A SECURITY MODEL THAT WORKS FOR YOU! SEPTEMBER 13, 2012 @2011 COPYRIGHT JERI HALE- UT DALLAS ALL RIGHTS RESERVED
Jeri Hale, University of Texas at Dallas
Director of IR Quality, Compliance, and Accessibility at UTD with over 27 years' experience in security, internal controls, implementations, process design, business analysis, and development. Designed Security, Integrations, and HCM custom applications at UTD. Currently responsible for compliance reviews, audit coordination, and quality consulting for all enterprise applications.
Ben Dai, Tunabear Consulting, Inc.
Principal Consultant for Tunabear Consulting. Ben's extensive PeopleSoft experience, along with MBA, CPA, and HUB certifications, gives him a unique perspective and insight. Under Ben's direction and hands-on efforts, Tunabear developed many of the customizations and integrations needed for the security model.
- Enrollment: 17,800
- Among top ranked schools management/geosciences & best value
- Ranked 29th in world's most outstanding young universities (Times Higher Education)
- Executive MBA Ranked #1 in Texas and #10 in USA (Financial Times)
- Boutique Consultancy with User Experience Methodology for tight communication links
- Usability Assessments
- Key Milestones
- Customer Satisfaction
Role on the Security Implementation:
- Web Services (Inbound Integrations)
- PeopleCode Role Rules
- Outbound Integrations
- App Engine Dynrole & Data Storage Solutions
PeopleSoft 9.0/9.1
- Enterprise Portal
- FMS / SCM
- HCM / Global Payroll
- Campus Solutions
- PeopleTools
- Linux DB Server
- NT Application Server/Web Server
- Oracle Database
- Business Intelligence Enterprise Edition
- Higher Ed Constituency Hub
- Identity Manager
- Server Technology
- Linux DB
- NT Application/Web
- SciQuest Higher Markets
- UT Dallas security model overview for business/student applications "computing cloud"
- UT Dallas critical control objectives: Accessibility, Auditability, Administrative feasibility
- Functional/Technical Methods meeting control objectives
- Portal as single point of entry for security administration and computing cloud
THE CHALLENGE: THE COMPUTING CLOUD
- TECHNICAL/FUNCTIONAL: How do we secure it?
- USER EXPERIENCE: How do we maintain it?
- AUDITABILITY: How do we control and track changes?
- EFFICIENCY: How do we keep it clean?
- ADMINISTRATION: How can we AFFORD effective security and controls?
Situation
- Shared HCM/FMS Databases at UT System Domain
- UTD-Specific Portal/Campus Solutions
- Varied User Types
  - Technical (Developers/Batch IDs)
  - Functional (Super Users and Functional Processes)
  - Departmental (Campus-Based Department Users)
  - End-Users (Self Service)
  - Systems (Sys Adm / Integrations)
  - Other Campuses
Technical Challenges
- Campus-specific User IDs
- Campus-specific authentication services
- Campus-specific Portal Content
- Multiple EmplIDs for Campus & Shared HCM/FMS
- Campus-specific Row Security
- Campus-specific Process Schedules
- Campus-specific Primary Permissions
- Campus-specific Business Processes
- Campus-specific IT and Security Policies
- Campus-specific Dynamic Role Criteria
THE SOLUTION: THE SECURITY MODEL
- Web Services: communicates between two electronic devices over the Internet; usually includes a broker that looks for web-based messages formatted in XML protocol
- Digital Certificate: brokers encryption keys using web services for Secure Sockets Layer (SSL) communications over the server
- Lightweight Directory Access Protocol (LDAP): accesses and maintains distributed directories on web services
- LDAP Attributes: identifies attributes associated with an LDAP account that grant it access to various internet services
- User Profile: Defines PeopleSoft user accounts
- Roles: Identifies PeopleSoft object permissions for a user
- Permission lists: Grants access to PeopleSoft objects
- Dynamic roles: Assigns roles using programs and web services
- Security Model: UT Dallas's conceptual model for securing its enterprise application systems within the cloud
- Golden Roles: Role-based (rather than access-based) roles. These are the roles we centralized on the portal
- Role System Identifier: identifies systems to which the Golden Roles pertain
- Role Map: maps PeopleSoft roles to standard roles in hosted systems (i.e., SciQuest/OBIEE)
- Constituent Roles: sources roles from LDAP attributes
Security Model Design: Accessible, Auditable, Administratively Feasible
- Easy Signon - LDAP Authentication/Single Sign-on Across Domains
- Role-Based Roles = Assigned Duties Desktop
- Single set of roles OR ability to map to a single set of roles across all systems in the computing cloud
- Provisions standardized across all systems based on campus business process requirements
- Permissions attached to roles within each database
- Auto-Provisioning: Access assigned based on users' identifying information (Employee, Applicant, Student, Alumni)
- Database Audit Triggers for role assignments
  - Writes ANY change to an audit table (Online or SQL updates)
  - Downside: on same database; looking at Oracle Governance, Risk, and Compliance Platform for this purpose
- LDAP data logged upon login
- Expired IDs archived before role removal
- Logon Logs archived before purged
- Access/Role assignment reports for entire cloud from Portal
- Electronic justification for Role-Based Access
- Automate User Creation and Constituent (SS) Role Assignment at Signon
- Centralize Security Administration
- Single Task for Role Assignment Across the Cloud
- Row Security Roles
- Dynamic Role Assignment Based on Jobcode, Dept Mgr ID, Project Team, Chartfield Attributes, etc.
- Role Grant for Functional Roles: Extends administrative capabilities to functional security administrators
THE DETAILS: HOW WE DID IT
- User Creation/Updates with Signon PeopleCode
- Log Tables
- Multiple User Types using ID Type Table
- Role System Identifiers
- User Sync Messaging
- Dynamic Role Rules:
  - PeopleCode Role Rules with Web Services to access criteria in source systems
  - Query Rules - Criteria Inside Portal
  - Custom AE Dynrole Process
- Sciquest Signon XML
- Portal Content Reference Links Dynamically assigned
- OBIEE SQL Access to Portal Database
1) LDAP Authentication (signon PeopleCode)
2) Creates User Profile
3) User Types = Different IDs (Human Capital Management, Campus Solutions)
4) PeopleSoft SSO (cross-domain webserver alias)
INITIAL PROVISIONING (diagram)
- HCM
- HECH - Person Data/Relationships
- OIM - NetID & Email Address
- LDAP - Access Attributes
- Campus Solutions
- Portal - Role Assignment
- ROLE SYS ID
- HCM - User Profiles/Constituent Roles
- FMS - User Profiles/Constituent Roles
- Campus Sol - User Profiles/Constituent Roles
- OBIEE (Applicable Users/Roles)
SECONDARY PROVISIONING (diagram)
- HCM - Empl Status, JobCode Position, Dept, etc.
- Request System: Manual Role & Row Sec Requests
- FMS - Chartfield Attribute, Project Team, etc.
- WEB SERVICES
- CS - Prog/Plan Status, Class Instructor, etc.
- Portal - Role Assignment
- ROLE SYS ID
- HCM - User Profiles/Constituent Roles
- FMS - User Profiles/Constituent Roles
- Campus Sol - User Profiles/Constituent Roles
- OBIEE (Applicable Users/Roles)
- Clone user sync message for each system
- Correct EmplID for Correct System
- Uses Role System Identifiers to filter by target
- Sends manually and automatically assigned roles
- Sends changes to user profile locks, password changes, rowsecclass, and primary permissions
- LDAP Attributes mapped to Constituent Roles: used for Self Service and assigned/updated during Signon
- Dynamic role assignment
  - Based on attributes in Psoft tables (Job Data, Student Data, Project Data, etc.)
  - Custom Web Services among systems deliver assignment criteria
- Dynamic role assignment customization -- ONLY updates when someone's roles should be changed
- Large files with many changes are messaged to Portal, where dynamic role rules run
- Hourly on the half hour: Job data refreshed from Job Record
- Hourly on the hour:
  - PeopleCode Rules with custom web services
  - Query Rules against Job Record/Role System IDs
- Required Users in Temp Table (as delivered)
- Identify required changes against RoleUser (mod)
- Assign only changes
- Trigger User Sync messages
- Routing based on Role System Identifier
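Added example (not part of the original slides and not UT Dallas's or Tunabear's code): a Python model of the delta-only role assignment and per-system user sync routing described on the user sync and dynamic role slides above. The role names, user ID, EmplIDs and the ROLE_SYSTEMS table are constructed assumptions standing in for the Role System Identifier data.

```python
"""Delta-only dynamic role assignment with routing by Role System Identifier."""
from collections import defaultdict

# Constructed sample data: role names, user ID and EmplIDs are hypothetical.
ROLE_SYSTEMS = {  # stands in for the Role System Identifier: role -> target systems
    "UTD_EMPLOYEE_SS": {"HCM", "FMS"},
    "UTD_DEPT_MANAGER": {"HCM"},
    "UTD_SHOPPER": {"FMS"},
    "UTD_INSTRUCTOR": {"CS"},
}
EMPLIDS = {"jdoe": {"HCM": "1000123", "FMS": "1000123", "CS": "2021000456"}}


def role_delta(required, current_dynamic):
    """Compare rule output with existing dynamic rows; return (adds, removes)."""
    return required - current_dynamic, current_dynamic - required


def build_sync_messages(required, current_dynamic, manual=frozenset()):
    """Return one sync message per (user, system) affected by a change.

    All arguments are sets of (user, role). Manual grants are never revoked
    by a rule, but they are included in the role list that is sent.
    """
    adds, removes = role_delta(required, current_dynamic)
    touched = defaultdict(set)
    for user, role in adds | removes:
        if role not in ROLE_SYSTEMS:  # fail closed: never route an unmapped role
            raise ValueError(f"role {role!r} has no Role System Identifier")
        touched[user] |= ROLE_SYSTEMS[role]
    final = ((current_dynamic | adds) - removes) | manual
    messages = []
    for user in sorted(touched):
        for system in sorted(touched[user]):
            # Filter by target: send only roles that pertain to this system.
            roles = sorted(r for u, r in final
                           if u == user and system in ROLE_SYSTEMS.get(r, ()))
            messages.append({"system": system, "user": user,
                             "emplid": EMPLIDS[user][system], "roles": roles})
    return messages


if __name__ == "__main__":
    required = {("jdoe", "UTD_EMPLOYEE_SS"), ("jdoe", "UTD_SHOPPER")}
    dynamic = {("jdoe", "UTD_EMPLOYEE_SS"), ("jdoe", "UTD_INSTRUCTOR")}
    manual = {("jdoe", "UTD_DEPT_MANAGER")}
    for msg in build_sync_messages(required, dynamic, manual):
        print(msg)
```

In the sample run no message goes to HCM, because neither changed role pertains to it; an unchanged user generates no messages at all.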
- PeopleSoft Roles Mapped to Sciquest Roles
- Employees are Shoppers
- Web Service to FMS Identifies Approvers and accessible Cost Centers
- XML sends User Info, SciQuest Role (functional access), Cost Centers (row access)
- Creates Sciquest User
- Dynamically assigned based on Role-System IDs
- Limits required security maintenance for Portal Content References
- Query rules inserted at signon and updated on the hour
- Universal interface utilizing standard XML SOA model
- Disparate systems working as one
- Powerful
- Flexible and scalable, secure and synchronous
- Beyond Single Sign On
- Disparate Applications working seamlessly
- External vs. Internal
- Bottom line that defines success
- SOA, Web Services, Cloud -- User does not have to know where they are, just WHAT THEY ARE DOING
- HECH/OIM Testing with the Model no test Active Directory
- Load Testing Message Queues - User Sign-on vs. Dynamic Role
- Dynamic Role locks on User Profile
- Logging for Finding out
- PURGE the logs, app message queues, archive tables, audit tables, process scheduler
- Rebuild audit triggers when moving from one environment to another
- Timeouts across domains