Whitelist URL Policies Management

Security is a major concern for all companies. Sage commits to constantly enhance the security of its solutions. This is even more important with the COVID crisis leading companies to deal with more home office workers with distance connections that can open additional entry points to hostile actions.

Sage X3 allows calls to various services over the network (both internally and externally) with different protocols, the most common being HTTP and HTTPS. This can be done:

  • Directly through the user's home page or a page associated with a function. This is the easiest way to do it, but also less secure. The iFrames technology can lead to security threats.

To reinforce control over external calls, a mechanism has been put in place in 2021 R3 (12.0.27) to allow security administrators to:

  • Identify all these exchanges
  • Control them through a dedicated administration page in Administration, Administration, Settings, External URL policies

The external URL policies function allows administrators to define a whitelist of URLs. Today, I will be demonstrating an example of embedding an external URL to a home page.

First, let's navigate to Administration, Administration, Settings, External URL policies. As we can see there are some Sage factory records which are provided by Sage. These external URLs are predefined integrations that Sage maintains

Today, we're going to add the highly controversial, yet widely used "Free Encyclopedia" website: Wikipedia.org

To add a new external URL, select the Actions button in the top-right hand corner, then select New external url policy

Input Name and respective URL. The status section contains checkboxes for Enabled and Checked.

  • Enabled allows the access if selected and prevents the access if unselected.
  • Checked means that the administrator has validated the value of the Enabled checkbox.
    • By default, all URLs provided by Sage are Checked, however you can decide to block/disable these URLs by clearing the Enabled checkbox.
    • For example, you may only want to use Google Maps rather than OpenStreetMap

The Type indicates if the URL will be embedded or a service. We are only going to focus on an Embedded URL which involve the UI and uses the iFrame integration. If you would like more information in regards to URL services please review URL whitelist

Next, select Actions, then Save

Now, that we have our external URL defined. Our next step is to add a menu item which contains this URL. Navigate to Administration, Authoring, Pages, Menu items

Select Actions, then New menu item

Input the desired Code, Title and Description. The Link type should be defined as External link. In the Content section we'll define our Wikipedia URL. Also, since we intend to embed this URL into a home page, we will set the display to open in Same window

Select Actions, then Save

Next, we'll add the menu item to our home page. Navigate to Administration, Authoring, Pages, Home pages.

Select Actions, New home page

Input Page Name (cannot contain any spaces), Title and Description if desired. We're setting the home page for our current endpoint therefore, we will select Use current endpoint.

Select the plus symbol under Gadgets

Under the Gadget section, use the selection icon to select the menu item created in the prior step. No endpoint is necessary as Use current endpoint is checked. Assign the home page an owner. Then Save

Select Sage logo in top left-hand corner to return to the X3 home page. In the bottom left-hand panel there is a section titled My Home Pages, select the Home page created in the prior step.

Our Wikipedia URL displays properly in the embedded iFrame

Next, we'll click a link within the embedded URL to determine if the subsequent URLs will render. I'll click the English Wikipedia link as a test.

After clicking the English Wikipedia link, the URL is NOT resolved and the content is blocked

This is actually the INTENDED behavior for the external URL policy management. iFrames are not added automatically to the whitelist. This is done on purpose because adding a web page to a home page is easy to do and presents a risk that should be controlled more strictly. 

In our example, we ONLY whitelisted URL: https://www.wikipedia.org/ therefore, the subsequent Wikipedia URLs are NOT allowed within the embedded iFrame.

In order to allow the subsequent Wikipedia URLs, we would need to modify the external URL policy. We will add a wildcard (*) when specifying the Wikipedia URL. 

Navigate to Administration, Administration, Settings, External URL policies

Click Edit to modify the existing URL from https://www.wikipedia.org/ to https://*.wikipedia.org/ 

Save the change and return to the X3 home page.

Log out of X3 and back into X3 to refresh the session.

Now, let's test the embedded URL again by selecting the English Wikipedia link

The subsequent Wikipedia URLs are NOW resolved within the embedded iFrame

As you can see in our demo that ANY web page or domain specified on a screen or homepage that has NOT been added to the whitelist will be rejected. I hope this information has been insightful and a worthwhile discussion.

Into X3........................ annnnnndddd Beyond! 

Anonymous