Security configuration options
Smart IT provides the following configuration options to secure data:
Area | Option | Description |
---|---|---|
Openfire chat data | Cross-domain-policy | If you have implemented chat, you can also configure Openfire to limit the domains that have access to Smart IT chat data. The default setting in Openfire chat allows access to data from all domains. Best practice: We recommend that you change the value to allow access only from a specific domain (or domains). For information about how to configure these security options, see Configuring-security-options-for-Smart-IT. |
File attachment types | Attachment Security | You can configure Action Request System server to prevent users from attaching certain file types to Smart IT records. For example, you might want to block users from attaching executable files or scripts to the Activity feed to prevent malicious code from executing when the attachment is opened. If you restrict attachment file types, an error message is displayed when users try to attach those file types in the following contexts: By default, the Attachment Security settings are blank, which allows all attachment types. For more information about these settings, see Restricting users from uploading and viewing files with specific extensions. For information about how to configure these security options, see Configuring-security-options-for-Smart-IT. |
Content security policy | CSP properties | You can configure the content security policy option in Central Configuration. Smart IT uses this content security policy (CSP) to determine which resources are allowed to load in the application UI. Use of a CSP reduces the risk of cross-site scripting (XSS) attacks. The CSP is defined as a set of properties stored in the SHARE:Application_Properties form. For example, the CSP defines the source domains that are valid for loading scripts and objects. Smart IT supports the connect-src, object-src, script-src, img-src, and media-src directives, which are described in the Content Security Policy (CSP) Quick Reference Guide at http://content-security-policy.com/. Central Configuration includes out-of-the-box directives that are defined in the following properties: smartItCsp_connect-src_0, smartItCsp_object-src_0, and smartItCsp_script-src_0. You must not remove or update these properties. You can add your own directives to the CSP, according to the requirements of your organization. For example, you might want to allow users to add images from external sources to knowledge articles. For information about how to configure these security options, see Configuring-security-options-for-Smart-IT. |
Strict-Transport-Security response header | Strict-Transport-Security | You can enable the Strict-Transport-Security response header for Smart IT to tell browsers that the application must only be accessed over HTTPS, never over HTTP. Without this header, even when you configure HTTPS, browsers can still connect over both HTTP and HTTPS. |
Secured connection to access the Smart IT Android application | usesCleartextTraffic | The default setting for this property is true, which permits cleartext (HTTP) connections. This property is set in the AndroidManifest.xml file. We recommend using TLS 1.2 connections to the Smart IT server in production. |
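The following Python script is an added example, not BMC's code, that shows defender-side checks for three of the options in the table: the Attachment Security extension block list, the CSP assembled from smartItCsp_* properties, and the Strict-Transport-Security header. The block list values, the way smartItCsp_<directive>_<n> properties are folded into one header, and the sample headers are all assumptions constructed for illustration; the page names the property pattern and the supported directives but not the exact values.

```python
"""Added example (not BMC's code): self-checks for Smart IT security settings.
Block-list values, the property-to-header mapping and the sample headers are
constructed assumptions for illustration only."""
import re
from typing import Dict, List, Set

# Constructed sample of Attachment Security settings: extensions an
# administrator might block. The page lists no specific values.
BLOCKED_EXTENSIONS: Set[str] = {"exe", "bat", "cmd", "js", "vbs", "ps1", "sh"}


def is_attachment_allowed(filename: str, blocked: Set[str] = BLOCKED_EXTENSIONS) -> bool:
    """Return True if the file's final extension is not on the block list.

    The check is case-insensitive and uses only the last extension, so
    'Invoice.PDF.EXE' is blocked while 'notes.exe.txt' is allowed.  Trailing
    dots and spaces are stripped first because Windows drops them on save,
    so 'setup.exe.' is treated as 'setup.exe'.  A name without any extension
    has nothing to match and is allowed.
    """
    name = filename.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]  # strip any path part
    name = name.rstrip(". ")
    if "." not in name:
        return True
    ext = name.rsplit(".", 1)[1].lower()
    return ext not in blocked


# Directives the page says Smart IT supports, and the three that ship
# out of the box and must not be removed.
SUPPORTED_DIRECTIVES = ("connect-src", "object-src", "script-src", "img-src", "media-src")
REQUIRED_DIRECTIVES = ("connect-src", "object-src", "script-src")
PROP_RE = re.compile(r"^smartItCsp_([a-z-]+)_(\d+)$")

# Constructed sample of CSP properties in the smartItCsp_<directive>_<n>
# form the page describes. The source values are assumptions; the img-src
# entry models a site-specific addition for knowledge-article images.
SAMPLE_CSP_PROPERTIES: Dict[str, str] = {
    "smartItCsp_connect-src_0": "'self'",
    "smartItCsp_object-src_0": "'none'",
    "smartItCsp_script-src_0": "'self'",
    "smartItCsp_img-src_0": "'self' https://images.example.com",
}


def build_csp(properties: Dict[str, str]) -> str:
    """Fold smartItCsp_* properties into one Content-Security-Policy value.

    Assumed mapping (not documented on the page): every property whose name
    matches the pattern contributes its space-separated sources to the named
    directive; an unsupported directive name is rejected.
    """
    merged: Dict[str, List[str]] = {}
    for key, value in sorted(properties.items()):
        match = PROP_RE.match(key)
        if not match:
            continue  # not a CSP property
        directive = match.group(1)
        if directive not in SUPPORTED_DIRECTIVES:
            raise ValueError(f"{key}: directive {directive} is not supported by Smart IT")
        merged.setdefault(directive, []).extend(value.split())
    return "; ".join(f"{d} {' '.join(srcs)}" for d, srcs in merged.items())


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Report findings for the security headers of a Smart IT HTTPS response.

    Checks that a CSP is present with the three required directives and no
    unsupported ones, and that HSTS is present with a non-zero max-age.
    """
    findings: List[str] = []
    lower = {k.lower(): v for k, v in headers.items()}

    csp = lower.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy header missing")
    else:
        present = {part.strip().split()[0] for part in csp.split(";") if part.strip()}
        for directive in REQUIRED_DIRECTIVES:
            if directive not in present:
                findings.append(f"CSP lacks required directive {directive}")
        for directive in sorted(present):
            if directive not in SUPPORTED_DIRECTIVES:
                findings.append(f"CSP directive {directive} is not one Smart IT supports")

    hsts = lower.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security header missing: browsers may still use HTTP")
    else:
        max_age = re.search(r"max-age=(\d+)", hsts)
        if not max_age:
            findings.append("Strict-Transport-Security has no max-age")
        elif int(max_age.group(1)) == 0:
            findings.append("Strict-Transport-Security max-age=0 disables HSTS")
    return findings


if __name__ == "__main__":
    for name in ("report.pdf", "Invoice.PDF.EXE", "setup.exe.", "notes.exe.txt"):
        print(f"{name!r:20} allowed={is_attachment_allowed(name)}")
    policy = build_csp(SAMPLE_CSP_PROPERTIES)
    print("CSP:", policy)
    print("findings:", audit_headers({"Content-Security-Policy": policy,
                                      "Strict-Transport-Security": "max-age=31536000; includeSubDomains"}))
```

Run the script directly to see the attachment decisions, the assembled policy, and an empty findings list for a response that carries both headers; feeding `audit_headers` the headers from a real Smart IT response (for example, copied from the browser's developer tools) is the quickest way to confirm that the CSP and HSTS options took effect.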