Slide 1: Agenda
- Banner overview
- Authentication to Banner & 3rd-party apps
- Authorization to Banner & 3rd-party apps
Slide 2: Section 1 - Banner overview
- Banner is a higher-education Enterprise Resource Planning (ERP) system.
- Original vendor: SunGard Higher Education; now supported by Ellucian.
- Ellucian serves 2,400+ higher-education institutions globally.
Slide 3: Banner components
- Banner INB (Internet Native Banner): the functional user interface for accounting, human resources, and other administrative staff.
- Banner SSB (Self Service Banner): the web-based interface to Banner functionality for students, plus Finance reporting functionality.
- Banner includes multiple distinct systems or modules: Finance, Human Resources, Financial Aid, Advancement. The list above is not exhaustive!
Slide 4: Architecture
- The distributed architecture generally includes: Application Server, Database Server (Oracle database), Job Scheduling Server, Web Server (Luminis).
- This is not meant to be a comprehensive list, only the basics.
Slide 5: 3rd-party apps and definitions
- Many 3rd-party applications are available for varied purposes. Common ones: SciQuest (e-procurement), Touchnet U.Commerce.
- Authentication: the process of identifying a user, usually by a user name and password.
- Authorization: the function of specifying or granting access rights to resources in information systems.
Slide 6: Section 2 - Authentication
- When a user connects to Banner, that user also connects to the Oracle database.
- All Banner INB accounts require individual Oracle database accounts. Banner SSB accounts do not work the same way.
- Banner INB authentication and authorization use Oracle database information and processes.
- Security is configured by granting privileges to a user profile in Oracle.
Slide 7: Oracle authentication
- Oracle uses a user name and password to identify a user; they are stored encrypted in the SYS.USER$ table.
- Authentication requires one Oracle privilege: CREATE SESSION.
- Step 1: the user enters a user name/password.
- Step 2: Oracle checks the credentials.
- Step 3: Oracle checks privileges/security rights: default role(s), directly granted privileges, and PUBLIC privileges (granted to everyone).
Slide 8: Two login methods
- Method 1, Direct Login: log in to the application server directly via a web browser. Password controls come from Oracle database password profiles.
- Method 2, Web-Facing Portal: log in to the Luminis web server first, then connect to the application server. Password controls come from directory-service password policies.
Slide 9: Method 1 - Banner direct login page (Oracle credentials)
- Uses the internet browser and Oracle Fusion Middleware Forms Service, a Java JRE plug-in that displays the Banner forms in an Oracle Java applet.
- Example URL: http://appprd.examplecollege.edu:###0/forms/frmservlet?config=prod
Slide 10: Method 2 - Luminis web server login (Active Directory or LDAP credentials), then Banner direct login page (Oracle credentials)
- The Luminis web server can use a directory service for user authentication; login requires directory-service credentials.
- Possible to configure as Single Sign-On or as another layer of network security.
- Direct login via Oracle credentials may still be required!
Slide 11: Password controls on both paths
- All paths to authentication should have proper controls if both methods are used! (Method 1 -> Banner INB <- Method 2)
- Oracle password profile settings (DBA_PROFILES):

  PROFILE  RESOURCE_NAME             RESOURCE_TYPE  LIMIT
  DEFAULT  FAILED_LOGIN_ATTEMPTS     PASSWORD       UNLIMITED
  DEFAULT  PASSWORD_LIFE_TIME        PASSWORD       UNLIMITED
  DEFAULT  PASSWORD_REUSE_TIME       PASSWORD       UNLIMITED
  DEFAULT  PASSWORD_REUSE_MAX        PASSWORD       UNLIMITED
  DEFAULT  PASSWORD_VERIFY_FUNCTION  PASSWORD       NULL
  DEFAULT  PASSWORD_LOCK_TIME        PASSWORD       UNLIMITED
  DEFAULT  PASSWORD_GRACE_TIME       PASSWORD       UNLIMITED

- PASSWORD_VERIFY_FUNCTION is the function that enforces password complexity; NULL means no complexity check is applied.
- V$PARAMETER includes other security settings, such as password case sensitivity.
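An added audit query for the profile review above (example code, not from the presentation): it lists every password-type resource limit in DBA_PROFILES and flags the weak values shown on the slide, then reports which profile each database account actually uses and the 11g case-sensitivity parameter. It assumes SELECT access to the DBA_* views and V$PARAMETER.

```sql
-- Added audit query, not from the presentation. Flags UNLIMITED limits and a
-- missing verify function; 'DEFAULT' in a non-DEFAULT profile means the
-- value is inherited from the DEFAULT profile and must be checked there.
SELECT p.profile,
       p.resource_name,
       p.limit,
       CASE
         WHEN p.resource_name = 'PASSWORD_VERIFY_FUNCTION'
              AND p.limit = 'NULL'   THEN 'WEAK: no complexity function'
         WHEN p.limit = 'UNLIMITED'  THEN 'WEAK: no limit'
         WHEN p.limit = 'DEFAULT'    THEN 'inherited from DEFAULT profile'
         ELSE 'set'
       END AS finding
FROM   dba_profiles p
WHERE  p.resource_type = 'PASSWORD'
ORDER  BY p.profile, p.resource_name;

-- Which profile governs how many database accounts (Banner INB users are
-- individual Oracle accounts, so a weak DEFAULT profile covers most of them).
SELECT u.profile,
       u.account_status,
       COUNT(*) AS accounts
FROM   dba_users u
GROUP  BY u.profile, u.account_status
ORDER  BY u.profile, u.account_status;

-- Case-sensitive logon setting (Oracle 11g parameter).
SELECT name, value
FROM   v$parameter
WHERE  name = 'sec_case_sensitive_logon';
```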
Slide 12: Directory-service password controls (Active Directory userAccountControl)
- The userAccountControl (UAC) attribute can override other group policy settings.
- Codes to consider:

  Value   Description
  512     Enabled account
  544     Enabled, password not required
  66048   Enabled, password doesn't expire
  66080   Enabled, password doesn't expire & not required
Slide 13: 3rd-party application authentication
- Authentication for each 3rd-party application can vary; you must inquire about how authentication and security are configured.
- Also consider network security such as Virtual Private Networks (VPN).
- SciQuest can be synchronized with Active Directory and uses AD credentials for authentication.
- Touchnet generally uses built-in security and authentication: a unique login URL for each user, unique Touchnet user IDs and passwords, and its own password controls.
Slide 14: Authentication summary
- Look before you leap! Identifying relevant control points is key.
- Determine the layers of network security.
- All Banner INB accounts can access the Oracle database directly, which increases risk!

Section 3 - Authorization
"Your system administrator has determined that your current activity is providing a level of enjoyment beyond that which is allowed on company time. Your enjoyment will now be disabled. You may continue with this activity, but you may not enjoy it. See your system administrator for more information."
Slide 15: Oracle security structures
- Oracle database security structures serve as building blocks; the Oracle security configuration can either strengthen or undermine Banner security.
- Banner uses role-based security: Banner roles = Oracle roles, which are containers for Oracle system privileges and can be password-protected.
- A Banner Class is used to group roles and database objects together in one container.
Slide 16: Banner classes
- Banner CLASS = Role (Oracle privileges) + OBJECTS.
- However, Banner objects can also be granted directly, outside of a class; this increases the risk of security being undermined.
- Example:

  BANNER CLASS Role  Access Level  Banner Object/Form
  BAN_DEFAULT_M      Read/Write    FOMPROF
  BAN_DEFAULT_M      Read/Write    FAAINVE
  BAN_DEFAULT_Q      Read Only     GSASECR

- Banner Classes are containers for role/object assignments.
Slide 17: Users and classes
- Users are assigned to Classes to streamline security management (Banner Class -> User, User, User, User).
- Oracle roles are used in two different capacities in Banner:
  (1) Banner Classes: when associated with objects in a Banner Class, for navigational security.
  (2) Default Roles: an Oracle security construct that controls default privileges upon login.
- Examples: BAN_DEFAULT, USR_DEFAULT.
Slide 18: Banner roles
- Banner roles for Classes and navigational security:
  BAN_DEFAULT_M*: full read/write access
  BAN_DEFAULT_Q*: read-only access
  *These roles are created upon Banner installation with an encrypted password that no human knows!
- Banner-created Default Roles:
  USR_DEFAULT_M: full read/write access
  USR_DEFAULT_Q: read-only access
  USR_DEFAULT_CONNECT: ability to connect to the database/Banner only; provides no navigational access
  *Note: none of these roles are password-protected; more on that soon!
Slide 19: Role privileges and the navigational security check
- USR/BAN_DEFAULT_M: CREATE SESSION, SELECT ANY TABLE, EXECUTE ANY PROCEDURE, SELECT ANY SEQUENCE, UPDATE ANY TABLE, SELECT ANY DICTIONARY, DELETE ANY TABLE, INSERT ANY TABLE, LOCK ANY TABLE. These privileges provide full write access.
- USR/BAN_DEFAULT_Q: CREATE SESSION, SELECT ANY TABLE. Read-only access.
- USR_DEFAULT_CONNECT: CREATE SESSION. Connect only.
- How navigational security works:
  Step 1: the user navigates to a Banner form.
  Step 2: Banner checks for an Oracle role, e.g. BAN_DEFAULT_M.
  Step 3: Banner checks for the object.
  Step 4: Banner decrypts the Oracle role password; this activates the role's privileges only for that object.
  Step 5: Access to the object is granted based on the role's privileges, e.g. BAN_DEFAULT_M = full read/write access.
Slide 20: Default roles
- Banner security manuals recommend that all users be assigned one Default Role: USR_DEFAULT_CONNECT.
- Assigning powerful roles as Default can create security risks.
- Roles that are password-protected in Oracle (11g) must be invoked at a SQL prompt with a SET ROLE statement that supplies the password, even if assigned as DEFAULT.
- No user can manually invoke the BAN_DEFAULT roles because no one knows the system-generated passwords.
Slide 21: Risk of default roles
- BAN_DEFAULT_M as a Default Role? Low risk! BAN_DEFAULT roles are password-protected with system-generated, encrypted passwords.
- USR_DEFAULT_M as a user's Default Role? Risky! It grants the user full write access to everything in Banner/Oracle that is not protected within another schema.
- A schema is owned by a database user and has the same name as that user.
Slide 22: Security administration
- BANSECR = the default Banner security administration account.
- Only BANSECR can access or execute the GSASECR (Security Maintenance) form; distributed security administrators can also access GSASECR.
- For 3rd-party apps it depends upon the application! Example: Touchnet and SciQuest use an internal security structure.
Slide 23: Audit steps - authorization
- Obtain security data for Banner/Oracle. Key tables include:

  Table Name      Description
  DBA_USERS       Listing of database accounts/status
  DBA_ROLE_PRIVS  All database accounts/default roles
  GUVUACC         Object Access by User view = all Banner accounts, classes, objects, and roles

- Obtain 3rd-party app security data; this may require coordination with the vendor.
- Determine who has access to BANSECR.
- Evaluate accounts assigned USR_DEFAULT_M or _Q as a Default Role.
- Evaluate users with access to make changes on other security forms like FOMPROF (Finance Security Maintenance Form).
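Added audit queries for the default-role evaluation on this slide and the role model on slides 18 to 21 (example code, not from the presentation or from Ellucian). They use the dictionary views named above plus DBA_ROLES and DBA_SYS_PRIVS, and assume the standard Banner role names USR_DEFAULT_M, USR_DEFAULT_Q, USR_DEFAULT_CONNECT, BAN_DEFAULT_M and BAN_DEFAULT_Q.

```sql
-- Added audit queries, not from the presentation. Assumes SELECT on DBA_*.

-- 1. Accounts whose DEFAULT role is USR_DEFAULT_M or USR_DEFAULT_Q: these
--    roles are not password-protected, so their privileges are live at
--    login. Each hit needs a business justification (the manuals recommend
--    USR_DEFAULT_CONNECT as the only default role).
SELECT rp.grantee, rp.granted_role, u.account_status, u.profile
FROM   dba_role_privs rp
       JOIN dba_users u ON u.username = rp.grantee
WHERE  rp.default_role = 'YES'
AND    rp.granted_role IN ('USR_DEFAULT_M', 'USR_DEFAULT_Q')
ORDER  BY rp.granted_role, rp.grantee;

-- 2. Confirm which Banner roles are actually password-protected.
--    Expected per the slides: BAN_DEFAULT_* = YES, USR_DEFAULT_* = NO.
SELECT role, password_required
FROM   dba_roles
WHERE  role IN ('USR_DEFAULT_M', 'USR_DEFAULT_Q', 'USR_DEFAULT_CONNECT',
                'BAN_DEFAULT_M', 'BAN_DEFAULT_Q')
ORDER  BY role;

-- 3. System privileges each role carries. Compare against the lists on
--    slide 19; any extra privilege is a deviation from the Banner baseline.
SELECT grantee AS role_name, privilege
FROM   dba_sys_privs
WHERE  grantee IN ('USR_DEFAULT_M', 'USR_DEFAULT_Q', 'USR_DEFAULT_CONNECT',
                   'BAN_DEFAULT_M', 'BAN_DEFAULT_Q')
ORDER  BY grantee, privilege;

-- 4. "ANY" system privileges granted directly to user accounts rather than
--    through a role: these bypass the class/role model entirely and match
--    the "objects granted directly to users" review item.
SELECT sp.grantee, sp.privilege, sp.admin_option
FROM   dba_sys_privs sp
       JOIN dba_users u ON u.username = sp.grantee
WHERE  sp.privilege LIKE '% ANY %'
ORDER  BY sp.grantee, sp.privilege;
```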
Slide 24: User authorization documentation and periodic review
- Consider how the entity documents user access: by role/object or by class?
- Consider whether specific access levels (i.e. classes) are requested, and that requests are not for access "like an existing user".
- Periodic review/reauthorization: consider auditing how management monitors Banner access:
  review of classes granted to users;
  review of terminated users' access;
  review of objects granted directly to users.
Slide 25: Conclusion
- Banner and Oracle are tightly coupled; this creates both security enhancements and risks.
- Banner security can be bypassed through poor Oracle database security.
- Third-party applications may require extra audit effort to understand; don't forget about SOC/SSAE 16 audit reports!
- Questions? Jeff White, Jeff.White@cot.tn.gov; Timothy Hollar, Tim.Hollar@cot.tn.gov