Light My Way - Documentation

Page Content

1 System Requirements
- 1.1 Client
- 1.2 Server
2 Architectural overview
3 Security
4 Client Installation
- 4.1 Specific site limitations
- 4.2 Access Token (Authentication)
- 4.3 Managed storage keys
- 4.4 Registry entries using file
- 4.5 Connecting to the data service
5 Server Installation
6 Open source licenses

System Requirements

Client

Supported browsers:

Chrome
Microsoft Edge

If there is a need for Light My Way on any other browser, contact us, we are happy to add it.

Server

The server is hosted as a cloud service and made available to customers as part of the subscription.

For special cases there is an on-prem hybrid concept for private networks.

Architectural overview

The web extension architecture allows to provide user guidance without dependency to normal release cycles. No access to the server of the target application is required and guides recorded and distributed for CLOUD hosted target platforms is supported. Light My Way has no footprint on the target server application whatsoever and no server-side deployment is required.

Security

Data stored in server repository
- Data classification: Internal
- Content (guides) recorded by customer ( ‘click here’ + html identifier)
- Content (guides) controlled by customer in Admin UI
- Configurations using UI key values (css/xpath selectors for button ID’s etc)
- Subscription audit detail (3DEXPERIENCE user id’s, last use dates etc)
- No scripts, SQL or executable entries are stores in the data
- Sanitized HTML used for rich text (quilljs)
Access control
- User: JWT token (registry to request header)
- Author: JWT token (registry to request header) + Passkey
- Admin: Passport (username / password)
Web Extension (Client)
- Integrity: reviewed, approved, hosted and secured by chrome store
- Quality assured, scanned and tested before all (releases)
- Does not load or evaluate any scripts dynamically (css/xpath and sanitized rich text format)
- Manifest Permissions: storage, webNavigation, unlimitedStorage, contextMenus
Tools
- Vulnerability scans (dependency track) executed and acted on continuously
  - Zero vulnerability policy
- Static code analytics (SonarQube)
- Controlled build chain (jenkins)
- Controlled deploy (terraform, docker)
Production env
- Runtime security (Upwind)
- WAF
- Secret management
- DB Encryption
Traceability / audit
- History of configuration changes in admin UI
Protocol
- SSL/HTTPS
ISO 27001 (information security)
- Certified and audited on a yearly basis. We are continuously following up and mitigating security risk and have a security mindset in everything we do.

Client Installation

The client extension is one and the same for consumers and authors, it includes the default part used for consuming guides and by enabling author mode from the extension popup, the user can start creating guides after also providing an author key.

For web extension side loading by registry, the ExtensionSettings policy is used. For detailed understanding, please refer https://docs.microsoft.com/en-us/deployedge/microsoft-edge-manage-extensions-ref-guide and https://docs.google.com/document/d/1pT0ZSbGdrbGvuCsVD2jjxrw-GVz-80rMS2dgkkquhTY/edit#!

Specific site limitations

Restricting the extension access to the sites it is intended for is good practice. This so that the panel tabs or evaluation is excluded on all other sites. Site access is controlled using the runtime_allowed_hosts registry entry.

"runtime_allowed_hosts"="[\"https://lmw.technia.cloud\",\"://example.com\",\"://*.3ds.com\"]"

If limiting to specific sites, the data service host https://lmw.technia.cloud must be included for Light My Way server communication to work

Access Token (Authentication)

To lock down access to the guide data a token can be generated with your account. If activated the token will be required to gain access to guide data.

As of this release the Light My Way team will generate the access token for you.

Access Token - Renewal

For increased security the access token can be renewed on a regular basis, but note that you would also have to deploy a new token to all clients.

The current access token will automatically become outdated as a new token is generated.

Access Token - Distribution

Distribution of the access token to clients is done by managed storage in registry. This means that the same distribution method is used for the access token as for the extension itself. Read more about managed storage here:https://developer.chrome.com/docs/extensions/mv3/manifest/storage/.

A managed storage key is only accessible by the extension itself (and those with access to read the registry). The token is added to and passed to the data service call with encrypted request headers.

Note that the proper manifest an managed storage schema configuration is already included with the product and you do not have to bother about that. An example of how to distribute the access token is included with the sample reg file in below chapter.

