application of data-level security in framework manager - presentation
TRANSCRIPT
-
7/29/2019 Application of Data-level Security in Framework Manager - Presentation
1/46
Application of data-level security in Framework Manager
Presenters:
Jim Gross, Texas Tech University (TTU)
Darrel Pyle, Southern Methodist University (SMU)
Swetha Siripurapu, The University of Oklahoma (OU)
-
2/46
Jim Gross (formerly of Texas Tech University)
Senior ERP Analyst
Office of Information Technology Services
Sam Houston State University, Box 2449, Huntsville, TX 77341
-
3/46
Texas Tech University Agenda
What is data-level security?
What is an example of data-level security?
Creation of the Security Query Subject
Application of data-level security at Texas Tech University
Pros/Cons of using Framework Manager to implement security?
How is data-level security maintained?
-
4/46
What is data-level (row-level) security and how is it different from other security in Cognos?
Object-level Security: Defines which users have access to folders, reports or packages.
Data-level Security: Allows the user to only see their data within a query subject.
Column Security: Defines whether a user has access to a field in the query subject: e.g. SSN
-
5/46
What is an example of data-level security?
Data-level security can be explained by giving the example of a sales department. The Sales Manager has access to all sales data for all regions; whereas, each salesperson can only see the data for their sales region (North, South, East, and West).
-
6/46
Creation of the Security Query Subject
Expand security table to lowest level (7th) of the Organizational Hierarchy.
#sq($account.defaultName)# macro used to acquire username (eRaider)
Filter the security query subject by the current user.
-
7/46
Application of data-level security at Texas Tech
Security Filter Property
All_Authenticated-Group: [TARGET_QS].[ORGN] in ([SECURITY_QS].[ORGN])
-
8/46
Pros/Cons of using Framework Manager to implement data-level security?
PROs
Security is easily implemented/modified
Security can be group or role based
Can be based off existing security systems
CONs
Bypass of security through use of SQL objects in Report Studio
-
9/46
How will the data-level security be maintained?
The ideal is to have the business units maintain their own security needs through an application.
If one does not exist, a simple web application can be created to assist in the process.
Excel spreadsheet
-
10/46
Darrel Pyle
Senior Business Systems Analyst
Budgets Office - BI/Data Warehousing
Southern Methodist University, P.O. Box 750505, Dallas, TX 75275-0505
-
11/46
Application of Data Level Security at SMU
Complexity:
9,614 DeptID values
6,335 active
3,279 historic DeptID values
394 Nodes in a ragged DeptID tree
125 Cognos users for the Financials package
-
12/46
Application of Data Level Security at SMU
Several pieces working together:
1. DeptID tree in PeopleSoft Financials
2. Cognos Security page in PeopleSoft Financials
3. ETLs
   i. FS_ORG_LVL - flattens DeptID tree
   ii. FS_ORG_ROW_SEC applies security to DeptID level
4. Framework Manager
5. LDAP Authentication
-
13/46
DeptID tree in PeopleSoft Financials
(ragged hierarchy)
-
14/46
Cognos Security page in PeopleSoft Financials
Financials System team is responsible for who receives access and the approval process
Central location for easy maintenance
Financials System team sends a request to BI if the user does not currently have access to Cognos so that the necessary LDAP groups can be assigned.
-
15/46
Cognos Security page in PeopleSoft Financials
Multiple nodes at various levels can be assigned with different security
Multiple DeptIDs can be assigned with different security
Security is applied from the lowest level (DeptID) to the upper level (TOTAL node)
Lower level security overrides upper level security
-
16/46
Cognos Security page in PeopleSoft Financials
-
17/46
Table Structure (PS_U_DEPT_SECURITY):
EMPLID* (equals LDAP username)
DEPTID_NODE* tree node / DeptID value
SEC_TYPE* specifies if DEPTID_NODE is a tree node or DeptID value
ACCT_SEC_G_A excludes salary and benefits accounts
INCL_POSN allow access to position data
* Key field
-
18/46
Nightly ETLs refresh row level security
DeptID and Account tree ETLs are run prior
Row level security ETL uses the DeptID tree in the warehouse to populate the lowest level of security (DeptID)
This allows for both the Tree Node security and individual DeptID security to be applied
DeptID security overrides any node security
Lower level nodes override higher level nodes
-
19/46
Table Structure (FS_ORG_ROW_SEC):
EMPLID*: (equals LDAP username)
DEPTID*: DeptID value
ACCT_SEC_G_A: exclude salary & benefit accts
ACCT_SEC_DESCR: description for account security
INCL_POSN: allow access to position data
POSN_SEC_DESCR: description for position security
SEC_DESCR: overall security description
* Key field
-
20/46
Framework Manager Query Subjects
Query subjects within the Framework Manager package filter the data prior to the user being able to pull in any data
This includes the DeptID and Account hierarchies that the users are able to see
-
21/46
A built-in function in Framework Manager accomplishes the task by passing the LDAP userName to Cognos, which is equal to the OPRID_SECURED value on the security table.
The function is:
#sq($account.personalInfo.userName)#
-
22/46
This function is applied to the following query subjects:
FS_ORG_LVL
FS_ORG_LVL for Positions
FS_ACCT_LVL
FS_POSN_BUDG_FACT
-
23/46
FS_ORG_LVL Query Subject
Select
  FS_ORG_ROW_SEC.OPRID_SECURED,
  TBL.*
from
  [BI].FS_ORG_LVL TBL,
  [BI].FS_ORG_ROW_SEC FS_ORG_ROW_SEC
Where
  TBL.DEPTID = FS_ORG_ROW_SEC.DEPTID
  and FS_ORG_ROW_SEC.OPRID_SECURED = #sq($account.personalInfo.userName)#
-
24/46
FS_ACCT_LVL Query Subject
Select ACCT.*
from [BI].FS_ACCT_LVL ACCT
Where
  -- Salary & benefits accounts are visible only if the user has a security row with ACCT_SEC_G_A = 'N'
  ACCT.LEVEL3 <> 'SALARIES & BENEFITS'
  OR ACCT.LEVEL3 = (
    SELECT 'SALARIES & BENEFITS' G_A_LVL
    FROM [BI].FS_ORG_ROW_SEC
    WHERE FS_ORG_ROW_SEC.OPRID_SECURED = #sq($account.personalInfo.userName)#
      AND ACCT_SEC_G_A = 'N'
      AND rownum = 1)
-
25/46
FS_ORG_LVL for Positions Query Subject
Select
  FS_ORG_ROW_SEC.OPRID_SECURED,
  TBL.*
from
  [BI].FS_ORG_LVL TBL,
  [BI].FS_ORG_ROW_SEC FS_ORG_ROW_SEC
Where
  TBL.DEPTID = FS_ORG_ROW_SEC.DEPTID
  and FS_ORG_ROW_SEC.INCL_POSN = 'Y'
  and FS_ORG_ROW_SEC.OPRID_SECURED = #sq($account.personalInfo.userName)#
-
26/46
FS_POSN_BUDG_FACT Query Subject
Select
  FS_ORG_ROW_SEC.OPRID_SECURED,
  TBL.*
From
  [BI].FS_POSN_BUDG_FACT TBL,
  [BI].FS_ORG_ROW_SEC FS_ORG_ROW_SEC,
  [BI].FS_ACCT_LVL ACCT
Where TBL.ORG = FS_ORG_ROW_SEC.DEPTID
  and FS_ORG_ROW_SEC.OPRID_SECURED = #sq($account.personalInfo.userName)#
-
27/46
FS_POSN_BUDG_FACT Query Subject Continued
  AND TBL.ACCOUNT = ACCT.ACCOUNT
  AND FS_ORG_ROW_SEC.INCL_POSN = 'Y'
  AND (
    ACCT.LEVEL3 <> 'SALARIES & BENEFITS'
    OR (
      ACCT.LEVEL3 = 'SALARIES & BENEFITS'
      AND FS_ORG_ROW_SEC.ACCT_SEC_G_A = 'N'))
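The TTU security query subject (slides 6-7) and the SMU ETL and query subjects (slides 18-19 and 23-24) follow one pattern: expand each user's grants down to the lowest organisation level, then join the target query subject to that security table on the current user. The Python/sqlite3 emulation below is an added example written for this page, not code from TTU, SMU or Cognos. The tree, the PS_U_DEPT_SECURITY rows, the SEC_TYPE encoding ('N' for a tree node, 'D' for a DeptID value) and the account rows are constructed; the [BI] schema is dropped; and the #sq($account.personalInfo.userName)# macro is replaced by a bound :user parameter.

```python
import sqlite3
from typing import Dict, List, Tuple

# Constructed ragged DeptID tree: node -> children; a child is another node or a DeptID leaf.
TREE: Dict[str, List[str]] = {
    "TOTAL": ["ACADEMIC", "ADMIN"],
    "ACADEMIC": ["ARTS", "SCIENCE"],
    "ARTS": ["D100", "D110"],
    "SCIENCE": ["PHYSICS", "D200"],  # ragged: D200 sits one level above D210/D211
    "PHYSICS": ["D210", "D211"],
    "ADMIN": ["D300"],
}

# Constructed PS_U_DEPT_SECURITY rows: (EMPLID, DEPTID_NODE, SEC_TYPE, ACCT_SEC_G_A, INCL_POSN).
# SEC_TYPE values 'N' (tree node) and 'D' (DeptID value) are this example's assumption.
DEPT_SECURITY: List[Tuple[str, str, str, str, str]] = [
    ("alice", "ACADEMIC", "N", "Y", "N"),  # whole academic side; salary accounts excluded
    ("alice", "PHYSICS", "N", "N", "Y"),   # lower node overrides the ACADEMIC grant
    ("alice", "D210", "D", "Y", "N"),      # DeptID row overrides the PHYSICS node grant
    ("bob", "D300", "D", "N", "Y"),
    ("carol", "ARTS", "N", "Y", "N"),
]

# Constructed FS_ACCT_LVL rows: (ACCOUNT, LEVEL3)
ACCOUNTS = [("61000", "SALARIES & BENEFITS"), ("62000", "SALARIES & BENEFITS"),
            ("71000", "OPERATING"), ("73000", "TRAVEL")]


def parent_map(tree: Dict[str, List[str]]) -> Dict[str, str]:
    return {child: node for node, kids in tree.items() for child in kids}


def build_row_security(tree, dept_security) -> List[Tuple[str, str, str, str]]:
    """The FS_ORG_ROW_SEC ETL (slides 18-19): expand every grant down to the DeptID level.
    Precedence as on slide 18: a DeptID row beats any node row, and a lower node beats a
    higher one, so each leaf takes the nearest grant on its path up to TOTAL."""
    parents = parent_map(tree)
    leaves = sorted(c for c in parents if c not in tree)
    rows = []
    for user in sorted({r[0] for r in dept_security}):
        by_dept = {r[1]: r for r in dept_security if r[0] == user and r[2] == "D"}
        by_node = {r[1]: r for r in dept_security if r[0] == user and r[2] == "N"}
        for leaf in leaves:
            grant, node = by_dept.get(leaf), parents.get(leaf)
            while grant is None and node is not None:  # walk upward until a node grant is found
                grant, node = by_node.get(node), parents.get(node)
            if grant is not None:
                rows.append((user, leaf, grant[3], grant[4]))  # OPRID_SECURED, DEPTID, G_A, POSN
    return rows


# Query-subject SQL from slides 23-24; :user stands in for #sq($account.personalInfo.userName)#.
ORG_LVL_QS = """
SELECT FS_ORG_ROW_SEC.OPRID_SECURED, TBL.*
FROM FS_ORG_LVL TBL, FS_ORG_ROW_SEC FS_ORG_ROW_SEC
WHERE TBL.DEPTID = FS_ORG_ROW_SEC.DEPTID
  AND FS_ORG_ROW_SEC.OPRID_SECURED = :user
"""
ACCT_LVL_QS = """
SELECT ACCT.*
FROM FS_ACCT_LVL ACCT
WHERE ACCT.LEVEL3 <> 'SALARIES & BENEFITS'
   OR ACCT.LEVEL3 = (SELECT 'SALARIES & BENEFITS' FROM FS_ORG_ROW_SEC
                     WHERE OPRID_SECURED = :user AND ACCT_SEC_G_A = 'N' LIMIT 1)
"""


def build_db() -> sqlite3.Connection:
    """Load the flattened tree, the ETL output and the account hierarchy into an in-memory DB."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE FS_ORG_LVL (DEPTID TEXT PRIMARY KEY, PARENT_NODE TEXT);
        CREATE TABLE FS_ORG_ROW_SEC (OPRID_SECURED TEXT, DEPTID TEXT, ACCT_SEC_G_A TEXT, INCL_POSN TEXT);
        CREATE TABLE FS_ACCT_LVL (ACCOUNT TEXT PRIMARY KEY, LEVEL3 TEXT);
    """)
    parents = parent_map(TREE)
    conn.executemany("INSERT INTO FS_ORG_LVL VALUES (?, ?)",
                     [(leaf, parents[leaf]) for leaf in sorted(parents) if leaf not in TREE])
    conn.executemany("INSERT INTO FS_ORG_ROW_SEC VALUES (?, ?, ?, ?)",
                     build_row_security(TREE, DEPT_SECURITY))
    conn.executemany("INSERT INTO FS_ACCT_LVL VALUES (?, ?)", ACCOUNTS)
    return conn


def visible_deptids(conn: sqlite3.Connection, user: str) -> List[str]:
    return sorted(row[1] for row in conn.execute(ORG_LVL_QS, {"user": user}))


def visible_accounts(conn: sqlite3.Connection, user: str) -> List[str]:
    return sorted(row[0] for row in conn.execute(ACCT_LVL_QS, {"user": user}))


def effective_grants(conn: sqlite3.Connection, user: str) -> Dict[str, Tuple[str, str]]:
    """DeptID -> (ACCT_SEC_G_A, INCL_POSN) as resolved by the ETL for one user."""
    return {d: (g, p) for d, g, p in conn.execute(
        "SELECT DEPTID, ACCT_SEC_G_A, INCL_POSN FROM FS_ORG_ROW_SEC WHERE OPRID_SECURED = ?", (user,))}


if __name__ == "__main__":
    db = build_db()
    for who in ("alice", "bob", "carol", "dave"):
        print(who, visible_deptids(db, who), visible_accounts(db, who), effective_grants(db, who))
```

Running it prints, per user, the DeptIDs and accounts the two query subjects return. Two things are worth noticing. The precedence on slide 18 is visible in alice's rows: her D210 grant wins over the PHYSICS node above it, and PHYSICS wins over ACADEMIC for D211. The account filter on slide 24 is evaluated per user rather than per DeptID, so a single security row with ACCT_SEC_G_A = 'N' exposes the salary-and-benefits accounts of the hierarchy for that user, whereas the FS_POSN_BUDG_FACT query subject on slides 26-27 ties the same check to the matching DeptID row. A user with no security row at all (dave) gets no DeptIDs, which is the fail-closed behaviour a join on the security table gives by construction.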
-
28/46
Swetha Siripurapu
IT Analyst II
-
29/46
Row level and Column level security
Object Level Security: Defines users that have access to folders and reports.
Column level Security: Defines whether a user has access to a field in the query subject: e.g. SSN
Row level Security: Allows the user to only see their data within a query subject
-
30/46
Overview (diagram)
Cognos --Calls--> Procedure --Writes--> Session Variables
Cognos Reports --Runs--> SQL Statements --Calls--> Session Variables
-
31/46
Cognos calls procedure
Open session command block on the data source configuration in Cognos
Calls a security package in Oracle
Sets session context for the Cognos user
-
32/46
Open Session command block:
BEGIN
  sys.security_package.create_context(#sq($account.personalInfo.userName)#);
END;
-
33/46
SYS.security_package.create_context accepts a user id, retrieves the column and row level information for that ID and sets session contexts
Policies for the context are set for tables in ODS; they apply the access restrictions for the current user.
-
34/46
Code for column level security from sys.security_package
BEGIN
  SELECT SEMI_SENSITIVE_IND, SENSITIVE_IND, GRADE_IND, PASSPORT_IND, SSN_IND
    INTO V_SEMI, V_SENS, V_GRADE, V_PASS, V_SSN
    FROM OUCUSTOM.SECR_COL_LVL
   WHERE USERNAME = UPPER(p_user);
  DBMS_SESSION.SET_CONTEXT('ODS_COL_CONTEXT', 'SEMI_SENSITIVE_IND', V_SEMI);
  DBMS_SESSION.SET_CONTEXT('ODS_COL_CONTEXT', 'SENSITIVE_IND', V_SENS);
  DBMS_SESSION.SET_CONTEXT('ODS_COL_CONTEXT', 'GRADE_IND', V_GRADE);
  DBMS_SESSION.SET_CONTEXT('ODS_COL_CONTEXT', 'PASSPORT_IND', V_PASS);
  DBMS_SESSION.SET_CONTEXT('ODS_COL_CONTEXT', 'SSN_IND', V_SSN);
EXCEPTION
  WHEN OTHERS THEN
    NULL;
END;
-
35/46
Code for row level security from sys.security_package
BEGIN
  SELECT DEPT_LIST INTO V_DEPTS
    FROM OUCUSTOM.SECR_ROW_LVL
   WHERE USERNAME = UPPER(p_user);
  IF V_DEPTS IS NOT NULL THEN
    DBMS_SESSION.SET_CONTEXT('ODS_COL_CONTEXT', 'DEPT_LIST', V_DEPTS);
  END IF;
EXCEPTION
  WHEN OTHERS THEN
    -- No security row for this user: set a department list that matches nothing
    DBMS_SESSION.SET_CONTEXT('ODS_COL_CONTEXT', 'DEPT_LIST', '----');
END;
-
36/46
Table structure for Column level security table
Sample data from column level security tables
-
37/46
Table structure for Row level security table
Sample data from row level security tables
-
38/46
SQL statement to create Column level Policy
-- MZT_STUDENT, SSN policy
BEGIN
  DBMS_RLS.ADD_POLICY(
    OBJECT_SCHEMA         => 'OUCUSTOM',
    OBJECT_NAME           => 'MZT_STUDENT',
    POLICY_NAME           => 'ODSMZTStuSSN',
    FUNCTION_SCHEMA       => 'SYS',
    POLICY_FUNCTION       => 'F_ODS_SECR_SSN_CK',
    STATEMENT_TYPES       => 'SELECT',
    POLICY_TYPE           => DBMS_RLS.DYNAMIC,
    SEC_RELEVANT_COLS     => 'TAX_ID',
    SEC_RELEVANT_COLS_OPT => DBMS_RLS.ALL_ROWS);
END;
-
39/46
SSN policy function F_ODS_SECR_SSN_CK
CREATE OR REPLACE FUNCTION sys.F_ODS_SECR_SSN_CK
  (V_SCHEMA IN VARCHAR2, V_OBJECT VARCHAR2)
  RETURN VARCHAR2 IS
  V_PREDICATE VARCHAR2(2000) := '0=1';
  v_ind       varchar2(1);
BEGIN
  -- Acquire indicator from context
  select sys_context('ODS_COL_CONTEXT', 'SSN_IND') into v_ind from dual;
  if v_ind = 'Y' then
    return '0=1';   -- predicate is never true: TAX_ID is returned as NULL
  else
    return null;    -- no predicate: column visible
  end if;
END F_ODS_SECR_SSN_CK;
-
40/46
SQL to create row-level policy
-- MZT_STUDENT, row-level policy
BEGIN
  DBMS_RLS.ADD_POLICY(
    OBJECT_SCHEMA   => 'OUCUSTOM',
    OBJECT_NAME     => 'MZT_STUDENT',
    POLICY_NAME     => 'ODSMZTStuRLS',
    FUNCTION_SCHEMA => 'SYS',
    POLICY_FUNCTION => 'F_ODS_SECR_RLS',
    statement_types => 'SELECT,UPDATE,INSERT,DELETE',
    update_check    => TRUE,
    enable          => TRUE,
    static_policy   => FALSE);
END;
-
41/46
Row-level policy function F_ODS_SECR_RLS
CREATE OR REPLACE FUNCTION sys.F_ODS_SECR_RLS
  (V_SCHEMA IN VARCHAR2, V_OBJECT VARCHAR2)
  RETURN VARCHAR2 IS
  v_list varchar2(1000) := null;
BEGIN
  -- Acquire the department list from context, turning the comma list into a regex alternation
  select replace(sys_context('ODS_COL_CONTEXT', 'DEPT_LIST'), ',', '|') into v_list from dual;
  if v_list is null then
    return '1=1';
  else
    return 'REGEXP_LIKE(student_department_list, ' || chr(39) || v_list || chr(39) || ')';
  end if;
END F_ODS_SECR_RLS;
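The OU approach on slides 32-41 moves the filtering into the database: the Open Session block loads the user's indicators into a session context, and the DBMS_RLS policy functions read that context to produce a predicate for every query against MZT_STUDENT. The Python emulation below is an added example written for this page, not OU's package or Oracle code. sqlite3 stands in for Oracle, a registered REGEXP_LIKE function stands in for Oracle's, the SECR_COL_LVL, SECR_ROW_LVL and MZT_STUDENT rows are constructed, and the column-masking effect of SEC_RELEVANT_COLS with ALL_ROWS is reproduced with a CASE expression. It goes beyond the slides in two places, both labelled in the code: f_ods_secr_rls_anchored is an added variant of the row predicate, and create_context defaults an unknown user's SSN_IND to 'Y'.

```python
import re
import sqlite3
from typing import Callable, Dict, List, Optional, Tuple

# Constructed security tables, keyed by upper-case USERNAME as on slides 34-35.
SECR_COL_LVL: Dict[str, Dict[str, str]] = {"ALICE": {"SSN_IND": "Y"}, "BOB": {"SSN_IND": "N"}}
SECR_ROW_LVL: Dict[str, Optional[str]] = {"ALICE": "MATH,PHYS", "BOB": None}  # BOB: no dept limit

# Constructed MZT_STUDENT rows: (STUDENT_ID, STUDENT_DEPARTMENT_LIST, TAX_ID)
MZT_STUDENT: List[Tuple[int, str, str]] = [
    (1001, "MATH", "111-22-3333"),
    (1002, "PHYS,CHEM", "222-33-4444"),
    (1003, "HIST", "333-44-5555"),
    (1004, "APHYS", "444-55-6666"),  # 'APHYS' contains 'PHYS' as a substring
]


def create_context(p_user: str) -> Dict[str, str]:
    """Emulates sys.security_package.create_context (slides 34-35): look the user up and
    publish the indicators as session-context attributes. The row branch keeps the slides'
    '----' fallback for a user with no row. The column branch defaults SSN_IND to 'Y' (mask)
    for a user with no row; that default is this example's choice, not the slides' code."""
    user = p_user.upper()
    ctx: Dict[str, str] = {}
    col = SECR_COL_LVL.get(user)
    ctx["SSN_IND"] = col["SSN_IND"] if col else "Y"
    if user not in SECR_ROW_LVL:
        ctx["DEPT_LIST"] = "----"               # the WHEN OTHERS handler on slide 35
    elif SECR_ROW_LVL[user] is not None:
        ctx["DEPT_LIST"] = SECR_ROW_LVL[user]   # a NULL DEPT_LIST leaves the attribute unset
    return ctx


def f_ods_secr_ssn_ck(ctx: Dict[str, str]) -> Optional[str]:
    """Column policy function (slide 39): '0=1' masks TAX_ID, None leaves it visible."""
    return "0=1" if ctx.get("SSN_IND") == "Y" else None


def f_ods_secr_rls(ctx: Dict[str, str]) -> str:
    """Row policy function (slide 41): comma list -> unanchored regex alternation."""
    v_list = ctx.get("DEPT_LIST")
    if v_list is None:
        return "1=1"
    return "REGEXP_LIKE(student_department_list, '" + v_list.replace(",", "|") + "')"


def f_ods_secr_rls_anchored(ctx: Dict[str, str]) -> str:
    """Added variant (not on the slides): anchor each code between list delimiters so a
    code that is a substring of another one (PHYS inside APHYS) no longer matches."""
    v_list = ctx.get("DEPT_LIST")
    if v_list is None:
        return "1=1"
    alts = "|".join(re.escape(code) for code in v_list.split(","))
    return f"REGEXP_LIKE(student_department_list, '(^|,)({alts})(,|$)')"


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    # sqlite has no REGEXP_LIKE; register one with Oracle's argument order (text, pattern).
    conn.create_function("REGEXP_LIKE", 2,
                         lambda text, pat: 1 if text is not None and re.search(pat, text) else 0)
    conn.execute("CREATE TABLE MZT_STUDENT (STUDENT_ID INTEGER, STUDENT_DEPARTMENT_LIST TEXT, TAX_ID TEXT)")
    conn.executemany("INSERT INTO MZT_STUDENT VALUES (?, ?, ?)", MZT_STUDENT)
    return conn


def secured_select(conn: sqlite3.Connection, user: str,
                   rls_fn: Callable[[Dict[str, str]], str] = f_ods_secr_rls) -> List[Tuple]:
    """What a report's SELECT returns once both policies are attached (slides 38 and 40):
    the row predicate filters rows; the column predicate with SEC_RELEVANT_COLS_OPT =>
    ALL_ROWS keeps every row but returns TAX_ID as NULL where that predicate is false."""
    ctx = create_context(user)
    ssn_pred = f_ods_secr_ssn_ck(ctx)
    tax_expr = "TAX_ID" if ssn_pred is None else f"CASE WHEN {ssn_pred} THEN TAX_ID END"
    sql = (f"SELECT STUDENT_ID, STUDENT_DEPARTMENT_LIST, {tax_expr} AS TAX_ID "
           f"FROM MZT_STUDENT WHERE {rls_fn(ctx)} ORDER BY STUDENT_ID")
    return conn.execute(sql).fetchall()


if __name__ == "__main__":
    db = build_db()
    for who in ("alice", "bob", "mallory"):
        print(who, secured_select(db, who))
    print("alice (anchored)", secured_select(db, "alice", f_ods_secr_rls_anchored))
```

Three points the slides' code leaves implicit. Because the policy lives in the database, it applies to every statement that reaches the table, including SQL written directly into a report, which is the CON listed for the Framework Manager approach on slide 8. The row predicate on slide 41 is an unanchored regular expression built from the comma list, so a code that is a substring of another code (PHYS inside APHYS in the constructed rows) also matches; the anchored variant wraps each code in list delimiters and returns only the intended rows, and since the list is concatenated into SQL text, the department codes in SECR_ROW_LVL need to stay free of quotes and regex metacharacters. Finally, the '----' fallback on slide 35 means a user with no row sees nothing, whereas the column branch on slide 34 sets no SSN_IND when its lookup fails and the slide 39 function returns no predicate for any value other than 'Y'; the emulation's create_context defaults that indicator to 'Y' so both branches fail closed.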
-
42/46
Table with records before applying security
-
43/46
Records after applying column level security
-
44/46
Records after applying row level security
-
45/46
Questions?
-
46/46
Jim Gross (formerly of Texas Tech University)
Senior ERP Analyst
Office of Information Technology Services
Sam Houston State University
Box 2449, Huntsville, TX 77341
Darrel Pyle
Senior Business Systems Analyst
Budgets Office - BI/Data Warehousing
Southern Methodist University
P.O. Box 750505, Dallas, TX 75275-0505
Swetha Siripurapu
IT Analyst II
The University of Oklahoma