Validation checklist
Environment: cloud
3 minutes to read
My custom application is ready. What should I consider before I ask for a validation test?
Development Tools subscription
Access to a customer's tenant from a custom application requires an active Development Tools subscription license. The license is purchased by the customer.
If the subscription is discontinued, any custom applications will lose access to that tenant.
Security
- All redirection URLs and all URLs embedded in web panels are secure: run the Qualys SSL Labs SSL Server Test against each host and aim for an A rating
- SSL 2.0 and 3.0 are disabled
- TLS 1.2 is supported
- All data is validated on input and escaped on output
- The application uses federated authentication and validates all tokens received from SuperOffice
Provisioning
The SuperOffice App Manager grants explicit consent to approved custom applications during activation.
Custom apps therefore do not need to implement the workflow for giving consent.
Error handling
- The application handles scenarios where access to the customer's database is lost, for example during our maintenance windows; check the tenant status page
Limit your searches
- API calls don't choke the database, see best practices
- Ensure the user types at least 3 characters before you start searching for contacts, persons, email addresses, selections, and similar
- No more than 10 API calls per second
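The two search rules above (at least 3 typed characters, at most 10 API calls per second) can be enforced on the client side before any request leaves the application. The following is an added example, not SuperOffice's code: `fetch` stands in for the real contact search call, and the clock and sleep functions are injectable so the limiter can be exercised with the constructed `FakeClock` instead of real time.

```python
"""Client-side guard for the two search rules: no API call until the user has
typed at least 3 characters, and never more than 10 API calls per second.

Added example, not SuperOffice's code. `fetch` stands in for the real contact
search call; clock and sleep are injectable so the limiter can be tested
deterministically with the constructed FakeClock below."""
from collections import deque
import time

MIN_SEARCH_CHARS = 3        # checklist: at least 3 characters before searching
MAX_CALLS_PER_SECOND = 10   # checklist: no more than 10 API calls per second


class ApiThrottle:
    """Sliding one-second window: a call is allowed when fewer than `limit`
    calls have been made in the trailing second; otherwise the caller waits."""

    def __init__(self, limit=MAX_CALLS_PER_SECOND,
                 clock=time.monotonic, sleep=time.sleep):
        self.limit = limit
        self.clock = clock
        self.sleep = sleep
        self.calls = deque()   # timestamps of calls inside the window
        self.waits = 0         # number of times a caller had to pause

    def acquire(self):
        while True:
            now = self.clock()
            # Evict timestamps that have aged out of the trailing second.
            while self.calls and now - self.calls[0] >= 1.0:
                self.calls.popleft()
            if len(self.calls) < self.limit:
                self.calls.append(now)
                return
            # Window is full: sleep until the oldest call expires, then retry.
            self.waits += 1
            self.sleep(1.0 - (now - self.calls[0]))


def search_contacts(throttle, fetch, typed):
    """Type-ahead handler: short input returns [] without touching the API."""
    term = typed.strip()
    if len(term) < MIN_SEARCH_CHARS:
        return []
    throttle.acquire()
    return fetch(term)


class FakeClock:
    """Constructed test clock: sleeping advances time instead of blocking."""

    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def sleep(self, seconds):
        self.t += seconds


def demo(keystrokes=("a", "ab", "abc"), burst=25):
    """Run a burst of searches against a fake API and report
    (api_calls_made, times_throttled, simulated_seconds_elapsed)."""
    clock = FakeClock()
    throttle = ApiThrottle(clock=clock.now, sleep=clock.sleep)
    api_calls = []

    def fake_fetch(term):           # stands in for the SuperOffice search call
        api_calls.append(term)
        return [f"contact matching {term!r}"]

    for typed in keystrokes:        # "a" and "ab" are ignored; "abc" triggers a call
        search_contacts(throttle, fake_fetch, typed)
    for _ in range(burst - 1):      # the rest of the burst, same term
        search_contacts(throttle, fake_fetch, "abc")
    return len(api_calls), throttle.waits, clock.now()


if __name__ == "__main__":
    print(demo())   # a burst of 25 searches needs two pauses: (25, 2, 2.0)
```

A sliding window is used rather than a fixed per-second counter because a fixed counter lets 20 calls through in a few milliseconds around the second boundary, which is exactly the burst the rule is meant to prevent.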
Protect your web panels
- Information doesn't leak via web panels (and thus get forwarded to others who are not authorized)
- The context identifier template variable (`uctx`) and the user login associate ID (`usid`) are part of the URL of all web panels you add
- `usec` is never passed as a parameter in the URL
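Putting the "validate on input, escape on output" rule and the web panel rules together: the panel should reject a URL that lacks `uctx` or `usid`, that carries `usec` as a parameter, or that is not HTTPS, and should escape any user-controlled value before rendering it. This is an added example, not SuperOffice's code. The checklist does not document the exact formats of `uctx` and `usid`, so the two regular expressions below are assumptions and should be tightened to the values your tenant actually sends; the hostname and sample values are constructed.

```python
"""Defensive handling of the URL a SuperOffice tenant uses to open a web panel.

Added example, not SuperOffice's code. The checklist says `uctx` and `usid`
are part of every web panel URL and that `usec` is never a URL parameter.
The formats of `uctx` and `usid` are NOT given on the checklist: the regexes
below are assumptions to be tightened against real tenant values."""
import html
import re
from urllib.parse import urlsplit, parse_qs

# Assumed formats (not from the checklist): context id as a short alphanumeric
# token, associate id as a positive integer.
UCTX_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")
USID_RE = re.compile(r"^[1-9][0-9]{0,9}$")
FORBIDDEN_PARAMS = {"usec"}   # a secret must never travel in the URL


class PanelRequestError(ValueError):
    """Raised for any panel URL that fails validation."""


def parse_panel_url(url):
    """Validate on input: return {'uctx': str, 'usid': int} or raise."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise PanelRequestError("web panel URLs must use https")
    params = parse_qs(parts.query, keep_blank_values=True)
    leaked = FORBIDDEN_PARAMS & set(params)
    if leaked:
        raise PanelRequestError(f"secret must not be in the URL: {sorted(leaked)}")
    out = {}
    for name, pattern in (("uctx", UCTX_RE), ("usid", USID_RE)):
        values = params.get(name, [])
        # Exactly one value, matching the expected shape; duplicates are rejected.
        if len(values) != 1 or not pattern.fullmatch(values[0]):
            raise PanelRequestError(f"missing or malformed {name}")
        out[name] = values[0]
    out["usid"] = int(out["usid"])
    return out


def is_valid_panel_url(url):
    """Boolean form of parse_panel_url for callers that only need yes/no."""
    try:
        parse_panel_url(url)
        return True
    except PanelRequestError:
        return False


def render_greeting(display_name, ctx):
    """Escape on output: every value that originated outside the application
    is HTML-escaped before it is placed in markup."""
    return (f"<p>Hello, {html.escape(display_name)} "
            f"(associate {ctx['usid']} in tenant {html.escape(ctx['uctx'])})</p>")


if __name__ == "__main__":
    # Constructed sample URL; the host and ids are not real tenant values.
    sample = "https://panel.example.test/view?uctx=Cust12345&usid=42"
    ctx = parse_panel_url(sample)
    print(render_greeting("Mc<Donald> & Co", ctx))
```

Rejecting a URL that contains `usec` (rather than silently ignoring the parameter) is deliberate: if the secret ever appears in a URL it will already be in browser history, proxy logs and Referer headers, and the panel should surface that misconfiguration rather than keep working.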
System user and important rules
- Never rename the owner company (the `contact.name` field for the company with the `contact_id` found in the Company database table). If you do, our license check fails and all users are locked out!
- Persons may be associates. If a person has a row in the associate table, then:
  - don't update the person's company (`person.contact_id`)
Warning
You must protect the customer database from total destruction, which will require Online Operations to update the database manually. Use the system user with great caution.
Maintenance window
- You will handle unavailability scenarios such as when CRM Online is not available
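The two unavailability items (lost database access during a maintenance window, and CRM Online not being available) call for the same pattern: retry a bounded number of times with increasing delays, then fail gracefully instead of crashing or hammering the tenant. This is an added example, not SuperOffice's code. `TenantUnavailable` and the constructed `FlakyTenant` stand in for whatever your HTTP client raises on a 503 or a dropped connection, and `sleep` is injectable so the retry schedule can be checked without waiting.

```python
"""Degrade gracefully when the customer's tenant database is unreachable, for
example during a maintenance window.

Added example, not SuperOffice's code. `TenantUnavailable` and the constructed
`FlakyTenant` stand in for whatever your HTTP client raises on a 503 or a
dropped connection; `sleep` is injectable so the retry schedule is testable."""
import time


class TenantUnavailable(Exception):
    """Raised when the tenant is down (maintenance, connectivity loss)."""


def call_with_backoff(operation, attempts=4, base_delay=0.5, sleep=time.sleep):
    """Retry `operation` with exponential backoff (0.5s, 1s, 2s, ...).

    Returns the operation's result, or None once all attempts fail so the UI
    can show a 'temporarily unavailable, see the tenant status page' message
    instead of surfacing a stack trace."""
    delay = base_delay
    for attempt in range(1, attempts + 1):
        try:
            return operation()
        except TenantUnavailable:
            if attempt == attempts:
                return None
            sleep(delay)
            delay *= 2


class FlakyTenant:
    """Constructed fake: fails `failures` times, then answers normally."""

    def __init__(self, failures):
        self.failures = failures
        self.requests = 0

    def get_contacts(self):
        self.requests += 1
        if self.requests <= self.failures:
            raise TenantUnavailable("503 during maintenance window")
        return ["contact A", "contact B"]   # constructed sample data


def run_scenario(failures, attempts=4):
    """Return (result, requests_made, sleeps) for a tenant that fails
    `failures` times before recovering."""
    tenant = FlakyTenant(failures)
    sleeps = []
    result = call_with_backoff(tenant.get_contacts, attempts=attempts,
                               sleep=sleeps.append)
    return result, tenant.requests, sleeps


if __name__ == "__main__":
    print(run_scenario(2))    # recovers on the third request
    print(run_scenario(10))   # still down after four attempts: result is None
```

Keep the attempt count small and the delays growing: during a maintenance window every tenant of yours is failing at once, and a tight retry loop turns a planned outage into a self-inflicted flood the moment the service comes back.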