application of data-level security in framework manager - presentation

7/29/2019 Application of Data-level Security in Framework Manager - Presentation

1/46

Applica'onofdata-levelsecurity

inFrameworkManagerPresenters:

JimGrossTexasTechUniversity(TTU)

DarrelPyleSouthernMethodistUniversity(SMU)

SwethaSiripurapuTheUniversityofOklahoma(OU)


2/46

JimGross(formerlyofTexasTechUniversity)

SeniorERPAnalyst

OfficeofInformaHonTechnologyServices

SamoustonStateUniversityBox2449untsville,TX77341

[email protected]


3/46

TexasTechUniversityAgenda

Whatisdata-levelsecurity? Whatisanexampleofdata-levelsecurity? CreaHonoftheSecurityQuerySubject ApplicaHonofdata-levelsecurityatTexas

TechUniversity Pros/ConsofusingFrameworkManagerto

implementsecurity?

owisdata-levelsecuritymaintained?


4/46

Whatisdata-level(rowlevel)securityandhow

isitdifferentfromothersecurityCognos?

Object-levelSecurity:Defineswhichusershaveaccesstofolders,reportsorpackages.Data-levelSecurity:Allowstheusertoonlyseetheirdatawithinaquerysubject.

ColumnSecurity:Defineswhetherauserhasaccesstoafieldinthequerysubject:e.g.SSN


5/46

Whatisanexampleofdata-levelsecurity?

Data-levelsecuritycanbeexplainedbygiving

theexampleofasalesdepartment.TheSalesManagerhasaccesstoallsalesdataforall

regions;whereas,eachsalespersoncanonly

seethedatafortheirsalesregion.(North,

South,East,andWest)


6/46

Crea'onoftheSecurityQuerySubject

Expandsecuritytabletolowestlevel(7th)oftheOrganizaHonalierarchy.

#sq($account.defaultName)#macrousedtoacquireusername(eRaider)

Filterthesecurityquerysubjectbythecurrentuser.


7/46

Applica'onofdata-levelsecurityatTexasTech

SecurityFilterProperty All_AuthenHcated-Group [TARGET_QS].[ORGN]in([SECURITY_QS].

[ORGN])


8/46

Pros/ConsofusingFrameworkManagerto

implementdata-levelsecurity?

PROs Securityiseasilyimplemented/modified SecuritycanbegrouporrolebasedCanbebasedoffexisHngsecuritysystems

CONs

BypassofsecuritythroughuseofSQLobjectsinreportstudio


9/46

Howwillthedata-levelsecuritymaintained?

TheidealistohavethebusinessunitsmaintainthereownsecurityneedsthroughanapplicaHon.

Ifonedoesnotexist,asimplewebapplicaHoncanbecreatedtoassistintheprocess.

Excelspreadsheet


10/46

DarrelPyle

SeniorBusinessSystemsAnalyst

BudgetsOffice-BI/DataWarehousing

SouthernMethodistUniversityP.O.Box750505,Dallas,TX75275-0505

[email protected]


11/46

ApplicaHonofDataLevelSecurityatSMU

Complexity:

9,614DeptIDvalues 6,335acHve 3,279historicDeptIDvalues

394NodesinaraggedDeptIDtree 125CognosusersfortheFinancialspackage


12/46

ApplicaHonofDataLevelSecurityatSMU

Severalpiecesworkingtogether:

1.DeptIDtreeinPeopleSoFinancials2.CognosSecuritypageinPeopleSoFinancials3.ETLs

i.

FS_ORG_LVL-flaensDeptIDtreeii. FS_ORG_ROW_SECappliessecuritytoDeptIDlevel

4.FrameworkManager5.LDAPAuthenHcaHon


13/46

DeptIDtreeinPeopleSoFinancials

(raggedhierarchy)


14/46

CognosSecuritypageinPeopleSoFinancials

FinancialsSystemteamisresponsibleforwhoreceivesaccessandtheapprovalprocess

CentrallocaHonforeasymaintenance FinancialsSystemteamsendsarequesttoBIif

theuserdoesnotcurrentlyhaveaccesstoCognossothatthenecessaryLDAPgroupscan

beassigned.


