Enabling security for data grids

After you create your data grids, the security of the data grid is disabled by default. You can change the security settings for a data grid to restrict access to a certain user or group of users.

About this task

When a data grid is a part of a collective, you can configure security and access control for that data grid. The security setting ensures that clients accessing that data grid must be authenticated. If the collective is configured to require authentication for all data grid access, authentication to the specific data grid is always required. Requiring authentication may not sufficiently limit grid access. For example, in the case of LDAP authentication, any LDAP user may access the specific grid. To restrict access, you can enable authorization for the grid.

Important: When you change the security settings for a data grid, the data grid automatically restarts. When the data grid is restarted, any data that is in the data grid is lost. Configure the security for your data grids before you begin to save data in the data grid.

Communication through the REST gateway is always secure, even if you do not have security enabled on the data grid. See REST gateway: Security configuration for more information.

Procedure

In the user interface, navigate to the data grid settings. Click Data Grid > data_grid_type. Click the data_grid_name that you want to edit.

Enable security or authorization for the data grid. Click Enable security to enable any user that has access to the user interface to access the data grid. If you want to further restrict access, click Enable authorization.

Note: You cannot enable authorization for a session data grid.

With authorization enabled, you can specify a list of users or user groups in the Access granted to list. When enable authorization is selected, only users that are listed in this access list can access the data grid data. You can assign the following access to users or user groups by clicking the name of the default access type that is displayed in the user interface:

Table 1. Access permission list and descriptions
Access Permission	Description
all	Read, query, update, insert, remove and invalidate data in the data grid, and create dynamic maps. Appliance administrators have all permission by default.
create	Read, query, update, or insert data in the data grid, and create dynamic maps in the data grid.
write	Read, query, or update data in the data grid. When using the REST interface, the write permission offers no additional permissions over the read permission. For more information, see REST gateway: Security configuration.
read	Read or query data from the data grid.

When you change the security and authorization settings, there is a timeout value of five minutes.

Authentication timeout: If you change a user password for a user that has already been authenticated to the data grid, the original credential is still valid for up to five minutes.
Authorization timeout: If you remove a permission for a user, that user continues to have the permission for up to five minutes. This timeout applies only for permissions that are removed. If you add a permission to a user, the user gets the permissions immediately.

Optional: Enable cross-site request forgery (CSRF) protection. Click Appliance > Settings, and expand Security. The default setting is Enabled. This protective can help decrease cross-site request forgery (CSRF) vulnerabilities. For example, you log in to a website that is hosted by the appliance and establish security credentials using cookies. While logged in to the website, you connect to another website that contains a malicious HTTP request to the target website. This malicious request is then run, without your knowledge, to change the user password, for example. SSL and standard authentication schemes do not protect against this threat. Therefore, sensitive data that exists in log files can be compromised when CSRF vulnerabilities exist. Use this setting to decrease that risk.