Security Measures
Security within ONESOURCE Indirect Tax Determination is provided by the following means:
- Secure Sockets Layer (SSL), in current deployments its successor TLS, for HTTP connections
- Transaction Authentication
- Password Authentication
- User Roles
Each of the security measures is described below.
Securing HTTP Connections
When tax professionals log on to Determination to make configurations, they send information across computer networks, a path on which it can be intercepted or altered. To reduce the risk of data interception, always run Determination over a secure HTTP (HTTPS) connection. HTTPS uses a digital certificate to authenticate the application server to the browser and TLS to encrypt the data that flows between the browser and Determination on the application server, so that login credentials and configuration data are protected in transit. Each application server has its own way to establish secure connections. Below are the general steps for configuration; refer to your application server documentation or contact your application server vendor for specific instructions.
- Acquire a certificate from a trusted certificate authority, or generate a self-signed certificate. A self-signed certificate must be imported into the trust store of every client that connects; otherwise browsers show certificate warnings that users learn to click through, which defeats the purpose of the check.
- Import the certificate, together with its root or intermediate chain, into the Java keystore on each application server host. Restrict the keystore file and its private key so that only the account the application server runs as can read them.
- Configure your application server to accept connections over HTTPS.
- Optional but recommended: configure your application server to force or redirect unsecured HTTP connections to HTTPS, so that a user who types a plain http:// URL never submits credentials in clear text.
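A post-configuration check for the steps above, added here as an example and not part of the ONESOURCE documentation or product: it verifies that the application server's certificate chain validates against the CA chain you imported (with host-name matching) and that a plain HTTP request is redirected to HTTPS. The host name, ports, path and CA file path are placeholders for your own deployment.

```python
"""Added example (not ONESOURCE code): verify the HTTPS configuration of a
Determination application server from a client workstation.  Host names,
ports and the CA file path are assumptions for your deployment."""
import http.client
import ssl
import sys
from typing import Optional
from urllib.parse import urlparse


def tls_chain_verifies(host: str, port: int = 443, cafile: Optional[str] = None) -> dict:
    """Open a TLS connection with certificate-chain and host-name verification.

    cafile: PEM file holding the root/intermediate chain from step 2 (export it
    from the keystore with `keytool -exportcert -rfc` if needed).  None means the
    system trust store, which is right for a certificate from a public CA.
    Raises ssl.SSLCertVerificationError for a self-signed or mismatched
    certificate the client has not been told to trust, which is the point.
    """
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2       # refuse SSLv3 / TLS 1.0 / TLS 1.1
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    try:
        conn.connect()                                 # handshake and verification happen here
        cert = conn.sock.getpeercert()
        return {"subject": cert.get("subject"), "issuer": cert.get("issuer"),
                "notAfter": cert.get("notAfter"), "protocol": conn.sock.version()}
    finally:
        conn.close()


def redirect_enforces_https(status: int, location: Optional[str], expected_host: str) -> bool:
    """Decide whether an HTTP response is a redirect to https:// on the same host.

    Kept as a pure function so the decision can be unit-tested without a network."""
    if status not in (301, 302, 307, 308) or not location:
        return False
    target = urlparse(location)
    return target.scheme == "https" and (target.hostname or "").lower() == expected_host.lower()


def http_redirects_to_https(host: str, port: int = 80, path: str = "/") -> bool:
    """Step 4 check: an unencrypted request must be redirected, not served."""
    conn = http.client.HTTPConnection(host, port, timeout=10)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return redirect_enforces_https(resp.status, resp.getheader("Location"), host)
    finally:
        conn.close()


if __name__ == "__main__":
    # usage: python check_https.py determination.example.com [chain.pem]
    target_host = sys.argv[1]
    chain_file = sys.argv[2] if len(sys.argv) > 2 else None
    print("TLS:", tls_chain_verifies(target_host, cafile=chain_file))
    print("HTTP -> HTTPS redirect:", http_redirects_to_https(target_host))
```

Run it from a workstation that does not already trust the certificate: if step 1 used a self-signed certificate that has not been distributed, the first call fails with a verification error, which is exactly the warning your users would see in their browsers.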
Transaction Authentication
You can use the default built-in authentication method to enable transaction security. This method requires the submitting source system to authenticate before calculation, and therefore before anything is written to the audit database, takes place. Without it, anyone who can reach the calculation interface can pass in bogus transactions, which are calculated and recorded, corrupting the audit database. Enable this authentication by:
- Setting the Configuration parameter CALC_AUTHENTICATION_REQUIRED to Y.
- Granting the Source System role to a Determination user, ideally a dedicated account used only by the source system and holding no other roles. See User Roles.
- Including the <USERNAME> and <PASSWORD> input XML element data for this user in each batch of transaction data submitted to ONESOURCE Indirect Tax Determination. Because the password travels inside the XML, submit batches only over the HTTPS connection described above.
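The following is an added example, not ONESOURCE code: a small model of the authentication gate described above, run over constructed sample batches. It shows that with CALC_AUTHENTICATION_REQUIRED set to N any caller can push bogus transactions into the audit store, and that with Y a batch is rejected before calculation unless it carries the <USERNAME>/<PASSWORD> of a user holding the Source System role. The surrounding element names (BATCH, TRANSACTION, AMOUNT, RATE), the role spelled as the string "Source System", the in-memory user store and the hashing scheme are assumptions made for the example; only the parameter name, the two element names and the role come from the documentation.

```python
"""Added example (not ONESOURCE code): model of the transaction authentication
gate.  Element names other than USERNAME/PASSWORD, the user store and the
hashing scheme are assumptions; the sample batches are constructed."""
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

SOURCE_SYSTEM_ROLE = "Source System"
PBKDF2_ROUNDS = 100_000


def make_user(password: str, roles) -> dict:
    """Store a salted PBKDF2 hash of the password, never the password itself."""
    salt = os.urandom(16)
    return {"salt": salt,
            "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
            "roles": set(roles)}


def password_matches(user: dict, password: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, user["hash"])   # constant-time comparison


USERS = {
    "erp-feed": make_user("correct horse battery staple", [SOURCE_SYSTEM_ROLE]),
    "analyst":  make_user("Analyst!2024", ["Tax Analyst"]),   # no Source System role
}
DUMMY_USER = make_user("unused", [])   # hashed against for unknown names so timing does not leak them


def authenticate_batch(batch: ET.Element, users: Dict[str, dict]) -> Optional[str]:
    """Return None if the batch carries valid Source System credentials, else the rejection reason."""
    username = batch.findtext("USERNAME")
    password = batch.findtext("PASSWORD")
    if not username or password is None:
        return "USERNAME/PASSWORD elements missing"
    user = users.get(username, DUMMY_USER)
    if not password_matches(user, password) or username not in users:
        return "invalid credentials"
    if SOURCE_SYSTEM_ROLE not in user["roles"]:
        return "user lacks the Source System role"
    return None


def submit_batch(xml_text: str, config: Dict[str, str], users: Dict[str, dict], audit: List[dict]) -> dict:
    """Calculate tax for each transaction and write it to the audit store, but only
    after the authentication gate when CALC_AUTHENTICATION_REQUIRED is Y."""
    batch = ET.fromstring(xml_text)
    if config.get("CALC_AUTHENTICATION_REQUIRED", "N").upper() == "Y":
        reason = authenticate_batch(batch, users)
        if reason is not None:
            return {"accepted": False, "reason": reason, "written": 0}   # audit store untouched
    written = 0
    for txn in batch.findall("TRANSACTION"):
        amount = float(txn.findtext("AMOUNT", "0"))
        rate = float(txn.findtext("RATE", "0"))
        audit.append({"id": txn.get("id"), "tax": round(amount * rate, 2)})
        written += 1
    return {"accepted": True, "reason": None, "written": written}


# Constructed sample input for the example, not real transaction data.
BOGUS_BATCH = """<BATCH>
  <TRANSACTION id="bogus-1"><AMOUNT>999999</AMOUNT><RATE>0</RATE></TRANSACTION>
</BATCH>"""
GOOD_BATCH = """<BATCH>
  <USERNAME>erp-feed</USERNAME><PASSWORD>correct horse battery staple</PASSWORD>
  <TRANSACTION id="inv-1001"><AMOUNT>100.00</AMOUNT><RATE>0.20</RATE></TRANSACTION>
</BATCH>"""
WRONG_ROLE_BATCH = GOOD_BATCH.replace("erp-feed", "analyst").replace("correct horse battery staple", "Analyst!2024")


def demo() -> dict:
    """Run the same bogus batch through both settings so the difference is visible."""
    open_audit: List[dict] = []
    closed_audit: List[dict] = []
    on, off = {"CALC_AUTHENTICATION_REQUIRED": "Y"}, {"CALC_AUTHENTICATION_REQUIRED": "N"}
    return {
        "N_bogus": submit_batch(BOGUS_BATCH, off, USERS, open_audit),
        "N_audit_rows": len(open_audit),
        "Y_bogus": submit_batch(BOGUS_BATCH, on, USERS, closed_audit),
        "Y_good": submit_batch(GOOD_BATCH, on, USERS, closed_audit),
        "Y_wrong_role": submit_batch(WRONG_ROLE_BATCH, on, USERS, closed_audit),
        "Y_audit": closed_audit,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The gate runs before the loop that writes audit rows, so a rejected batch leaves no trace in the audit store; that ordering is what the parameter buys you.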
Password Authentication
Once you have completed the initial installation of ONESOURCE Indirect Tax Determination, protect the user screens by changing the password of the built-in ^dba account before the system is exposed to users. Change it from the initial value of "password" to a value that at least meets the validation rules below; the initial value is documented and therefore the first thing an attacker will try. For details about how to change the password, consult Edit Users.
All users must log in with a password. Initial passwords are assigned by the User Administrator, and Determination can be configured so that users must change them on their first login.
By default, ONESOURCE Indirect Tax Determination enforces password changes on a regular basis, and validates each new password against the following rules:
- Minimum and maximum length: 6 and 60 characters by default.
- At least one upper-case letter and at least one non-alphabetic character (a digit or symbol) per password; enforced by default.
If desired, you can use Configuration Security parameters to relax the password change and validation requirements. Before relaxing them, remember that weaker rules lower the cost of guessing passwords, including those of the ^dba account and any Source System user.
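The default rules above, implemented as an added example (not ONESOURCE code) that a User Administrator can run over candidate passwords before assigning them. The 6/60 length bounds and the upper-case plus non-alphabetic requirement come from the documentation; the function names, the keyword arguments that stand in for the relaxable Configuration Security parameters, and the sample passwords are assumptions made here. The rotation interval is not stated in the documentation, so the rotation check takes it as an argument rather than assuming a value.

```python
"""Added example (not ONESOURCE code): the default password validation rules
and a rotation check.  Function names and keyword arguments are assumptions;
the numeric defaults are the documented ones."""
from datetime import date
from typing import List

DEFAULT_MIN_LENGTH = 6
DEFAULT_MAX_LENGTH = 60
DEFAULT_REQUIRE_MIXED = True   # upper-case + non-alphabetic, enforced by default


def password_problems(candidate: str,
                      min_length: int = DEFAULT_MIN_LENGTH,
                      max_length: int = DEFAULT_MAX_LENGTH,
                      require_mixed: bool = DEFAULT_REQUIRE_MIXED) -> List[str]:
    """Return every rule the candidate breaks (an empty list means acceptable).

    Reporting all failures at once rather than the first lets an administrator
    fix a rejected password in a single round."""
    problems = []
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if len(candidate) > max_length:
        problems.append(f"longer than {max_length} characters")
    if require_mixed:
        if not any(ch.isupper() for ch in candidate):
            problems.append("no upper-case letter")
        if not any(not ch.isalpha() for ch in candidate):
            problems.append("no non-alphabetic character")
    return problems


def is_acceptable(candidate: str, **policy) -> bool:
    """Convenience wrapper; pass relaxed limits as keyword arguments."""
    return not password_problems(candidate, **policy)


def needs_rotation(last_changed: str, today: str, max_age_days: int) -> bool:
    """Regular forced changes: True once the password is older than the configured
    maximum age.  Dates are ISO-8601 strings (YYYY-MM-DD); the interval is passed
    in because the documentation does not state the default."""
    age = date.fromisoformat(today) - date.fromisoformat(last_changed)
    return age.days > max_age_days


if __name__ == "__main__":
    # "password" is the initial value of the ^dba account and fails two rules at once.
    for sample in ["password", "Pa1", "Correct-Horse-7", "a" * 61 + "B1"]:
        print(repr(sample[:20]), password_problems(sample) or "acceptable")
```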
User Roles
When you log on, you log on to a company with which your user has been associated. You can access only the Determination pages for which the User Administrator has granted you access through user roles. In this way, each user is limited to the functions necessary to complete assigned tasks (the principle of least privilege).
Administration of users and user roles, including adding, modifying, and deleting users, attaching and detaching roles from users, and changing user passwords, is available only to users with the User Administrator role. No other users can modify this data.
For more information see the description of the User Administrator role and a list of predefined roles in Roles and Permissions.