Currently, Planning Analytics provides two ways to save credentials for ODBC TIs:
Save credentials in ecrypted form within each TI
Save credentials in plain-text in a cube so that credentials can be retrieved at run-time.
The first option makes it prohibitively difficult to manage credentials when rotating passwords. In an environment with more than a thousand ODBC TIs, an extended amount of time would need to be spent updating the password within each TI in order to satisfy security best-practices.
As for the second option, although it provides a centralised location where credentails can easily be updated, it is a non-starter completely. No IT/Security Risk Management team would sign off on credentials being stored in plain-text.
As a result, we'd like IBM to provide a mechanism through which ODBC TI passwords can be mass updated through one of the following methods:
an external tool that can update passwords for TIs
a REST API endpoint to update passwords for TIs
enable Planning Analytics TIs to retrieve credentials from industry standard vault products
Why is it useful?
|Who would benefit from this IDEA?||All PA customers subject to security requirements|
How should it work?
For external tool, we should be able to provide a list of TIs and then provide the new credentials to be used for each TI. The tool should then be able to interate through the provided TIs and then update the credentials.
For REST API, a POST/UPDATE endpoint to update the credentials for the TI.
For vault option, provide mechanism to configure vault product within the TI so that it can access the credentials.
|Priority Justification||Feature is relevant for security standards compliance for all companies.|
NOTICE TO EU RESIDENTS: per EU Data Protection Policy, if you wish to remove your personal information from the IBM ideas portal, please login to the ideas portal using your previously registered information then change your email to "firstname.lastname@example.org" and first name to "anonymous" and last name to "anonymous". This will ensure that IBM will not send any emails to you about all idea submissions