A SECURITY MODEL THAT WORKS FOR YOU!

Transcription

2 Jeri Hale, University of Texas at Dallas Director of IR Quality, Compliance, and Accessibility at UTD with over 27 years experience in security, internal controls, implementations, process design, business analysis, and development. Designed Security, Integrations, and HCM custom applications at UTD. Currently responsible for compliance reviews, audit coordination, and quality consulting for all enterprise applications. Ben Dai, Tunabear Consulting, Inc. Principle Consultant for Tunabear Consulting, Ben s extensive PeopleSoft experience, along with MBA, CPA, and HUB certifications give him unique perspective and insight. Under Ben s direction and hands-on efforts, Tunabear developed many of the customizations and integrations needed for the security model.

3 Enrollment: 17,800 Among top ranked schools management/geosciences & best value Ranked 29 th in world s most outstanding young universities (Times Higher Education) Executive MBA Ranked #1 in Texas and #10 in USA (Financial Times)

4 Boutique Consultancy with User Experience Methodology for tight communication links Usability Assessments Key Milestones Customer Satisfaction Role on the Security Implementation: Web Services (Inbound Integrations) PeopleCode Role Rules Outbound Integrations App Engine Dynrole & Data Storage Solutions

5 PeopleSoft 9.0/9.1 Enterprise Portal FMS / SCM HCM / Global Payroll Campus Solutions PeopleTools Linux DB Server NT Application Server/Web Server Oracle Database Business Intelligence Enterprise Edition Higher Ed Constituency Hub Identity Manager Server Technology Linux DB NT Application/Web SciQuest Higher Markets

6 UT Dallas security model overview for business/student applications "computing cloud UT Dallas critical control objectives: Accessibility Auditability Administrative feasibility Functional/Technical Methods meeting control objectives Portal as single point of entry for security administration and computing cloud

7 THE CHALLENGE THE COMPUTING CLOUD

8

9 TECHNICAL/FUNCTIONAL How do we secure it? USER EXPERIENCE How do we maintain it? AUDITABILITY How do we control and track changes? EFFICIENCY How do we keep it clean? ADMINISTRATION How can we AFFORD effective security and controls?

10 Situation Shared HCM/FMS Databases at UT System Domain UTD-Specific Portal/Campus Solutions Varied User Types Technical(Developers/Batch IDs) Functional (Super Users and Functional Processes) Departmental (Campus-Based Department Users) End-Users (Self Service) Systems (Sys Adm / Integrations) Other Campuses Technical Challenges Campus-specific User IDs Campus-specific authentication services Campus-specific Portal Content Multiple EmplIDs for Campus & Shared HCM/FMS Campus-specific Row Security Campus-specific Process Schedules Campus-specific Primary Permissions Campus-specific Business Processes Campus-specific IT and Security Policies Campus-specific Dynamic Role Criteria

11 THE SOLUTION THE SECURITY MODEL

12 Web Services communicates between two electronic devices over the Internet usually includes a broker that looks for web-based messages formatted in XML protocol Digital Certificate brokers encryption keys using web services for Secure Socket Layer (SSL) communications over the server Lightweight Directory Access Protocol(LDAP) accesses and maintains distributed directories on web services LDAP Attributes identifies attributes associated with an LDAP account that grant it access to various internet services

13 User Profile Defines PeopleSoft user accounts Roles Identifies PeopleSoft object permissions for a user Permission lists Grants access to PeopleSoft objects Dynamic roles Assigns roles using programs and web services

14 Security Model UT Dallas s conceptual model for securing its enterprise application systems within the cloud Golden Roles Role-based (rather than access-based) roles. These are the roles we centralized on the portal Role System Identifier identifies systems to which the Golden Roles pertain Role Map maps PeopleSoft roles to standard roles in hosted systems (i.e., SciQuest/OBIEE) Constituent Roles sources roles from LDAP attributes

15 Accessible Auditable Security Model Design Administratively Feasible

16 Easy Signon - LDAP Authentication/Single Sign-on Across Domains Role-Based Roles = Assigned Duties Desktop Single set of roles OR ability to map to a single set of roles across all systems in the computing cloud Provisions standardized across all systems based on campus business process requirements Permissions attached to roles within each database Auto-Provisioning Access assigned based on users identifying information (Employee Applicant Student Alumni)

