Use Advanced Security and Administration

CA Agile Central's Advanced Security and Administration module provides teams who work in secure environments with options to control the data that is stored in the subscription, as well as the ability to integrate login authentication with existing identity management systems.

The features in Advanced Security and Administration are included free with Unlimited Edition subscriptions. Enterprise Edition users who would like to use these features may contact their account representative to add the module for an additional fee.

Notes:
  • You must be a subscription administrator to enable or edit any of these features
  • Neither the CA Agile Central Workitem connectors nor the CA Agile Central SCM connectors support this feature; however, these connectors can be used in SSO Exception Mode (see SSO with exceptions below).

CA Agile Central Advanced Security and Administration includes the following:

File extension validation

You can control which file types can be uploaded as attachments to work items. When this policy is enabled in a subscription, CA Agile Central will validate the extension of files to be uploaded and reject any that do not match the specified types.

To set up a list of allowed file types:

  1. Click the Setup link in the upper-right corner of any CA Agile Central page.
  2. Click the Subscription tab.
  3. From Actions, select Edit Subscription.
  4. On the Edit Subscription editor, select the Attachments allow only the specified file extensions option from the Allowed File Attachments field.
  5. From the text box that displays underneath the field, enter the extensions of file types you want to allow as attachments.

    Place each extension on a new line.

  6. After you have entered all the file types necessary, click Save & Close.


Note: Files that have already been uploaded will not be flagged or removed if they do not match the allowed file types list. This feature only works for attachments added after the setting is enabled.

IP filtering

Use IP filtering to set a list or range of IP addresses that can log in. Any IP address not listed in these settings will not be able to access the CA Agile Central tool, even with the proper credentials.

Sample error from invalid IP address

To set up IP filtering:

  1. Click the Setup link in the upper-right corner of any CA Agile Central page.
  2. Click the Subscription tab.
  3. From Actions, select Edit Subscription.
  4. On the Edit Subscription editor, select the Restrict access to specified IPs option from the IP Range field.
  5. From the text box that displays underneath the field, enter multiple single IP addresses into this box or a IP address range in CIDR notation.
  6. Select the Apply IP Range restriction to Subscription Admins option if you would like subscription admins to only log in from whitelisted addresses. If this option is not selected, administrators of the subscription may log in from any IP address.
  7. Select the Enable additional CA Agile Central services integrations option to allow internal CA Agile Central applications to access the subscription. This option allows other CA Agile Central services like Flowdock to communicate with your data.
  8. After you have entered all the IP information necessary, click Save & Close.


Global whitelist

To allow internal CA Agile Central services such as Flowdock and capacity planning to communicate with your subscription when IP filtering is enabled, you must select the Enable additional CA Agile Central services integrations option in the subscription settings. If this option is not selected, some CA Agile Central integrations may not work properly.

Note: IP filtering will affect all users in the subscription, not just those in your workspaces.

Single Sign-On (SSO)

If you have an SAML 2.0-compliant Identity Provider (IdP), you can configure the CA Agile Central subscription to log in to CA Agile Central through Single Sign-On (SSO). The key to this secure internet SSO is your web browser. The browser interacts with the SAML 2.0-compliant Identity Provider, validates user credentials, creates the SAML assertion, and then sends the assertion to CA Agile Central.

Note: Neither the CA Agile Central Workitem connectors nor the CA Agile Central SCM connectors support this feature; however, these connectors could be used in SSO Exception Mode (see SSO with exceptions below).

For information on setting up and configuring SSO in your subscription, see Technical Overview for Implementing Single Sign-On.

SSO with exceptions

CA Agile Central SSO provides two standard options for login control: SSO-only and hybrid (SSO or web) authentication. SSO-only is the most secure; only users authenticated on your network may log in.

However, CA Agile Central integrations for third party applications such as Quality Center and JIRA cannot access the subscription data through the web services API when using the SSO-only mode. You can configure the integration through either an SSO exception or an API key.

To provide the best security while enabling integrations, a third mode is available: SSO-only with exceptions. As our integrations require a username to fetch the subscription data, these users may be added to an exception list (or whitelist) to log in to CA Agile Central with standard web access.

Important: Do not select SSO with Exceptions from the drop-down list if you do not have any exceptions. Doing so may cause issues with user authentication.

You can request to use the SSO-only with exceptions mode when setting up your SSO with CA Agile Central Support. If you are already using SSO, follow these steps to create an exception list:

  1. Click the Setup link in the upper-right corner of any CA Agile Central page.
  2. Click the Subscription tab.
  3. From Actions, select Edit Subscription.
  4. On the Edit Subscription editor, select the SSO authentication with exceptions option from the Authentication field.
  5. From the text box that displays underneath the field, enter any usernames that you would like to have permission to access CA Agile Central outside of your network, including usernames used for integrations.

    Enter one username per line and use the full user@company.com format.

  6. After you have entered all the usernames, click Save & Close.


Note: Subscription administrators will still be able to log in using either SSO or the public link to CA Agile Central, even if they are not on the exception list.

Custom log out landing page

You may specify which URL your users are directed to when they log out of a CA Agile Central subscription using SSO. This is useful if your organization has special requirements for logging out of applications, or if you would like to provide your users with links to other [no-lexicon]resources.

To use a custom log out landing page:

  1. Click the Setup link in the upper-right corner of any CA Agile Central page.
  2. Click the Subscription tab.
  3. From Actions, select Edit Subscription.
  4. On the Edit Subscription editor, select the Specified URL option from the On SSO logout, take user to field.
  5. From the text field that displays underneath the field, enter URL of the page you would like users directed to upon log out.
  6. Click Save & Close.

Feedback

Need more help? The CA Agile Central Community is your one-stop shop for self-service and support. To submit feedback or cases to CA Agile Central Support, find answers, and collaborate with others, please join us at rallycommunity.rallydev.com.