Security
Security Policy
ERP Access is designed around secret minimization, actor-linked auditability, strong default-deny controls, and operationally safe failure behavior.
Secret handling and storage
Portal passwords, issued API passwords, client x-api-keys, and gateway tokens are never stored in plaintext. Upstream ERP secrets and cached upstream sessions are encrypted at rest.
- Portal passwords and issued client API passwords are stored with password hashing.
- Issued client x-api-keys and gateway tokens are stored as keyed hashes, not raw values.
- Upstream API passwords, upstream x-api-keys, and cached upstream tokens are encrypted with keys derived from `APP_KEY`.
Access enforcement model
Every client request is validated against account state, actor identity, issued credential status, policy grants, endpoint rules, schedule controls, and the global kill switch before it is relayed upstream.
- Unknown or unmapped endpoints fail closed.
- Policy evaluation is deny-by-default and ignores query strings for route matching.
- Revocation takes effect immediately for credential sets, access tokens, suspended accounts, and deleted policies.
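The two sections above describe keyed-hash credential storage and deny-by-default policy matching that ignores query strings. The following is an added illustration of that decision path, not ERP Access's own code: the hash key derivation from `APP_KEY`, the credential store, the policy grants and the reason strings are all constructed assumptions.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed value so the example runs offline; a real deployment would derive
# the hash key from APP_KEY with a proper KDF and keep APP_KEY out of source.
APP_KEY = b"constructed-example-app-key"
HASH_KEY = hashlib.sha256(b"api-key-hash:" + APP_KEY).digest()


def api_key_hash(raw_key: str) -> str:
    """Keyed hash of a client x-api-key. Only this digest is stored; the raw key never is."""
    return hmac.new(HASH_KEY, raw_key.encode(), hashlib.sha256).hexdigest()


# Constructed credential store: stored digest -> issued-credential record.
ISSUED_KEYS = {
    api_key_hash("ck_live_example_1234"): {"account": "acme", "revoked": False},
    api_key_hash("ck_live_revoked_9999"): {"account": "globex", "revoked": True},
}

# Constructed policy grants: account -> explicitly allowed (method, path) pairs.
# Anything not listed here is denied; there is no allow-all fallback.
POLICIES = {
    "acme": {("GET", "/api/v1/orders"), ("POST", "/api/v1/orders")},
}


def evaluate(raw_key: str, method: str, url: str, kill_switch: bool = False):
    """Return (allowed, reason). Every branch that is not an explicit grant denies."""
    if kill_switch:
        return False, "kill_switch"
    # Look up by keyed hash so the raw key is neither stored nor compared in plaintext.
    record = ISSUED_KEYS.get(api_key_hash(raw_key))
    if record is None:
        return False, "unknown_credential"
    if record["revoked"]:
        return False, "credential_revoked"
    # Route matching uses only the path; the query string cannot influence the decision.
    path = urlsplit(url).path
    if (method.upper(), path) in POLICIES.get(record["account"], set()):
        return True, "policy_match"
    return False, "no_matching_rule"
```

The returned reason is what an audit row would record as the decision path, so an operator can tell an intentional denial (kill switch, revocation, no rule) apart from an outage.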
Audit and logging controls
The gateway records a detailed audit trail for token issuance attempts and API relay requests so operators can explain who accessed what, when, and under which decision path.
- Audit rows capture correlation IDs, actor identity, token linkage, policy snapshots, matched rules, IP addresses, upstream metadata, and truncated request/response previews with sensitive values removed.
- Successful token responses redact the returned gateway token from stored response-body previews.
- Raw Authorization headers, raw bearer tokens, raw basic credentials, and raw x-api-keys are never written to logs.
Runtime restriction controls
ERP Access distinguishes between outages and deliberate operator controls. A blocked API may still be behaving correctly if a schedule, policy, or kill switch intentionally denies access.
- The global kill switch blocks public API traffic while leaving the portal itself available.
- The API access schedule defaults to Monday through Friday, 11:00 AM to 8:00 PM Pakistan time.
- Certain policies may be marked schedule-exempt, but that does not bypass authentication or account checks.
Operator responsibilities
Administrative users are expected to issue the minimum viable access needed for an integration, rotate secrets when exposure is suspected, and review audit evidence before escalating incidents.
- Do not share one-time credential banners in unsecured channels.
- Use unrestricted admin credentials only when a fully bounded policy cannot satisfy a valid internal need.
- Run schema migrations promptly after pulling application updates so security and audit features remain complete.