Use Advanced Security and Administration

Print this topicEmail this topic

Rally's Advanced Security and Administration module provides teams who work in secure environments with options to control the data that is stored in the subscription, as well as the ability to integrate login authentication with existing identity management systems.

The features in Advanced Security and Administration are included free with Unlimited Edition subscriptions. Enterprise Edition users who would like to use these features may contact their account representative to add the module for an additional fee.

Note:
  • You must be a subscription administrator to enable or edit any of these features
  • The Rally Workitem connectors and the Rally SCM connectors are not compatible with this feature; however, these connectors can be used in SSO Exception Mode.

Rally Advanced Security and Administration includes the following:

File extension validation

You can control which file types can be uploaded as attachments to work items. When this policy is enabled in a subscription, Rally will validate the extension of files to be uploaded and reject any that do not match the specified types.

To set up a list of allowed file types:

  1. Click the Setup link in the upper-right corner of any Rally page.
  2. Click the Subscription tab.
  3. From Actions, select Edit Subscription.
  4. On the Edit Subscription editor, select the Attachments allow only the specified file extensions option from the Allowed File Attachments field.
  5. From the text box that displays underneath the field, enter the extensions of file types you want to allow as attachments.

    Place each extension on a new line.

  6. After you have entered all the file types necessary, click Save & Close.


Note: Files that have already been uploaded will not be flagged or removed if they do not match the allowed file types list. This feature only works for attachments added after the setting is enabled.

IP filtering

Use IP filtering to set a list or range of IP addresses that can log in. Any IP address not listed in these settings will not be able to access the Rally tool, even with the proper credentials.

Sample error from invalid IP address

To set up IP filtering:

  1. Click the Setup link in the upper-right corner of any Rally page.
  2. Click the Subscription tab.
  3. From Actions, select Edit Subscription.
  4. On the Edit Subscription editor, select the Restrict access to specified IPs option from the IP Range field.
  5. From the text box that displays underneath the field, enter multiple single IP addresses into this box or a IP address range in CIDR notation.
  6. Select the Apply IP Range restriction to Subscription Admins option if you would like subcription admins to only log in from whitelisted addresses. If this option is not selected, administrators of the subscription may log in from any IP address.
  7. Select the Enable additional Rally services integrations option to allow internal Rally applications to access the subscription. This option allows other Rally services like Flowdock to communicate with your data.
  8. After you have entered all the IP information necessary, click Save & Close.


Global whitelist

To allow internal Rally services such as Flowdock to communicate with your subscription when IP filtering is enabled, you must select the Enable additional Rally services integrations option in the subscription settings. If this option is not selected, some Rally integrations may not work properly.

Note: IP filtering will affect all users in the subscription, not just those in your workspaces.

Single Sign-On (SSO)

If you have an SAML 2.0-compliant Identity Provider (IdP), you can configure the Rally subscription to log in to Rally through Single Sign-On (SSO). The key to this secure internet SSO is your web browser. The browser interacts with the SAML 2.0-compliant Identity Provider, validates user credentials, creates the SAML assertion, and then sends the assertion to Rally. (Note: Neither the Rally Workitem connectors nor the Rally SCM connectors support this feature; however, these connectors could be used in SSO Exception Mode below)

For information on setting up and configuring SSO in your subscription, see Technical Overview for Implementing Single Sign On.

SSO with exceptions

Rally SSO provides two standard options for login control: SSO-only and hybrid (SSO or web) authentication. SSO-only is the most secure; only users authenticated on your network may log in.

However, Rally integrations for third party applications such as Quality Center and JIRA cannot access the subscription data through the web services API when using the SSO-only mode.

To provide the best security while enabling integrations, a third mode is available: SSO-only with exceptions. As our integrations require a username to fetch the subscription data, these users may be added to an exception list (or whitelist) to log in to Rally with standard web access.

You can request to use this mode when setting up your SSO with Rally Support. If you are already using SSO, follow these steps to create an exception list:

  1. Click the Setup link in the upper-right corner of any Rally page.
  2. Click the Subscription tab.
  3. From Actions, select Edit Subscription.
  4. On the Edit Subscription editor, select the SSO authentication with exceptions option from the Authentication field.
  5. From the text box that displays underneath the field, enter any usernames that you would like to have permission to access Rally outside of your network, including usernames used for integrations.

    Enter one username per line and use the full user@company.com format.

  6. After you have entered all the usernames, click Save & Close.


Note: Subscription administrators will still be able to log in using either SSO or the public link to Rally, even if they are not on the exception list.

Custom log out landing page

You may specify which URL your users are directed to when they log out of a Rally subscription using SSO. This is useful if your organization has special requirements for logging out of applications, or if you would like to provide your users with links to other resources.

To use a custom log out landing page:

  1. Click the Setup link in the upper-right corner of any Rally page.
  2. Click the Subscription tab.
  3. From Actions, select Edit Subscription.
  4. On the Edit Subscription editor, select the Specified URL option from the On SSO logout, take user to field.
  5. From the text field that displays underneath the field, enter URL of the page you would like users directed to upon log out.
  6. Click Save & Close.

Feedback

Please send us your feedback regarding our help site. For feedback regarding the Rally product, click here to open a support case or click here to submit a new feature request
English
By submitting this form, you accept the Mollom privacy policy.
© 2014 Rally Software Development Corp | Legal