360view xi3 new security concepts

8/14/2019 360view Xi3 New Security Concepts

1/33

New BOE Xi 3.x security

concepts


2/33


3/33

)ecurity $einition: User rights and restrictions=links between actors (user or

group) and universesuniverse overloads, documents, applications-security

commands, domains and stored procedures

)uper/isor:user centric! security vision

0ser centric security implementation

roup inheritance: "earest value selected

#nly 3 waysto implement security$ %asy to administrate

& user can belong to more than one group:ser instances

Eecti/e ri#ht calculation depending on ob'ect

BO5 or BO6 security: Reminder


4/33

1 BO5 or BO6 security concepts

2 BOE Xi R2 security concepts

3 BOE Xi 3.x security: Whats new

! "i#ration an$ i%p&e%entation: 'ha&&en#es

5 36()uite: )trea%&ine an$ exten$ )*+

BusinessO,-ects


5/33

BOE Xir2 security concepts:Folders

Under #% ir*, universes and documents are stored within o&$ers

#b'ects can be stored in one +older only$ here are +our +older trees

Think like Windows. It is a set of doors

Unlimited +older tree (documents universes)


6/33


7/33

BOE Xir2 security concepts:Users

& user can belong to more than one group (the %veryone group, a technical group

and a +unctional one)


8/33


9/33

BOE Xir2 security concepts:Rigts o!erloads

Explicit rights override inherited rights:


10/33

BOE Xir2 security concepts:Rigts

6 possible e1plicit values on security commands:

- Exp&icit&y #rante$(O4): User or group is given the right

- Exp&icit&y $enie$(4O): User or group is denied the right

- Not speciie$(N*): "o right assignment

Eecti/e ri#hts(user real rights) = e1plicit rights aggregation

Note: 0N) %eans 0Not )peciie$

N)! can be largely used because it does not have any e++ect on e++ective rights

calculation$ Used with O4! or 4O !, it is transparent

"S O# #O O#$"S

#O$"S

O#$#O

Xir2Object

s#O O# #O O# #O #O


11/33

1 BO5 or BO6 security concepts

2 BOE Xi R2 security concepts

3 BOE Xi 3.x security: Whats new

! "i#ration an$ i%p&e%entation: 'ha&&en#es

5 36()uite: )trea%&ine an$ exten$ )*+

BusinessO,-ects


12/33

BOE Xi %&x security: Generalin'o

New '"' interace: rainin# session nee$e$

No %o$iication on contents7actors:

- 0olders organi7ation remains the same: 8 +older trees

- "o change on groups structure

- 9till * category trees

- 9ervers and connections unchanged

New 8in$ o o,-ects: *ccess &e/e& are o,-ects &i8e others

- rede+ined &ccess ;evel ("&,


13/33

BOE Xi %&x security: Rigts

5ights are now divided in collection: .eneral, /ontent, &pplication and 9ystem

5ights have been duplicated on content: >undreds o+ rights

/ontent rights overload general rights

.eneral right set: 9chedule #b'ects prohibited

/ontent right

overloads .eneral settings: 9chedule 3eski 3ocuments

allowed

Net resu&t:

)che$u&e $ocu%ents not a&&owe$ except

9es8i $ocu%ents


14/33


15/33

BOE Xi %&x security: Uni!erseslist

.ranularity possible on accessible Universes

;ist o+ universes to re+resh documents:

;ist o+ universes to create?modi+y @ueries:


16/33


17/33

BOE Xi %&x security:Folder ineritance 2(2

2mpact on rights inheritance:

5ight only applied +or one door and not to sub

doorsB


18/33

BOE Xi %&x security:,neritance

2t is possible to override e1plicitly denied rights

2t is possible to e1plicitly deny a right at a top level and then e1plicitly granted the

same right at a lower level (without breaking inheritance like in i r*):


19/33

BOE Xi %&x security:Security settings

0irst door is no longer transparent

- Aou can no longer applied "& access level to all top level doors

Aou can apply multiple rights at one intersection


20/33

BOE Xi %&x security:E-ecti!e rigts

Eecti/e ri#hts (user real rights) = e1plicit rights aggregation

"ote: "9! means "ot speci+ied!

5ights inherited +rom groups$ /ould be multiple rights

%++ective rights calculation now also depends on:- 5ights set on /ontent

- ype o+ +older inheritance

"S O# #O O#$"S

#O$"S

O#$#O

Xi !.xObject

s#O O# #O O# #O #O


21/33

BOE Xi %&x security: .at/sne01

Aou can apply right at content level$ /ontent rights override general rights

Aou can override an e1plicitly denied right at a lower level

Aou can apply a right at +older level and at sub +olders level

Aou can apply multiple rights between a +older and a group

Aou can apply granularity on the list o+ universes you want to use +or

report creation or modi+ication


22/33

Xi it


23/33

Xi securityimplementation(migration:allenges

#% i 6$1 security model is power+ul

Understand the new security concepts

- ake advantage o+ them

- 5edesign your security model

/hallenges o+ security migration or implementation:

'ha&&en#e 1:

"ana#ethe repository post migration or post implementation, whilst limitingadministration tasks and by o++ering an optimum @uality o+ service to end-users

'ha&&en#e 2:

%p&e%ent an$ 9ocu%entyour i security


24/33


25/33

User +riendly web inter+ace to

manage your security

3ocument your deployed security

&udit and clean your /C9

&ddress any kind o+ .5/


26/33

ackup, version and restore content

5estore deleted content using our

uni@ue recycle bin

3rag and drop ob'ects between /C9or schedule promotion

/ompare 9& usiness#b'ects

environments

Canage report and universec

versions


27/33

)che$u&e )*+ BusinessO,-ects reports +rom an %1cel, /9< spreadsheet or a

9D; @uery distribution list

9yna%ic sche$u&in# an$ ,urstin#

- 0ill in prompts, +ilter, +ormat and destination values within %1cel, /9


28/33


29/33


30/33


31/33

/ompare your 9& # license

pool with the licenses you have

deployed

;icense compliance is 'ust a

mouse click away


32/33

9& usiness#b'ects custom

portals$ 2n+oview or 2 ;aunch ad

substitution

0ully integrated within intranet


33/33

360view xi3 new security concepts

Documents