15/46


MulHplenodesatvariouslevelscanbeassignedwithdifferentsecurity

MulHpleDeptIDscanbeassignedwithdifferentsecurity

Securityisappliedfromthelowestlevel(DeptID)totheupperlevel(TOTALnode)

Lowerlevelsecurityoverridesupperlevelsecurity


16/46



17/46

TableStructure(PS_U_DEPT_SECURITY):

EMPLID*(equalsLDAPusername)DEPTID_NODE*treenode/DeptIDvalueSEC_TYPE*specifiesifDEPTID_NODEisatreenodeorDeptIDvalue

ACCT_SEC_G_AexcludessalaryandbenefitsaccountsINCL_POSNallowaccesstoposiHondata*Keyfield


18/46

NightlyETLsrefreshrowlevelsecurity DeptIDandAccounttreeETLsarerunprior RowlevelsecurityETLusestheDeptIDtreein

thewarehousetopopulatethelowestlevelof

security(DeptID)

ThisallowsforboththeTreeNodesecurityandindividualDeptIDsecuritytobeapplied

DeptIDsecurityoverridesanynodesecurity Lowerlevelnodesoverridehigherlevelnodes


19/46

TableStructure(FS_ORG_ROW_SEC):

EMPLID*:(equalsLDAPusername) DEPTID*:DeptIDvalue ACCT_SEC_G_A:excludesalary&benefitaccts ACCT_SEC_DESCR:descripHonforaccountsecurity INCL_POSN:allowaccesstoposiHondata POSN_SEC_DESCR:descripHonforposiHonsecurity SEC_DESCR:overallsecuritydescripHon

*Keyfield


20/46

FrameworkManagerQuerySubjects

QuerysubjectswithintheFrameworkManagerpackagefiltersthedatapriortotheuserbeingabletopullinanydata

ThisincludestheDeptIDandAccounthierarchiesthattheusersareabletosee


21/46

ABuilt-infuncHoninFrameworkManageraccomplishesthetaskbypassingtheLDAP

userNametoCognoswhichisequaltothe

OPRID_SECUREDvalueonthesecuritytable.

ThefuncHonis:

#sq($account.personalInfo.userName)#


22/46

ThisfuncHonisappliedtothefollowingquerysubjects:

FS_ORG_LVLFS_ORG_LVLforPosiHonsFS_ACCT_LVLFS_POSN_BUDG_FACT


23/46

FS_ORG_LVLQuerySubject

Select

FS_ORG_ROW_SEC.OPRID_SECURED,

TBL.*from

[BI].FS_ORG_LVLTBL,

[BI].FS_ORG_ROW_SECFS_ORG_ROW_SEC

Where

TBL.DEPTID=FS_ORG_ROW_SEC.DEPTID

andFS_ORG_ROW_SEC.OPRID_SECURED=



24/46

FS_ACCT_LVLQuerySubject

SelectACCT.*

from[BI].FS_ACCT_LVLACCT

Where

ACCT.LEVEL3'SALARIES&BENEFITS'

ORACCT.LEVEL3=(

SELECT'SALARIES&BENEFITS'G_A_LVLFROM

[BI].FS_ORG_ROW_SEC

WEREFS_ORG_ROW_SEC.OPRID_SECURED=


ANDACCT_SEC_G_A='NANDrownum()=1)


