Fine Grained Access Control in Banner v7
SkyBridge Global, Inc.
Connecting your business with technology
Fine-Grained Access Control in Banner 7
Presenters:
Shelly Wingfield
Amanda Marshall
SkyBridge Global
Board of Regents
www.skybridgeglobal.com
© 2004 SkyBridge Global, Inc. All rights reserved. Proprietary and Confidential.
SKYBRIDGE GLOBAL
Agenda
Introduction
Glossary
Fine-Grained Access Control (FGAC)
Related terms and concepts
FGAC in Banner 7
Value-Based Security (VBS)
Personally Identifiable Information (PII)
Glossary
• Fine-Grained Access Control (FGAC)
– An Oracle feature new in release 8i
– Used to provide row-level security (RLS)
– Once security policies and functions are created and applied, the database server automatically enforces these security policies, no matter how the data is accessed (SQL*Plus, forms, reports or a custom program all see the same rewritten statement; the only accounts that bypass policies are SYS and anyone granted the EXEMPT ACCESS POLICY system privilege, so audit who holds it)
– VBS and PII are applications of the FGAC feature
– PII and VBS do not require each other; you can implement them together or separately
– SCT Banner's FGAC features require a minimum release of General 7.0 and are designed to function with Oracle 9i Release 2 (9.2)
Glossary
• Domain
– A functional area or functional set of information in Banner, such as Course Catalog, Schedule, Admissions, Test Scores, etc.
– There are two types: one for VBS and one for PII
• Domain Driver
– The table that is designated as the driver for the business logic associated with a VBS or PII domain
– Usually the parent table of a module
Glossary
• Predicate
– SQL clause for a domain and group that defines the access restriction
• Policy
– Oracle object on a table that makes FGAC work
– The policy must be created before PII and VBS will work
– Policy created by a process the DBA runs after users define the domain and its tables
– One policy per table in the GOKFGAC FGAC schema
Glossary
• Business Profile
– Group of users that have the same access restrictions
– Reduces data entry of access restrictions
– Different from BANSECR roles. Maintenance of Business Profiles is distributed and moved out of the BANSECR schema.
• CRUD
– An acronym for the four types of operations that can be performed on data: Create, Retrieve, Update, and Delete.
How does FGAC work?
1. User inserts into SARADAP:
   insert into saradap (saradap_pidm, …) values (1234, …);
2. FGAC executes the GOKFGAC predicate function and retrieves the predicate.
3. FGAC appends the predicate to the SQL statement:
   (new) saradap_coll_code = 'AS' and (new) saradap_resd_code = 'M'
4. Row inserted, or Oracle error message displayed.
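The four steps above in plain Oracle terms, as an added example that is not Banner's GOKFGAC code: a policy is attached to a table with DBMS_RLS.ADD_POLICY, Oracle calls the named predicate function on every statement against that table, and whatever string the function returns is ANDed onto the statement. The table DEMO_ADMISSIONS, the rules table DEMO_VBS_RULES, the function DEMO_VBS_PREDICATE, the policy name and the user ART_ADMIT are all assumptions; the predicate itself is the one from step 3, with the column names shortened. It is written for Oracle 9i or later and is run by the schema that owns the tables.

```sql
-- Added example (not GOKFGAC): a minimal Oracle FGAC/VPD policy.
-- Table, rules table, function, policy and user names are assumptions.
CREATE TABLE demo_admissions (
  pidm       NUMBER      NOT NULL,
  coll_code  VARCHAR2(2) NOT NULL,
  resd_code  VARCHAR2(1) NOT NULL
);

-- The access restriction is stored as data, one predicate per user
-- (in Banner the lookup is by domain and business profile; here by user).
CREATE TABLE demo_vbs_rules (
  username   VARCHAR2(30)   NOT NULL,
  predicate  VARCHAR2(4000) NOT NULL
);
INSERT INTO demo_vbs_rules (username, predicate)
  VALUES ('ART_ADMIT', 'coll_code = ''AS'' AND resd_code = ''M''');
COMMIT;

-- Step 2: the predicate function. Oracle passes the owner and object name
-- and appends the returned string to the statement. It must not query
-- DEMO_ADMISSIONS itself, or the policy would recurse.
CREATE OR REPLACE FUNCTION demo_vbs_predicate (
  p_schema IN VARCHAR2,
  p_object IN VARCHAR2
) RETURN VARCHAR2 IS
  l_pred demo_vbs_rules.predicate%TYPE;
BEGIN
  SELECT predicate INTO l_pred
    FROM demo_vbs_rules
   WHERE username = SYS_CONTEXT('USERENV', 'SESSION_USER');
  RETURN l_pred;
EXCEPTION
  WHEN NO_DATA_FOUND THEN
    RETURN '1=0';   -- fail closed: a user with no rule sees and changes nothing
END demo_vbs_predicate;
/

-- Step 3 happens automatically once the policy exists. UPDATE_CHECK => TRUE
-- is what makes step 4 possible for INSERT and UPDATE: a new row that falls
-- outside the predicate is rejected instead of written.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => USER,
    object_name     => 'DEMO_ADMISSIONS',
    policy_name     => 'DEMO_VBS_POLICY',
    function_schema => USER,
    policy_function => 'DEMO_VBS_PREDICATE',
    statement_types => 'SELECT,INSERT,UPDATE,DELETE',
    update_check    => TRUE);
END;
/

-- Step 1/4, run as ART_ADMIT (assumed to have INSERT on the table):
-- succeeds, the row satisfies coll_code = 'AS' AND resd_code = 'M'.
INSERT INTO demo_admissions (pidm, coll_code, resd_code) VALUES (1234, 'AS', 'M');
-- Fails with ORA-28115 (policy with check option violation): 'BU' is outside the predicate.
INSERT INTO demo_admissions (pidm, coll_code, resd_code) VALUES (1235, 'BU', 'M');
-- Every SELECT by ART_ADMIT is executed as
--   SELECT ... FROM demo_admissions WHERE (coll_code = 'AS' AND resd_code = 'M')
```

Two design points carry over to the Banner setup. The predicate comes back as a string that is compiled into the user's statement, so a bad value in the rules table is a syntax error at execution time for every user it applies to, which is where the ORA-28113 mentioned later on this page comes from; and the function returns '1=0' rather than NULL for an unknown user, because a NULL predicate means no restriction at all.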
FGAC and Banner
• Value-Based Security (VBS)
– Coded and applied as needed to individual users
– Uses the FGAC feature to apply business rules defined by your institution
– For example, you can apply VBS rules to users in one department so that they can only see student records relevant to that department
FGAC in Banner
These steps make up the VBS creation process.
• Perform analysis on where the VBS restriction should reside.
• Define the domain, which is the driver table for the VBS restrictions.
• Define all tables that are members of the domain and will be restricted by the VBS rule.
• Have the DBA create Oracle policies on the tables.
• Identify the users who need to be restricted by the VBS rule.
• Create the business profile and add the restricted users to it.
• Create the VBS rule for the domain.
• Assign the business profile.
Define New Domain
• GTVFDMN - Domain Code Validation
• Preface each domain with the product abbreviation (G for General, S for Student, etc.) and B for Banner, followed by the entity name and VBS. Example: SB_CONTACT_VBS
Assign Driver Table
• GORFDMN - Domain Driver Rules; assigns the driver table to the Domain
Define Tables and Joins in Domain
• GORFDPL - VBS Table Rules Form
• Assign other tables and joins to the Domain
Create Policy in Oracle
• Run: @gen$exe:gfvbsaddpol@ and/or gfgacdroppol as BANINST1
• Create a policy on all tables defined in the domain.
– Accepts wildcards in the table name
• To view policy data from SQL*Plus, query DBA_POLICIES for the driver table; the name is a quoted, upper-case string (SARADAP here, the table from the earlier example), and the ENABLE, SEL/INS/UPD/DEL and CHK_OPTION columns show whether the policy is active, which statement types it covers and whether inserts and updates are checked against the predicate:
– select * from dba_policies where object_name = 'SARADAP';
Create New Group Code
• GTVFGAC - Group Code Validation: establish a new group code (recommend ending the group code with _GRP)
Create Business Profiles and Assign Users
• GTVFBPR - Business Profile Validation: create a business profile based on line of business or functions (recommend ending the profile code with _PRF)
• GOAFBPR - Business Profile Assignments Form: assign users to the profiles created
Create Rule for Each Group
Define Access to Predicate
FGAC Predicate Inquiry
Be Aware
• Must exit and re-enter Banner after saving to enable the new VBS
• Cannot modify policies.
– Must delete (run gfgacdroppol.sql) and recreate (run gfvbsaddpol)
• Oracle error ORA-28113 (policy predicate has error) means a VBS predicate syntax error; because the predicate is compiled into every statement against the table, one bad rule breaks access for every user it applies to, so test a new rule with a single user first
• Use GOIFGAC and GOVFGAC (view) to report on the VBS structure
• Functions in predicate clauses can slow performance, especially if the predicate is against a big table; with dynamic policies the predicate function itself is also re-run for every execution of every statement on the table, so keep its lookups cheap
Be Aware
• Parameter _DYN_RLS_POLICIES must be set to TRUE in init.ora if using VBS FGAC in Banner
• FGAC is turned off for all Banner jobs/processes excluding GLBDATA.
– Use Gokfgac.p_turn_fgac_off and Gokfgac.p_turn_fgac_on to turn FGAC off and back on in custom jobs/processes
– Any object can be made exempt by inserting it on the FGAC Excluded Objects Form (GORFEOB)
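What a pair of procedures like p_turn_fgac_off and p_turn_fgac_on amounts to in plain Oracle, as an added example that is not GOKFGAC's implementation: an application context that only one trusted package can write, and a predicate function that returns no predicate when the context says the session is exempt. The context DEMO_FGAC_CTX, package DEMO_FGAC_CTL, function DEMO_VBS_PREDICATE and table DEMO_ADMISSIONS are assumptions; creating the context needs the CREATE ANY CONTEXT privilege.

```sql
-- Added example (not GOKFGAC): an FGAC on/off switch built on an application
-- context. All DEMO_* names are assumptions.
CREATE OR REPLACE PACKAGE demo_fgac_ctl IS
  PROCEDURE p_turn_fgac_off;
  PROCEDURE p_turn_fgac_on;
END demo_fgac_ctl;
/

-- Binding the context to the package is the security boundary: only code
-- inside DEMO_FGAC_CTL can set attributes in DEMO_FGAC_CTX. A user calling
-- DBMS_SESSION.SET_CONTEXT('DEMO_FGAC_CTX', ...) directly gets ORA-01031.
CREATE OR REPLACE CONTEXT demo_fgac_ctx USING demo_fgac_ctl;

CREATE OR REPLACE PACKAGE BODY demo_fgac_ctl IS
  PROCEDURE p_turn_fgac_off IS
  BEGIN
    DBMS_SESSION.SET_CONTEXT('DEMO_FGAC_CTX', 'FGAC_OFF', 'Y');
  END p_turn_fgac_off;

  PROCEDURE p_turn_fgac_on IS
  BEGIN
    DBMS_SESSION.SET_CONTEXT('DEMO_FGAC_CTX', 'FGAC_OFF', 'N');
  END p_turn_fgac_on;
END demo_fgac_ctl;
/

-- The predicate function the policy on DEMO_ADMISSIONS calls. Returning NULL
-- tells Oracle to apply no restriction, which is the exemption; every other
-- session gets the department rule.
CREATE OR REPLACE FUNCTION demo_vbs_predicate (
  p_schema IN VARCHAR2,
  p_object IN VARCHAR2
) RETURN VARCHAR2 IS
BEGIN
  IF SYS_CONTEXT('DEMO_FGAC_CTX', 'FGAC_OFF') = 'Y' THEN
    RETURN NULL;
  END IF;
  RETURN 'coll_code = ''AS'' AND resd_code = ''M''';
END demo_vbs_predicate;
/

-- Pattern for a custom job: switch off, do the work, switch back on, and also
-- switch back on in the handler so a failure never leaves the session exempt.
BEGIN
  demo_fgac_ctl.p_turn_fgac_off;
  -- runs unfiltered: touches rows the predicate would otherwise hide
  UPDATE demo_admissions SET resd_code = 'M' WHERE coll_code = 'BU';
  demo_fgac_ctl.p_turn_fgac_on;
  COMMIT;
EXCEPTION
  WHEN OTHERS THEN
    demo_fgac_ctl.p_turn_fgac_on;
    RAISE;
END;
/
```

Whoever can execute the "off" procedure bypasses every policy that consults the context, so grant EXECUTE on it only to the accounts that own batch jobs, and treat that grant like the EXEMPT ACCESS POLICY privilege. The flag lives for the whole session, not the statement, which is why the exception handler re-enables it: with connection pooling, a session left exempt would serve its next caller unfiltered.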
FGAC and Banner
• Personally Identifiable Information (PII)
– Philosophy of PII: a user can access PII for records in their processing area (you can only view PII for Student Applicants if you work in Admissions)
– PII is implemented system-wide. All users of the system are restricted by PII except when specifically exempted.
– PII restrictions are PIDM based and apply to only one or two tables in the database. The purpose of PII is to restrict access to records based on the existence of data in key locations.
FGAC in Banner
• Define PII domain user assignments
– PII domains define where the PIDM must exist for the user to have access.
– Use Business Profiles to minimize data entry
• Assigning PII domains has to be done for all users of the system
• Exempt system-type users, and those used for student self service
• Work with the DBA to create the Oracle policy
FGAC in Banner
• These steps make up the PII creation process.
– Define and enable PII domains
– Define PII tables
– Have the DBA create the policy on the PII table and turn PII on
– Define Business Profiles and PII assignments
– Set up each individual user's exempt and cross-domain search status. Repeat until all users of the system are entered.
– Check the active indicator on the entry in GORFDPI to activate PII.
Define PII Domain
• GTVFDMN – PII Domain Code Validation
• Preface each domain with the product abbreviation (G for General, S for Student, etc.) and B for Banner, followed by the entity name and PII. Example: SB_OUTCOME_PII
Enable PII Domain
• Enable the PII Domain in GORFDMN
Define Tables in the PII Domain
• Enter the PII tables in GORFDPI
– PII function delivered: GOKFGAC.F_FIND_PII_DOMAIN.
Create Policies
• Execute the BANINST1 db trigger GOTVBSI0.SQL to turn PII on
• Run: @gen$exe:gfvbsaddpol@ and/or gfgacdroppol as BANINST1
Assigning PII domains
• GOAFPUD – Assign PII domain to users individually
Business Profiles for PII
• GTVFBPR, GOAFBPR – Define PII Business Profiles
Assigning PII domains
• GOAFPUD – Assign PII domain to users by Business Profile
Turning GOKFGAC FGAC off for processes
• New page to identify objects that are excluded from GOKFGAC FGAC processing
– Prevents data corruption
• All JOBS defined in GUBOBJS are delivered as 'exempt'.
• Exemptions include PII and VBS
• Option not available in Self Service yet
Troubleshooting
Error Reporting
• Banner Forms show the message on the hint line. Open Display Error to see the Oracle error.
Error reporting
• Reports show the Oracle error (ORA-28113: policy predicate has error, i.e. a predicate syntax error)
• Self Service shows the error on a new error page
• Oracle Bug
– Errors with Update and Delete are not reported. Oracle applies the predicate as a row filter on those statements, so a row the user is not allowed to touch is simply excluded: the statement succeeds with zero rows affected and returns "record updated successfully", and the access restriction is never noted. Only an INSERT or UPDATE that writes values outside the predicate is rejected by Oracle itself.
– APIs are programmed to show an error when this happens (however, not all tables have APIs)
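The API behaviour described above (report an error when an UPDATE or DELETE touches no rows because the policy hid them), as an added example that is not Banner's API code: the wrapper checks SQL%ROWCOUNT after the statement and raises instead of returning success. The table DEMO_ADMISSIONS (columns pidm, coll_code, resd_code) and the procedures DEMO_UPDATE_RESD and DEMO_DELETE_ADMISSION are assumptions; the FGAC policy on the table is assumed to already exist.

```sql
-- Added example (not a Banner API): turning a policy-filtered UPDATE/DELETE
-- into an explicit error. Table and procedure names are assumptions.
CREATE OR REPLACE PROCEDURE demo_update_resd (
  p_pidm      IN NUMBER,
  p_resd_code IN VARCHAR2
) IS
BEGIN
  -- If the policy hides this PIDM from the caller, its predicate is ANDed onto
  -- the WHERE clause: the UPDATE matches nothing, succeeds, and reports
  -- "0 rows updated". No ORA- error is raised by Oracle.
  UPDATE demo_admissions
     SET resd_code = p_resd_code
   WHERE pidm = p_pidm;

  -- Refuse to report success for a row that was not actually changed.
  IF SQL%ROWCOUNT = 0 THEN
    RAISE_APPLICATION_ERROR(-20001,
      'PIDM ' || p_pidm || ' not updated: row does not exist or is restricted by FGAC');
  END IF;
END demo_update_resd;
/

-- DELETE needs the same check; only INSERT/UPDATE of a value outside the
-- predicate is rejected by Oracle itself (ORA-28115), and only when the
-- policy was created with update_check => TRUE.
CREATE OR REPLACE PROCEDURE demo_delete_admission (p_pidm IN NUMBER) IS
BEGIN
  DELETE FROM demo_admissions WHERE pidm = p_pidm;
  IF SQL%ROWCOUNT = 0 THEN
    RAISE_APPLICATION_ERROR(-20002,
      'PIDM ' || p_pidm || ' not deleted: row does not exist or is restricted by FGAC');
  END IF;
END demo_delete_admission;
/

-- For contrast, the raw statement a form or script issues: in a restricted
-- session it completes with "0 rows updated" and no error.
UPDATE demo_admissions SET resd_code = 'M' WHERE pidm = 9999;
```

The wrapper deliberately does not distinguish "no such row" from "row exists but is restricted": the policy's purpose is to hide the restricted row, and an error message that told the caller it exists would leak exactly that. For tables without an API, the same SQL%ROWCOUNT check belongs in whatever PL/SQL or Pro*C issues the statement.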
API message for failed update, delete
Questions and Answers
Thank you for your participation
Shelly Wingfield
swingfield@skybridgeglobal.com
www.skybridgeglobal.com