Best practices in security
The following recommendations pertain to the secure configuration and management of the Bizagi Cloud Platform. This article covers different aspects, such as access control, authentication, encryption, secure coding, and logging. The recommendations aim to help users ensure the confidentiality, integrity, and availability of Bizagi applications and data, as well as prevent unauthorized access, misuse, or modification.
Specific security recommendations for Bizagi Studio and Bizagi Automation Service are provided.
In this section, we detail the best security practices for Bizagi Studio, focusing on the following components.
Access Control
When developing a new project in Bizagi Studio, it is crucial to identify the roles required by the project's users and configure the necessary permissions in the Administration section. Bizagi Studio has a permissive default policy, which means that if no roles are configured, users will have permission to access all sections of the application. For more detailed information, refer to the User Administration section.
Bizagi Studio offers security management for entities. This feature allows you to control the visibility and editability of entities through global functions and expressions. Depending on your business case, configure the most secure option for your organization. Enabling this mechanism helps to control the access that Bizagi Studio developers have to different processes or elements of a model. You can find further information in the Bizagi Studio Security section.
To manage access to the information in your project, you can utilize Case Security. A case can be set as either public or private, and its security can be defined in the Expert view of Bizagi Studio. By marking a case as private, only the users assigned during the case's process will have access to the information within that specific case. For more insights into managing sensitive information in Bizagi, refer to the Case Security section.
Monitoring and registration
To ensure effective monitoring and registration, we recommend configuring and enabling the available traces in your Bizagi Studio model. Enabling traces for Authentication, Bizagi API, Connectors, Rules, and Expressions is particularly recommended. For further information, refer to Tracing configuration.
Configuration Management
When updating a running Bizagi project, deploy the changes to the Testing environment first and perform tests to ensure everything works as expected. Then, deploy the changes to the Production environment. We do not recommend deploying changes directly to Production environments. For further information, refer to Test environment deployment.
Identity and Authentication
Proper configuration of authentication mechanisms with a trusted Identity Provider (IdP) is crucial. The IdP should manage multifactor authentication mechanisms. Refer to the Cloud Authentication section for more information.
Malware protection
When creating a Bizagi project that requires processing or uploading files, it is recommended to restrict file extensions with a whitelist (allowed list). This limits the types of files that can be uploaded to your Bizagi instance. For further information, refer to File uploads.
API Security
Bizagi provides programmatic access to underlying business information through its API, based on RESTful and OData services. We recommend using the OData services for integration with external applications. For introductory information about the OData API, refer to Bizagi API.
Additionally, for Service Oriented Architecture (SOA) integration layer services, implementing the available WS-Security authentication layer is advised. This ensures web services are supported via HTTPS. Consult the SOA Layer and Invoking Web services (SOAP) sections for more information.
Data Protection
Bizagi Cloud Platform encrypts data at rest using Transparent Data Encryption (TDE) and data in transit using the Transport Layer Security (TLS) protocol. The Data encryption section provides a comprehensive understanding of data protection in Bizagi Cloud Platform.
When exporting a complete project, Bizagi offers the option to export its respective metadata. To secure this metadata, it is recommended to password-protect the exported .bex or .bdex files. Password protection encrypts the file contents, safeguarding them against unauthorized exposure. For further information, refer to Exporting the metadata of a project for support.
This section focuses on best practices in security for Bizagi Automation Service, covering the following components:
Access Control
Ensure that each user in the system is assigned a role with the minimum privileges required for their respective operations. The Work Portal Security section provides additional details.
If you intend to consume information from Bizagi using APIs such as OData, review the configuration of token expiration time and confirm that users have access to the API using roles within the system. For more information, refer to Bizagi API Authentication.
When registering OAuth 2.0 applications, avoid assigning administrator-level privileges to the associated user. Instead, create a dedicated user with access limited to the specific data and actions required. Using high-privilege accounts such as admon or BAAdministrator can compromise data confidentiality and integrity if credentials are exposed.
Additionally, limit the registration of external applications through OAuth 2.0 to those that are strictly necessary, in order to reduce the risk of unauthorized integrations with the Work Portal. Bizagi does not define restrictive roles by default, so it is your responsibility to configure appropriate access control according to your organization’s security requirements. We also recommend rotating the clientSecret periodically to minimize the risk of credential misuse. For more information, refer to the OAuth 2.0 Applications Options article.
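The access-control recommendations above (token expiration, no high-privilege user behind an OAuth 2.0 application, only necessary registrations, periodic clientSecret rotation) can be checked against an inventory of registered applications. The following is an added example, not Bizagi code: the inventory format, its field names, and the 90-day and 60-minute thresholds are assumptions to adapt to your own policy.

```python
from datetime import date

# Accounts the page names as high-privilege; never bind an OAuth app to these.
HIGH_PRIVILEGE_USERS = {"admon", "baadministrator"}
# Assumed policy thresholds (not Bizagi defaults): tune to your organization.
MAX_SECRET_AGE_DAYS = 90
MAX_TOKEN_LIFETIME_MIN = 60

def audit_oauth_apps(apps, today):
    """Return {app name: [findings]} for registrations that break the policy."""
    findings = {}
    for app in apps:
        issues = []
        user = app["user"].strip().lower()
        # Strip a domain prefix such as "domain\admon" before comparing.
        if user.rsplit("\\", 1)[-1] in HIGH_PRIVILEGE_USERS:
            issues.append("bound to high-privilege user")
        age = (today - app["secret_rotated"]).days
        if age > MAX_SECRET_AGE_DAYS:
            issues.append(f"clientSecret not rotated for {age} days")
        if app["token_lifetime_min"] > MAX_TOKEN_LIFETIME_MIN:
            issues.append("token lifetime exceeds policy")
        if not app.get("owner"):
            issues.append("no documented owner; confirm the app is still needed")
        if issues:
            findings[app["name"]] = issues
    return findings

# Constructed inventory (hypothetical fields), e.g. transcribed by hand from
# the OAuth 2.0 application registrations of one environment.
SAMPLE_APPS = [
    {"name": "erp-sync", "user": "svc_erp_readonly", "owner": "finance-it",
     "secret_rotated": date(2025, 5, 20), "token_lifetime_min": 30},
    {"name": "legacy-report", "user": "domain\\Admon", "owner": "",
     "secret_rotated": date(2024, 11, 1), "token_lifetime_min": 1440},
]

if __name__ == "__main__":
    for name, issues in audit_oauth_apps(SAMPLE_APPS, date(2025, 7, 2)).items():
        print(name, "->", "; ".join(issues))
```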
The Management Console also has its own security configuration requirements.
Access Control
From the Management Console, configure roles and Personas to restrict access to information and prevent unauthorized actions. Note that configuring Bizagi Authentication is not allowed in the authentication section of the Management Console. Consult the Security option section for more information.
Monitoring and registration
To ensure effective monitoring and registration, we recommend configuring and enabling the available traces in the Management Console for Authentication, Bizagi API, Connectors, Rules, and Expressions. Enabling the "all" option is recommended. Regularly checking the event log available in the Management Console helps identify issues in your model. For further information, refer to Event log.
Last Updated 7/2/2025 12:42:06 PM