Security Considerations for the OMI web client

The OMI web client allows users to open OMI ViewApps from workstations or other devices (such as a phone or tablet) where no System Platform components are installed. To support secure access from non-System Platform nodes, anonymous access is not allowed and an administrator must configure a System Management Server.

You cannot use OMI web client to open another process on the device on which it is running. For example, you cannot open a native desktop application or a command window on the device.

When the Galaxy uses operating system group-based security, the OMI web client does not support user role and access level-based navigation. All navigation nodes will always be displayed regardless of access levels or user roles that may be assigned to them. Any user who can open the ViewApp can access all nodes and see all objects tracked by the ViewApp

You cannot use the OMI web client if you are using Galaxy security as the authentication mode for your Galaxy. You must use one of the other authentication modes: None, OS User-based, OS Group-based, or Authentication Providers.

Note: The OMI web client only supports authentication using AIM, and the authentication happens in the AIM node.

If you have configured your Galaxy to use OS user security, and a user tries to log in as a local OS user (such as localhost/user1) to an OMI web client app running on a remote node, authentication may fail. This is because the localhost will be interpreted as the machine which AIM is running, and the localhost/user1 of the AIM machine may not have permissions set up properly in the Galaxy.

ViewApp namespace attributes related to security do not show the correct values based on the logged-in user.