Important Security Policy Updates - Effective December 14th

Cristinel Anastasoaie - Monday, November 21, 2011

Updated - Friday, 25 November: to reduce the amount of work required to update existing websites, we are keeping the {tag_recipientpassword} functional until our January release. All the other changes will be released as planned on December 14th.

Effective December 14th 2011, we will be changing the way we handle CRM user passwords, for security reasons. In order to achieve a greater level of security, we are going to update some of our Admin Console user interfaces and CRM APIs. Existing customer reports will also be altered during the update.

Below is a list of user interfaces and APIs impacted by the change:

  • BC Admin > Customers > Customers > View customer details: CRM user password will be obfuscated
  • BC Admin > Customers > Customers > Edit customer details: CRM user password will be obfuscated; site admin or partner will still be able to update the password
  • BC Admin > Reports > Customer Reports > New Customer Report > Step 2 - Select fields: Password field will be removed from the list of available fields, making the password field unavailable in Customer Reports
  • BC Admin > Reports > Customer Reports > Saved Customer Reports > View data: Password field will be removed from ALL saved reports; customer sites will be altered
  • BC CRM APIs > ContactList_Retrieve, Contact_RetrieveByEmailAddress, Contact_RetrieveByEntityID, Contact_RetrieveByExternalID, Contact_RetrieveByUsernamePassword, Contact_Retrieve, Contact_Retrieve (message name Contact_Retrieve2), Contact_Retrieve (message name Contact_Retrieve3) - Password field will return an empty value.
  • Moved in our January release: BC Admin > Email Marketing > Create campaign - {tag_recipientpassword} will be deprecated and customers will be unable to send the password in email campaigns; when running the campaign, the tag will return an empty value.

December security update FAQ

Q: Can a Partner or Site Admin still update a CRM user password in the Admin UI?
A: Yes, Site Admins and Partners can still enter a new CRM user password through the Edit Customer UI. The new value will be saved and used to log in to secure zones.

Q: How can a Partner or Site Admin help CRM users recover their passwords?
A: Since the CRM user password is no longer readable by Site Admins or Partners in Reports or in the Manage Customers UI, we encourage Partners to use the following methods to help customers retrieve their passwords:

  • Use "Email Login Details" from Customer Details > Manage Customer Subscriptions screen
  • Update login pages to include a "Forgot Password" form which customers can use to retrieve their secure zone passwords; read the Allowing Customers to view and update CRM details article on the Business Catalyst Knowledge Base for more information on how to help secure zone customers retrieve their passwords.

Q: What happens when the password field is left blank in the import file?
A: We will update the import functionality so that it does not overwrite the existing password with a blank password. Starting with the next release, leaving the password field blank will keep the existing password. The following use cases apply when updating or inserting customers through import and the API:

  • If contact exists in CRM and password field is left blank in the import file, the system will keep the value existing in the database
  • If contact exists in CRM and password field includes a value in the import file, the system will update the password with the value provided in the import file
  • If contact does not exist in CRM and password field is left blank in the import file, the system will create a new contact and will not generate a password for it
  • If contact does not exist in CRM and password field includes a value in the import file, the system will create a new contact and create a password based on the value provided in the import file
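As an added example (not Business Catalyst's own code), the following Python sketch applies the four import rules above to rows of a constructed import file and mirrors the API change listed earlier by returning an empty Password field from a retrieve call. It assumes passwords are stored only as salted PBKDF2 hashes, which the announcement does not specify.

```python
import hashlib
import hmac
import os

# Constructed in-memory CRM store, username -> record. The password is held
# only as salt + PBKDF2 hash: an assumption about how "no longer readable"
# is implemented, since the announcement does not describe the storage.
CRM = {}

def _hash_password(password, salt=None):
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest

def import_contact(row):
    """Apply the four import rules from the FAQ to one import-file row.

    Returns a tag naming the rule that fired so callers can audit the decision.
    """
    username = row["username"]
    password = row.get("password", "")
    existing = CRM.get(username)
    if existing is not None:
        if password == "":
            return "kept-existing"           # rule 1: blank never overwrites
        existing["salt"], existing["hash"] = _hash_password(password)
        return "updated"                     # rule 2: value provided, replace
    record = {"username": username, "email": row.get("email", ""),
              "salt": None, "hash": None}
    CRM[username] = record
    if password == "":
        return "created-no-password"         # rule 3: no password generated
    record["salt"], record["hash"] = _hash_password(password)
    return "created-with-password"           # rule 4

def verify_login(username, password):
    """Secure-zone login check; a contact without a password cannot log in."""
    record = CRM.get(username)
    if record is None or record["hash"] is None:
        return False
    _, digest = _hash_password(password, record["salt"])
    return hmac.compare_digest(digest, record["hash"])

def contact_retrieve(username):
    """Mirror the Contact_Retrieve change: the Password field comes back empty."""
    record = CRM[username]
    return {"username": record["username"], "email": record["email"],
            "password": ""}
```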

Q: Following the January release, can Partners or Site Admins still automate the Secure Zone login by appending username and password to a URL?
A: No. Starting with our January release, site customers will have to enter username and password when accessing a secure zone. To avoid entering login credentials the next time they access the site, site customers can check the "Remember me" checkbox.

Q: Following the January release, can partners send the login details to contacts created using import or APIs?
A: Starting with our January release, we will replace the existing workflow used to send login information with a more secure one. Partners will be able to include in the email a one-time token which will redirect first-time users to a screen where they can enter their password.

We will send a separate email communication to all Partners whose sites are using customer reports or APIs to retrieve CRM user passwords.

Please make sure that your customers and team members are aware of these important updates.

Thank you for all of your help and support,

Cristinel Anastasoaie
Adobe Business Catalyst Product Manager
