Administrators can secure access to Hybrid Data Pipeline resources by implementing IP address whitelists. When an IP address whitelist is enabled for a resource, any user attempting to reach the resource from an IP address that is not on the whitelist is denied access, and a 403 access-denied error is returned. Access to the following resources can be managed with IP address whitelists.
Management API
Administrators API
Data access (ODBC, JDBC, and OData)
Web UI access (system level only)
IP address whitelists can be applied at the system level, the tenant level, the user level, or some combination of these levels. The following rules apply when IP address whitelists are implemented.
When an IP address whitelist is set at the system level, users across the system must access the given resource from an IP address or range of IP addresses specified in the whitelist.
When an IP address whitelist is set at the tenant level, users who reside in the tenant must access the resource from an IP address or range of IP addresses specified in the whitelist.
When an IP address whitelist is set at the user level, the specified user must access the resource from an IP address or range of IP addresses specified in the whitelist.
When an IP address whitelist is set at multiple levels for a given resource, Hybrid Data Pipeline first checks the system level, then the tenant level, and then the user level. If the check at any level fails, the user is denied access.
Web UI access may only be set at the system level.
Note:
IP address whitelist restrictions do not apply when resources are accessed from a local host.
The IP address whitelist feature is enabled by default. However, if a whitelist has not been defined for a particular resource, all IP addresses will be allowed access to that resource.
In the event that an IP address whitelist implementation inadvertently prevents administrators from using Hybrid Data Pipeline, an administrator can bypass the whitelist by accessing the service directly from any machine hosting the service. First, the administrator must have access privileges to the host machine. Next, the administrator can access the service from a host machine by replacing the server name in the Hybrid Data Pipeline URL with localhost, 127.0.0.1, or ::1. Then, the administrator can disable the IP address whitelist feature or update the implementation as desired.
Depending on the level at which IP address whitelists are being implemented, an administrator must have certain permissions.
An administrator with the Administrator (12) permission can implement and create whitelists for all resources at the system, tenant, and user levels.
An administrator with the following permissions can create whitelists for resources at the tenant level: the MgmtAPI (11) permission, the IPWhiteList (29) permission, and administrative access to the tenant.
An administrator with the following permissions can create whitelists for resources at the user level: the MgmtAPI (11) permission, the IPWhitelist (29) permission, and administrative access to the tenant to which the user belongs.
An administrator who does not have the Administrator (12) permission, but wants to use the Web UI to apply IP address whitelists, must have the WebUI (8) permission.
IP address whitelists can be configured through the Web UI or the Hybrid Data Pipeline API. See the following topics for details.