Customer portal

Federal agencies in the USA are bound by FISMA (Federal Information Security Management Act of 2002). Implementation is typically based on NIST 800-53, now in Rev 5. This applies from Federal park ranger booths to NORAD. Finance has Sarbanes-Oxley, Healthcare has HIPAA. All of them have similar sets of controls.

I’ve been engaged in improving IT security engineering and compliance for TLAs (three letter agencies) for decades, and it has been an uphill fight, to be sure. Why? Because yes…

Security protocols add friction to EVERYTHING, frustrating AF. It’s the challenge of security engineering. Best of intentions, of course, but security tools are nowhere near reliable enough to either install or manage or use. That’s why it’s work.

But in this day and age… I gotta tell ya, my little list here is just the tip, not the berg.

Right you are! My bad. Rev 5 has, indeed, reversed guidance on resets and strength. I hope I can get my current outfit to adopt Rev 5 sooner than later. And there’s a new control family in Rev 5 - Supply chain compliance – wherein every vendor in a supply chain might have to substantiate IT security compliance. I have NO idea how THAT can ever be enforceable, but it sounds like trouble in the making.

FWIW, AWS does provide for each of the items in my brainstorming list, though not simple checkboxes in every case. I write JSON/YAML every day to implement security policies for users and roles. Which speaks to my previous point about the tools being immature. I loathe coding. All my schooling was in graphic design, for Pete’s sake.

Thanks for Dalacor’s, Tut’s and everyone’s perfectly valid observations and opinions, vis-a-vis practical security measures vs. customer benefit.

1 Like

I don’t doubt that the least bit.

But when I fear forgetting passwords more than having my credentials stolen or fear antivirus software resource tantrums more than spyware and viruses, that must tell you something.

But that might be my PTSD talking. :grin:

1 Like

Seriously you have to be joking.
A chain is only as strong as its weakest link.

If you really want that level of overall security you will have to dramatically reduce the attack surface and harden that component of the software product. The only way of coming anywhere near that is to

  • Have a dedicated externally facing portal
  • Allow limited communication between the portal and the internal IT system (i.e. separated by a firewall)
  • Enforce strict version control and an extensive QA testing protocol prior to live release of any front end software updates

In summary, if that is the security you need on your public facing portal then you need to do some more homework, because you have chosen the wrong base product. Manager is not fit for purpose for that application.

I don’t know if I am making some mistake or anything else…
I am using the latest desktop version (just updated). And the Customer portal link works well on my PC where Manager is installed.
But I copied the same link and tried to open it on my mobile… it displays the error "127.0.0.1 refused to connect". It also does not open on the customer’s side… and displays the same error. :roll_eyes:

Am I doing something wrong? :thinking: :face_with_monocle:

You only access the Customer Portal in the Desktop edition of Manager on the PC where Manager is installed.

If you want to access it from a different device, then you must use the Cloud or Server version.

127.0.0.1 is the IP address used by Manager on the PC - but this address is only accessible from the same PC

(not strictly true, but close enough)

2 Likes
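An added example, not part of any post above and not Manager's code: a check, run before a portal link is sent to a customer, of who can reach it, judged from the host in the URL alone. The function names, the sample URLs and the port number are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit


def link_scope(url):
    """Classify who can reach a link, judged by the host part of the URL."""
    host = urlsplit(url).hostname
    if not host:
        return "invalid"
    if host.lower() == "localhost":
        return "same-machine-only"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # A DNS name: reachability depends on what it resolves to,
        # which this offline check does not look up.
        return "needs-dns"
    # The whole 127.0.0.0/8 block and ::1 are loopback, not just 127.0.0.1.
    if ip.is_loopback or ip.is_unspecified:
        return "same-machine-only"
    if ip.is_global:
        return "routable"
    # RFC 1918, link-local and other reserved ranges end up here.
    return "not-publicly-routable"


def unsendable(links):
    """Return the links a customer on another network cannot open."""
    ok = {"routable", "needs-dns"}
    return [u for u in links if link_scope(u) not in ok]


# Constructed sample links (hosts, port and paths are made up).
SAMPLE_LINKS = [
    "http://127.0.0.1:55667/customer-portal?key=PLACEHOLDER",
    "http://192.168.1.20:8080/customer-portal?key=PLACEHOLDER",
    "https://portal.example.com/customer-portal?key=PLACEHOLDER",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(f"{link_scope(link):24} {link}")
```
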

@lubos - Feature suggestion. Would it be possible to add to the desktop version a banner heading informing users that the customer portal requires the server or cloud version? Otherwise many people will be trying to get the customer portal to work on the desktop version, not realising that 127.0.0.1 is the local loopback address of the computer Manager is installed on.

I would not advise allowing the customer portal on the desktop version for security reasons. You need a proper firewall in place and a securely set server such as the Server edition or cloud edition. This is unlikely to be the case for many users running Manager on their Windows 10 or mac computer.

I was referring to Amazon online shop, not their web services. Never used their web services so cannot comment on that.

I would like to be able to access the customer portal for testing purposes locally. Perhaps a URL (API or otherwise) that I can hit rather than a UI toggle, if it is decided that it should be hidden on Desktop.

Definitely agree that users might be confused with the current implementation. Customer portal requires server or cloud edition if someone wants to send the link to a customer, which makes perfect sense. But less tech-savvy users may not realise that.

@lubos

Whilst this feature is really appreciable, it also comes with a con.

I think this feature should be restricted from other users due to privacy issues. My employees are freely able to activate this feature, which potentially could be harmful for my business, as it is not possible to track how many portals are currently active amongst thousands of customers.

Sincere request to you to look into the matter urgently. Thanks.

1 Like

@raJ this is indeed a vulnerability that I hope @lubos will resolve.

Doing this, I suspect, requires user access control at the field, not tab, level, such as in Customer portal - #20 by Patch. I’m not sure how feasible that is for Manager.

Agree - because a user has access to maintain customer record doesn’t necessarily mean they should have ability to grant portal access to customers.

If not feasible to fix then this great initiative will be a failure. Indiscriminate sharing of links for customer accounts by staff should not be possible and it is now. Yes, we all trust our staff, at the same time we learned to be cautious. The current privileges allow anyone to 1) enable the Customer Portal for a customer, and 2) to share the link with anyone. I agree that this portal should not be used yet as it was clearly explained that this is a concept so the risk is anyone’s. The issue is that it is available to select in any recent version and maybe should not be but like anything else be decided by Administrator in Customize, i.e. have someone enable it. It now is a new “default” and I agree that @lubos should review this as a matter of urgency.

@lubos this option should only be available for administrator or full access users. Restricted users should not have access due to privacy or misuse issues as explained by several forum members.

@ShaneAU I don’t think it should be hidden on the desktop, more that it is made clear to non technical users that the portal is for testing purposes on the desktop version.

@raJ, @Patch, @alasdair and @eko I fully agree that the linking between portal and manager is not well thought out. Already we are seeing users not understanding why it doesn’t work on a different computer if you are running the desktop version.

It is also not possible to track which customers have portals open which is something that I noticed when I first saw this feature. I didn’t raise it, because I wanted the developer to focus on completing more urgent aspects of the portal.

For me it’s not a problem, but I agree that this should not be something that can be activated by anyone who has access to the customer tab. This is actually a very dangerous liability from a legal point of view.

I think the problem is that the developer has developed the customer portal and simply created a link to showcase it to us users, but it is clearly not ready for prime time release. The portal itself looks good, although I agree with many that having permissions to decide whether customers see say sales orders is of importance. But that is fairly simple to add as we already have that functionality in the main part of Manager.

The weakest link appears to be how to connect to the portal from manager. At the moment we just have a url within the customer details in customer tab. With no restrictions, no user/pass requirements, no MFA etc. I would consider the portal to be a beta release not ready to be used in live environments. The url link process needs to be thought out more carefully.

Amazing feature. Worth going to the cloud version just for this feature. Well done!
One major concern though… Is there a way to choose/limit what the customer sees in the customer portal, or not yet?

Example: Can we allow the customer to only see specific fields (or allow them just to see orders or quotes, not invoices and personal details “address, email, phone”)? The reason I ask is that if specific fields can be set as visible for the customer portal, we can hide the customer’s personal information that we don’t want the “public” to see in case someone gets a hold of their link for the customer portal. I’m trialling the cloud version now and this feature is very amazing. Thank you!

I think the issue is that restricted user having access to Customers tab only can gain access to Sales Invoices tab using customer portal. This should not be possible.

I think the solution here is that Customer Portal needs to be new section under Settings where you would create customer portals for customers.

2 Likes

The latest version (21.6.17) is moving customer portals under Settings tab.

This solves user permission issues so restricted user cannot grant themselves higher access through customer portal.

When creating customer portal, you can also specify which tabs they can see.

5 Likes
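An added example, not part of the posts above and not Manager's own code: a small model of the permission problem described in the thread (Customers access alone was enough to open a portal that shows Sales Invoices) next to the gated form the 21.6.17 post describes. The class and function names, and the assumption that the old portal exposed every portal tab, are illustrative.

```python
from dataclasses import dataclass

# Assumed set of tabs a portal can show; tab names are taken from the thread.
PORTAL_TABS = frozenset({"Sales Invoices", "Sales Orders"})


@dataclass(frozen=True)
class User:
    name: str
    tabs: frozenset  # tabs this user may open in the main application


@dataclass(frozen=True)
class Portal:
    customer: str
    visible_tabs: frozenset
    created_by: str


def create_portal_old(user, customer):
    """Modelled 'before': Customers access is enough, the link shows all tabs."""
    if "Customers" not in user.tabs:
        raise PermissionError("no access to Customers")
    return Portal(customer, PORTAL_TABS, user.name)


def create_portal_new(user, customer, visible_tabs):
    """Modelled 'after': creation needs Settings access and a tab allow-list."""
    visible_tabs = frozenset(visible_tabs)
    if "Settings" not in user.tabs:
        raise PermissionError("portal creation requires Settings access")
    unknown = visible_tabs - PORTAL_TABS
    if unknown:
        raise ValueError(f"not portal tabs: {sorted(unknown)}")
    return Portal(customer, visible_tabs, user.name)


def escalation(user, portal):
    """Tabs reachable through the portal that its creator cannot open directly."""
    return portal.visible_tabs - user.tabs


if __name__ == "__main__":
    clerk = User("clerk", frozenset({"Customers"}))  # constructed restricted user
    leaked = escalation(clerk, create_portal_old(clerk, "ACME"))
    print("old model lets clerk reach:", sorted(leaked))
```
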

This is precisely what we were thinking and needing. Keen to check it out on our next scheduled update. Thank you.

The next thing will most likely be addressing the remote access security I guess.

Thank you @lubos this is an improvement and can see where this is going. Can you please also allow us to enable/disable the client summary page as a lot of contact details are presented there that should not be easily shared via links for some customers while others would be ok with it (if given permission for their data to be electronically shared like this).