VivekGoel
Level 10

Currently the bprelease package can be exported and, if taken out of the organization, it can be imported to any environment across any organization, which is against the IP rights of the original organization. It practically defies the definition of security compliance. There should be an option to password protect functionality or using RBAC to control the bprelease import within the same org only.

6 Comments
Denis__Dennehy
Level 15
I agree, there could be an option added to encrypt.

As a workaround, if your solution has the roles and permissions set up correctly, only those with the correct role/permission can create releases and it will be audited when they do so. It could be part of your internal process for those people that if any release is to be stored outside of Blue Prism your preferred file encryption tool/method must be used to secure it.
VivekGoel
Level 10
Agreed Denis, that's the only way, but that's still too much manual task to do, and to explain such things to clients we incorporated similar steps in our CoE setup model.
VladimirPerić
Level 6
Ideally this could be connected to the already configured encryption keys - select a key to encrypt it with, and if the target DB has the same key, it can be decrypted and imported, otherwise no dice.
Other customers also asked for release integrity validation through Certificates or other methods of signing the release. We need to make sure that the release being imported into the Prod environment is exactly the release exported from the lower environment for deployment. If the contents of the release change, then it should fail integrity validation on import.
AndreyKudinov
Level 10
RBAC has nothing to do with it. Encryption/signature verification are two different things, although they usually come together.
You can always just md5hash release and zip it with password.

Currently server keys are usually different for different BP instances - there would need to be separate signing/encryption keys.
Also keep in mind that changing or losing your decryption key would mean that you lost access to all of your releases without an easy way to reencrypt/decrypt them.

Simply making bprelease an optionally password protected zip file with hash would not only make it 'secure enough' for most use cases, but also make file size smaller.
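The import-time integrity check discussed in the two comments above (a key shared between environments, and a hash stored with the release), sketched as an added example that is not part of the thread and not Blue Prism functionality. It uses HMAC-SHA-256 rather than a plain MD5 hash, because an unkeyed hash can be recomputed by anyone who alters the file; it covers integrity and origin only, not encryption. The manifest layout, function names, key id and sample bytes are all assumptions made for illustration.

```python
import hashlib
import hmac
import json


def _tag(fields: dict, key: bytes) -> str:
    # HMAC over a canonical JSON form of every manifest field except the tag itself.
    body = {k: v for k, v in fields.items() if k != "hmac"}
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, raw, hashlib.sha256).hexdigest()


def sign_release(release: bytes, name: str, key: bytes, key_id: str) -> str:
    """Export side: build a detached manifest to ship next to the release file."""
    manifest = {
        "file": name,
        "size": len(release),
        "sha256": hashlib.sha256(release).hexdigest(),
        "key_id": key_id,  # tells the importer which shared key was used
    }
    manifest["hmac"] = _tag(manifest, key)
    return json.dumps(manifest, sort_keys=True)


def verify_release(release: bytes, manifest_json: str, keyring: dict) -> tuple:
    """Import side: return (ok, reason). keyring maps key_id -> key bytes."""
    try:
        m = json.loads(manifest_json)
        key = keyring[m["key_id"]]
    except (ValueError, KeyError, TypeError):
        return False, "manifest unreadable or signing key not present here"
    # Authenticate the manifest first, so its hash and size can be trusted.
    if not hmac.compare_digest(_tag(m, key), str(m.get("hmac", ""))):
        return False, "manifest HMAC mismatch"
    digest = hashlib.sha256(release).hexdigest()
    if len(release) != m["size"] or not hmac.compare_digest(digest, m["sha256"]):
        return False, "release contents differ from what was exported"
    return True, "ok"


if __name__ == "__main__":
    key = bytes(range(32))                       # constructed demo key
    data = b"constructed sample release bytes"   # stands in for a .bprelease file
    manifest = sign_release(data, "demo.bprelease", key, "coe-signing-1")
    print(verify_release(data, manifest, {"coe-signing-1": key}))
    print(verify_release(data + b"!", manifest, {"coe-signing-1": key}))
    print(verify_release(data, manifest, {}))    # environment without the key
```

As the comment above warns for decryption keys, losing the signing key here means older manifests can no longer be verified, so the key needs its own backup and rotation plan.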
MelanieGiuliani
Community Team (Retired)
Hi Vivek,

Thanks so much for submitting your idea! We are moving it into the Under Consideration status while we route the idea through our internal review process. 

We will update you as your idea moves along the lifecycle.

Thank you!
Melanie