Most M3-customers have not secured their data – are you one of them?
One of the things most IT managers do not want to talk about is the security of the APIs in their M3 installation. The fact is that most M3 customers today are running M3 without security on the API layer.
Is this a big deal? Yes it is!
Traditionally, APIs were used by other systems only, so one had to enable API access for e.g. a MECUSER, a WMSUSER etc., and disable access for everybody else. Today, everybody is using APIs (already when logging on with SmartOffice/H5, and through Mashups, scripts or other M3 applications).
Doesn’t M3 have support for securing the APIs? Yes, but…
Securing the APIs in M3 is done through the program SES005. The challenge is that this implementation is really, really simple and not manageable when it comes to thousands of M3 transactions and many users. Since there is no support for grouping users or APIs in SES005, it is almost impossible to manage all transactions and all users in SES005.
This hasn’t been a problem before. Is it really a problem? Yes!
There are three reasons why this is a much bigger problem today than it used to be.
- Everybody needs access to APIs today (or else they cannot log on to M3 at all). Previously only a few users needed access to the APIs.
- Almost everything in M3 now has API support. This means that you can update, create or delete almost everything in M3 through APIs. In early versions of M3, the API support was very limited.
- With the newer versions of M3 (10.1+), users can run APIs directly from their browser (e.g. Internet Explorer). Previously you needed a program (e.g. MITest) to actually run any transactions, which reduced the chance of someone doing something they should not.
Are you one of them?
For most M3-implementations we have seen – any M3-user can do anything they like in M3!
Is there a solution to help secure your APIs? Yes, now there is.
We have implemented a solution that helps you manage the API security automatically, based on your security settings for M3 Functions.
Please contact firstname.lastname@example.org to get more information on our Vince Security Center.