
- public key provided by the customer
KanbanBOX test and production enviroments can be configured to use different endpoints and credentials.
Filtering access based on KanbanBOX IP addresses
To communicate with external services KanbanBOX uses a static set of IPs, consequently an external system can filter the inbound requests by authorizing only requests from KanbanBOX IPs.
The KanbanBOX team can provide a link with the list of static IP addresses, always updated.