Before continuing with this article, it is recommended to take a look at the Service architecture to better understand the context.
All PackAware systems and subsystems except the SQL database accept connections from the Internet.
The SQL database is accessible only from Azure cloud IP ranges and selected developer PC IP addresses.
Azure Active Directory and the Microsoft identity platform are used to authenticate users of the service. The user's password never leaves Microsoft systems. Azure AD enables organizations to use SSO (single sign-on) and multi-factor authentication.
PackAware identifies the user by the ID tokens provided by Azure Active Directory.
Authorization refers to the permissions the user is assigned when using the service and determines what content the user can access and what operations the user can perform.
Authorization is performed by the PackAware application based on user group memberships defined for the authenticated user and permissions defined to the user groups.
There are multiple ways to assign users to user groups:
See the PackAware documentation for the roles that can be assigned to user groups: https://packaware.com/Support/Documentation/Organization-roles and https://packaware.com/Support/Documentation/Order-group-roles
The customer has full control over the user groups and permissions.
PackAware system administrators and support personnel can override the permissions defined by the customer to provide support, or when required for security, maintenance, marketing or the purpose of providing the service.
All communication between systems is encrypted with TLS or an equivalent cryptographic protocol.
| Connection | Protocol |
|---|---|
| Browser – Application server | HTTPS with TLS |
| Browser – Log service | HTTPS with TLS |
| Browser – Content delivery network | HTTPS with TLS |
| Browser – Map Service | HTTPS with TLS |
| Browser – Azure AD | HTTPS with TLS |
| Application server – Log service | HTTPS with TLS |
| Application server – SQL database | TLS |
| Application server – Blob storage | HTTPS with TLS |
| Application server – Email service | HTTPS with TLS |
| Content delivery network – Application server | HTTPS with TLS |
| Tracking device supplier system – Application server | HTTPS with TLS |
Outside temporary caches and buffers, customer data is stored encrypted.
| System | Encryption at rest |
|---|---|
| Log service | Encrypted, managed by Microsoft |
| SQL database | Encrypted, managed by Microsoft |
| Blob storage | Encrypted, managed by Microsoft |
| Azure AD | Encrypted, managed by Microsoft |
| Email service | Encrypted, managed by AWS |
The encryption keys, access keys and other secrets used in production systems are handled only by named system administrators. For Azure services, access to management operations is protected by Azure AD.