Banner VBS (FGAC): Concepts and Techniques
Real-world examples, with emphasis on how design can enhance security, functionality and ease of support.
– Russ Wade, Banner Security Specialist, Wichita State University
Why FGAC is important from a Student records standpoint. – Michelle Barger, Associate Registrar, Wichita State University
Banner VBS (FGAC): Concepts and Techniques
• Overview of Value Based Security (VBS), Ellucian’s implementation of FGAC for Banner
• Process to create a VBS (FGAC) restriction for INB
• Business Profile design to ensure FGAC managed access is “restricted unless granted” rather than “granted unless restricted”
• Using Banner Class membership as criteria for FGAC restrictions
• Making FGAC criteria table-driven
• Preventing users with Select Any Table privilege from seeing sensitive data
2
Overview of Value Based Security (VBS), Ellucian’s implementation of FGAC for Banner
• FGAC (Oracle’s Fine-Grained Access Control, also known as Virtual Private Database) provides a row-level security mechanism
• It works by appending a WHERE predicate to SQL statements issued against a protected table, whichever form, process or session issues them
• This “filters” what data can be seen or operated upon
• The Ellucian Support Center Banner General Documentation Library “Banner General Data Security Handbook” has
chapters on Value-Based Security and FGAC Reference that are very helpful
3
Process to create a FGAC (VBS) Restriction
• Banner VBS or FGAC is a useful tool for customizing access
• It requires caution, since it changes the access behavior of the tables underlying Banner forms and processes: a wrong predicate can block legitimate work or leave data exposed
• For this reason, realistic and complete testing is important
4
Careful definition of the business requirement and testing by content specialists is important for the success of FGAC development

Step in Process                    Effort   Area with Primary Responsibility
1. Define Business Requirement     30%      Functional Area
2. Research and Proof of Concept   20%      Technical Area
3. Programming                     15%      Technical Area
4. Testing                         35%      Functional Area
5
Setup of a simple FGAC restriction
The first step is to define the Business Requirement that the FGAC restriction is meant to satisfy:
“Prevent anyone from deleting Holds.”
You might want this so there is a record of every hold ever placed to refer back to. People can release them, but not delete them.
6
Screen image of SOAHOLD Banner form
7
Identifying the table behind the form
8
Table is SPRHOLD
9
Banner General Menu displays FGAC Forms
INB General Menu>General>System Functions/Administration:
10
System Functions/Administration>Fine-Grained Access Control
11
FGAC Value Based Security Maintenance sub-folder
12
First setup task is to create a VBS (FGAC) Group
13
Create an entry in a validation table for the new VBS Group name using the GTVFGAC form
14
Create FGAC Domain validation table entry using GTVFDMN
15
Create FGAC Domain Driver Table Rules using GORFDMN
16
Create FGAC VBS Table Rules entry using GORFDPL
17
Request DBA to run GFVBSADDPOL.SQL to place Oracle FGAC policies on the table involved
As instructed in the Banner General Data Security Handbook:
“From SQL*Plus run the gfvbsaddpol.sql script while logged in with the BANINST1 User ID. You are prompted for a table name (you can use wild cards).
The gfvbsaddpol.sql script is located in the Banner General Plus directory.”
This places the following policies on the specified table (the listing has the columns of the DBA_POLICIES view, which the DBA can query afterwards to confirm that all four policies exist and are enabled):
OBJECT_OWNER OBJECT_NAME POLICY_NAME SEL INS UPD DEL
--------------- --------------- -------------------- --- --- --- ---
SATURN SPRHOLD GOKFGAC_SPRHOLD_INS NO YES NO NO
SATURN SPRHOLD GOKFGAC_SPRHOLD_SEL YES NO NO NO
SATURN SPRHOLD GOKFGAC_SPRHOLD_UPD NO NO YES NO
SATURN SPRHOLD GOKFGAC_SPRHOLD_DEL NO NO NO YES
18
Add the FGAC predicate for delete to HOLD_DELETE_PREVENTION_VBS using GOAFGAC form
19
FGAC WHERE Predicate appended to SQL
For example, the SQL submitted by the SOAHOLD form might be something like:
DELETE FROM SPRHOLD WHERE SPRHOLD_PIDM = 123456 AND SPRHOLD_HLDD_CODE = 'RH';
The FGAC policy on the SPRHOLD table for the delete function would then append “1=2” as an AND condition:
DELETE FROM SPRHOLD WHERE SPRHOLD_PIDM = 123456 AND SPRHOLD_HLDD_CODE = 'RH' AND 1=2;
Because 1=2 is never true, the statement matches no rows, so the delete is prevented for every user the predicate is applied to.
20
The “Access to Predicate” tab of the GOAFGAC form specifies when the FGAC restriction will be applied
21
Create a Business Profile for the Hold Delete Prevention FGAC restriction using the GTVFBPR form
22
Assign the BUSINESS_PROFILE_FOR_HOLD_FGAC Business Profile to a user using GOAFBPR form
23
Returning to the GOAFGAC form where we originally saw the need for a Business Profile
24
Attempting to remove (delete) record on SOAHOLD form
Resulting error displayed at bottom of page:
25
Errors displayed when FGAC restriction is violated and an operation is prevented
• FGAC - INSERT ERROR = Security violation, transaction not complete
• FGAC - DELETE ERROR = Delete Failed. Exactly one row must be deleted
• FGAC - UPDATE ERROR = Delete Failed. Exactly one row must be deleted
26
Summary of FGAC example setup steps
1. Create an entry in a validation table for the new VBS Group name using the GTVFGAC form
2. Create FGAC Domain validation table entry using GTVFDMN
3. Create FGAC Domain Driver Table Rules using GORFDMN
4. Create FGAC VBS Table Rules entry using GORFDPL
5. Request DBA to run GFVBSADDPOL.SQL to place Oracle FGAC policies on the table involved
6. Add the FGAC predicate for delete to HOLD_DELETE_PREVENTION_VBS using GOAFGAC form
7. Create a Business Profile for the Hold Delete Prevention FGAC restriction using the GTVFBPR form
8. Assign the Business Profile to the FGAC Group for the select, insert, update and/or delete operation on the GOAFGAC form
9. Assign the BUSINESS_PROFILE_FOR_HOLD_FGAC Business Profile to a user using GOAFBPR form
27
Some Design Techniques
• Business Profile design to ensure FGAC managed access is “restricted unless granted” rather than “granted unless restricted”
• Using Banner Class membership as criteria for FGAC restrictions
• Making FGAC criteria table-driven
• Preventing users with Select Any Table privilege from seeing sensitive data
28
Diagram of typical Business Profile use
29
Diagram of “inclusive” access control scope Business Profile design
30
Identifying the user to apply FGAC criteria to
• The value of FGAC restrictions rests very much on its ability to enforce role-based access
• I would like to show you a way to determine who the user is and relate them to their data in Banner
31
Identifying the user to apply FGAC criteria to
The following selects the user name by which the current user is authenticated:
SELECT SYS_CONTEXT ('USERENV','SESSION_USER') FROM DUAL
This can be used to select the user’s PIDM from the SPRIDEN table as follows:
SELECT SPRIDEN_PIDM FROM SPRIDEN
WHERE SPRIDEN_ID = (SELECT SYS_CONTEXT ('USERENV','SESSION_USER') FROM DUAL)
AND SPRIDEN_CHANGE_IND IS NULL;
This assumes that the Oracle username is the same as the person’s Banner ID; SPRIDEN_CHANGE_IND IS NULL restricts the match to the current ID record rather than a prior, changed one.
Once you have the PIDM, you can apply a variety of FGAC restrictions based upon the user’s Banner data
32
Using Banner Class membership as criteria for FGAC restrictions
• Remember our simple setup example FGAC predicate?
• What would be a good way to change this to exempt the Registrar and Associate Registrar from this restriction?
33
GURUCLS security table stores Banner Class membership
DESC GURUCLS;
Name Null? Type
------------------------------------------- -------- -------------------
GURUCLS_USERID NOT NULL VARCHAR2(30 CHAR)
GURUCLS_CLASS_CODE NOT NULL VARCHAR2(30 CHAR)
GURUCLS_ACTIVITY_DATE DATE
GURUCLS_USER_ID NOT NULL VARCHAR2(30 CHAR)
GURUCLS_COMMENTS VARCHAR2(4000 CHAR)
GURUCLS_DATA_ORIGIN VARCHAR2(30 CHAR)
GURUCLS_USERID stores the user’s Oracle Username
GURUCLS_CLASS_CODE stores Banner Class name the user is a member of
This gives us an opportunity to use the SESSION_USER to select the Banner Classes of the user who is logged in
34
FGAC Predicate with Banner Class as criteria
We can then use the following FGAC predicate to exempt users who have the BAN_STUDENT_REG_ADMIN Banner Class from the delete restriction:
-- Exempt user with BAN_STUDENT_REG_ADMIN Banner Class
(EXISTS
(SELECT 'X' FROM BANSECR.GURUCLS
WHERE GURUCLS_USERID IN
(SELECT SYS_CONTEXT ('USERENV','SESSION_USER') FROM DUAL)
AND GURUCLS_CLASS_CODE = 'BAN_STUDENT_REG_ADMIN'
)
)
-- Prevents SPRHOLD Table delete if condition above evaluates false
This predicate only returns true when the user has the required Banner Class.
35
SESSION_USER is the name the user is authenticated with
36
SESSION_USER is used to select for the required USERID and Banner Class combination
37
What this looks like when implemented on the GOAFGAC form
38
Recap of the value of using Banner Class membership as criteria for FGAC restrictions
39
• Banner Classes already provide job role based user grouping that does not have to be duplicated using Business Profiles
• When form access is granted through Banner Classes, the same class membership automatically drives the appropriate FGAC restrictions
• This is both an efficiency and accuracy advantage
Making FGAC criteria table-driven
40
The solution for the following FGAC restriction involved use of a custom table for the criteria.
Business requirement:
Users may only insert or update Comment Types they have a maintenance qualifying Banner Class for.
SWRCMNT is a custom table created to store Banner Classes that qualify the user to maintain Comment Types
41
The following lists some entries of the SWRCMNT table to illustrate what type of information it provides:
PERSON COMMENT MAINTENANCE QUALIFYING BANNER CLASSES BY COMMENT TYPE
COMMENT TYPE CODE DESCRIPTION MAINTENANCE QUALIFYING BANNER CLASS
------------------ ------------------------------ -------------------------------
100 General Comment BAN_STUDENT_ACADEMIC_HISTORY
ADV College Advising Notes BAN_STUDENT_COMMENT_ADV_MAINT
GRA Graduate Admissions BAN_STUDENT_GR_ADM_ASSISTANTS
GAU Graduate School Degree Audit BAN_STUDENT_GR_ADM_DEAN
ADV College Advising Notes BAN_STUDENT_INQ_ADVISOR
INA International Admissions BAN_STUDENT_INTL_ADM_CLERK
OMA Offc of Multicultural Affairs BAN_STUDENT_OMA
DEC Deceased Indicator BAN_STUDENT_REG_DATA_ENTRY_SEC
FER FERPA Release BAN_STUDENT_REG_DATA_ENTRY_SEC
100 General Comment BAN_STUDENT_REG_GENERAL
FER FERPA Release BAN_STUDENT_REG_GENERAL
TRN Transcript Request Notes BAN_STUDENT_TRANS
UGA Undergraduate Admissions BAN_STUDENT_UG_ADM_BUDGET_SEC
UGA Undergraduate Admissions BAN_STUDENT_UG_ADM_CLERK
UGA Undergraduate Admissions BAN_STUDENT_UG_ADM_DEAN
Description of the SWRCMNT custom table
42
DESC WSUSTU.SWRCMNT;
Name Null? Type
------------------------------------ -------- ---------------
SWRCMNT_CMTT_CODE NOT NULL VARCHAR2(3)
SWRCMNT_CLASS_CODE NOT NULL VARCHAR2(30)
Person Comment FGAC Predicate
43
The following FGAC predicate allows users to insert or update any Comment Type they have a qualifying Banner Class for, as specified in the SWRCMNT table:
-- Require user have maint qualifying Banner Class for SWRCMNT Comment Type
(EXISTS
(SELECT 'X' FROM WSUSTU.SWRCMNT
WHERE SWRCMNT_CMTT_CODE = SPRCMNT_CMTT_CODE
AND SWRCMNT_CLASS_CODE IN
(SELECT GURUCLS_CLASS_CODE FROM BANSECR.GURUCLS
WHERE GURUCLS_USERID IN
(SELECT SYS_CONTEXT ('USERENV','SESSION_USER') FROM DUAL)
)
)
)
-- Prevents SPRCMNT table insert and update if each condition above fails
Person Comment FGAC Predicate
44
It looks for Comment Types in the custom SWRCMNT table that match what has been retrieved on the form:
Person Comment FGAC Predicate
45
It then compares all of the current user’s Banner Class codes from the GURUCLS security table to the custom table Banner Class code that matches the Comment Type retrieved:
Rationale for making FGAC criteria table-driven
46
• Using a custom table to store lengthy FGAC criteria simplifies the FGAC predicate
• Changes to the criteria can be made to the table rather than to the FGAC predicate
• This reduces the effort and risk of making these changes
• Tables that store FGAC criteria can be used to produce reports that document the setup
• Because the table now decides who may maintain what, its contents are part of the security configuration: limit who can insert or update it and review changes to it as you would changes to GOAFGAC entries
Preventing users with Select Any Table privilege from seeing sensitive data
47
Immunization information data is deemed sensitive enough to warrant hiding it from power users who have broad select access, but who do not need to see this data. This is reflected in the following business requirement.
Business Requirement:
Restrict select, insert, update and delete access to the GORIMMU immunization information table, whether through the GOAIMMU form or by direct access to the table, to users who have one of the following Banner Classes:
BAN_GENERAL_IMMUNIZATION_ADMIN
BAN_GENERAL_IMMUNIZATION_MAINT
BAN_GENERAL_IMMUNIZATION_QUERY
The following FGAC predicate exempts only the users with the specified Banner Classes
48
This FGAC predicate is implemented for select, insert, update and delete. Because the policies are attached to the table by Oracle, they also apply to sessions that query GORIMMU directly from SQL tools, which is what defeats the Select Any Table privilege. The only accounts that bypass them are SYS and users who hold the EXEMPT ACCESS POLICY system privilege, so grants of that privilege should be reviewed as part of this control.
49
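The following is an added example, not code from the slides or from Ellucian: a Python simulation, using the standard-library sqlite3 module, that runs the three kinds of predicate shown in this deck against constructed data. It covers the Banner Class exemption on the SPRHOLD delete (slide 35), the SWRCMNT table-driven check on SPRCMNT insert (slide 43) and a select restriction of the kind described for GORIMMU (slide 47). sqlite stands in for Oracle: attached databases play the BANSECR and WSUSTU schemas, and DUAL and SYS_CONTEXT('USERENV','SESSION_USER') are emulated so the predicates can be used as printed. The GORIMMU predicate is my assumption, since the slide does not print it; the user names, PIDMs, hold and comment codes and the simplified table columns are all made up.

```python
import sqlite3

# Constructed sample data for the simulation (not from any real Banner
# instance): Banner Class membership (GURUCLS), the custom comment-type
# criteria table (SWRCMNT), and a few rows of the protected tables.
GURUCLS_ROWS = [
    ("REGISTRAR1", "BAN_STUDENT_REG_ADMIN"),
    ("CLERK1", "BAN_STUDENT_REG_GENERAL"),
    ("NURSE1", "BAN_GENERAL_IMMUNIZATION_QUERY"),
]
SWRCMNT_ROWS = [("100", "BAN_STUDENT_REG_GENERAL"),
                ("FER", "BAN_STUDENT_REG_GENERAL"),
                ("ADV", "BAN_STUDENT_COMMENT_ADV_MAINT")]
SPRHOLD_ROWS = [(123456, "RH"), (123456, "AR"), (654321, "RH")]
GORIMMU_ROWS = [(123456, "MMR"), (654321, "TET")]

# Delete predicate from the slides (Banner Class exemption), unchanged.
HOLD_DELETE_PREDICATE = """(EXISTS
  (SELECT 'X' FROM BANSECR.GURUCLS
   WHERE GURUCLS_USERID IN
     (SELECT SYS_CONTEXT ('USERENV','SESSION_USER') FROM DUAL)
   AND GURUCLS_CLASS_CODE = 'BAN_STUDENT_REG_ADMIN'))"""

# Table-driven insert/update predicate from the slides, unchanged.
COMMENT_MAINT_PREDICATE = """(EXISTS
  (SELECT 'X' FROM WSUSTU.SWRCMNT
   WHERE SWRCMNT_CMTT_CODE = SPRCMNT_CMTT_CODE
   AND SWRCMNT_CLASS_CODE IN
     (SELECT GURUCLS_CLASS_CODE FROM BANSECR.GURUCLS
      WHERE GURUCLS_USERID IN
        (SELECT SYS_CONTEXT ('USERENV','SESSION_USER') FROM DUAL))))"""

# Assumed select predicate for GORIMMU: the slides state the requirement
# (three qualifying classes) but do not print the predicate itself.
IMMU_SELECT_PREDICATE = """(EXISTS
  (SELECT 'X' FROM BANSECR.GURUCLS
   WHERE GURUCLS_USERID IN
     (SELECT SYS_CONTEXT ('USERENV','SESSION_USER') FROM DUAL)
   AND GURUCLS_CLASS_CODE IN ('BAN_GENERAL_IMMUNIZATION_ADMIN',
     'BAN_GENERAL_IMMUNIZATION_MAINT', 'BAN_GENERAL_IMMUNIZATION_QUERY')))"""

SESSION = {"user": None}  # stand-in for the Oracle session context


def build_db():
    """In-memory stand-in for Oracle: attached databases play the BANSECR and
    WSUSTU schemas; DUAL and SYS_CONTEXT are emulated so the predicates run."""
    conn = sqlite3.connect(":memory:")
    conn.execute("ATTACH DATABASE ':memory:' AS BANSECR")
    conn.execute("ATTACH DATABASE ':memory:' AS WSUSTU")
    conn.create_function("SYS_CONTEXT", 2, lambda ns, attr: SESSION["user"])
    conn.executescript("""
        CREATE TABLE DUAL (DUMMY TEXT); INSERT INTO DUAL VALUES ('X');
        CREATE TABLE BANSECR.GURUCLS (GURUCLS_USERID TEXT, GURUCLS_CLASS_CODE TEXT);
        CREATE TABLE WSUSTU.SWRCMNT (SWRCMNT_CMTT_CODE TEXT, SWRCMNT_CLASS_CODE TEXT);
        CREATE TABLE SPRHOLD (SPRHOLD_PIDM INTEGER, SPRHOLD_HLDD_CODE TEXT);
        CREATE TABLE SPRCMNT (SPRCMNT_PIDM INTEGER, SPRCMNT_CMTT_CODE TEXT, SPRCMNT_TEXT TEXT);
        CREATE TABLE GORIMMU (GORIMMU_PIDM INTEGER, GORIMMU_IMMU_CODE TEXT);""")
    conn.executemany("INSERT INTO BANSECR.GURUCLS VALUES (?, ?)", GURUCLS_ROWS)
    conn.executemany("INSERT INTO WSUSTU.SWRCMNT VALUES (?, ?)", SWRCMNT_ROWS)
    conn.executemany("INSERT INTO SPRHOLD VALUES (?, ?)", SPRHOLD_ROWS)
    conn.executemany("INSERT INTO GORIMMU VALUES (?, ?)", GORIMMU_ROWS)
    conn.commit()
    return conn


def delete_hold(conn, user, pidm, hold_code):
    """The form's DELETE with the VBS delete predicate ANDed on, as the policy
    does. Returns rows deleted; Banner reports 'Delete Failed. Exactly one row
    must be deleted' when this is not 1, which is how the restriction surfaces."""
    SESSION["user"] = user
    cur = conn.execute("DELETE FROM SPRHOLD WHERE SPRHOLD_PIDM = ? AND "
                       "SPRHOLD_HLDD_CODE = ? AND " + HOLD_DELETE_PREDICATE,
                       (pidm, hold_code))
    conn.commit()
    return cur.rowcount


def insert_comment(conn, user, pidm, cmtt_code, text):
    """INSERT with the predicate enforced against the new row, which is what an
    Oracle VPD insert policy does. Returns True if the row was kept."""
    SESSION["user"] = user
    cur = conn.execute("INSERT INTO SPRCMNT VALUES (?, ?, ?)", (pidm, cmtt_code, text))
    kept = conn.execute("SELECT COUNT(*) FROM SPRCMNT WHERE rowid = ? AND "
                        + COMMENT_MAINT_PREDICATE, (cur.lastrowid,)).fetchone()[0] == 1
    if kept:
        conn.commit()
    else:
        conn.rollback()
    return kept


def visible_immunizations(conn, user):
    """SELECT with the select predicate appended: what a user with broad select
    privilege actually gets back once the policy is on the table."""
    SESSION["user"] = user
    return conn.execute("SELECT * FROM GORIMMU WHERE " + IMMU_SELECT_PREDICATE).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("CLERK1 deletes hold     :", delete_hold(db, "CLERK1", 123456, "RH"))
    print("REGISTRAR1 deletes hold :", delete_hold(db, "REGISTRAR1", 123456, "RH"))
    print("CLERK1 adds ADV comment :", insert_comment(db, "CLERK1", 123456, "ADV", "no"))
    print("REGISTRAR1 sees GORIMMU :", len(visible_immunizations(db, "REGISTRAR1")))
```

The point to take from running it is that the same statement succeeds or fails purely on what is in GURUCLS and SWRCMNT for the session user: CLERK1’s delete matches zero rows (the “exactly one row” error on the form), REGISTRAR1’s matches one, CLERK1 can add a FER comment but not an ADV one, and a user without an immunization class sees nothing in GORIMMU even with unrestricted select rights on the table.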
Miscellaneous Topics
50
• Using the GOIFGAC form to see the FGAC predicate generated by the system for a particular user
• Example of a FGAC restriction having a large domain
• Restricting Banner Self-Service Access using FGAC
• Documenting FGAC restrictions
Using the GOIFGAC form to see the FGAC predicate generated by the system for a particular user
51
It is always a good thing to see the FGAC predicate the system generates, just to be sure it is as you envisioned
You may do this by granting query access to the GOIFGAC form to a test user, and then logging on as that user and viewing the predicate for the domain you are interested in
Click on the FGAC Icon to see the FGAC predicate generated by the system for a particular user
52
Enter the Table Name of interest and next block to display the FGAC predicate
53
In this case, the FGAC predicate for the SPRHOLD Delete operation is displayed
Schedule maintenance as an example of a FGAC restriction having a large domain
The following lists the Schedule domain driver table and 5 of the 34 child tables. These tables are all involved in the Schedule function and must be included in the FGAC restriction.

Domain Validation Code   Domain Driver Table   Domain Policy Table   Driver SQL
SB_SCHEDULE_VBS          SSBSECT               SSBSECT               (driver table itself; no driver SQL)
SB_SCHEDULE_VBS          SSBSECT               SSBDESC               EXISTS (SELECT 'X' FROM SSBSECT WHERE SSBSECT_CRN = SSBDESC_CRN AND SSBSECT_TERM_CODE = SSBDESC_TERM_CODE
SB_SCHEDULE_VBS          SSBSECT               SSBFSEC               EXISTS (SELECT 'X' FROM SSBSECT WHERE SSBSECT_CRN = SSBFSEC_CRN AND SSBSECT_TERM_CODE = SSBFSEC_TERM_CODE
SB_SCHEDULE_VBS          SSBSECT               SSBOVRR               EXISTS (SELECT 'X' FROM SSBSECT WHERE SSBSECT_CRN = SSBOVRR_CRN AND SSBSECT_TERM_CODE = SSBOVRR_TERM_CODE
SB_SCHEDULE_VBS          SSBSECT               SSBSSEC               EXISTS (SELECT 'X' FROM SSBSECT WHERE SSBSECT_CRN = SSBSSEC_CRN AND SSBSECT_TERM_CODE = SSBSSEC_TERM_CODE
SB_SCHEDULE_VBS          SSBSECT               SSRATTR               EXISTS (SELECT 'X' FROM SSBSECT WHERE SSBSECT_CRN = SSRATTR_CRN AND SSBSECT_TERM_CODE = SSRATTR_TERM_CODE
54
Code to join the SSBDESC table with the SSBSECT driver table
EXISTS
(SELECT 'X' FROM SSBSECT
WHERE SSBSECT_CRN = SSBDESC_CRN
AND SSBSECT_TERM_CODE = SSBDESC_TERM_CODE
This joins SSBDESC to the SB_SCHEDULE_VBS domain and makes it subject to the FGAC restriction for Schedule maintenance
Note that the closing parenthesis is deliberately omitted: the system completes the EXISTS clause when it assembles the child table’s predicate, so do not add it yourself. GOIFGAC shows the assembled predicate and is the place to confirm it came out as intended.
55
Restricting Banner Self-Service Access using FGAC
FGAC also works with the Banner Self-Service products. To create the cross reference between a self-service login ID and a Banner ID, you must code the person on the GOAEACC form (the underlying table is GOBEACC):
DESC GOBEACC;
Name Null? Type
------------------------------------------ -------- -----------------
GOBEACC_PIDM NOT NULL NUMBER(8)
GOBEACC_USERNAME NOT NULL VARCHAR2(30 CHAR)
GOBEACC_USER_ID NOT NULL VARCHAR2(30 CHAR)
GOBEACC_ACTIVITY_DATE NOT NULL DATE
GOBEACC_SURROGATE_ID NUMBER(19)
GOBEACC_VERSION NUMBER(19)
GOBEACC_DATA_ORIGIN VARCHAR2(30 CHAR)
GOBEACC_VPDI_CODE VARCHAR2(6 CHAR)
56
Restricting Banner Self-Service Access using FGAC
The GOBTPAC table can be used to find a user’s PIDM (GOBTPAC_PIDM) from the name they logged into Self-Service Banner with (GOBTPAC_USER). A predicate that joins to GOBTPAC should reference only those two columns; GOBTPAC_PIN, GOBTPAC_QUESTION and GOBTPAC_RESPONSE hold credential data and have no place in an access predicate:
DESC GOBTPAC;
Name Null? Type
------------------------------------------ -------- ------------------
GOBTPAC_PIDM NOT NULL NUMBER(8)
GOBTPAC_PIN_DISABLED_IND NOT NULL VARCHAR2(1 CHAR)
GOBTPAC_USAGE_ACCEPT_IND NOT NULL VARCHAR2(1 CHAR)
GOBTPAC_ACTIVITY_DATE NOT NULL DATE
GOBTPAC_USER NOT NULL VARCHAR2(30 CHAR)
GOBTPAC_PIN VARCHAR2(256 CHAR)
GOBTPAC_PIN_EXP_DATE DATE
GOBTPAC_EXTERNAL_USER VARCHAR2(30 CHAR)
GOBTPAC_QUESTION VARCHAR2(90 CHAR)
GOBTPAC_RESPONSE VARCHAR2(30 CHAR)
GOBTPAC_INSERT_SOURCE VARCHAR2(8 CHAR)
GOBTPAC_LDAP_USER VARCHAR2(255 CHAR)
57
Documenting FGAC Restrictions
Since FGAC restrictions can be fairly involved and you do not typically work with them frequently, I would recommend maintaining some form of fairly detailed documentation
There is a worksheet provided in the Ellucian FGAC documentation that you may want to use
58
Questions and Session Participant Experiences with FGAC
59