Securing MagicTools – for PI

How your organization can use MagicTools – for PI with security and data sensitivity in mind

Installation

Application – “MagicTools – for PI” is a Windows application named MagicTools.exe that is installed locally on a Windows computer or within a Mac Parallels virtual Windows environment on a Mac computer. It relies on the .NET framework and several library files installed along with the main program.

Installer – It is installed using an executable installer program, MagicToolsforPISetup.exe, which is created by Inno Script Studio.

Code Signing – The software is signed by a code-signing certificate issued to Believable Magic LLC by Sectigo RSA Code Signing CA.

Configuration

User Settings – Configuration settings are stored locally for each user of the software in a folder only accessible to that user. For example:
C:\Users\{username}\AppData\Local\Believable_Magic_LLC\MagicTools.exe_Url_{uniqueId}\1.3.4.21246

Upgrades – After upgrading MagicTools software, when the software is first started up, a new settings file is created in a folder named for that version by copying the previous version’s settings file forward.

Unencrypted – Configuration settings are stored in an unencrypted state to make it convenient for a user to review their own settings file contents if necessary.

Settings

Two of the settings displayed in the Setup tab within the MagicTools software and stored in the configuration file are considered sensitive:

  • MagicTools License Key – this key is obtained from the seller and is used to validate that the current user is licensed. MagicTools makes a web service call to an endpoint on the believablemagic.com server to validate the current license key. It is the responsibility of the licensed organization to put this key only into the hands of people who are authorized to use the MagicTools software on behalf of the organization.
  • Predictive Index API Key – this key is generated within the administrative user interface of the PI Software by a Site Admin or Account Admin user of the PI software. Any actions taken via MagicTools using this API Key are recorded within the PI software as actions of the API Key owner. This key is considered sensitive data because it grants access via the Predictive Index API to data stored in the PI software. Learn more about: Using PI API Keys

The sensitivity of the PI API Key described above is the reason that Believable Magic recommends the following two guidelines:

  • For PI Users – MagicTools – for PI is intended for use by those individuals who have already been entrusted with access to the organization’s PI data via a PI user account.
  • Individual API Keys – MagicTools users should each be given an individual PI API Key that is associated with an assigned PI user account so that they may access and modify the same data via MagicTools as they are able to access and modify through the PI software directly.

No New Permissions – API Keys don’t have more power than their users do. Providing an individual API Key to a trusted PI user does not extend their access and control privileges, it only enables them to use those privileges more efficiently and powerfully through MagicTools.

API Access Required – API Keys are only useful to PI client organizations that have API Access turned on. PI clients may ask the PI Support team to turn on API Access for your organization if this has not already been done.

Securing the Data

No Internet Storage – All data processed by MagicTools is directly accessed via the Predictive Index API over the Internet from the local computer, storing no data on any other system anywhere on the Internet apart from the local computer running MagicTools.

No Believable Magic Access – Believable Magic systems never handle or touch the PI data handled locally by MagicTools.

Local Output Files – MagicTools generates log files and (optionally) export files that contain plain text copies of whatever PI data is handled by the actions being taken by the user. All of these log and export files are placed into a user-selected Processing Output Location folder.

Output File Disposal– It is the end user’s responsibility to ensure that any log and export files are properly disposed of after they are no longer needed.