Managing User Roles: A How-To Guide
Balancing SHPEntry and SHPCFG
Sherrie Pierson, SunGard Higher EducationTT9
• SHP – DegreeWorks “Shepherd” database tables, also referred to as “SHPDB”
• Manage your Users and their access to Services
  – User Class, assigned one or more Groups
  – Groups – a list of specific Keys
  – Individual Keys which grant access to a Service
04/20/23 2
Authentication vs. Authorization
• Authentication and Authorization are two different but related issues.
• Authentication is about various methods of SSO (single sign-on) such as CAS and LDAP
  – Users are authenticated when they log into DegreeWorks
• Authorization is about access to keys and services
  – Users are authorized to access services
    • View an audit
    • Change a student’s plan
    • Delete a Note
SHPEntry and SHPCFG provide ways to authorize users, based on their assigned roles, to access specific services and functionality
• Core Access Control Concepts
  – Users and User Classes
  – Services
  – Keys and Keyrings
  – Groups
Users and User Classes
• ADV, ADVX, AID, APP, ATHL, REG, STU
• Each User in DegreeWorks has a User Class
• A user bridged from Banner or PeopleSoft automatically has the appropriate User Class stored in his DegreeWorks records
• A User is assigned to a Group when authenticated, based on his User Class
Services
• Each component of business functionality is a service
• Services may be broad (an entire web page or more) or narrow (a button which does something useful)
• Services are locked and keys are needed to access them
Keys and Key Rings
• Each User has a Keyring with one or more keys
• Keyrings are stored in the Passport table in SHPDB
• Keys give access to Services
• When Users are authenticated, they acquire keys that are either explicitly assigned (by User) or implicitly assigned (by Group)
Key Assignment
• Explicit Assignment
  – Accomplished by SHPEntry
  – Keys Assigned by Manual Data Entry
  – Inefficient for assignments to the masses
  – Very efficient for granular, specific control
• Implicit Assignment
  – Accomplished by the SHPCFG file
  – Keys Assigned by scripting methodology
  – Very efficient for assignments to the masses
  – Clumsy for granular, specific control
Groups
• A User Class will typically have a Group of Keys assigned
• Groups are stored in SHPDB
• A User will inherit the Group Keys from their User Class, which will be combined with other keys they may have been assigned explicitly
• SHPCFG is delivered with DegreeWorks and must be maintained by clients
• SHPCFG resides on the DegreeWorks server so it is not easily accessible by DegreeWorks staff
• New Keys are added periodically; clients must add new Keys to SHPCFG if these Keys are not delivered as a member of a group
SHPCFG example: ADV User Class and Petitions
if (DGWUSERCLASS = "ADV") then
  TIMEINC = 9999 #Infinity
  TIMEMAX = 9999
  addgroup = SRNADV #See System Administrator's Guide for list of keys
  addkey = SDSTUANY #Student Search
  remkey = SDSTUMY #Remove My Students
  #remkey = SDPETADD #Add Petitions
  #remkey = SDPETDEL #Delete Petitions
  #remkey = SDPETMOD #Modify Petitions
  #remkey = SDPETMYS #My Petitions
  #remkey = SDPETVEW #View all Petitions
  #remkey = SDNTECHG # Notes free text
• SHPEntry:
  – web application, runs in a Java application server (Tomcat, WebLogic)
  – allows a privileged User to add or remove specific keys from Users or Groups
  – allows you to explicitly assign keys to users
• SHPCFG is limited to implicit assignment of keys (explicit key assignment is possible but not advised – this can be a maintenance nightmare)
SHPEntry example: ADV User Class
SHPCFG example: ADV User Class
Access to the Notes functionality is delivered in the SRNADV Group, but we don’t want to allow all Advisors to be able to delete Notes.
SHPCFG method:
1. Have someone with access to the DW server add “remkey SDNTEDEL” to the DGWUSERCLASS = “ADV” section
2. Add another entry in SHPCFG adding the key back to specific users:
if (DGWSHPACCID = "ADV1") then
  addkey = SDNTEDEL
3. Run “shpparse” and “webrestart”
if (DGWUSERCLASS = "ADV") then
  TIMEINC = 9999 #Infinity
  TIMEMAX = 9999
  addgroup = SRNADV #See System Administrator's Guide for list of keys
  addkey = SDSTUANY #Student Search
  remkey = SDSTUMY #Remove My Students
  remkey = SDNTEDEL #Remove ability to delete notes
  #remkey = SDPETADD #Add Petitions
  #remkey = SDPETDEL #Delete Petitions
  #remkey = SDPETMOD #Modify Petitions
  #remkey = SDPETMYS #My Petitions
  #remkey = SDPETVEW #View all Petitions
  #remkey = SDNTECHG # Notes free text
# When assigning keys by specific user-ID use the if stmt
# example below
if (DGWSHPACCID = "ADV1") then
  addkey = SDNTEDEL # Ability to delete notes
Managing your users in SHPCFG can become a maintenance headache!
SHPEntry example: ADV User Class
Access to the Notes functionality is delivered in the SRNADV Group, but we don’t want to allow all Advisors to be able to delete Notes.
SHPEntry method:
1. An authorized user (with SHPEntry access) can remove the SDNTEDEL key from the SRNADV Group
2. Next, add the SDNTEDEL key to the Users who need access to this functionality
3. The next time an ADV user logs into DegreeWorks, he will receive a new Keyring based on the Keys in the SRNADV Group and any Keys added to his User record
Did it work?
• Have the user log into DegreeWorks – do not log out
• In SHPEntry, go to the Passports screen and sort by the User’s User ID or DegreeWorks ID
• Locate the most recent passport for your user and double-click to see its details
• Check the keys in the user’s key ring. These are the keys assigned to the user during that specific login
• Use the filter to display similar keys to verify the key remains
Checking the Passports - keep in mind that:
• A Passport is deleted when the user logs out
• A Passport is not deleted if a user’s session times out or a user kills the browser
• Passports that are older than today are deleted when the web daemons are restarted (webrestart)
Let’s walk through checking on a Passport where two Advisors log in: ADV1 who has the SDNTEDEL key, and ADV2 who does not
ADV2 user is a member of SRNADV with no changes.
• Before removing SDNTEDEL from the SRNADV Group, ADV2 has the SDNTEDEL key in his keyring
• After removing the key from the Group, ADV2 loses SDNTEDEL from his keyring
ADV1 user is a member of SRNADV but we have added the SDNTEDEL key
• Even though the SRNADV Group does not have key SDNTEDEL, the ADV1 User still has this key in his keyring.
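An added example, not part of the original slides or of DegreeWorks itself: a small Python model of how the SHPCFG method and explicit user keys resolve to a keyring for ADV1 and ADV2. It assumes rules apply top to bottom and that a block stays in effect until the next `if`; the contents of SRNADV are constructed for illustration, and only the line forms shown on the slides are handled.

```python
import re

# Constructed for illustration: the slides do not list the keys in SRNADV.
GROUPS = {"SRNADV": {"SDNTEDEL", "SDNTECHG", "SDSTUMY"}}

# Trimmed copy of the slides' SHPCFG method (TIMEINC/TIMEMAX lines omitted).
SHPCFG = '''
if (DGWUSERCLASS = "ADV") then
  addgroup = SRNADV
  addkey = SDSTUANY   #Student Search
  remkey = SDSTUMY    #Remove My Students
  remkey = SDNTEDEL   #Remove ability to delete notes
  #remkey = SDNTECHG  # Notes free text
if (DGWSHPACCID = "ADV1") then
  addkey = SDNTEDEL   # Ability to delete notes
'''

COND = re.compile(r'if\s*\(\s*(\w+)\s*=\s*"([^"]*)"\s*\)\s*then')
ACTION = re.compile(r'(addgroup|addkey|remkey)\s*=\s*(\w+)')

def keyring(cfg, user, groups=GROUPS, explicit=()):
    """Implicit keys from SHPCFG-style rules, plus explicit per-user keys."""
    keys, active = set(), False
    for raw in cfg.splitlines():
        line = raw.split("#", 1)[0].strip()  # drops comments and commented-out rules
        if not line:
            continue
        cond = COND.fullmatch(line)
        if cond:  # assumption: a block stays in effect until the next `if`
            active = user.get(cond.group(1)) == cond.group(2)
            continue
        action = ACTION.fullmatch(line)
        if action is None:
            raise ValueError(f"unrecognised SHPCFG line: {raw!r}")
        verb, name = action.groups()
        if not active:
            continue
        if verb == "addgroup":
            keys |= groups[name]
        elif verb == "addkey":
            keys.add(name)
        else:  # remkey
            keys.discard(name)
    return keys | set(explicit)

def holders(key, users, **kw):
    """Access review: which user IDs end up holding `key`?"""
    return sorted(u["DGWSHPACCID"] for u in users if key in keyring(SHPCFG, u, **kw))

ADVISORS = [{"DGWUSERCLASS": "ADV", "DGWSHPACCID": "ADV1"},
            {"DGWUSERCLASS": "ADV", "DGWSHPACCID": "ADV2"}]

if __name__ == "__main__":
    print(holders("SDNTEDEL", ADVISORS))
```

The SHPEntry method maps onto the same function by passing a `groups` dictionary with SDNTEDEL removed from SRNADV and giving ADV1 the key through `explicit`.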
We removed a Key from a Group, which is equivalent to removing permission for a Key:
• Removing a Key from a Group deletes the Key from the Group.
• Removing permission for a Key keeps the Key in the Group but disallows access to all Users.
• Adding the Key to specific Users allows these Users access to the Service.
The following keys are required for access to SHPEntry:
– SHPENTRY
– SHPGROUP
– SHPLOGS
– SHPPASS
– SHPSET
– SHPUSER
• DegreeWorks SHPEntry User Guide
• DegreeWorks Installation Guide
– Which new Keys have been added?
• SHPCFG Review and Configuration
• DegreeWorks Technical Guide
– Security
• Access Control (Authorization)
• List of Services and associated Keys
• List of Groups and associated Keys
• Users and User Classes
• Granting access to SureCode, Transit, etc.
Questions?
Follow the DegreeWorks Symposium on Twitter! Tag your tweets with #degreeworks