Prevent unauthorized access to systems
Cyberattacks and other forms of unauthorized access pose a constant threat to IT systems. Fortunately, many tools are available to counter these threats and shield your infrastructure.
Authenticate users and devices
With P4, you can implement user authentication by using either passwords or tickets. You can also configure password strength. Authentication can be integrated with an external Active Directory or Lightweight Directory Access Protocol server. Alternatively, use the internal P4 Server user database. Additionally, users can authenticate via a cloud identity provider (IdP) using the SAML or OIDC protocols. See Authentication options and P4 Authentication Service.
Grant access and permissions
The process of granting access rights and permissions is designed to ensure that only authorized users, user groups, devices, and other entities can access a system, application, or network.
P4 Server provides a protection scheme to prevent unauthorized or inadvertent access to files in the depot. The protections determine which P4 Server commands can be run, on which files, by whom, and from which host. You configure protections with the p4 protect command. For more information, see Access authorization. Periodically, conduct a review of superuser privileges. Ensure that the privileges are granted only to users who require super access. Also ensure that new users are granted only the minimum access that they require.
Follow these guidelines:
- When specifying security levels, do not grant permissions to user * because this configuration can lead to unauthorized access.
- Review the settings for the configurables that enforce access control. Ensure that the default settings are used because they are designed to enforce security. For example, to limit the number of login attempts, ensure that 3 is specified for the dm.user.loginattempts configurable. To ensure that only a user with super access can create users, ensure that 2 is set for the dm.user.noautocreate configurable. To help prevent automatic creation of users, ensure that 0 is set for the auth.ldap.userautocreate configurable unless the server is configured to use LDAP. To learn more, see LDAP authentication.
In addition, you can improve security by creating service users for server-to-server authentication, as described in Service users. You can also create operator users. Operator users are system administrators who maintain the server environment but are not direct users of P4. For a description of the user types, see p4 user.
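The two checks above (no grants to user * in the protections table, and the three access-control configurables at their recommended values) can be scripted against the output of p4 protect -o and p4 configure show. The following is an added example written for this page, not Perforce code; the sample outputs are constructed, and the "name=value (source)" layout assumed for p4 configure show should be checked against your server before use.

```python
import re

# Values the page recommends; auth.ldap.userautocreate applies only when LDAP is not in use.
RECOMMENDED = {"dm.user.loginattempts": "3", "dm.user.noautocreate": "2",
               "auth.ldap.userautocreate": "0"}

# Constructed sample of `p4 protect -o` output (not captured from a real server).
SAMPLE_PROTECT = """\
Protections:
\twrite user * * //...
\tsuper user p4admin * //...
\tread group auditors * //depot/logs/...
"""

# Constructed sample of `p4 configure show` output; the "name=value (source)" layout is assumed.
SAMPLE_CONFIGURE = """\
dm.user.loginattempts=10 (configure)
dm.user.noautocreate=2 (configure)
auth.ldap.userautocreate=1 (configure)
"""


def audit_protections(protect_output):
    """Return protection lines that grant access to the wildcard user '*'."""
    findings, in_table = [], False
    for line in protect_output.splitlines():
        if line.startswith("Protections:"):
            in_table = True
            continue
        fields = line.split()  # mode, type, name, host, path
        if not in_table or len(fields) != 5:
            continue
        # Exclusion lines (path beginning with "-") revoke access and are not grants.
        if fields[1] == "user" and fields[2] == "*" and not fields[4].startswith("-"):
            findings.append(" ".join(fields))
    return findings


def audit_configurables(configure_output, uses_ldap=False):
    """Return {configurable: (actual, recommended)} for settings that deviate from the guidance."""
    actual = dict(re.findall(r"^([\w.]+)=(\S+)", configure_output, re.M))
    deviations = {}
    for key, expected in RECOMMENDED.items():
        if key == "auth.ldap.userautocreate" and uses_ldap:
            continue  # the page's guidance for this configurable applies only without LDAP
        if actual.get(key) != expected:
            deviations[key] = (actual.get(key), expected)
    return deviations


if __name__ == "__main__":
    print(audit_protections(SAMPLE_PROTECT), audit_configurables(SAMPLE_CONFIGURE))
```

On a live server, feed the script the real command output (for example, p4 protect -o and p4 configure show piped into it) and treat every finding as an item for the periodic privilege review.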
Set up the system user
P4 Server does not require privileged access. For security reasons, do not run the p4d service as root or otherwise grant the owner of the p4d process root-level privileges.
Implement firewalls
Firewalls serve as a barrier between a trusted internal network and untrusted external networks, such as the internet.
You can set up secure communication between clients and servers, and between servers. Run P4 behind a VPN. If that option is not feasible, set up SSL/TLS encrypted connections as described in Secure data in motion and firewalls as described in Firewalls. By using firewalls, you can help prevent outside access to any other services running on the P4 Server host.
Implement logging
Logging can be implemented to gather operational and security data for a system, identify performance and security issues, and minimize the risk of data breaches.
With P4, you can enable auditing and monitor audit file access by using the P4AUDIT feature, which logs individual access to an audit log. See Auditing user file access.
User activity information, including date, time, username, workspace, client application, IP address, command, and triggers, can be recorded in a server log. See Using P4LOG. This type of logging generates unstructured logs. However, the preferred method is to use structured logs, which provide more information and can more readily be exported to other tools. For details, see Structured logs.
Starting with P4 Server version 2024.2, you can export a structured server log file to an external service by using the OpenTelemetry Protocol (OTLP). The OTLP feature is available only for P4 Servers running on the Linux 64-bit platform. For more information, see p4 logexport. To ensure that log data is properly archived and does not consume excessive disk space, consider enabling a log rotation and retention policy.
Restrict access to any file systems that store the P4 Server audit and server logs.