This section explains how to set up and configure securiCAD Enterprise
There are two kinds of licenses. System wide licenses and organization specific licenses.
- System wide license
Sets the maximum possible value for that whole system.
- Organization license
Can have its own limitations, but cannot be more permissive than the system license. If no organization license is applied, it will use the system wide license.
When securiCAD Enterprise is accessed for the first time, you will be asked to apply a system license. This will set the license for the whole system and all organizations if a specific organization license is not set. Select Upload license and upload the license file you received from foreseeti.
Organizations will inherit the system license if no other license is selected for the organization. There are two ways to set an organization license:
- As the system admin, go to Admin > Organizations and click on the license of the organization you want to change. Then select Replace license and upload the new organization license.
- As an admin of an organization, go to Admin > License and select Replace license to upload a new organization license.
securiCAD Enterprise is a multi-tenant system and Organizations can be used to separate users and data into groups. Each organization will have their own URL to access the securiCAD Enterprise instance, but the system can still be managed centrally.
To create new organization, login as the system admin and go to Admin > Organizations. Select New organization and select a name for the Organization.
Note: the name you choose will be a part of the URL for the organization and used when organization members login.
Members of an organization have to login via a custom URL automatically generated based on the organization name. For example, for a member of the “test” organization in securiCAD Enterprise on IP 10.0.0.1, the URL to login would be: https://10.0.0.1/login/test
Administration of users and system permissions is done under Admin > Users in the sidebar. Managing user accounts and the system roles is only available to the system admin.
On the Users page, select Add user to create a new user.
The Username is the name the user will use to login to the system. There are four different system roles for a new user (the system roles do not specify which projects a given user has access to or what type of privileges the user has in these projects):
1. A User can only interact with existing projects the user has been added to in the Organization.
2. A Project creator have all the rights of a User and can also create and delete projects.
3. An Admin have all the rights of a Project creator and can also add and delete other Users and Project creators in its Organization.
4. System admins can manage, create and delete all other users and organizations as well as see all data in all Organizations and Projects.
The user’s Organization will determine what set of Projects the user can have access to. Project access is governed by separate, specific project roles managed inside the project. Refer to the Projects section for a description on how to manage project access.
Set a temporary Password so that the user can login the first time and update the password.
A Project is an administrative entity that allows you to manage user access to Scenarios, Models and Simulation results. Users in an Organization can be added to a Project with various level of access and permissions.
Open an existing project or create a new one. Go to Project overview > Users do manage access to the project. Select Add user to select users from the organization to grant access to. There are three different projects roles:
- A Guest can only view the project and cannot delete or alter any information. This includes starting scenarios and simulations.
- A User has the rights to alter project information and to start simulations but is not permitted to delete a project or to manage project user permissions.
- A project Owner has full project administration rights, including deleting the projects and user permission management.
Webhooks allows you to subscribe to simulation results in a project, and the Webhook menu allows you to manage webhook endpoints on a per-project basis
If a project with a webhook configured has a simulation finish, a HTTP POST request is made to the specified URL with a JSON blob containing the simulation results and some simulation metadata
- Project containing the simulation
- User that triggered the simulation
- URL to view the report
Currently there is no validation of webhook post receiver ownership, so make sure you write the correct URL.
If you list multiple webhooks the result will be posted to all of them.
To get started with webhooks you need securiCAD Enterprise 1.10 or above, and a web server that listens to HTTP POST requests. See the code below for a simple Flask python application webhook.py that works as a good starting point. Note that this example requires you to install Flask and its dependencies in your python environment and export the FLASK_APP environment variable. You do that by using pip "pip install flask". As for exporting FLASK_APP depends on what OS/shell you're running. In bash, you’d write export FLASK_APP=webhook, in PowerShell you’d write $env:FLASK_APP = “webhook”.
from flask import Flask, request, Response import json import os app = Flask(__name__) @app.route('/webhook', methods=['POST']) def respond(): print("New post received") filedir = os.path.dirname(os.path.realpath('__file__')) filename = filedir+"\output.json" with open(filename, 'w') as file: json.dump(request.json, file) return Response(status=200)
Start the server with flask run --host=0.0.0.0 and some output should be presented, with the last message saying “Running on http://192.168.xxx.xxx:5000/”. This is the IP address the webapp is listening on. In other words where we need to direct the webhook POST message coming from securiCAD Enterprise. Note: do not close this terminal window, because doing so will shut down the server.
Now we need to go into the securiCAD Enterprise web GUI. In the GUI, click on the project (assuming you already have one, if not, create a new project) you wish to hook up to the server. On the left-hand side, you should see Webhooks in the menu. Click on it, then click on “Add webhook”. Type in http://xxx.xxx.xx.xxx:5000/webhook, with the X-es replaced by the IP that we got from Flask earlier. Now, go back to the project. Upload a model and
start a scenario. Once the simulation is finished, you should receive a notification in the terminal running the web server that a new request has been received, with the simulation results and metadata with a timestamp. The result of the simulation can be found in the output.json-file, which can be found in the the same folder that contains the webhook.py-script.
The output.json file will likely not be formatted correctly due to being sent as a web packet, so additional json formatting may be required. This can be resolved automatically with most common text editors such as Visual Studio Code.
The integrity of a self-hosted securiCAD Enterprise installation depends on the security of the hosting machine and the dedicated user account on which the solution is running. All sensitive data is stored in a database and is only accessible to the dedicated account.
All web traffic is authenticated and encrypted as well as the traffic to and from the message broker. The authentication and encryption depend on self-signed certificates delivered with the deployment. The certificates can be replaced with third-party certificates, cloud certificate managers or certificates issued by the organization.
All relevant user, project and simulation data is stored in a dedicated database. securiCAD Enterprise can be deploy with any PostgreSQL-compatible database with encryption, replication and redundancy. Data can also be stored in a SQLite database locally on the machine.
Users of securiCAD Enterprise are authenticated through SSO or with a username and password. User accounts can be managed by the organization in a role-based access control system. Certificates can be used to restrict access to the securiCAD Enterprise instance further.
When a user is successfully authenticated, a JSON Web Token (JWT) is issued and stored in the browser session storage which grants the user access to the data and roles assigned to the user.
Authentication and authorization to RabbitMQ is done by an auto-generated account.
The files necessary for backup are all held in the
/home/es directory. This includes both the securiCAD Enterprise user information, the models, simulation results and the configuration. The files to backup for a full restore or re-installation of a system are:
If you are unsure where the database is located, check the configuration parameter described here: https://docs.foreseeti.com/docs/backend-configuration#sqlalchemy
Updated about 1 month ago