managing user roles: a how-to guide balancing shpentry and shpcfg sherrie pierson, sungard higher...

Managing User Roles: A How-To Guide

Balancing SHPEntry and SHPCFG

Sherrie Pierson, SunGard Higher EducationTT9



• SHP – DegreeWorks “Shepherd” database tables, also referred to as “SHPDB”

• Manage your Users and their access to Services– User Class, assigned one or more Groups– Groups – a list of specific Keys– Individual Keys which grant access to a Service

04/20/23 2

Authentication vs. Authorization

• Authentication and Authorization are two different but related issues.

• Authentication is about various methods of SSO (single sign-on) such as CAS and LDAP – Users are authenticated when they log into DegreeWorks

• Authorization is about access to keys and services– Users are authorized to access services

• View an audit• Change a student’s plan• Delete a Note

SHPEntry and SHPCFG provide ways to authorize users, based on their assigned roles, to access specific services and functionality

04/20/23 3


• Core Access Control Concepts– Users and User Classes– Services– Keys and Keyrings– Groups

04/20/23 4


Users and User Classes• ADV, ADVX, AID, APP, ATHL, REG, STU• Each User in DegreeWorks has a User Class• A user bridged from Banner or PeopleSoft

automatically has the appropriate User Class stored in his DegreeWorks records

• A User is assigned to a Group when authenticated, based on his User Class

04/20/23 5


Services• Each component of business functionality is a

service• Services may be broad (an entire web page or

more) or narrow (a button which does something useful)

• Services are locked and keys are needed to access them

04/20/23 6


Keys and Key Rings• Each User has a Keyring with one or more keys• Keyrings are stored in the Passport table in

SHPDB• Keys give access to Services• When Users are authenticated, they acquire keys

that are either explicitly assigned (by User) or implicitly assigned (by Group)

04/20/23 7


Key Assignment• Explicit Assignment

– Accomplished by SHPEntry– Keys Assigned by Manual Data Entry– Inefficient for assignments to the masses– Very efficient for granular, specific control

• Implicit Assignment– Accomplished by the SHPCFG file– Keys Assigned by scripting methodology– Very efficient for assignments to the masses– Clumsy for granular, specific control

04/20/23 8


Groups• A User Class will typically have a Group of Keys

assigned• Groups are stored in SHPDB• A User will inherit the Group Keys from their User

Class, which will be combined with other keys they may have been assigned explicitly

04/20/23 9


• SHPCFG is delivered with DegreeWorks and must be maintained by clients

• SHPCFG resides on the DegreeWorks server so it is not easily accessible by DegreeWorks staff

• New Keys are added periodically; clients must add new Keys to SHPCFG if these Keys are not delivered as a member of a group

04/20/23 10


04/20/23 11

SHPCFG example: ADV User Class and Petitions

if (DGWUSERCLASS = "ADV") then

TIMEINC = 9999 #Infinity TIMEMAX = 9999

addgroup = SRNADV #See System Administrator's Guide for list of keys

addkey = SDSTUANY #Student Search remkey = SDSTUMY #Remove My Students

#remkey = SDPETADD #Add Petitions #remkey = SDPETDEL #Delete Petitions #remkey = SDPETMOD #Modify Petitions #remkey = SDPETMYS #My Petitions #remkey = SDPETVEW #View all Petitions #remkey = SDNTECHG # Notes free text


• SHPEntry:– web application, runs in java application server

(Tomcat, WebLogic)– allows a privileged User to add or remove

specific keys from Users or Groups– allows you to explicitly assign keys to users

• SHPCFG is limited to implicit assignment of keys (explicit key assignment is possible but not advised – this can be a maintenance nightmare)

04/20/23 12


04/20/23 13


04/20/23 14


04/20/23 15

SHPEntry example: ADV User Class


04/20/23 16



04/20/23 17


SHPCFG example: ADV User Class

04/20/23 18

Access to the Notes functionality is delivered in the SRNADV Group, but we don’t want to allow all Advisors to be able to delete Notes.