25/46

FS_ORG_LVLforPosiHonsQuerySubject

Select

FS_ORG_ROW_SEC.OPRID_SECURED,TBL.*

from[BI].FS_ORG_LVLTBL,

[BI].FS_ORG_ROW_SECFS_ORG_ROW_SEC

Where

TBL.DEPTID=FS_ORG_ROW_SEC.DEPTID

andFS_ORG_ROW_SEC.INCL_POSN='Y




26/46

FS_POSN_BUDG_FACTQuerySubject

Select

FS_ORG_ROW_SEC.OPRID_SECURED,

TBL.*From[BI].FS_POSN_BUDG_FACTTBL,

[BI].FS_ORG_ROW_SECFS_ORG_ROW_SEC,

[BI].FS_ACCT_LVLACCT

WhereTBL.ORG=FS_ORG_ROW_SEC.DEPTID




27/46

FS_POSN_BUDG_FACTQuerySubjectConHnued

ANDTBL.ACCOUNT=ACCT.ACCOUNT

ANDFS_ORG_ROW_SEC.INCL_POSN='Y'

AND(

ACCT.LEVEL3'SALARIES&BENEFITS'

OR(

ACCT.LEVEL3='SALARIES&BENEFITS'

ANDFS_ORG_ROW_SEC.ACCT_SEC_G_A='N'))


28/46

SwethaSiripurapu

ITAnalystII

[email protected]


29/46

RowlevelandColumnlevelsecurity

ObjectLevelSecurity:Definesusersthathaveaccesstofoldersandreports.ColumnlevelSecurity:Defineswhetherauserhasaccesstoafieldinthequerysubject:e.g.

SSN

RowlevelSecurity:Allowstheusertoonlyseetheirdatawithinaquerysubject


30/46

Overview

Cognos ProcedureSessionVariables

Cognos ReportsSQLStatements

SessionVariables

Calls Writes

Runs Calls


31/46

Cognoscallsprocedure Opensessioncommandblockonthedata

sourceconfiguraHoninCognos CallsasecuritypackageinOracle SetssessioncontextfortheCognosuser


32/46

OpenSessioncommandblock:

BEGIN

sys.security_package.create_context(#sq($account.personalInfo.userNam

e)#);

END;


33/46

SYS.security_package.create_contextacceptsuseridandretrievescolumnandrowlevel

informaHonfortheIDandsetssession

contexts

PoliciesforthecontextaresetfortablesinODS;theyapplytheaccessrestricHonsforthecurrentuser.


34/46

Codeforcolumnlevelsecurityfromsys.security_packageBEGIN

SELECTSEMI_SENSITIVE_IND,SENSITIVE_IND,GRADE_IND,PASSPORT_IND,SSN_IND

INTOV_SEMI,V_SENS,V_GRADE,V_PASS,V_SSN

FROMOUCUSTOM.SECR_COL_LVL

WEREUSERNAME=UPPER(p_user);

DBMS_SESSION.SET_CONTEXT('ODS_COL_CONTEXT','SEMI_SENSITIVE_IND',V_SEMI);

DBMS_SESSION.SET_CONTEXT('ODS_COL_CONTEXT','SENSITIVE_IND',V_SENS);

DBMS_SESSION.SET_CONTEXT('ODS_COL_CONTEXT','GRADE_IND',V_GRADE);

DBMS_SESSION.SET_CONTEXT('ODS_COL_CONTEXT','PASSPORT_IND',V_PASS);

DBMS_SESSION.SET_CONTEXT('ODS_COL_CONTEXT','SSN_IND',V_SSN);

EXCEPTION

WENOTERSTEN

NULL;

END;


35/46

Codeforrowlevelsecurityfromsys.security_packageBEGIN

SELECTDEPT_LISTINTOV_DEPTS

FROMOUCUSTOM.SECR_ROW_LVL

WEREUSERNAME=UPPER(p_user);

IFV_DEPTSISNOTNULLTEN

DBMS_SESSION.SET_CONTEXT('ODS_COL_CONTEXT','DEPT_LIST',V_DEPTS);

ENDIF;

