Add-on Services — Security Considerations

This section addresses general principles that apply to all add-on service applications, as well as specific considerations for individual applications.

General principles

Some general principles apply to all SuiteProjects Pro add-on applications:

Keep software up to date

SuiteProjects Pro releases new versions of currently supported add-on applications from time to time. Download and install the new versions when they become available to take advantage of security updates as well as software fixes, new features and other product enhancements.

Important:

You should exercise appropriate responsibility and perform regression testing for business-critical applications away from your production environment before upgrading.

Always test new versions of SuiteProjects Pro Integration Manager in a sandbox environment before upgrading. In particular, test any shortcuts you may have created for processes such as accounting system integrations to verify that they run correctly under the new version of SuiteProjects Pro Integration Manager.

Service changes impacting infrastructure are communicated to all SuiteProjects Pro customers. Such service changes may include discontinued development / support and end-of-life for add-on applications. Discuss these changes with your technical teams as they arise to assess the implications and prepare for the change.

Download only from trusted SuiteProjects Pro sources

Download SuiteProjects Pro add-on applications only from the following sources:

  • In SuiteProjects Pro, go to Administration > Global Settings > Add-on Services.

  • Go to the App Store on an iPhone or Play Store on an Android mobile device.

  • Use links provided by SuiteProjects Pro Support, SuiteProjects Pro Professional Services or in SuiteProjects Pro documentation.

Follow the principle of least privilege

Access to SuiteProjects Pro add-on services should be granted on a needs basis. Allow users to accomplish their task using the lowest privileges. For example, you may grant users rights to use SuiteProjects Pro Mobile applications for time or expenses entry, but grant access to SuiteProjects Pro Project Connector to Project Managers only. Other add-on services such as SuiteProjects Pro Integration Manager should be restricted to trained individual users only.

In SuiteProjects Pro, go to Administration > Global Settings > Users > Employees > [Select an Employee ID] > Access Control > Exchange Access to grant or revoke access to an add-on service.

The message “Not approved for download” appears above the download link in Administration > Global Settings > Account > Integration: Add-on Services if the user has not been granted access to that application. Users can still download and install the application. However, they will not be able to set up and use the application using their SuiteProjects Pro credentials. See Access Control Overview.

Note:

SuiteProjects Pro Exchange Integration Manager requires Administrator credentials. Access cannot be granted to other users and the application is not listed in the Access Control settings for individual users.

Connection Settings

All add-on applications need to be configured to connect with your SuiteProjects Pro account to enable the exchange of data.

The connection settings include:

  • Server — Enter the URL for your SuiteProjects Pro account. The server URL includes the domain name for your SuiteProjects Pro account <account-domain>. For more information about your account-specific domain name, see Your Account URLs.

    Important:

    Make sure you connect to your SuiteProjects Pro account over a secure layer using the HTTPS protocol. SuiteProjects Pro uses the industry standard Transport Layer Security (TLS) protocol to encrypt communication between the SuiteProjects Pro server and add-on applications, and to ensure the security of the data transferred.

  • User credentials (Company ID, User ID and Password) — The application will connect successfully to SuiteProjects Pro only if the user has the relevant access rights allowing them to use the application to access SuiteProjects Pro data. See Follow the principle of least privilege.

  • Remember Password — This option is disabled by default. If enabled, the password will be stored on the device and encrypted using industry standard security measures.

    Important:

    Make sure you have appropriate security policies in place around physical access to devices. If the Remember Password option is enabled, anyone with access to your unlocked device will be able to access your Oracle Service account using your device; a person having access will be able to view, add, and edit information in your Oracle Service account. As a precaution, you should always utilize a passcode lock on your device and change your password regularly. If your device is lost or stolen, you must immediately report the incident to your Oracle account administrator and change your Oracle Service password. By enabling the Remember Password option, you accept full responsibility for any losses and/or damages, and you agree not to hold Oracle or its affiliates liable for any losses and/or damages resulting from saving your password and/or session information.

SuiteProjects Pro Access Control

The access control mechanisms configured for the SuiteProjects Pro web application also apply to add-on service applications. The features and data available depend on a variety of factors such as user settings, role privileges, form permissions and filter sets.

SuiteProjects Pro Exchange Integration Manager

See Exchange Integration Manager for more information about configuring and using SuiteProjects Pro Exchange Integration Manager for the integration.

Specific considerations include:

  • Access cannot be granted to users other than account administrators. SuiteProjects Pro Exchange Integration Manager is not listed in the Access Control settings for individual users.

  • Configuring the SuiteProjects Pro MS Exchange integration requires Administrator roles for SuiteProjects Pro, the Active Directory Domain and MS Exchange Server.

  • After SuiteProjects Pro Exchange Integration Manager is set up, any domain user with read/write access to all users' Exchange folders can run SuiteProjects Pro Exchange Integration Engine.

  • When configuring access to the MS Exchange server (Integration Settings > Exchange Access):

    • Only enable the Use http option if the integration is local to the Exchange Server and the Exchange Server is not set up to accept HTTPS traffic.

    • Check the Override SSL Exceptions box if the SSL certificate is not signed, or if the domain name used by the integration does not match the domain in the SSL certificate. Again, only enable this option if the integration is local to the Exchange Server.

SuiteProjects Pro Integration Manager

See Integration Manager for more information about configuring and using SuiteProjects Pro Integration Manager.

Specific considerations include:

  • Only users who have received training on using SuiteProjects Pro Integration Manager should have access to the integration. Having an understanding of the SuiteProjects Pro application and how its database is structured is critical.

  • SuiteProjects Pro Professional Services provide you with a link for downloading SuiteProjects Pro Integration Manager after you have attended the relevant training.

  • The Windows user must have full access privileges to the SuiteProjects Pro Integration Manager installation folder (typically C:\Program Files (x86)\SuiteProjectsPro\IntegrationManager).

  • SuiteProjects Pro Integration Manager does not support a multi-user setup. The application and Integration Manager shortcuts should be installed, created and launched using the same single Windows account. Running SuiteProjects Pro Integration Manager from different Windows user accounts can lead to inconsistent application behavior.

  • When uninstalling the application, delete the SuiteProjects Pro Integration Manager installation folder manually to delete the mapping data.

SuiteProjects Pro OffLine

See OffLine for more information about configuring and using SuiteProjects Pro OffLine.

Specific considerations include:

  • Access to SuiteProjects Pro OffLine is granted in the Access Control settings for individual users.

  • Users' access rights and privileges are governed by the access control mechanisms configured in the web application.

  • When uninstalling the application, delete the SuiteProjects Pro OffLine installation folder (typically C:\Program Files (x86)\SuiteProjectsPro\OffLine) manually to delete the mapping data.
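The Integration Manager and OffLine sections both name an installation folder that holds mapping data, must be fully accessible to the Windows user, and has to be deleted by hand after an uninstall. The following PowerShell audit of those two folders is an added example, not Oracle's code. The list of broad groups, the choice to flag their write access, and the assumption that the script runs as the single account that launches the add-on are all assumptions made for this example.

```powershell
# Added example: audit the add-on installation folders named on this page.
# "Typical" paths from the documentation; adjust if installed elsewhere.
$Folders = @(
    'C:\Program Files (x86)\SuiteProjectsPro\IntegrationManager',
    'C:\Program Files (x86)\SuiteProjectsPro\OffLine'
)
# Assumption: run as the single Windows account that installs and launches the add-on.
$ExpectedSid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
# Assumption: well-known broad groups that should not be able to modify mapping data.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}
# WriteData (0x2) plus GENERIC_WRITE and GENERIC_ALL, which can appear in raw ACEs.
$WriteMask   = 0x2 -bor 0x40000000 -bor 0x10000000
$FullControl = [int][System.Security.AccessControl.FileSystemRights]::FullControl

function Get-AddOnFolderReport {
    param([string[]]$Path = $Folders)
    foreach ($folder in $Path) {
        if (-not (Test-Path -LiteralPath $folder -PathType Container)) {
            # Expected state after an uninstall followed by manual deletion.
            [pscustomobject]@{ Folder = $folder; Identity = '-'; Rights = '-'; Finding = 'Folder absent' }
            continue
        }
        foreach ($ace in (Get-Acl -LiteralPath $folder).Access) {
            try {
                $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
            } catch {
                $sid = $ace.IdentityReference.Value   # unresolved identity: keep as shown
            }
            $mask  = [int]$ace.FileSystemRights
            $allow = $ace.AccessControlType -eq 'Allow'
            # Access granted through group membership is left as 'Review'.
            $finding = 'Review'
            if ($allow -and $BroadSids.ContainsKey($sid) -and ($mask -band $WriteMask)) {
                $finding = 'Broad group can write'
            } elseif ($allow -and $sid -eq $ExpectedSid -and (($mask -band $FullControl) -eq $FullControl)) {
                $finding = 'Expected account has full access'
            }
            [pscustomobject]@{
                Folder = $folder; Identity = $ace.IdentityReference.Value
                Rights = $ace.FileSystemRights; Finding = $finding
            }
        }
    }
}

Get-AddOnFolderReport | Format-Table -AutoSize -Wrap
```

After an uninstall, a row other than "Folder absent" means the folder and its mapping data are still on disk.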

SuiteProjects Pro Project Connector

See Project Connector for more information about configuring and using SuiteProjects Pro Project Connector.

Access to SuiteProjects Pro Project Connector is granted in the Access Control settings for individual users.

SuiteProjects Pro Mobile

Refer to Mobile for more information about configuring and using SuiteProjects Pro Mobile.

Specific considerations include:

  • Access to SuiteProjects Pro Mobile (Android) or SuiteProjects Pro Mobile (iPhone) is granted in the Access Control settings for individual users.

  • SuiteProjects Pro Mobile uses the OAuth 2.0 authorization framework to access SuiteProjects Pro data. Users authorize access by signing in to SuiteProjects Pro on their mobile browser. The SuiteProjects Pro sign-in page was redesigned and adapted for mobile devices, and users can use biometric authentication if enabled on their device.

    OAuth 2.0 supports the following authentication mechanisms:

    • Password Authentication by SuiteProjects Pro — Employees use their SuiteProjects Pro credentials (company ID, username and password) to connect SuiteProjects Pro Mobile to SuiteProjects Pro.

    • SAML Authentication — If SAML authentication is enabled for your account, you can enable employees to sign in using one of the following methods:

      • Service Provider initiated Single Sign-on (SP-initiated SSO).

      • Identity Provider initiated Single Sign-on (IdP-initiated SSO). Users need to close the SuiteProjects Pro Mobile application and launch SuiteProjects Pro from their company SSO page before they can access SuiteProjects Pro Mobile.

  • If you use the IP Restriction optional feature to restrict access to the SuiteProjects Pro account to specific IP addresses, the IP address of the user's device must be in the IP address allowlist for this user for SuiteProjects Pro Mobile to exchange information with your SuiteProjects Pro account. If the IP address changes and the new IP address is not in the IP address allowlist for the user, the SuiteProjects Pro Mobile app can no longer exchange information with your SuiteProjects Pro account. The OAuth 2.0 access and refresh tokens become invalid at the first attempt to exchange information with your SuiteProjects Pro account, when the user saves changes or runs the synchronization manually. SuiteProjects Pro Mobile 4.4.2 or later shows an error message. Previous versions of the app initiate the authorization process without an error message. The user must ensure that the device IP address is authorized before connecting SuiteProjects Pro Mobile again with your SuiteProjects Pro account.

  • Privileges enabling users to approve timesheets and expenses using SuiteProjects Pro Mobile apps are granted in the Employee Demographic form in SuiteProjects Pro.

    Go to Administration > Global Settings > Users > Employees > [Select an Employee ID] > Demographic and select as applicable:

    • Enable Approval on mobile for Timesheets (under Timesheets Options)

    • Enable Approval on mobile for Expenses (under Expenses Options)

  • Role permissions, form permissions and permission rules defined in SuiteProjects Pro by account administrators are also enforced in SuiteProjects Pro Mobile. However, note that for Timesheets, only permission rules and form default values for the main entity form are supported. Permission rules and form default values for the time entry form are not supported.

  • Access to Timesheets and Expenses can be disabled separately for mobile applications and the web interface. Contact SuiteProjects Pro Support and ask for the Disable Timesheets on Mobile apps or Disable Expenses on Mobile apps internal switches.

  • SuiteProjects Pro uses the industry standard Transport Layer Security (TLS) protocol to encrypt communication between the SuiteProjects Pro server and the SuiteProjects Pro Mobile app on your device, and to ensure the security of the data transferred.

  • SuiteProjects Pro Mobile stores data locally on your device. Only the data relevant to the authenticated employee's timesheets and expenses is stored. The app always encrypts your data with industry standard encryption.