
Overview

The Yellowfin user interface ships with some quick wins regarding security. The most important ones are listed below, but do spend time becoming more familiar with the administration tools. There is a full section on the Yellowfin wiki dedicated to administering Yellowfin. 

External API cookie timeout 

If you plan to embed content using the JavaScript API, decide the acceptable timeout length for this cookie. This can be changed from the burger bun menu on the left, under Administration > Configuration > System (Gear icon) > General Settings.




Password settings 

Configure your password settings to meet your organizational requirements from the burger bun menu on the left, under Administration > Configuration > Authentication (padlock icon) > Password Settings.



Disable quick logon 

Yellowfin offers a quick logon feature that allows users to easily log back in without entering their credentials, over roughly a 12-hour window. In environments requiring strict authentication mechanisms, this may not be desirable. To disable this, run the following SQL against the Yellowfin configuration database and restart the service. 

-- Turns off the quick logon cookie; restart the Yellowfin service afterwards for the change to take effect.
UPDATE Configuration SET ConfigData='NO' WHERE ConfigCode='LOGONCOOKIE';


Request validation 

When this feature is enabled, a nonce is added to requests and is validated by the server before the request can be processed. This will help prevent request replay attacks, or automated request submissions. This feature can be enabled from the burger bun menu on the left, under Administration > Configuration > System (Gear Icon) > General Settings > Unique Tokens for Every Request.
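The page only states that a nonce is attached to each request and checked server-side. The following is an added illustration, written for this page and not Yellowfin's own implementation (whose internals the page does not describe), of the properties such a check needs to have for the replay and automation claims to hold: each token is issued once, bound to the session it was issued to, expires after a short window, and is consumed on first use so the same captured request cannot be processed twice. The session identifiers, the TTL and the fake clock are constructed for the demonstration.

```python
import secrets
import time


class NonceStore:
    """Issue single-use, session-bound, time-limited request tokens.

    Constructed example of a per-request nonce check; not Yellowfin code.
    """

    def __init__(self, ttl_seconds=300, clock=time.monotonic):
        self.ttl = ttl_seconds
        self.clock = clock          # injectable so expiry can be exercised deterministically
        self._issued = {}           # nonce -> (session_id, expiry)

    def issue(self, session_id):
        """Mint a fresh token for one render of a form or API call."""
        self._purge()
        nonce = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._issued[nonce] = (session_id, self.clock() + self.ttl)
        return nonce

    def validate(self, session_id, nonce):
        """Accept a token exactly once, and only for the session it was issued to."""
        self._purge()
        entry = self._issued.pop(nonce, None)   # consumed whatever the outcome
        if entry is None:
            return False                          # unknown, expired, or already used
        bound_session, expiry = entry
        if bound_session != session_id:
            return False                          # token stolen from another session
        return self.clock() <= expiry

    def _purge(self):
        """Drop expired tokens so the store cannot grow without bound."""
        now = self.clock()
        for nonce, (_, expiry) in list(self._issued.items()):
            if expiry < now:
                del self._issued[nonce]


def handle_request(store, session_id, form):
    """Server-side gate: process the request only if its token validates."""
    if store.validate(session_id, form.get("nonce", "")):
        return "processed"
    return "rejected"


def demo():
    """Walk through the cases the feature is meant to cover; returns a dict of outcomes."""
    now = [1000.0]                                  # constructed fake clock
    store = NonceStore(ttl_seconds=300, clock=lambda: now[0])
    alice, mallory = "sess-alice", "sess-mallory"   # constructed session ids
    results = {}

    token = store.issue(alice)
    results["first_use"] = handle_request(store, alice, {"nonce": token})
    results["replay"] = handle_request(store, alice, {"nonce": token})       # same request again
    results["forged"] = handle_request(store, alice, {"nonce": "made-up"})   # scripted, no token

    token = store.issue(alice)
    results["wrong_session"] = handle_request(store, mallory, {"nonce": token})

    token = store.issue(alice)
    now[0] += 301                                   # past the TTL
    results["expired"] = handle_request(store, alice, {"nonce": token})
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:14s} -> {outcome}")
```

The store keeps state server-side on purpose: a token the client could regenerate itself would not stop automated submissions. In a clustered deployment the equivalent state has to live somewhere all nodes can see, otherwise a token issued by one node is rejected by another.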



Yellowfin tools with security impacts 

Code Mode

Code Mode allows content creators to write their own JavaScript. This should be provided to select trusted developers only, and content should be periodically audited to validate the content.

JavaScript Charts

JavaScript Charts provides similar functionality to Code Mode, but at a report level. If in use, this feature should be treated in the same way.

Plugin Manager

The plugin manager allows users to upload custom plugins into Yellowfin. Access to this functionality should only be granted for the highest-level administrator and should include a manual code review of any custom plugins.

Freehand SQL

Freehand SQL in calculated fields, views, or reports allows content creators to manually query a data source. Keep in mind that from a security perspective, this feature is like running queries directly against an RDBMS in the context of the data source user.
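Because freehand SQL runs with whatever rights the data source user holds, the practical control is the privilege of that connection, not the report author's role in Yellowfin. The example below is added here and is not Yellowfin code: it uses a throwaway SQLite file as a stand-in for a data source and runs the same author-supplied statements over a read-only connection and a read-write one, so the difference in blast radius is visible. The table, rows and SQL strings are constructed; with a server RDBMS the equivalent is a dedicated account holding only SELECT on the reporting schema.

```python
import os
import sqlite3
import tempfile


def build_demo_db(path):
    """Create a small constructed table standing in for a reporting data source."""
    conn = sqlite3.connect(path)
    try:
        conn.execute("CREATE TABLE sales (region TEXT, amount INTEGER)")
        conn.executemany(
            "INSERT INTO sales VALUES (?, ?)", [("north", 10), ("south", 20)]
        )
        conn.commit()
    finally:
        conn.close()


def run_freehand(db_path, sql, read_only=True):
    """Execute author-supplied SQL over a connection with the chosen privilege.

    read_only=True models a least-privilege data source user: SQLite's
    mode=ro refuses any statement that would modify the database.
    Returns ("ok", rows) or ("refused", error_message).
    """
    uri = f"file:{db_path}?mode={'ro' if read_only else 'rw'}"
    conn = sqlite3.connect(uri, uri=True)
    try:
        cur = conn.execute(sql)
        conn.commit()
        return ("ok", cur.fetchall())
    except sqlite3.OperationalError as exc:
        return ("refused", str(exc))
    finally:
        conn.close()


def demo():
    """Run a legitimate report query and a destructive statement under both privilege levels."""
    report = "SELECT region, SUM(amount) FROM sales GROUP BY region ORDER BY region"
    destructive = "DROP TABLE sales"   # constructed example of what freehand SQL could carry
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "source.db")
        build_demo_db(path)
        outcomes = {
            "report_read_only": run_freehand(path, report, read_only=True),
            "drop_read_only": run_freehand(path, destructive, read_only=True),
            # the table must still be intact after the refused DROP
            "report_after_refused_drop": run_freehand(path, report, read_only=True),
            "drop_read_write": run_freehand(path, destructive, read_only=False),
            "report_after_real_drop": run_freehand(path, report, read_only=True),
        }
    return outcomes


if __name__ == "__main__":
    for case, (status, detail) in demo().items():
        print(f"{case:26s} {status:8s} {detail}")
```

The last two entries show what the page's caveat means in practice: once the connection is privileged enough to write, a single freehand statement removes the table and every report built on it fails, so the data source account should never hold more than the reports need.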



Deployment and Hardening Guide
