Backfeed URL security

web.config

Because the user requesting the Backfeed page will not be logged into Q_Panel, the path to OutcomeResult.aspx must allow anonymous access. This is achieved by adding the following to the web.config:

  <location path="ClientBackfeed">
    <system.web>
      <authorization>
        <allow users="*"/>
      </authorization>
    </system.web>
  </location>

Trusted Login

To enable the Backfeed URL to access the core Q_Panel functionality a trusted login process is required.  To do this, the process interrogates the operating system to get the name of the currently logged on user.  For the Backfeed URL this is determined by how the application pool used by Q_Panel is set up.

Q_Panel Application Pool

If the Identity of the App Pool is set to 'ApplicationPoolIdentity', then the currently logged on user is returned as the name of the Application Pool.  This is normally how it is set up.

The trusted login searches for the Q_Panel User account whose Network Id field matches the Identity that the Application Pool is running under.

The table below shows the other possible values:

| Application Pool Identity | Q_Panel User Network Id |
|---|---|
| ApplicationPoolIdentity | Name of application pool used by Q_Panel (e.g. MarscAppPool). “Load User Profile” must be set to True for this application pool. |
| LocalService | LOCAL SERVICE |
| LocalSystem | SYSTEM |
| NetworkService | MACHINENAME$ (e.g. BOB-LAPTOP$) |
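
To confirm which Network Id the Backfeed URL user needs on a given server, the following script reads the application pool's identity from IIS and applies the mapping in the table above. It is an added example, not part of Q_Panel; it assumes the IIS WebAdministration PowerShell module is installed and that it is run in an elevated session on the web server, and the parameter name and output fields are illustrative.

```powershell
# Added example (not Q_Panel code): report the Network Id that the Backfeed URL
# user must carry, based on how the Q_Panel application pool is configured.
param(
    [Parameter(Mandatory = $true)]
    [string]$AppPoolName   # e.g. MarscAppPool, the example name used in the table
)

Import-Module WebAdministration -ErrorAction Stop

$poolPath = "IIS:\AppPools\$AppPoolName"
if (-not (Test-Path $poolPath)) {
    throw "Application pool '$AppPoolName' was not found in IIS."
}

# processModel holds the identity type and the Load User Profile setting.
$processModel = Get-ItemProperty -Path $poolPath -Name processModel
$identityType = [string]$processModel.identityType

# Mapping taken from the table above.
switch ($identityType) {
    'ApplicationPoolIdentity' { $networkId = $AppPoolName }
    'LocalService'            { $networkId = 'LOCAL SERVICE' }
    'LocalSystem'             { $networkId = 'SYSTEM' }
    'NetworkService'          { $networkId = $env:COMPUTERNAME + '$' }
    default                   { $networkId = $null }
}

if ($null -eq $networkId) {
    # For example a custom account (SpecificUser), which the table does not list.
    Write-Warning "Identity type '$identityType' is not covered by the table."
}

# The table requires Load User Profile = True for ApplicationPoolIdentity.
if ($identityType -eq 'ApplicationPoolIdentity' -and -not $processModel.loadUserProfile) {
    Write-Warning "'Load User Profile' is False on '$AppPoolName'; set it to True."
}

[pscustomobject]@{
    AppPool           = $AppPoolName
    IdentityType      = $identityType
    LoadUserProfile   = [bool]$processModel.loadUserProfile
    ExpectedNetworkId = $networkId
}
```

Compare the ExpectedNetworkId value with the Network Id field of the Backfeed URL user in User Manager; a mismatch means the trusted login will not find the account.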

Backfeed URL User

A new Q_Panel user should be created (e.g. named BackfeedURL) which will be used exclusively by the Backfeed URL. This user must:

  • be a ‘Service’ account type
  • have the Network Id set appropriately depending on the application pool identity (see table above)
  • be a member of a security group or groups that give it access to the backfeed functions (see below), as well as access to the child database. This could be a new Backfeed URL security group, or an existing group such as Admin or Admin (global)

The Backfeed URL security group should have access to the child database and the following functions:

  • Administration/Backfeed/Submit
  • Maintenance/Outcome Code/New

Users can be created using User Manager and security groups can be created using Group Manager, both of which can be found within the Security menu of Q_Panel.