Storing Secrets for Scripts: Difference between revisions

From QPR ProcessAnalyzer Wiki
Jump to navigation Jump to search
 
(6 intermediate revisions by the same user not shown)
Line 1: Line 1:
Secrets provide method to store passwords and other confidential data in QPR ProcessAnalyzer, so that they can be used without users being able to see the original plaintext. For example in ETL scripts, SAP, Salesforce and ODBC passwords can be stored as secrets, which can be referred by their names in the ETL script commands.
Secrets provide a method to store passwords and other confidential data in QPR ProcessAnalyzer, and use them without being able to see the stored secret values. For example in scripts, SAP, Salesforce and ODBC passwords can be stored as secrets, which can be referred by their names in the script commands.
 
There are project-specific and global secrets. To use a secret, the user needs to have ''GenericRead'' permission to the project (or global ''GenericRead'' to use global secrets). To define a secret, the ''ManageProject'' permission to the project is needed (or global ''ManageProject'' to define global secrets). If both a global and a project-specific secret with the same name and type are set, the project-specific secret will be used in that project, and thus the global secret is unavailable for that project.


Each secret has a type which defines in which command the secret can be used. The purpose of the type is to improve security, so that the secret can only be used in the intended command.
Each secret has a type which defines in which command the secret can be used. The purpose of the type is to improve security, so that the secret can only be used in the intended command.


There are project-specific and global secrets. To use a secret, the user needs to have ''GenericRead'' permission to the project (or global ''GenericRead'' to use the global secrets). To define a secret, the ''ManageProject'' permission to the project is needed (or global ''ManageProject'' to define the global secrets).
== Setting secrets ==
Secrets can be set by calling the [[QPR_ProcessAnalyzer_Objects_in_Expression_Language#SetSecret|SetSecret]] function for the project, or the corresponding generic context [[Generic_Functions_in_QPR_ProcessAnalyzer#SetSecret|SetSecret]] function.
 
Example: Set a project secret (for project id 1):
<pre>
ProjectById(1).SetSecret("sap", "SapAdminPassword", "I l0ve 5AP!");
</pre>
 
Example: Set a global secret:
<pre>
SetSecret("sap", "SapReaderPassword", "I l0ve 5AP!");
</pre>
 
== Listing secrets ==
To list all secrets in the project, use the [[QPR_ProcessAnalyzer_Objects_in_Expression_Language#Project|Secrets]] property for the project. For the global secrets, there is the corresponding global [[Generic_Properties_in_Expression_Language#Secrets|Secrets]] property. Note that the secret value cannot be retrieved even by system administrators.


== Setting and listing secrets ==
Example: List project secrets (for project id 1):
Secrets can be set by calling the [[QPR_ProcessAnalyzer_Objects_in_Expression_Language#SetSecret|SetSecret]] function for Project entity, or the corresponding generic context SetSecret function.
<pre>
ToJson(ProjectById(1).Secrets);
</pre>


There is a property [[QPR_ProcessAnalyzer_Objects_in_Expression_Language#Project|Secrets]] for projects to list all secrets in the project. For the global secrets, there is the corresponding global Secrets property. Note that the secret value cannot be retrieved even by system administrators.
Example: List global secrets:
<pre>
ToJson(Secrets);
</pre>


== Using secrets ==
== Using secrets ==

Latest revision as of 10:41, 12 May 2025

Secrets provide a method to store passwords and other confidential data in QPR ProcessAnalyzer, and use them without being able to see the stored secret values. For example in scripts, SAP, Salesforce and ODBC passwords can be stored as secrets, which can be referred by their names in the script commands.

There are project-specific and global secrets. To use a secret, the user needs to have GenericRead permission to the project (or global GenericRead to use global secrets). To define a secret, the ManageProject permission to the project is needed (or global ManageProject to define global secrets). If both a global and a project-specific secret with the same name and type are set, the project-specific secret will be used in that project, and thus the global secret is unavailable for that project.

Each secret has a type which defines in which command the secret can be used. The purpose of the type is to improve security, so that the secret can only be used in the intended command.

Setting secrets

Secrets can be set by calling the SetSecret function for the project, or the corresponding generic context SetSecret function.

Example: Set a project secret (for project id 1): 

ProjectById(1).SetSecret("sap", "SapAdminPassword", "I l0ve 5AP!");

Example: Set a global secret: 

SetSecret("sap", "SapReaderPassword", "I l0ve 5AP!");

Listing secrets

To list all secrets in the project, use the Secrets property for the project. For the global secrets, there is the corresponding global Secrets property. Note that the secret value cannot be retrieved even by system administrators.

Example: List project secrets (for project id 1): 

ToJson(ProjectById(1).Secrets);

Example: List global secrets: 

ToJson(Secrets);

Using secrets

Secrets can be used in the following commands:

Note: Currently ImportSqlQuery and ImportOleDbQuery don't yet support the secrets.

Retrieved from "https://wiki.onqpr.com/pa/index.php?title=Storing_Secrets_for_Scripts&oldid=26378"