Usage instructions
Important: before using the
access key functionality (see
Configuration), please read the following (security) instructions thoroughly.
General
• This functionality is meant to provide (read-only) access to information in Planon or a third-party application that needs access to data in Planon, such as: surveys, charts, etc.
• This functionality only works for Self-Service, SDK and Kiosk clients and Planon apps.
Self-Service and Kiosk clients
• As security measure, throttling is applied to restrict the number of authentication requests via the access key per time interval, per client. The throttle time interval is only checked per client computer.
• If you log in with the access key, your session is 'state-full', which means you stay logged on until you log off.
SDK
• The SDK connector supports access key authentication via the HTTP header instead of extending the URL. The Authorization parameter is set with a custom planon type: AUTHORIZATION: PLANONKEY accesskey=<key>. With this implementation, the key cannot be retrieved when using HTTPs.
• If you log on with the access-key your session is stateless.
Hardware requirements
• Make sure your application has enough memory to accommodate these logins (check with your system management to evaluate your current memory usage).
Security
Because access keys allow you to provide users access to the Planon application, Planon expects customers to understand the impact and follow security guidelines responsibly.
It is important to acknowledge that anyone who has your access key has the same level of access to the resources that you do.
Because users may be inclined to think that it cannot do any harm, they will much easier share a link than they would share a user name and password. Planon, therefore strongly recommends being very strict when using this functionality:
• Keep in mind if you distribute an access key, all people using it will use the same account to access Planon.
• Do not provide/generate an access for your root user. Anyone who has the access key of your root user has unrestricted access to all the resources in the account.
• Do not distribute access key links freely, only share them on a need-to basis.
• Only use this kind of access if you really cannot use a user name and password solution.
• Limit the ability to generate key pairs to a dedicated account.
• Set an expiry date of the access key pair.
• Limit (access) privileges of the account for which this functionality is configured.
◦ It is best to remove Web Client access for this account.
◦ Only enable those product definitions that are required.
◦ If used for the SDK, then only enable access to the SDK. If used for Kiosk, then only enable access to Kiosk etc.
• Limit the rights of the account to that what you want to accomplish.
• Make a Planon Self-Service form for the account for which you are generating access keys only, do not use it for other purposes.
License
When using access keys, Planon licenses will be consumed as usual. The type of license applicable determines the license usage, the number of concurrent users granted access, etc.:
• Named user: If the account is connected to a named user license, an unlimited number of people can login because they all use the same account.
• Hit count: each login and usage will consume hits and increment the hit count.
• Concurrent license: you can only login as many times as you have concurrent licenses.
• Watch out with configuration make sure the regular Planon users still have a license. Make an assessment of the number of concurrent logins you expect.