See below for more properties and settings that can be added to managed storage.

Managed storage keys

Key	Type	Description	Default value	Accepted values

Key	Type	Description	Default value	Accepted values
`accessToken`	`string`	Used to automatically authentication the extension to your account.	`null`	Access token provided by LMW team.
`account`	`string`	Used to prefill the account part of the server settings.	`null`	Your account name (usually company name). E.g. `technia`
`host`	`string`	Used to prefill the host part of the server settings.	`https://lmw.technia.cloud`	Full URL to LMW server.
`repo`	`string`	Used to prefill the repository part of the server settings. Leave empty for root repository connection.	`null`	Your repository name (usually company name). E.g. `production`
If `account`, `host` and `repo` is set then the extension will automatically connect to the repository without the user having to enter anything in the server settings.
`lmw-server-url-editable`	`boolean`	Used to toggle if the user should be able to edit the server settings.	`dword:00000001`	`dword:00000001` = true, `dword:00000000` = false
`lmw-author-mode`	`boolean`	Used to toggle if the extensions author panel should be visible.	`dword:00000000`	`dword:00000001` = true, `dword:00000000` = false
`hosted-guides-path`	`string`	Used to connect the extension to self-hosted repository.	`null`	Full URL to data repository. E.g. `https://companyurl/path-to-repository`
`hosted-guides-file`	`string`	Used to specify the file name of the data JSON file in the `repository`.	`null`	E.g. `data.json` Will default to folder name e.g. `https://companyurl/repository/repository.json`
`usage-logs-url`	`string`	Used to log usage data on customer hosted solution.	`null`	Full URL to server endpoint. E.g. `https://companyurl/server/usage`
`privacy-mode`	`boolean`	If set to false plaintext names will be logged instead of obfuscated.	`dword:00000001`	`dword:00000001` = true, `dword:00000000` = false
`windows-user`	`expandable string (REG_EXPAND_SZ)`	Used to extract the windows username for logging.	`null`	`%USERNAME%`
`lmw-registry-script-executed`	`number`	Used to force all values in the registry entry to be replaced by the content of the registry file.	`null`	`dword:XXXXXXXX` (replace X with numbers), E.g. `dword:00000001`

Note: Privacy policy update needed for usage / platform insight

Registry entries using file

Registry entries could be defined using file. Such a file is simply a text file with the .reg extension that will add registry entries when executed.

Sample registry files are available at https://products.technia.com

Installing registry entries using file

Users can double click a .reg file to add the registry entries.
For large scale distribution, Group Policy Preferences(GPP) allows the administrator to easily import a .reg file into Group Policy with several registry settings.

Uninstalling registry entries using file

Added entries can be removed at any time using the same import method on modified .reg files by adding hyphen(-) before every value. Example:- "installation_mode"=-"normal_installed"

For further information on REG files, please refer https://support.microsoft.com/en-us/topic/how-to-add-modify-or-delete-registry-subkeys-and-values-by-using-a-reg-file-9c7f37cf-a5e9-e1cd-c4fa-2a26218a1a23

Connecting to the data service

If the client is installed with the needed registry entries (account, host and repo) the extension will automatically connect to the repository without the need to manually enter the server url.

Connecting unmapped data service

It is possible to connect with unmapped server repositories using the Server field in the web extension menu found at the top right of your browser. This could be useful for authors connecting to sandbox guide repositories etc that should not be used by the overall user community.

Click the extensions menu
Click “Light My Way“ icon
Enter server URL with domains and press ENTER
“Connected successfully” should appear in green

Server Installation

The normal setup is that TECHNIA will host the data service in the CLOUD and all you have to do is to connect to the account you get with your subscription.

On-prem hybrid

There are cases when cloud for different reasons is not feasible. For such cases we recommend a hybrid approach where guide creation and testing takes place in the cloud on a non sensitive data dev env. Once ready for production deploy the guide data is exported and the extension is downloaded for on-prem hosting. This solution require some minimal effort and the TECHNIA team can do the heavy lifting upgrading and migrating unsensitive guide data on the cloud.

Hybrid on-premises (LMW)

Open source licenses

Unable to render {include} The included page could not be found.

Installation (LMW)