
Vince Live Security Overview

Vince Live is a modern, serverless SaaS application providing a secure, scalable, and easy to use platform for running workflows in the cloud.

Overview

General

Vince Live - the Software as a Service that processes workflows.

VXL Live - the Excel Add-in that uses an Excel spreadsheet as input and output data to Vince Live workflows.

Shared Responsibility Model

As a SaaS solution, Vince Live follows the Shared Responsibility Model (external link). It is important that customers understand this model and their respective security responsibilities within Vince Live.

Customers are responsible for securing their own data and user access within the Vince Live environment. By adhering to the shared responsibility model, customers help to minimise security risks and ensure the overall security and availability of the Vince Live SaaS solution.

Authentication and Authorization

Vince Live supports strong authentication with MFA, and can be integrated with most third-party Identity Providers (IdP) for Single-Sign-On (SSO) using the OpenID Connect (OIDC) protocol.

API clients using the OAuth 2.0 protocol are supported, allowing for secure machine-to-machine communication and automation.

For authorisation, Vince Live uses a role-based access control (RBAC) model with per-resource allow and deny rules (see Roles and Attribute-Based Access Control below), allowing for fine-grained access policies.

Data storage and communication encryption

All data stored in Vince Live is encrypted at rest using AES-256. Whenever possible, customer-specific encryption keys are used. All encryption keys are stored securely in FIPS 140-2 compliant Hardware Security Modules (HSMs).

In transit, data is protected using TLS 1.2 or later.

Network Security Requirements

This section outlines the essential network security requirements and configurations for accessing Vince Live services.

Domain Whitelisting

For organisations with restrictive security policies requiring domain whitelisting, the following domains and ports should be allowed:

Production Environment

Protocol   Domain               Port
HTTPS      *.vince.live         443
WSS        graphql.vince.live   443

Development & Staging Environments

Note that you only need to allow these if you have been assigned explicit access to our dev or staging environments.

Protocol   Domain                          Port
HTTPS      *.dev.vincelive.dev             443
WSS        graphql.dev.vincelive.dev       443
HTTPS      *.staging.vincelive.dev         443
WSS        graphql.staging.vincelive.dev   443

TLS Requirements

  • Vince Live exclusively supports TLS 1.2 and later versions
  • Earlier TLS versions are not supported for security reasons

Notes

  • All connections are encrypted using industry-standard protocols
  • WebSocket Secure (WSS) connections are required for real-time features
  • No long-polling fallback is implemented, so a proxy that blocks WebSocket upgrades will break real-time features
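The following is an added example, not code from Vince Live's documentation, showing how to check a list of planned connections against the allowlist published above and how a client script should pin its TLS floor. The matcher treats `*` as one leading label, as TLS certificate wildcards do; that is an assumption, because proxy and firewall products differ in how they interpret `*.vince.live` (some also match the apex or deeper names), so confirm your product's semantics rather than relying on this function. The sample request list is constructed.

```python
"""Egress allowlist and TLS floor check for Vince Live endpoints (added example)."""
import ssl

# Allowlist entries as published on this page (production plus dev/staging).
ALLOWLIST = [
    ("https", "*.vince.live", 443),
    ("wss", "graphql.vince.live", 443),
    ("https", "*.dev.vincelive.dev", 443),
    ("wss", "graphql.dev.vincelive.dev", 443),
    ("https", "*.staging.vincelive.dev", 443),
    ("wss", "graphql.staging.vincelive.dev", 443),
]


def host_matches(pattern: str, host: str) -> bool:
    """Match a host against one allowlist pattern.

    '*' stands for exactly one leading label (TLS-certificate wildcard rules):
    '*.vince.live' matches 'app.vince.live' but neither the apex 'vince.live'
    nor 'a.b.vince.live'. Assumption: your proxy may be broader or narrower.
    """
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]  # ".vince.live"
    if not host.endswith(suffix):
        return False
    label = host[: -len(suffix)]
    return bool(label) and "." not in label


def is_allowed(scheme: str, host: str, port: int = 443, allowlist=ALLOWLIST) -> bool:
    """True if some allowlist row permits this scheme, host and port.

    Scheme is part of the match: 'wss' needs its own row, the HTTPS wildcard
    row does not cover WebSocket traffic on a proxy that filters by protocol.
    """
    scheme = scheme.lower()
    return any(scheme == s and port == p and host_matches(pat, host)
               for s, pat, p in allowlist)


def blocked_requests(requests, allowlist=ALLOWLIST) -> list:
    """Return the (scheme, host, port) tuples the allowlist would not permit."""
    return [r for r in requests if not is_allowed(*r, allowlist=allowlist)]


def client_tls_context() -> ssl.SSLContext:
    """TLS settings for scripts that call Vince Live: TLS 1.2 floor, certificate
    and hostname verification on. The server refuses older versions anyway, but
    pinning the floor client-side stops a downgrade attempt from even starting."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


# Constructed sample of what a Vince Live session and a misconfigured client might open.
SAMPLE_REQUESTS = [
    ("https", "app.vince.live", 443),
    ("wss", "graphql.vince.live", 443),
    ("https", "vince.live", 443),               # apex: not covered by *.vince.live
    ("wss", "graphql.vince.live", 8443),        # wrong port
    ("https", "evil.vince.live.example", 443),  # look-alike domain
]

if __name__ == "__main__":
    for req in blocked_requests(SAMPLE_REQUESTS):
        print("blocked:", req)
    print("client TLS floor:", client_tls_context().minimum_version.name)
```

Run it against the hostnames your proxy logs actually show; a WSS request that appears in the blocked list explains a "real-time features do not work" ticket, since there is no long-polling fallback to mask the problem.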

Connection to M3 and User Permissions

Vince Live integrates with the Infor ION API gateway (both M3 CE and on-premises) using a service account to access the M3 REST APIs. This allows for a secure, easy-to-implement integration between Vince Live and the customer's M3 environment.

The service account has permission to run as another user, which it does by default in M3 CE.

In Vince Live, every user can be tagged with their M3 User ID. Every M3 transaction is then performed using that user's ID and permissions. Consequently, the API permissions configured in M3 are applied, and a workflow fails if the user does not have the required permissions.

If the Vince Live user is not tagged with an M3 User ID, the ION API gateway service account is used as a fallback; the service account is also used for non-interactive workflows. In either case the M3 calls run with the service account's own M3 permissions rather than the user's, so users should be tagged wherever per-user M3 authorisation matters.

VXL Live

VXL Live is an Add-in to Microsoft Excel that allows for easy import/export of M3 data directly from within a spreadsheet.

The Add-in is largely a special embedded version of Vince Live, with the same security controls as the standard browser-based version.

The VXL Live Add-in only communicates with Vince Live using encrypted traffic - it does not directly access any other services.

FAQ

  • What identity providers are supported for Single Sign-On (SSO)?

    Vince Live supports all OIDC-compliant identity providers, such as Microsoft 365 / Azure AD (now Microsoft Entra ID), Okta, Ping, Google, and more.

  • Do you support SAML for SSO?

    No, Vince Live only supports OIDC compliant identity providers.

  • How are M3 User IDs handled when using M3 APIs?

    The connection to M3 is set up in the Infor ION API Gateway with a service account. This service account has permission to run as another user, which it does by default in M3 CE.

    Every user in Vince Live can be tagged with their M3 User ID. When this tag is present, every M3 API transaction in workflows run by this Vince Live user is sent with the defined M3 User ID as the current user.

    This means that any M3 API permissions configured in M3 are applied, and workflows fail if the user does not have the required permissions, as expected.

    If the Vince Live user is not tagged with an M3 User ID, the ION API Gateway service account is used as a fallback.

  • How can I automate the update of M3 UserIDs?

    Depending on your configuration, this can be done with a workflow:

    • the workflow reads from the Microsoft Graph API or the Infor IFS API to get a list of user emails and M3 User IDs
    • using this list, it updates the Vince Live users through the Vince Live Users API

    Please contact Vince for assistance in setting up such a workflow.
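The reconciliation step of such a workflow, as an added example that is not Vince's own workflow or API code. It serves both the M3 User ID fallback rules described under "Connection to M3 and User Permissions" and the automation question above: given a directory export (Microsoft Graph or Infor IFS) and the current Vince Live user list, it computes which tags to set and which cases need a human decision. The record shapes, field names and sample data are constructed assumptions; applying the resulting plan through the Vince Live Users API is left to the caller because the page does not document that API's calls. The one deliberate design choice is that a tag is never cleared automatically: an untagged user's M3 calls fall back to the ION service account, which is more privilege, not less.

```python
"""Plan M3 User ID tag updates from a directory export (added example)."""
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class DirectoryEntry:
    """One identity from Microsoft Graph or Infor IFS; field names are assumptions."""
    mail: str
    m3_user_id: Optional[str]


@dataclass(frozen=True)
class VinceUser:
    """One Vince Live user as the Users API might return it; the shape is an assumption."""
    id: str
    email: str
    m3_user_id: Optional[str]


@dataclass
class Plan:
    set_tag: List[Tuple[str, str]] = field(default_factory=list)  # (Vince user id, new M3 User ID)
    review: List[Tuple[str, str]] = field(default_factory=list)   # (email, reason): needs a human


def plan_tag_updates(directory, vince_users) -> Plan:
    plan = Plan()
    # Index by normalised mail. Duplicates are reported, never resolved by guessing.
    by_mail, dupes = {}, set()
    for d in directory:
        key = d.mail.strip().lower()
        if key in by_mail:
            dupes.add(key)
        by_mail[key] = d
    # An M3 User ID claimed by several directory identities is ambiguous too.
    counts = Counter(d.m3_user_id for d in directory if d.m3_user_id)
    shared = {m3 for m3, n in counts.items() if n > 1}

    for u in vince_users:
        key = u.email.strip().lower()
        if key in dupes:
            plan.review.append((u.email, "duplicate directory records"))
            continue
        d = by_mail.get(key)
        if d is None:
            plan.review.append((u.email, "not in directory; should this Vince Live user still exist?"))
            continue
        if not d.m3_user_id:
            # Never clear a tag automatically: an untagged user's M3 calls run as
            # the ION service account, which is more privilege, not less.
            reason = ("directory has no M3 User ID but user is tagged" if u.m3_user_id
                      else "no M3 User ID available; M3 calls fall back to the service account")
            plan.review.append((u.email, reason))
            continue
        if d.m3_user_id in shared:
            plan.review.append((u.email, f"M3 User ID {d.m3_user_id} is mapped to several identities"))
            continue
        if d.m3_user_id != u.m3_user_id:
            plan.set_tag.append((u.id, d.m3_user_id))
    return plan


# Constructed sample data standing in for a Graph/IFS export and a Users API listing.
DIRECTORY = [
    DirectoryEntry("Alice@example.com", "ALICE"),
    DirectoryEntry("bob@example.com", "BOB"),
    DirectoryEntry("carol@example.com", None),
    DirectoryEntry("dan@example.com", "BOB"),       # same M3 id as bob: ambiguous
]
VINCE_USERS = [
    VinceUser("u1", "alice@example.com", None),     # untagged, directory knows the id
    VinceUser("u2", "bob@example.com", "BOB"),
    VinceUser("u3", "carol@example.com", "CAROL"),  # tagged, but directory has no id
    VinceUser("u4", "erin@example.com", None),      # not in the directory at all
    VinceUser("u5", "dan@example.com", None),
]

if __name__ == "__main__":
    plan = plan_tag_updates(DIRECTORY, VINCE_USERS)
    for user_id, m3 in plan.set_tag:
        print(f"set tag: {user_id} -> {m3}")   # apply through the Vince Live Users API
    for email, why in plan.review:
        print(f"review:  {email}: {why}")
```

The review list doubles as the audit of who will silently run M3 calls as the service account; it is worth checking before the service account is granted broad M3 rights.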

  • How do I as an admin deploy VXL Live as an Add-In in Excel within my organization?

    Please refer to this guide: Deploy VXL Live Excel Add-in

  • Do I need to redeploy VXL Live for every new version?

    No. Vince updates VXL Live continuously, as often as several times a week, but no change requires a redeployment of the Excel Add-in. Every time the user opens Excel, the latest version of VXL Live is loaded.

Roles and Attribute-Based Access Control (ABAC)

In Vince Live, we implement attribute-based access control (ABAC) to provide highly granular control over user roles and permissions. Roles apply only to users with the "User" permission setting; users with the "Admin" permission have unrestricted access and are not limited by role rules. This documentation provides an overview of roles in Vince Live and their significance in the access control system.

  • Role Creation and Workflow Association: The primary step in configuring roles is to create them according to your specific requirements. By defining roles, you establish distinct groups with predefined access privileges. When creating or editing workflows, these roles can be associated with them. Each workflow linked to a role becomes a rule within that specific role. This setup enables efficient management of permissions based on user roles.
  • Configurable Access Levels: Within Vince Live, you have the flexibility to determine access levels at a detailed level for specific features. For instance, you can define whether users are allowed read-only or read-write access to features such as users, connections, and workflows. This fine-grained control ensures that users have appropriate permissions based on their role and responsibilities within the organization.
  • Deny Rules for Enhanced Access Control: In addition to defining allow rules, Vince Live also supports the inclusion of deny rules. This feature is particularly useful when granting access to multiple areas. Deny rules allow you to explicitly restrict access to certain features or functionalities, even if they are allowed by default based on a user's role. This capability adds an extra layer of control and security to your access management strategy.

Roles in Vince Live, implemented through attribute-based access control (ABAC), enable precise control over user permissions and access levels. By associating workflows with roles, you define specific rules and restrictions for different user groups, and deny rules add further control over access policies. Defining roles in this way lets organisations grant individuals the privileges their responsibilities require and no more, while safeguarding sensitive data and workflows.

Managing Permissions for Roles in Vince Live

In the Permissions section of Vince Live, administrators tailor role permissions using four key drop-downs: App, Resource, Resource Name, and Actions.

  • App Drop-down: Selecting an application loads relevant options in the Resource drop-down.

  • Resource Drop-down: Based on the selected App, it displays resources such as API Clients, Connections, Dashboard, Environment, Gateway, Group, Meta data, Role, User, Variable, Webhook, and Workflow.

  • Resource Name Drop-down: Lists specific items under the selected Resource (e.g., connections).

  • Actions Drop-down: Offers choices like *, Read, and Write.

    *: Grants full access (Read and Write) to the selected resource.

    Read: Provides read-only access.

    Write: Allows creating and modifying items.



App

The "App" dropdown in Vince Live serves as a means to categorize the diverse range of resources available within the application. It primarily distinguishes between "Foundation" and "Custom Tables," maintaining a clear separation.

Foundation

Foundation encapsulates the essential entities integral to Vince Live. These entities constitute the core components of the application, forming the backbone of its functionalities.

Custom Tables

Custom Tables house additional, user-defined resources, providing a flexible and customizable space tailored to specific needs.

Resource

Each resource is described below.

  1. Connections: CRUD (Create, Read, Update, Delete) operations on connections between Vince Live and external systems.
  2. Environment: CRUD operations on environments in Vince Live.
  3. Groups: CRUD operations on groups, which are used to organise and manage workflows.
  4. API Clients: CRUD operations on API clients, which let external applications and systems connect to Vince Live.
  5. Dashboards: CRUD operations on dashboards, which display widgets.
  6. Users: CRUD operations on users.
  7. Roles: CRUD operations on roles.
  8. Gateway: CRUD operations on gateways.
  9. Meta data: CRUD operations on metadata.
  10. Variable: CRUD operations on variables.
  11. Webhook: CRUD operations on webhooks.
  12. Workflow: CRUD operations on workflows.
  13. Custom table → Data: CRUD operations on the data stored in custom tables.
  14. Custom table → Configuration: CRUD operations on the custom table definitions themselves.

Configuring Connection Permissions in Vince Live

  • Selecting Foundation as the App and Connection as the Resource will populate the Resource Name drop-down with available connections. Choosing * in the Resource Name drop-down grants access to all connections, while selecting a specific connection grants access only to that chosen connection.
  • This granular control ensures that users have precisely defined access to connections. When this permission is added to the role and the role is assigned to the logged-in user, based on the given permission, users will be able to view, update or add connections in the connections screen.

Configuring Environment Permissions in Vince Live

  • Selecting Foundation as the App and Environment as the Resource will populate the Resource Name drop-down with available environments. Choosing * in the Resource Name drop-down grants access to all environments, while selecting a specific environment grants access only to that chosen environment.
  • This granular control ensures that users have precisely defined access to environments. When this permission is added to the role and the role is assigned to the logged-in user, based on the given permission, users will be able to add, view or update environments in the environments screen.

Configuring Group Permissions in Vince Live

  • Selecting Foundation as the App and Group as the Resource will populate the Resource Name drop-down with available groups. Choosing * in the Resource Name drop-down grants access to all groups, while selecting a specific group grants access only to that chosen group.
  • This granular control ensures that users have precisely defined access to groups. When this permission is added to the role and the role is assigned to the logged-in user, based on the given permission, users will be able to add or view or update the groups in the Groups screen.

Configuring User Permissions in Vince Live

  • Selecting Foundation as the App and User as the Resource will populate the Resource Name drop-down with available users. Choosing * in the Resource Name drop-down grants access to all users, while selecting a specific user grants access only to that chosen user.
  • This granular control ensures that users have precisely defined access to users. When this permission is added to the role and the role is assigned to the logged-in user, based on the given permission, users will be able to add or view or update the users in the users screen.

Configuring Workflow Permissions in Vince Live

  • Selecting Foundation as the App and Workflow as the Resource will populate the Resource Name drop-down with available workflows. Choosing * in the Resource Name drop-down grants access to all workflows, while selecting a specific workflow grants access only to that chosen workflow.
  • This granular control ensures that users have precisely defined access to workflows. When this permission is added to the role and the role is assigned to the logged-in user, based on the given permission, users will be able to add or view or update the workflows in the workflows screen.

Configuring Dashboards Permissions in Vince Live

  • Selecting Foundation as the App and Dashboard as the Resource will populate the Resource Name drop-down with available dashboards. Choosing * in the Resource Name drop-down grants access to all dashboards, while selecting a specific dashboard grants access only to that chosen Dashboard.
  • This granular control ensures that users have precisely defined access to dashboards. When this permission is added to the role and the role is assigned to the logged-in user, based on the given permission, users will be able to add or view or update the dashboards in the dashboard screen.

Configuring Roles Permissions in Vince Live

  • Selecting Foundation as the App and Roles as the Resource will populate the Resource Name drop-down with available Roles. Choosing * in the Resource Name drop-down grants access to all Roles, while selecting a specific role grants access only to that chosen role.
  • This granular control ensures that users have precisely defined access to roles. When this permission is added to the role and the role is assigned to the logged-in user, based on the given permission, users will be able to add or view or update the roles in the roles screen.

Configuring API Clients Permissions in Vince Live

  • Selecting Foundation as the App and API Clients as the Resource will populate the Resource Name drop-down with available API Clients. Choosing * in the Resource Name drop-down grants access to all API Clients, while selecting a specific API client grants access only to that chosen API Client.
  • This granular control ensures that users have precisely defined access to API Clients. When this permission is added to the role and the role is assigned to the logged-in user, based on the given permission, users will be able to add or view or update the API Clients in the API Clients screen.

This robust feature allows administrators to precisely define user roles, ensuring secure and tailored access to Vince Live resources.
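An added example, not Vince Live's own authorisation code, that models the permission rows described above (App, Resource, Resource Name, Actions) together with the allow/deny rules and Admin bypass from the "Roles and Attribute-Based Access Control" section, and the `*`-versus-specific-item semantics repeated in each "Configuring ... Permissions" procedure. Evaluation order is an assumption drawn from the page's wording that deny rules restrict access "even if" an allow rule grants it: a matching deny wins, otherwise any matching allow grants, otherwise access is refused. It is also assumed that Write does not imply Read, since the page does not say it does. The sample role, user and resource names are constructed.

```python
"""Allow/deny rule evaluation for Vince Live-style roles (added example)."""
from dataclasses import dataclass, field

# Meaning of the Actions drop-down: "*" is Read and Write; "Write" is assumed
# not to imply "Read" (the page does not say that it does).
ACTIONS = {"*": {"Read", "Write"}, "Read": {"Read"}, "Write": {"Write"}}


@dataclass(frozen=True)
class Rule:
    """One permission row: App, Resource, Resource Name, Actions, plus an effect."""
    app: str                # "Foundation" or "Custom Tables"
    resource: str           # e.g. "Connection", "Workflow", "Data"
    resource_name: str      # a specific item, or "*" for all of them
    action: str             # "*", "Read" or "Write"
    effect: str = "allow"   # "allow" or "deny"

    def matches(self, app: str, resource: str, name: str, action: str) -> bool:
        return (self.app == app and self.resource == resource
                and self.resource_name in ("*", name)
                and action in ACTIONS[self.action])


@dataclass
class Role:
    name: str
    rules: list = field(default_factory=list)


@dataclass
class User:
    email: str
    permission: str = "User"   # "User" or "Admin"; Admin bypasses roles entirely
    roles: list = field(default_factory=list)


def is_permitted(user: User, app: str, resource: str, name: str, action: str) -> bool:
    """Deny rules win over allow rules; with no matching allow, access is refused."""
    if user.permission == "Admin":
        return True
    hits = [r for role in user.roles for r in role.rules
            if r.matches(app, resource, name, action)]
    if any(r.effect == "deny" for r in hits):
        return False
    return any(r.effect == "allow" for r in hits)


def effective_access(user: User, app: str, resource: str, names: list) -> list:
    """(name, can_read, can_write) per item: the view a reviewer wants when auditing a role."""
    return [(n, is_permitted(user, app, resource, n, "Read"),
             is_permitted(user, app, resource, n, "Write")) for n in names]


# Constructed sample role: read every connection, write only the M3 production
# connection, and never touch the payroll connection even though "*" would allow it.
INTEGRATOR = Role("Integrator", [
    Rule("Foundation", "Connection", "*", "Read"),
    Rule("Foundation", "Connection", "M3-PROD", "Write"),
    Rule("Foundation", "Connection", "HR-PAYROLL", "*", effect="deny"),
    Rule("Foundation", "Workflow", "*", "*"),
])
BOB = User("bob@example.com", roles=[INTEGRATOR])
ADMIN = User("admin@example.com", permission="Admin")

if __name__ == "__main__":
    for row in effective_access(BOB, "Foundation", "Connection",
                                ["M3-PROD", "M3-TEST", "HR-PAYROLL"]):
        print(row)
```

The `effective_access` table is the check to run after editing a role: a broad `*` read rule is easy to grant and hard to see, and the deny row is the only thing keeping HR-PAYROLL out of it.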

Further reading

Static IP for on-prem traffic

Deploy VXL Live Excel Add-in