System Security

System Access and Authorisation

The components of CMP (Converged Monetisation Platform, the MDS Global product that supports customer care and billing for digital service providers) that provide identity, access and authorisation are the Identity Server and Role Extender.

The Identity Server is an instance of WSO2 and provides centralised user authentication, including Single Sign On, and role management across the different components of CMP. A user is a person with the capability to log in to the CMP GUI software, such as a customer service advisor or agent. Users can be created and assigned roles in the Management Console of Identity Server.

You can also create users and assign them access to CMP applications and functionality in the Administration Console, an operations web console that allows batch jobs to be scheduled, run manually and monitored, and that also provides for viewing and modification of business and user applicable system configuration. See the Administration Console Users screen and the online help for more information. More granular maintenance takes place directly in the Identity Server Management Console.

CMP employs a multi-level role-based security model in which each user who has rights to access a CMP component is assigned zero or more roles that define which functional area or resource they can access once they are successfully authenticated.

The authorisation implementation in many parts of CMP uses very granular roles for maximum flexibility and future-proofing. Granting users access to each of these granular roles directly would be too cumbersome, so a number of granular roles are mapped to higher level business roles, and access is granted to these business roles.

The Role Extender, executing in Spring Boot, takes a role to which access has been granted in the Identity Server and returns the full list of lower level roles that it maps to. To determine whether to allow an action to be performed, CMP components use the roles to which access has been directly granted together with the corresponding extended lists of roles returned by the Role Extender.

The mapping of business roles to granular roles is factory configuration that is not designed to be modified when CMP is installed.
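The expansion and the resulting access decision can be modelled as follows. This is an added illustration, not code from CMP or the Role Extender: the role names, the mapping and the function names are all constructed, and the nested business role (`BILLING_SUPERVISOR` containing `BILLING_AGENT`) generalises the one-level mapping described above.

```python
# Illustrative model only. Role names and the mapping below are constructed
# sample data, not CMP factory configuration or the Role Extender API.
ROLE_MAP = {
    "BILLING_AGENT": {"ACCOUNT_VIEW", "INVOICE_VIEW", "PAYMENT_TAKE"},
    "BILLING_SUPERVISOR": {"BILLING_AGENT", "INVOICE_ADJUST"},
    "AUDITOR": {"ACCOUNT_VIEW", "INVOICE_VIEW"},
}


def extend_role(role, role_map=ROLE_MAP):
    """Return every lower level role reachable from `role`, excluding itself.

    The `seen` set makes the walk terminate even if the mapping has a cycle.
    A role with no mapping (granular or unknown) extends to the empty set.
    """
    seen = set()
    stack = [role]
    while stack:
        current = stack.pop()
        for child in role_map.get(current, ()):
            if child != role and child not in seen:
                seen.add(child)
                stack.append(child)
    return seen


def effective_roles(granted, role_map=ROLE_MAP):
    """Directly granted roles plus the extended list for each of them."""
    result = set(granted)
    for role in granted:
        result |= extend_role(role, role_map)
    return result


def is_allowed(granted, required, role_map=ROLE_MAP):
    """Deny by default: allow only if `required` is in the effective set."""
    return required in effective_roles(granted, role_map)


def roles_granting(required, role_map=ROLE_MAP):
    """Access review helper: which mapped roles imply the granular role?"""
    return sorted(r for r in role_map if required in extend_role(r, role_map))
```

`roles_granting` answers the reverse question during an access review: which business roles would have to be withdrawn to remove a given granular permission from a user.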

For more information, see the CMP Security Guide, which covers:

Secure Communication and Encryption

By default, all CMP components communicate over the HTTPS protocol. The required SSL certificates must be obtained prior to installation.

For more information, see SSL Certificates in the CMP Installation Guide.

SABRE Server Encryption

CMP can encrypt all outgoing files and decrypt all incoming files using PGP encryption, following the OpenPGP standard (RFC 4880).

For more information, see SABRE Server Encryption in the CMP Installation Guide.