Configure OdataLink models with security in mind

Understanding Model and Security

One purpose of the model is to secure access to your data. With it you can control:

  • WHO you want to grant access.
    This is done by managing users.
  • WHAT data you want to expose.
    This applies to both the data files and endpoints.
  • WHERE you want them to access the data.
    This is controlled via the firewall and IP addresses.

Each option needs to be considered carefully so that any risks are mitigated. Greater risk comes if all these security features are disabled.

We have prepared the following guide to assist you with configuring OdataLink with security in mind. Sections are listed in order of importance.

Note that if you have multiple models, you should ensure each model is secure.

Topics covered include:

  1. Configure which users can access the data
  2. Configure the Firewall
  3. Configure which Data Files can be accessed
  4. Configure which Endpoints can be accessed
  5. Turning your OData Feeds on and off
  6. What’s next when everything is secure?

Configure which users can access the data

OdataLink allows you to control WHO can access the data.

This is configurable via the Login Type setting of the model. You can choose from:

  • Anonymous
  • Basic

Anonymous and why you shouldn’t use it

First off, we DO NOT RECOMMEND the use of Anonymous access. It is only provided as a quick means to get up and running building power queries.

This option removes the need to authenticate to access your data.

But it also means no one needs to authenticate to access your data. Anyone who knows your OData Feed URL could use it. This is even riskier if you use your OData Feed on cloud platforms like Power BI Online, and worse still if you do not use the firewall.

Once you have committed to using OdataLink, we strongly recommend you use BASIC authentication.

The following article provides information to help you change from Anonymous to Basic authentication.

Basic Authentication and why you should use it

Basic Authentication allows you to fully control WHO can access the data. This protects your account from outsiders.

But more importantly, it also allows you to protect your account from people within your organisation by ensuring only specific users can access specific models. You can choose which users have access to which model and can manage that assignment at any time.

Another important benefit of using Basic authentication is that it allows you to revoke access for any users that have left your organisation.

Invite users to OdataLink when using Basic Authentication

Once you have made the correct choice to use Basic authentication, you will need to invite users to OdataLink. You will need to determine whether they are:

  • Administrators with full access to the site.
  • Users with access only to the OData Feed.

As part of the invitation process, you can also choose which users have access to which model. Remember you can also change which users have access to which model at any time.

Firewall considerations when it comes to different users

You will also need to configure access through the firewall if your users work from different locations.

Configure the Firewall

The firewall is the most important security feature of OdataLink you can configure. We DO NOT recommend you disable the firewall.

The firewall allows you to control WHERE you want data to be accessed. More importantly, it allows you to exclude whole regions from accessing data.

This is done by maintaining a list of IP Addresses and assigning them to your model.

ISPs typically issue two types of IP address.

  • Static IP addresses are fixed and never change.
    This is typically provided to businesses.
  • Dynamic IP addresses are leased/assigned for a short period of time and change.
    This is typically provided to home internet.

Because of this, you may want to configure the firewall differently.

Add a fixed IP address to OdataLink

In its simplest form, you can add a fixed IP address to the firewall. This ensures that the fixed

You will also need to assign the IP address to your model.

Log into OdataLink prior to using the Odata Feed to update your dynamic IP address

Alternatively, if your ISP issues dynamic IP addresses, you can log into OdataLink prior to using the OData Feed. OdataLink will check your current IP and, if it differs from the one on record, will prompt you to update it. This approach is useful if your IP address changes rarely and you only work from one single location.

Configure a range of IP addresses to handle frequent changes

If your IP address changes frequently, the better approach is to authorise a wider range of IP addresses owned by your ISP.

The approach we recommend is using the https://ipinfo.io/ site.

https://ipinfo.io/49.179.127.127

You can also Google "Who Is" together with your IP address to find other sites that provide this information.

Sites like these allow you to identify who provides the IP address. They also include the address range that the IP address belongs to.

Using this information, you can add a new IP address and enter a start/end IP address that is wide enough to allow access but still restrictive enough to block many threat actors.
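As an added illustration (not OdataLink's own code), the snippet below turns an ISP route of the kind ipinfo.io reports into the start/end pair the firewall form asks for, checks whether a current IP falls inside the configured entries (the check the dynamic-IP login prompt performs), and flags ranges that are too broad to be restrictive. The entry format, sample addresses and the /16 "too wide" threshold are assumptions.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample firewall entries: (label, start address, end address).
# The real OdataLink entry format is not documented on the page; this is an assumption.
FIREWALL_ENTRIES: List[Tuple[str, str, str]] = [
    ("Head office (static IP)", "203.0.113.10", "203.0.113.10"),
    ("Home ISP range (dynamic IP)", "198.51.100.0", "198.51.100.255"),
]


def cidr_to_range(cidr: str) -> Tuple[str, str]:
    """Convert an ISP route such as '198.51.100.0/24' into the start/end
    addresses to enter in the firewall. strict=False tolerates a host address."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address), str(net.broadcast_address)


def range_size(start: str, end: str) -> int:
    """Number of addresses covered by an inclusive start/end range."""
    a, b = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if a.version != b.version or b < a:
        raise ValueError("start/end must be the same IP version, start <= end")
    return int(b) - int(a) + 1


def too_wide(start: str, end: str, max_hosts: int = 65536) -> bool:
    """Flag a range broader than a /16 (assumed threshold): wide enough to
    cover most of an ISP, but no longer restrictive against other customers."""
    return range_size(start, end) > max_hosts


def is_allowed(ip: str, entries=FIREWALL_ENTRIES) -> bool:
    """True if `ip` lies inside any configured entry. A False result for your
    current IP is what the login-time prompt to update the address reacts to."""
    addr = ipaddress.ip_address(ip)
    for _, start, end in entries:
        s, e = ipaddress.ip_address(start), ipaddress.ip_address(end)
        if s.version == addr.version and s <= addr <= e:
            return True
    return False


if __name__ == "__main__":
    start, end = cidr_to_range("198.51.100.0/24")
    print("firewall entry:", start, "to", end, "hosts:", range_size(start, end))
    print("current IP allowed:", is_allowed("198.51.100.77"))
    print("whole /8 too wide:", too_wide("10.0.0.0", "10.255.255.255"))
```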

Further help configuring the Firewall

You can find further information on our wiki regarding configuring IP addresses within OdataLink.

Configure which Data Files can be accessed

For those with multiple Xero or MYOB data files, you can configure which data files can be accessed by which model.

As an example scenario where this is useful, accounting firms may configure models for specific clients. For them, being able to assign the data files to a specific model/client is very important.

Refer to the following article to find out how to assign specific data files to models.

Configure which Endpoints can be accessed

Models provide a vast library of endpoints covering sales, purchases, payroll, financials and more. Not all of this data should be seen by all users. Carefully considering the minimum data you want to provide to your users is very important.

In some situations, it’s also recommended to configure different models for different audiences.

As an example scenario, you can configure a Sales Model that only gives sales reps access to customer and sales data, and a Payroll Model with payslips for HR. In this scenario, each model would provide access to vastly different endpoints.

Refer to the following article to find out how to manage the list of endpoints available for each model.

Turning your OData Feeds on and off

If you need to disable your OData Feeds quickly, OdataLink provides an account-wide setting that allows you to turn access to all OData Feeds on or off.

This option also exists for each model, allowing you to enable or disable access to a single model.

In exceptional circumstances, OdataLink has the ability to disable accounts that are deemed insecure.

What’s next when everything is secure?

Security, unfortunately, is a constantly evolving field. It pays to review everything regularly to ensure you stay on top of any external or internal threats.

If you require further advice, reach out to us via live chat or contact us.