Integrate Oracle Forms, Oracle Reports and Oracle Discoverer with Oracle Single Sign On, Oracle Internet Directory and Virtual Private Database for the Luxembourg communities. How to make sure that a user can only use the products he is allowed to use and sees only the data he is allowed to see, with a single username/password login.
Integrating it all at SIGI
Agenda
- Introduction VDS Computing
- SIGI Project
- Constraints
- Solution ORACLE-VDS
- Application structure overview
- Issues not covered with standard Oracle
- Example of a logon procedure
- Advantages of this solution
VDS Computing: History
- Since 1982
- From 7 to 55 employees
- Turnover from 1.5 to 6.0 million Euro
- International focus: VDS-Computing Luxembourg sàrl, VDS-Computing UK Ltd.
- ISO 9001 certified
VDS Computing: Services
- Consulting
- Analysis
- Development
- Project Management
- Installation
- Training
- Support
- Outsourcing
VDS Computing: Products
- Software: financial and logistics software on Oracle (Piton); Business Intelligence; turn-key development on Oracle
- Hardware: design, implementation, management
Presentation of SIGI
Project Constraints
- Centralised IT infrastructure
- Secure network between the cities and the datacenter
- Secure data(base) (account and budget info)
- Intuitive and open applications
- Rich user interface
- Cutting-edge technology
Solution ORACLE-VDS
- Database: ORACLE 9i Enterprise Edition (EE), Virtual Private Database, Advanced Security Option (Enterprise Users)
- Application Server: ORACLE 10g EE, Single Sign On, Oracle Internet Directory (LDAP)
- Thin client: MS Internet Explorer
- Forms, Reports and Discoverer Services
- Oracle Portal
- XML interface
- RAD development tools: Designer, Forms and Reports
Application Architecture (diagram): the Application Server (iAS) hosts Forms, Reports, Discoverer, Portal, GESCOM and other applications; the Database holds the data and business logic, with data filters by VPD (read scheme / update scheme); the LDAP directory provides authentication and read access through ASO.
Application Architecture
- Oracle Portal: intra- or internet website builder/publisher. No programming skills needed.
- Oracle Forms: build and run OLAP applications. Moved from character-based via client/server to a 3-tier architecture today.
Application Architecture
- Oracle Reports: reporting tool. Run using a report server (with the possibility to run in batch). Possibility to e-mail the result or retrieve it from a repository via the web.
- Oracle Discoverer: Business Intelligence tool. Design without DB knowledge. Design without extra programs, using a Java applet.
Application Architecture
- SSO: Single Sign On. Authenticate once, then authenticate automatically for the different products.
- OID: Oracle Internet Directory. A standard (LDAP) way to hold security data.
- Virtual Private Database: limit user access at record level. Allow a user to see only what he is allowed to see, without extra programming.
Security issues NOT solved with standard Oracle
- Forms/Reports menu
- Definition of who can use which forms is maintained inside the application
- Definition of who can run which report is maintained inside the application
Example of a Logon Procedure
- User: Marcel DUPONT of the city SEPTFONTAINES
- Logs into the portal: Login: mdupont.septfontaines, Password SSO: abcdefgh1
- Result: the user gets the portal pages he is allowed to see
Example of a Logon Procedure
- The user clicks on the URL to start the Forms application.
- Based on the SSO info, Forms checks if the user is allowed to start the application.
- The resource information is retrieved from the OID.
- Resource information: database logon information for Forms.
Example of a Logon Procedure
- Resource: Login: mdupont.septfontaines, Password: ##### (secret), Database: REC1
- The Forms application starts and logs onto the DB.
- In the database mdupont.septfontaines is unknown as a schema user: ASO is activated.
Example of a Logon Procedure
- Advanced Security Option: the database asks the OID if the user mdupont.septfontaines is allowed to log into the DB with the password #####.
- The OID replies OK and maps this user to the schema recdev.
- The user is connected to the DB.
Example of a Logon Procedure
- The logon in the DB fires a logon trigger.
- Using the ASO info (mdupont) the OID is interrogated to find his community (septfontaines).
- The context is set to activate the VPD.
- Virtual Private Database: for each select/insert/update/delete statement an additional "where community = septfontaines" is added.
Example of a Logon Procedure
- The Forms application is started.
- The user sees only the info he is allowed to see.
- The user can start reports (also using ASO and VPD, because the same logon info is used).
- The user can see the reports he has run, with the results. The user can only see his own reports (the Reports server is also SSO enabled).
- The user can start a Discoverer report.
Example of a Logon Procedure
- Discoverer AS10g Rel2 is started.
- The user logs into the database as the Discoverer user.
- SSO information is available during the DB logon.
- Using the SSO info (mdupont) the OID is interrogated to find his community (septfontaines).
- The context is set to activate the VPD.
- The user can only interrogate info from his community.
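The logon trigger, application context and VPD policy that the procedure above describes, written out in Oracle PL/SQL as an added example (not code from the SIGI project): the OID community lookup is replaced by a local mapping table, and the schema and table names (sigi_sec, recdev.budget) are assumptions.

```sql
-- Application context: only sigi_ctx_pkg may set values in it
CREATE CONTEXT sigi_ctx USING sigi_sec.sigi_ctx_pkg;

-- Stand-in for the OID lookup (assumption): enterprise identity -> community
CREATE TABLE sigi_sec.user_community (
  ext_name  VARCHAR2(200) PRIMARY KEY,  -- DN of the enterprise user in OID
  community VARCHAR2(60)  NOT NULL);

CREATE OR REPLACE PACKAGE sigi_sec.sigi_ctx_pkg AS
  PROCEDURE set_community;
  FUNCTION community_predicate(p_schema VARCHAR2, p_object VARCHAR2) RETURN VARCHAR2;
END;
/
CREATE OR REPLACE PACKAGE BODY sigi_sec.sigi_ctx_pkg AS
  PROCEDURE set_community IS
    l_community VARCHAR2(60);
  BEGIN
    -- EXTERNAL_NAME is the ASO/enterprise identity of the person (mdupont...),
    -- not the shared schema recdev that USER would return
    SELECT community INTO l_community
      FROM sigi_sec.user_community
     WHERE ext_name = SYS_CONTEXT('USERENV', 'EXTERNAL_NAME');
    DBMS_SESSION.SET_CONTEXT('sigi_ctx', 'community', l_community);
  EXCEPTION
    WHEN NO_DATA_FOUND THEN
      NULL;  -- context stays unset: the predicate then matches no rows (fail closed)
  END;

  FUNCTION community_predicate(p_schema VARCHAR2, p_object VARCHAR2) RETURN VARCHAR2 IS
  BEGIN
    -- the value is read by the engine at run time; nothing is concatenated into SQL
    RETURN 'community = SYS_CONTEXT(''sigi_ctx'', ''community'')';
  END;
END;
/
-- Runs for every session, so the Reports and Discoverer connections get the same filter
CREATE OR REPLACE TRIGGER sigi_sec.set_vpd_ctx AFTER LOGON ON DATABASE
BEGIN
  sigi_sec.sigi_ctx_pkg.set_community;
END;
/
-- Attach the predicate to an application table for all four statement types;
-- update_check => TRUE also rejects inserts/updates that would move a row out of scope
BEGIN
  DBMS_RLS.ADD_POLICY(object_schema => 'RECDEV', object_name => 'BUDGET',
    policy_name => 'budget_community', function_schema => 'SIGI_SEC',
    policy_function => 'SIGI_CTX_PKG.COMMUNITY_PREDICATE',
    statement_types => 'SELECT,INSERT,UPDATE,DELETE', update_check => TRUE);
END;
/
```

Because the community is fixed once per session by the trigger and the predicate only references the context, no Forms, Reports or Discoverer code has to carry the filter itself, which is the point the advantages slides make.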
Advantages of this solution
- Central standard security maintenance.
- Security is independent from development (the developer doesn't have to think about security).
- Application security is maintained in the OID, not in Forms/Reports.
- Data security is maintained in the DB using VPD.
- Data security setup is done automatically.
Advantages of this solution
- Integration with other front-ends with guaranteed security.
- MS Office integration possible: ODBC connection to get info from the DB (with VPD active).
- .NET integration possible.
- MS Active Directory integration possible.
GESCOM: the municipal management software package (GEStion COMmunale) of Luxembourg
Project history
- Starting situation: 100 decentralised sites
- Development of GESCOM around the proprietary HP3000 platform
- November 2001: HP announces the end of the HP3000, scheduled for 31 December 2006
- New GESCOM project: 2002: architecture and development pilots; 2003 and 2004: rewrite; 2005: finalisation and start of the migration
Organisation of GESCOM
- A secure application architecture
- User management through an LDAP
- Data access security entrusted to the DB
- Applications with a single entry point
- Application portal with SSO
- High-performance reporting solutions
- Easy deployment (browser, Acrobat Reader)
Assessment
- Technical: steps imposed by SSO and VPD; immediate benefits thanks to SSO and VPD
- Users: SSO with integrated modules; reassuring and transparent security
- Financial: significant effort to set up the architecture, largely recovered during development and maintenance
Questions and Answers