SHPCFG method:

1. Have someone with access to the DW server add “remkey SDNTEDEL” to the DGWUSERCLASS = “ADV” section

2. Add another entry in SHPCFG adding the key back to specific users:

if (DGWSHPACCID = “ADV1") then

addkey = SDNTEDEL

3. Run “shpparse” and “webrestart”


04/20/23 19

if (DGWUSERCLASS = "ADV") then TIMEINC = 9999 #Infinity TIMEMAX = 9999 addgroup = SRNADV #See System Administrator's Guide for list of keys addkey = SDSTUANY #Student Search remkey = SDSTUMY #Remove My Students remkey = SDNTEDEL #Remove ability to delete notes #remkey = SDPETADD #Add Petitions #remkey = SDPETDEL #Delete Petitions #remkey = SDPETMOD #Modify Petitions #remkey = SDPETMYS #My Petitions #remkey = SDPETVEW #View all Petitions #remkey = SDNTECHG # Notes free text


04/20/23 20

# When assigning keys by specific user-ID use the if stmt# example below

if (DGWSHPACCID = “ADV1") then

addkey = SDNTEDEL # Ability to delete notes

Managing your users in SHPCFG can become a maintenance headache!


04/20/23 21

Access to the Notes functionality is delivered in the SRNADV Group, but we don’t want to allow all Advisors to be able to delete Notes.

SHPEntry method:

1. An authorized user (with SHPEntry access) can remove the SDNTEDEL key from the SRNADV Group

2. Next, add the SDNTEDEL key to the Users who need access to this functionality

3. The next time an ADV user logs into DegreeWorks, he will receive a new Keyring based on the Keys in the SRNADV Group and any Keys added to his User record


04/20/23 22


04/20/23 23



04/20/23 24


04/20/23 25


04/20/23 26


04/20/23 27

Did it work?

• Have the user log into DegreeWorks – do not log out• In SHPEntry, go to the Passports screen and sort by the

User’s User ID or DegreeWorks ID• Locate the most recent passport for your user and double-

click to see its details• Check the keys in the user’s key ring. These are the keys

assigned to the user during that specific login• Use the filter to display similar keys to verify the key

remains


04/20/23 28

Checking the Passports - keep in mind that:

• A Passport is deleted when the user logs out• A Passport is not deleted if a user’s session times

out or a user kills the browser• Passports that are older than today are deleted

when the web daemons are restarted (webrestart)

Let’s walk through checking on a Passport where two Advisors log in: ADV1 who has the SDNTEDEL key, and ADV2 who does not


04/20/23 29

ADV2 user is a member of SRNADV with no changes.

• Before removing SDNTEDEL from the SRNADV Group, ADV2 has the SDNTEDEL key in his keyring

• After removing the key from the Group, ADV2 loses SDNTEDEL from his keyring

ADV1 user is a member of SRNADV but we have added the SDNTEDEL key

• Even though the SRNADV Group does not have key SDNTEDEL, the ADV1 User still has this key in his keyring.


04/20/23 30


04/20/23 31


04/20/23 32


04/20/23 33


04/20/23 34


04/20/23 35


04/20/23 36

We removed a Key from a Group which is equivalent with removing permission for a Key:

• Removing a Key from a Group deletes the Key from the Group.

• Removing permission for a Key keeps the Key in the Group but disallows access to all Users.

• Adding the Key to specific Users allows these Users access to the Service.


04/20/23 37


04/20/23 38


04/20/23 39


04/20/23 40

The following keys are required for access to SHPEntry:– SHPENTRY– SHPGROUP– SHPLOGS– SHPPASS– SHPSET– SHPUSER


04/20/23 41

• DegreeWorks SHPEntry User Guide

• DegreeWorks Installation Guide

– Which new Keys have been added?

• SHPCFG Review and Configuration

• DegreeWorks Technical Guide

– Security

• Access Control (Authorization)

• List of Services and associated Keys

• List of Groups and associated Keys

• Users and User Classes

• Granting access to SureCode, Transit, etc.

Questions ?

Follow the DegreeWorks Symposium on Twitter !Tag your tweets with #degreeworks

managing user roles: a how-to guide balancing shpentry and shpcfg sherrie pierson, sungard higher...

Documents

user classa user

user classesserviceskeys

user classesadv

stueach user

shpdba user

adv user class

group keys

appropriate user class