Table of Contents
- Introduction & Service Profiles
- Domain Review
- CSP Configuration and Editing
- CSP Violation Detection and CSP Management
- CSP Alerts
Introduction & Service Profiles
The Services & CSP Management Module gives users the ability to build, deploy and monitor a CSP on their site. Here, domains can be inventoried, approved or rejected, domain whitelists can be created, CSPs can be created, and ultimately user sites can be monitored for domain whitelist and CSP violations. Let's dive into how the CSP management system works and cover some important terminology.
Service Profile Organization and Management
In Blue Triangle, the hierarchy of Service Profiles is as follows: one or more domains make up a service, and one or more services make up a vendor. See the interactive demo below for more information on this hierarchy and where to find the information on the Service Details page.
The demo will also walk through the End User managed process and Blue Triangle managed process for Service Profile creation.
How to Create Service Profiles
New Service Profiles can be created on the Service Profiles page in the portal. The following interactive demo will walk through how to create Service Profiles in the Blue Triangle Portal.
How to Edit Service Profiles
Once a Service Profile has been created, it can be edited at any point on the Service Profiles page.
Domain Review
Domains must be approved by both a Tag Governance Admin AND a Security Admin. Both of these are user roles that can be assigned to a Blue Triangle portal user with an access level of “Department Admin” or higher for the site that will contain that CSP configuration. Both of these roles can be fulfilled by one person.
Any service profile configured for the account and/or site adds to a review list of domains that must be approved or not approved before becoming available for use in CSP configuration. If you do not see a domain you expect to see, first check the service profile. Click edit on the service profile of concern; at this point, domains that have been added may be added to the configuration. From here, click save. These domains will then be available to approve.
Domain Review Color Coding
Note that both the Security Admin and the Tag Management Admin must approve a domain. If neither has approved or rejected a domain yet, that domain will not be color-coded and will be considered “pending”.
If only one approves, the domain will be considered still “pending” approval but will be color-coded yellow.
If one approves and the other rejects a domain, the domain will be considered “rejected” and will become color-coded red in the domain review list.
Only if both approve will the domain be considered “approved,” color-coded green, and allowed for use in CSP configuration.
See below for an example of various combinations of approval and the impact on color-coding in the list.
While reviewing domains on a case-by-case basis is recommended, bulk review is possible. Both Security Admins and Tag Management Admins can click the box under the check-mark (approve) or the ex-mark (reject) in the domain review list. Doing so triggers the following message popups, which require additional input to bypass and save changes:
Need to export the Domain Review List?
The list of domains can be exported via TSV or CSV when opening the modal and selecting one of those options from the dropdown at the top right of the table. This may facilitate the initial review process when first approving and rejecting domains for use on a site’s CSP.
Unassigned Domains
Follow this interactive demo to see if you have any domains that are currently not assigned to any Service Profile. If you see any domains listed here, please reach out to your BT Representative to sort them to the appropriate service.
CSP Configuration and Editing
Configuring a New CSP
When naming the CSP, please note that the CSP name affects only the way it is recorded in Blue Triangle’s system for listing and editing in the “Configured Content Security Policies” section of the previous page. If the CSP manager of the site will ultimately be responsible for multiple environments and multiple versions of a CSP on a single site, a naming convention that differentiates those factors is recommended.
Note that once a CSP has been created, its name can be changed in subsequent versions, which is useful if the naming convention changes between pre-production environments and production environments.
Editing an Existing CSP
CSP Violation Detection and CSP Management
Once a CSP has been placed on a customer’s site in a non-blocking or a blocking mode, CSP violations (in the case of blocking) or Whitelist violations (in the case of non-blocking) will be recorded in the Domain Violation & Audit Log.
What to Do When a Domain in the Log Needs to be Used in the CSP:
If a domain in the Domain Violation & Audit Log needs to be used in a CSP, it must first be approved by the Tag Management Admin and Security Admin for use in the CSP. After it’s approved for use, it will still be detected and logged when it appears on the site until it is added into the active CSP on the page or pages where the violation was detected.
To add a newly approved domain to a CSP, navigate to the CSP Manager page, look for the CSP to be edited under the “Currently Configured CSPs” section, and click the pencil icon to the left of the row.
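The two-role approval rules from the Domain Review section and the rule above that an approved domain keeps being logged until it is in the active CSP, sketched as an added example (this is not Blue Triangle's code). The field names, the script-src directive, the mapping of non-blocking mode to the standard Report-Only header, and the handling of a rejection paired with no decision are assumptions.

```javascript
// Added example, not Blue Triangle code. Field names, the script-src
// directive and the Report-Only mapping are assumptions.

// Decisions: true = approved, false = rejected, null = not yet reviewed.
function reviewStatus(securityAdmin, tagAdmin) {
  if (securityAdmin === true && tagAdmin === true) return { status: "approved", color: "green" };
  // Assumption: any rejection wins, including reject + undecided.
  if (securityAdmin === false || tagAdmin === false) return { status: "rejected", color: "red" };
  if (securityAdmin === true || tagAdmin === true) return { status: "pending", color: "yellow" };
  return { status: "pending", color: null };
}

// Build a policy from fully approved domains only (fail closed).
function buildCsp(reviews, blocking) {
  const allowed = reviews
    .filter(r => reviewStatus(r.securityAdmin, r.tagAdmin).status === "approved")
    .map(r => r.domain)
    .sort();
  return {
    header: blocking ? "Content-Security-Policy" : "Content-Security-Policy-Report-Only",
    value: ["script-src 'self'", ...allowed].join(" "),
  };
}

// Decide what to do with a domain seen in the violation log.
function triage(domain, reviews, activeCspDomains) {
  const r = reviews.find(x => x.domain === domain);
  if (!r) return "unreviewed: needs domain review first";
  const { status } = reviewStatus(r.securityAdmin, r.tagAdmin);
  if (status !== "approved") return status + ": not eligible for the CSP";
  return activeCspDomains.includes(domain)
    ? "approved and already in the active CSP"
    : "approved: edit the CSP to add it, logging continues until then";
}

// Constructed sample data.
const REVIEWS = [
  { domain: "cdn.example.com", securityAdmin: true, tagAdmin: true },
  { domain: "tags.example.net", securityAdmin: true, tagAdmin: null },
  { domain: "ads.example.org", securityAdmin: true, tagAdmin: false },
  { domain: "new.example.com", securityAdmin: true, tagAdmin: true },
];
```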
CSP Alerts