External End User Authentication

If you are having a problem using Fortress, post a message here.

Moderator: SourceGear

Post Reply

Would you like to see external user authentication and code review in Fortress?

No votes
Total votes: 2

Posts: 2
Joined: Sat Jul 18, 2009 7:34 pm

External End User Authentication

Post by Devgineer » Sat Jul 18, 2009 8:39 pm


This is more of a feature request than a bug or support request.

I am currently evaluating Fortress using the single user license. I am wondering if it is possible to create external users and password protect the customer portal? This would be an excellent feature as it would prevent having to deploy VPN and better secure work item tracking. Currently if the external user portion of Fortress is made available to a public IP address anyone can see what projects your company is working on and SPAM bug requests can be easily submitted. Using a VPN as pointed out in another post, will require purchasing VPN licenses for external users.

I'm trying to figure out if it's best to get Fortress and pay for web only licenses for each customer's users/beta testers or to stick with Vault and use a third party tool like Ontime or FogBugz. I will also be using a code review tool from SmartBear that integrates with Vault. The code reviewer and customer will each only have one log in but the developer will then have 3 logins, 1 for Vault, 1 for SmartBear, and 1 for OnTime. Having just 2 logins would simplify things greatly and I think browsing through source control/work items in Fortress would provide a better user experience than a Vault/Ontime combo.

Is external user authentication something that might be added to Fortress 2.0? Being able to track bugs, feature requests, etc. for customer's on a per user basis would make Fortress rock solid (code review would be a nice addition too).

Looking forward to your response.

Posts: 8550
Joined: Wed Jun 21, 2006 8:24 pm
Location: SourceGear

Re: External End User Authentication

Post by Beth » Mon Jul 20, 2009 8:33 am

One shouldn't be able to see your projects just from using an external IP address. Users will still have to login before they can get information. If you use the External Add feature for your customers, they shouldn't be able to see your projects either.

What I've seen some users do is have users send an email if they want to submit an issue, and the reply email contains a link to the External Add feature so they can log it. That way one can verify that the user is not spam before providing the link. Some users place the External Add link right on their company websites for customers to use, and so far, I have no reports of spam coming in through that feature. Depending on how public that is though, it doesn't prevent someone from just being malicious and submitting manually a bunch of adds. That's more work than an average spammer is willing to go through. I think the users that make the option to add available to customers put the link on a webpage that the customer has to register to see.

I can put in a feature request though to require a login to use the External Add. Fortress 2.0 already has all its features set, but that feature can be considered for some future release.

Using web-only licenses is more secure, but more expensive. You can limit which projects a login has access to as well so that customers can't see all the projects. In the admin web page, expand the project, and then click on the link called Project Access. If you had a user that only needed access to one project, you could allow access to that one and deny access on the others. If you need assistance with setting that up, just let me know.
Beth Kieler
SourceGear Technical Support

Post Reply