EXCEPTION

WENOTERSTENDBMS_SESSION.SET_CONTEXT('ODS_COL_CONTEXT','DEPT_LIST','----');

END;


36/46

TablestructureforColumnlevelsecuritytable

Sampledatafromcolumnlevelsecuritytables


37/46

TablestructureforRowlevelsecuritytable

Sampledatafromrowlevelsecuritytables


38/46

SQLstatementtocreateColumnlevelPolicy

--MZT_STUDENT,SSNpolicy

BEGINDBMS_RLS.ADD_POLICY(OBJECT_SCEMA=>'OUCUSTOM',

OBJECT_NAME=>'MZT_STUDENT',

POLICY_NAME=>'ODSMZTStuSSN',FUNCTION_SCEMA=>'SYS',

POLICY_FUNCTION=>'F_ODS_SECR_SSN_CK',

STATEMENT_TYPES=>'SELECT',

POLICY_TYPE=>DBMS_RLS.DYNAMIC,

SEC_RELEVANT_COLS=>'TAX_ID',

SEC_RELEVANT_COLS_OPT=>DBMS_RLS.ALL_ROWS);

END;


39/46

SSNpolicyfuncHonF_ODS_SECR_SSN_CKCREATEORREPLACEFUNCTIONsys.F_ODS_SECR_SSN_CK

(V_SCEMAINVARCAR2,V_OBJECTVARCAR2)

RETURNVARCAR2IS

V_PREDICATEVARCAR2(2000):='0=1';

v_indvarchar2(1);

BEGIN

--Acquireindicatorfromcontext

selectsys_context('ODS_COL_CONTEXT','SSN_IND')intov_indfromdual;

ifv_ind='Y'then

return'0=1';

else

returnnull;

endif;

ENDF_ODS_SECR_SSN_CK;


40/46

SQLtocreaterow-levelpolicy--MZT_STUDENT,row-levelpolicy

BEGINDBMS_RLS.ADD_POLICY(OBJECT_SCEMA=>'OUCUSTOM',

OBJECT_NAME=>'MZT_STUDENT',

POLICY_NAME=>'ODSMZTStuRLS',FUNCTION_SCEMA=>'SYS',

POLICY_FUNCTION=>'F_ODS_SECR_RLS',

statement_types=>'SELECT,UPDATE,INSERT,DELETE',

update_check=>TRUE,

enable=>TRUE,

staHc_policy=>FALSE);END;


41/46

Row-levelpolicyfuncHonF_ODS_SECR_RLSCREATEORREPLACEFUNCTIONsys.F_ODS_SECR_RLS

(V_SCEMAINVARCAR2,V_OBJECTVARCAR2)

RETURNVARCAR2IS

v_listvarchar2(1000):=null;BEGIN

--Acquireindicatorfromcontext

selectreplace(sys_context('ODS_COL_CONTEXT','DEPT_LIST'),',','|')intov_listfromdual;

ifv_listisnullthen

return'1=1';

elsereturn'REGEXP_LIKE(student_department_list,'||chr(39)||v_list||chr(39)||')';

endif;

ENDF_ODS_SECR_RLS;


42/46

Tablewithrecordsbeforeapplyingsecurity


43/46

Recordsaerapplyingcolumnlevelsecurity


44/46

Recordsaerapplyingrowlevelsecurity


45/46

QuesHons?


46/46

JimGross(formerlyofTexasTechUniversity)

SeniorERPAnalyst

OfficeofInformaHonTechnologyServices

SamoustonStateUniversity

Box2449untsville,TX77341

[email protected]

DarrelPyle

SeniorBusinessSystemsAnalyst

BudgetsOffice-BI/DataWarehousing

SouthernMethodistUniversity

P.O.Box750505,Dallas,TX75275-0505

[email protected]

SwethaSiripurapu

ITAnalystII

TheUniversityofOklahoma

[email protected]

application of data-level security in framework manager - presentation

Documents