Framework/Configurations/SVT/Services/ODG.json
{
"FeatureName": "ODG", "Reference": "aka.ms/azsdkosstcp", "IsManintenanceMode": false, "Controls": [ { "ControlID": "Azure_ODG_Config_Lockdown_Server", "Description": "ODG must be installed on a hardened locked down VM", "Id": "ODG110", "ControlSeverity": "High", "Automated": "No", "MethodName": "", "Recommendation": "Locking down machine isolates ODG tool and prevents malfunctioning programs from damaging or snooping on the data source machine. ", "Tags": [ "SDL", "TCP", "Manual", "Config" ], "Enabled": true }, { "ControlID": "Azure_ODG_DP_Disabled_Additional_Log", "Description": "Additional logging in diagnostics should be disabled", "Id": "ODG120", "ControlSeverity": "Low", "Automated": "No", "MethodName": "", "Recommendation": "Additional logs in ODG tool contains all the data passing through ODG. If its required to enable additional logs than keep/share the logs in encrypted format.", "Tags": [ "SDL", "Best Practice", "Manual", "DP" ], "Enabled": true }, { "ControlID": "Azure_ODG_ACLS_DataSource_Privacy", "Description": "Privacy level setting must be configured to private while using ODG in PowerBI.", "Id": "ODG130", "ControlSeverity": "High", "Automated": "No", "MethodName": "", "Recommendation": "With privacy level settings, user can specify an isolation level that defines the degree that one data source must be isolated from other data sources. Refer: https://support.office.com/en-us/article/Privacy-levels-Power-Query-CC3EDE4D-359E-4B28-BC72-9BEE7900B540?ui=en-US&rs=en-US&ad=US", "Tags": [ "SDL", "TCP", "Manual", "ACLS" ], "Enabled": true }, { "ControlID": "Azure_ODG_ACLS_Least_Permission_While_Sharing", "Description": "Must use the least required permission based on scenario while sharing gateways through PowerApps/Flow", "Id": "ODG140", "ControlSeverity": "High", "Automated": "No", "MethodName": "", "Recommendation": "Any one from these permissions must be provided while sharing gateways through PowerApps. Can use - Can use the gateway to use and create apps and flows. Can use + share - Can use the gateway to use and create apps and flows, and can share the gateway for others to use. Admin - Manages the gateway, can use the gateway to create apps and flows, can share the gateway with users tenant wide, can specify the type of connections that can be used with the gateway, and can delete the gateway. Refer: https://powerapps.microsoft.com/en-us/tutorials/share-app-resources/#on-premises-data-gateways", "Tags": [ "SDL", "TCP", "Manual", "ACLS" ], "Enabled": true }, { "ControlID": "Azure_ODG_BCDR_Design_Failover_Plan", "Description": "Failover plan should be designed as per business requirements.", "Id": "ODG150", "ControlSeverity": "Medium", "Automated": "No", "MethodName": "", "Recommendation": "Out of the box no failover support is provided with ODG. So custom failover plan should be designed (e.g. To minimize the response time, ODG should be setup on another machine from where data source is accessible.)", "Tags": [ "SDL", "TCP", "Manual", "BCDR" ], "Enabled": true }, { "ControlID": "Azure_ODG_AuthZ_Grant_Min_Access", "Description": "User accounts/roles connecting to data source must have minimum required permissions", "Id": "ODG160", "ControlSeverity": "Medium", "Automated": "No", "MethodName": "", "Recommendation": "All user accounts/roles which are involved in ODG must have minimum required access rights to data source. (e.g. If Gateway is fetching data from data source then user role must have read-only access.)", "Tags": [ "SDL", "TCP", "Manual", "AuthZ" ], "Enabled": true } ] } |