One of the enhancements made to Sage CRM 2019 R2 (123-171704-ENH) is in the way in which Self Service passwords were stored. It this article I want to place this change within the overall context of Security for Self Service.

Sage CRM Self Service is an API that lets a customer integrates a corporate web site with Sage CRM. The API allows visitors to a customer's site log and access areas of the site that perform functions such as viewing account information, reporting problems, or requesting product information.

The extent of the customer access to corporate data or the ability of a visitor to perform these functions is determined by the particular implementation of Self Service API.

You should always protect all of your websites with HTTPS, even if they don’t handle sensitive communications. But where integration with Sage CRM is enabled using the Self Service API then HTTPS provides critical security and data integrity for both the website and customer/visitor personal information.  The Self Service uses classic ASP pages. As long as the ASP page can be invoked the processing of the self-service pages should not care whether the initial request was via HTTP or HTTPS and the port is not directly relevant.

A person accessing an area of a website that includes data or metadata drawn from Sage CRM is called a visitor. Visitors can either be anonymous or authenticated.

Anonymous access means that some areas of the corporate site are designed to allow access without having to enter a username or password. Typically anonymous access is used for pages that include an enquiry or registration request form - obviously, you do not want to have a registration form for new visitors on a page that they can't access without logging in! Another use for anonymous access is to create public access to data held in CRM tables, for example, a Knowledge-base that draws from the solutions table. But any custom table in Sage CRM could be exposed through self-service.

Authenticated access means that users are required to enter a username and password. A cookie is used to store the user credentials and the validity of this cookie can be checked on subsequent pages that the visitor accesses.

The password is encrypted in the main CRM User Interface and the Self Service login screen.

Enabling a contact within Sage CRM to be an authenticated via the Self Service API is just a question of selecting the Self Service tab under the person context in the Sage CRM main interface. The Sage CRM user can then click to enable the 'Self Service Enabled' box. A CRM user can change the person’s login ID and password by typing the new values in the Logon ID and Password fields. Once the save button is clicked the person is enabled for Self Service.

Note: Authentication in Self Service essentially means 'Can this visitor access this page?' but it does not provide complete security over data access. The design of the pages in self-service has to be carefully considered to prevent visitors using the pages access data they should not see. This is covered in other articles.