17

18

19

20 Database Audit Triggers for role assignments Writes ANY change to an audit table (Online or SQL updates) Downside on same database looking at Oracle Governance, Risk, and Compliance Platform for this purpose LDAP data logged upon login Expired IDs archived before role removal Logon Logs archived before purged Access/Role assignment reports for entire cloud from Portal Electronic justification for Role-Based Access

21 Automate User Creation and Constituent (SS) Role Assignment at Signon Centralize Security Administration Single Task for Role Assignment Across the Cloud Row Security Roles Dynamic Role Assignment Based on Jobcode, Dept Mgr ID, Project Team, Chartfield Attributes, etc. Role Grant for Functional Roles Extends administrative capabilities to functional security administrators

22

23 THE DETAILS HOW WE DID IT

24

25 User Creation/Updates with Signon PeopleCode Log Tables Multiple User Types using ID Type Table Role System Identifiers User Sync Messaging Dynamic Role Rules: PeopleCode Role Rules with Web Services to access criteria in source systems Query Rules - Criteria Inside Portal Custom AE Dynrole Process Sciquest Signon XML Portal Content Reference Links Dynamically assigned OBIEE SQL Access to Portal Database

26 1) LDAP Authentication (signon PeopleCode) 2) Creates User Profile 3) User Types = Different ID s Human Capital Management Campus Solutions 4) PeopleSoft SSO (cross-domain webserver alias)

27

28

29 INITIAL PROVISIONING HCM HECH - Person Data/ Relationships OIM - NetID & Address) LDAP - Access Attributes Campus Solutions Portal - Role Assignment R O L E S Y S I D HCM - User Profiles/ Constituent Roles FMS - User Profiles/ Constituent Roles Campus Sol User Profiles/ Constituent Roles OBIEE (Applicable Users/Roles)

30 SECONDARY PROVISIONING HCM Empl Status, JobCode Position, Dept, etc. Request System: Manual Role & Row Sec Requests FMS- Chartfield Attribute, Project Team, etc. W E B S E R V I C E S CS Prog/Plan Status, Class Instructor, etc. Portal - Role Assignment R O L E S Y S I D HCM - User Profiles/ Constituent Roles FMS - User Profiles/ Constituent Roles Campus Sol User Profiles/ Constituent Roles OBIEE (Applicable Users/Roles)

31 Clone user sync message for each system Correct EmplID for Correct System Uses Role System Identifiers to filter by target Sends manually and automatically assigned roles Sends changes to user profile locks, password changes, rowsecclass, and primary permissions

32 LDAP Attributes to mapped to Constituent Roles used for Self Service and assigned/updated during Signon Dynamic role assignment Based on attributes in Psoft tables (Job Data, Student Data, Project Data, etc.) Custom Web Services among systems deliver assignment criteria Dynamic role assignment customization -- ONLY updates when someone s roles should be changed Large files with many changes are messaged to Portal, where dynamic role rules run

33 Hourly on the half hour: Job data refreshed from Job Record Hourly on the hour: PeopleCode Rules with custom web services Query Rules against Job Record/Role System IDs

34

35 Required Users in Temp Table (as delivered) Identify required changes against RoleUser (mod) Assign only changes Trigger User Sync messages Routing based on Role System Identifier

36 PeopleSoft Roles Mapped to Sciquest Roles Employees are Shoppers Web Service to FMS Identifies Approvers and accessible Cost Centers XML sends User Info, SciQuest Role (functional access), Cost Centers (row access) Creates Sciquest User

37

38 Dynamically assigned based on Role-System IDs Limits required security maintenance for Portal Content References Query rules inserted at signon and updated on the hour

39

40 Universal interface utilizing standard XML SOA model Disparate systems working as one Powerful Flexible and scalable, secure and synchronous

41 Beyond Single Sign On Disparate Applications working seamlessly External vs. Internal Bottom line that defines success SOA, Web Services, Cloud -- User does not have to know where they are, just WHAT THEY ARE DOING

42 HECH/OIM Testing with the Model no test Active Directory Load Testing Message Queues - User Sign-on vs. Dynamic Role Dynamic Role locks on User Profile Logging for Finding out PURGE the logs, app message queues, archive tables, audit tables, process scheduler Rebuild audit triggers when move from one environment to another Timeouts across domains

43