Banner VBS (FGAC): Concepts and Techniques - …moka.emporia.edu/uploads/moka_presentations/Banner... · Banner VBS (FGAC): Concepts and Techniques ... • It works by appending a


Page 1

Banner VBS (FGAC): Concepts and Techniques

Real-world examples, with emphasis on how design can enhance security, functionality and ease of support.

– Russ Wade, Banner Security Specialist, Wichita State University

Why FGAC is important from a Student records standpoint.

– Michelle Barger, Associate Registrar, Wichita State University

Page 2

Banner VBS (FGAC): Concepts and Techniques

• Overview of Value Based Security (VBS) - Ellucian’s implementation of FGAC for Banner

• Process to create a VBS (FGAC) restriction for INB

• Business Profile design to ensure FGAC managed access is “restricted unless granted” rather than “granted unless restricted”

• Using Banner Class membership as criteria for FGAC restrictions

• Making FGAC criteria table-driven

• Preventing users with Select Any Table privilege from seeing sensitive data

Page 3

Overview of Value Based Security (VBS) - Ellucian’s implementation of FGAC for Banner

• FGAC provides a row-level security mechanism

• It works by appending a WHERE predicate to SQL statements

• This “filters” what data can be seen or operated upon

• The Ellucian Support Center Banner General Documentation Library “Banner General Data Security Handbook” has chapters on Value-Based Security and FGAC Reference that are very helpful

Page 4

Process to create a FGAC (VBS) Restriction

• Banner VBS or FGAC is a useful tool for customizing access

• Requires caution since it changes the access behavior of tables underlying Banner forms and processes

• For this reason, realistic and complete testing is important

Page 5

Careful definition of the business requirement and testing by content specialists is important for the success of FGAC development

Step in Process                    Effort   Area with Primary Responsibility
1. Define Business Requirement     30%      Functional Area
2. Research and Proof of Concept   20%      Technical Area
3. Programming                     15%      Technical Area
4. Testing                         35%      Functional Area

Page 6

Setup of a simple FGAC restriction

The first step is to define the Business Requirement for what you are going to develop the FGAC restriction for:

“Prevent anyone from deleting Holds.”

You might want this so there is a record of every hold ever placed to refer back to. People can release them, but not delete them.

Page 7

Screen image of SOAHOLD Banner form

Page 8

Identifying the table behind the form

Page 9

Table is SPRHOLD

Page 10

Banner General Menu displays FGAC Forms

INB General Menu>General>System Functions/Administration:

Page 11

System Functions/Administration>Fine-Grained Access Control

Page 12

FGAC Value Based Security Maintenance sub-folder

Page 13

First setup task is to create a VBS (FGAC) Group

Page 14

Create an entry in a validation table for the new VBS Group name using the GTVFGAC form

Page 15

Create FGAC Domain validation table entry using GTVFDMN

Page 16

Create FGAC Domain Driver Table Rules using GORFDMN

Page 17

Create FGAC VBS Table Rules entry using GORFDPL

Page 18

Request DBA to run GFVBSADDPOL.SQL to place Oracle FGAC policies on the table involved

As instructed in the Banner General Data Security Handbook:

“From SQL*Plus run the gfvbsaddpol.sql script while logged in with the BANINST1 User ID. You are prompted for a table name (you can use wild cards).

The gfvbsaddpol.sql script is located in the Banner General Plus directory.”

This places the following policies on the specified table:

OBJECT_OWNER    OBJECT_NAME     POLICY_NAME          SEL INS UPD DEL
--------------- --------------- -------------------- --- --- --- ---
SATURN          SPRHOLD         GOKFGAC_SPRHOLD_INS  NO  YES NO  NO
SATURN          SPRHOLD         GOKFGAC_SPRHOLD_SEL  YES NO  NO  NO
SATURN          SPRHOLD         GOKFGAC_SPRHOLD_UPD  NO  NO  YES NO
SATURN          SPRHOLD         GOKFGAC_SPRHOLD_DEL  NO  NO  NO  YES

Page 19

Add the FGAC predicate for delete to HOLD_DELETE_PREVENTION_VBS using GOAFGAC form

Page 20

FGAC WHERE Predicate appended to SQL

For example, the SQL submitted by the SOAHOLD form might be something like:

Delete from SPRHOLD where SPRHOLD_PIDM = 123456 and SPRHOLD_HLDD_CODE = 'RH';

The FGAC policy on the SPRHOLD table for the delete function would then append “1=2” as an AND condition:

Delete from SPRHOLD where SPRHOLD_PIDM = 123456 and SPRHOLD_HLDD_CODE = 'RH' and 1=2;
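The appending shown above is done by Oracle Virtual Private Database (VPD), which Banner drives through the GOKFGAC policies that GFVBSADDPOL.SQL creates. The following is an added example, not from the presentation and not Ellucian's script: it builds the same "1=2" delete restriction with the raw Oracle DBMS_RLS API on a scratch table named DEMO_HOLD (a constructed stand-in for SPRHOLD, so nothing here touches the real table) and then verifies it the same way the listing on the previous slide does. It assumes the account running it has EXECUTE on DBMS_RLS.

```sql
-- Added example: plain Oracle VPD version of "prevent anyone from deleting Holds".
-- DEMO_HOLD, DEMO_HOLD_DELETE_PRED and DEMO_HOLD_DELETE_DENY are constructed
-- names for a scratch schema. Banner's own policies are created by
-- GFVBSADDPOL.SQL and are named GOKFGAC_<table>_<operation>.

CREATE TABLE demo_hold (
  demo_hold_pidm      NUMBER(8)        NOT NULL,
  demo_hold_hldd_code VARCHAR2(2 CHAR) NOT NULL,
  demo_hold_from_date DATE             NOT NULL
);

INSERT INTO demo_hold VALUES (123456, 'RH', SYSDATE);   -- constructed sample hold
COMMIT;

-- A VPD policy function returns the predicate text that Oracle ANDs onto
-- every statement of the policed type. '1=2' can never be true, so no row
-- ever qualifies for deletion, whatever WHERE clause the form submits.
CREATE OR REPLACE FUNCTION demo_hold_delete_pred (
  p_schema IN VARCHAR2,
  p_object IN VARCHAR2
) RETURN VARCHAR2
AS
BEGIN
  RETURN '1=2';
END;
/

-- Attach the function to DELETE only; SELECT, INSERT and UPDATE are untouched.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => USER,
    object_name     => 'DEMO_HOLD',
    policy_name     => 'DEMO_HOLD_DELETE_DENY',
    function_schema => USER,
    policy_function => 'DEMO_HOLD_DELETE_PRED',
    statement_types => 'DELETE',
    enable          => TRUE);
END;
/

-- Same columns as the slide's policy listing, read from the data dictionary.
SELECT object_owner, object_name, policy_name, sel, ins, upd, del, enable
  FROM all_policies
 WHERE object_owner = USER
   AND object_name  = 'DEMO_HOLD';

-- Oracle rewrites this statement with "AND (1=2)" before executing it,
-- so the sample row survives.
DELETE FROM demo_hold
 WHERE demo_hold_pidm      = 123456
   AND demo_hold_hldd_code = 'RH';

SELECT COUNT(*) AS rows_remaining FROM demo_hold;

-- Remove the scratch objects.
BEGIN
  DBMS_RLS.DROP_POLICY(USER, 'DEMO_HOLD', 'DEMO_HOLD_DELETE_DENY');
END;
/
DROP FUNCTION demo_hold_delete_pred;
DROP TABLE demo_hold PURGE;
```

The policy applies to the table owner as well as to every other account, which is the property that makes FGAC useful against power users; the exceptions are SYS and accounts holding the EXEMPT ACCESS POLICY privilege.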

Page 21

The “Access to Predicate” tab of the GOAFGAC form specifies when the FGAC restriction will be applied

Page 22

Create a Business Profile for the Hold Delete Prevention FGAC restriction using the GTVFBPR form

Page 23

Assign the BUSINESS_PROFILE_FOR_HOLD_FGAC Business Profile to a user using GOAFBPR form

Page 24

Returning to the GOAFGAC form where we originally saw the need for a Business Profile

Page 25

Attempting to remove (delete) record on SOAHOLD form

Resulting error displayed at bottom of page:

Page 26

Errors displayed when FGAC restriction is violated and an operation is prevented

• FGAC - INSERT ERROR = Security violation, transaction not complete

• FGAC - DELETE ERROR = Delete Failed. Exactly one row must be deleted

• FGAC - UPDATE ERROR = Delete Failed. Exactly one row must be deleted

Page 27

Summary of FGAC example setup steps

1. Create an entry in a validation table for the new VBS Group name using the GTVFGAC form

2. Create FGAC Domain validation table entry using GTVFDMN

3. Create FGAC Domain Driver Table Rules using GORFDMN

4. Create FGAC VBS Table Rules entry using GORFDPL

5. Request DBA to run GFVBSADDPOL.SQL to place Oracle FGAC policies on the table involved

6. Add the FGAC predicate for delete to HOLD_DELETE_PREVENTION_VBS using GOAFGAC form

7. Create a Business Profile for the Hold Delete Prevention FGAC restriction using the GTVFBPR form

8. Assign the Business Profile to the FGAC Group for the select, insert, update and/or delete operation on the GOAFGAC form

9. Assign the BUSINESS_PROFILE_FOR_HOLD_FGAC Business Profile to a user using GOAFBPR form

Page 28

Some Design Techniques

• Business Profile design to ensure FGAC managed access is “restricted unless granted” rather than “granted unless restricted”

• Using Banner Class membership as criteria for FGAC restrictions

• Making FGAC criteria table-driven

• Preventing users with Select Any Table privilege from seeing sensitive data

Page 29

Diagram of typical Business Profile use

Page 30

Diagram of “inclusive” access control scope Business Profile design

Page 31

Identifying the user to apply FGAC criteria to

• The value of FGAC restrictions rests very much on its ability to enforce role-based access

• I would like to show you a way to determine who the user is and relate them to their data in Banner

Page 32

Identifying the user to apply FGAC criteria to

The following selects the user name by which the current user is authenticated:

SELECT SYS_CONTEXT ('USERENV','SESSION_USER') FROM DUAL

This can be used to select the user’s PIDM from the SPRIDEN table as follows:

SELECT SPRIDEN_PIDM FROM SPRIDEN
WHERE SPRIDEN_ID = (SELECT SYS_CONTEXT ('USERENV','SESSION_USER') FROM DUAL)
AND SPRIDEN_CHANGE_IND IS NULL;

Once you have the PIDM, you can apply a variety of FGAC restrictions based upon the user’s Banner data

Page 33

Using Banner Class membership as criteria for FGAC restrictions

• Remember our simple setup example FGAC predicate?

• What would be a good way to change this to exempt the Registrar and Associate Registrar from this restriction?

Page 34

GURUCLS security table stores Banner Class membership

DESC GURUCLS;

Name                                        Null?    Type
------------------------------------------- -------- -------------------
GURUCLS_USERID                              NOT NULL VARCHAR2(30 CHAR)
GURUCLS_CLASS_CODE                          NOT NULL VARCHAR2(30 CHAR)
GURUCLS_ACTIVITY_DATE                                DATE
GURUCLS_USER_ID                             NOT NULL VARCHAR2(30 CHAR)
GURUCLS_COMMENTS                                     VARCHAR2(4000 CHAR)
GURUCLS_DATA_ORIGIN                                  VARCHAR2(30 CHAR)

GURUCLS_USERID stores the user’s Oracle Username

GURUCLS_CLASS_CODE stores Banner Class name the user is a member of

This gives us an opportunity to use the SESSION_USER to select the Banner Classes of the user who is logged in

Page 35

FGAC Predicate with Banner Class as criteria

We can then use the following FGAC predicate to exempt users who have the BAN_STUDENT_REG_ADMIN Banner Class from the delete restriction:

-- Exempt user with BAN_STUDENT_REG_ADMIN Banner Class
(EXISTS
  (SELECT 'X' FROM BANSECR.GURUCLS
    WHERE GURUCLS_USERID IN
      (SELECT SYS_CONTEXT ('USERENV','SESSION_USER') FROM DUAL)
      AND GURUCLS_CLASS_CODE = 'BAN_STUDENT_REG_ADMIN'
  )
)
-- Prevents SPRHOLD Table delete if condition above evaluates false

This predicate only returns true when the user has the required Banner Class.
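Because the predicate reads SESSION_USER, the only way to see its effect in a form is to log in as the user under test. For the testing step a DBA can instead evaluate the same membership test for any candidate account by substituting a bind variable for SYS_CONTEXT. This is an added example, not from the presentation; the account name JDOE is a constructed placeholder, and BANSECR.GURUCLS and its columns are the ones described on the previous slide.

```sql
-- Added example: dry-run the Banner Class exemption for a chosen account.
-- :test_user stands in for SYS_CONTEXT('USERENV','SESSION_USER');
-- 'JDOE' is a constructed placeholder, not a real account.
VARIABLE test_user VARCHAR2(30)
EXEC :test_user := 'JDOE'

-- Outcome of the delete predicate for that account. EXEMPT means the
-- EXISTS condition is true and the delete on SPRHOLD would go through.
SELECT :test_user AS userid,
       CASE WHEN EXISTS (SELECT 'X'
                           FROM BANSECR.GURUCLS
                          WHERE GURUCLS_USERID     = :test_user
                            AND GURUCLS_CLASS_CODE = 'BAN_STUDENT_REG_ADMIN')
            THEN 'EXEMPT'
            ELSE 'RESTRICTED'
       END AS delete_access
  FROM DUAL;

-- Every account the exemption currently applies to, with the date the
-- membership was last touched; review this list with the functional area
-- before and after the restriction goes live.
SELECT GURUCLS_USERID, GURUCLS_ACTIVITY_DATE
  FROM BANSECR.GURUCLS
 WHERE GURUCLS_CLASS_CODE = 'BAN_STUDENT_REG_ADMIN'
 ORDER BY GURUCLS_USERID;
```

The second query is the one to rerun whenever the class membership changes: adding someone to BAN_STUDENT_REG_ADMIN for form access also widens this exemption, which is the point of the design but needs to be understood by whoever administers the class.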

Page 36

SESSION_USER is the name the user is authenticated with

Page 37

SESSION_USER is used to select for the required USERID and Banner Class combination

Page 38

What this looks like when implemented on the GOAFGAC form

Page 39

Recap of the value of using Banner Class membership as criteria for FGAC restrictions

• Banner Classes already provide job-role-based user grouping that does not have to be duplicated using Business Profiles

• When we grant the forms access with Banner Classes, it automatically applies the appropriate FGAC restrictions

• This is both an efficiency and accuracy advantage

Page 40

Making FGAC criteria table-driven

The solution for the following FGAC restriction involved use of a custom table for the criteria.

Business requirement:

Users may only insert or update Comment Types they have a maintenance qualifying Banner Class for.

Page 41

SWRCMNT is a custom table created to store Banner Classes that qualify the user to maintain Comment Types

The following lists some entries of the SWRCMNT table to illustrate what type of information it provides:

PERSON COMMENT MAINTENANCE QUALIFYING BANNER CLASSES BY COMMENT TYPE

COMMENT TYPE CODE  DESCRIPTION                     MAINTENANCE QUALIFYING BANNER CLASS
-----------------  ------------------------------  -------------------------------
100                General Comment                 BAN_STUDENT_ACADEMIC_HISTORY
ADV                College Advising Notes          BAN_STUDENT_COMMENT_ADV_MAINT
GRA                Graduate Admissions             BAN_STUDENT_GR_ADM_ASSISTANTS
GAU                Graduate School Degree Audit    BAN_STUDENT_GR_ADM_DEAN
ADV                College Advising Notes          BAN_STUDENT_INQ_ADVISOR
INA                International Admissions        BAN_STUDENT_INTL_ADM_CLERK
OMA                Offc of Multicultural Affairs   BAN_STUDENT_OMA
DEC                Deceased Indicator              BAN_STUDENT_REG_DATA_ENTRY_SEC
FER                FERPA Release                   BAN_STUDENT_REG_DATA_ENTRY_SEC
100                General Comment                 BAN_STUDENT_REG_GENERAL
FER                FERPA Release                   BAN_STUDENT_REG_GENERAL
TRN                Transcript Request Notes        BAN_STUDENT_TRANS
UGA                Undergraduate Admissions        BAN_STUDENT_UG_ADM_BUDGET_SEC
UGA                Undergraduate Admissions        BAN_STUDENT_UG_ADM_CLERK
UGA                Undergraduate Admissions        BAN_STUDENT_UG_ADM_DEAN

Page 42

Description of the SWRCMNT custom table

DESC WSUSTU.SWRCMNT;

Name                                 Null?    Type
------------------------------------ -------- ---------------
SWRCMNT_CMTT_CODE                    NOT NULL VARCHAR2(3)
SWRCMNT_CLASS_CODE                   NOT NULL VARCHAR2(30)

Page 43

Person Comment FGAC Predicate

The following FGAC predicate allows users to insert or update any Comment Type they have a Banner Class for, as specified in the SWRCMNT table:

-- Require user have maint qualifying Banner Class for SWRCMNT Comment Type
(EXISTS
  (SELECT 'X' FROM WSUSTU.SWRCMNT
    WHERE SWRCMNT_CMTT_CODE = SPRCMNT_CMTT_CODE
      AND SWRCMNT_CLASS_CODE IN
        (SELECT GURUCLS_CLASS_CODE FROM BANSECR.GURUCLS
          WHERE GURUCLS_USERID IN
            (SELECT SYS_CONTEXT ('USERENV','SESSION_USER') FROM DUAL)
        )
  )
)
-- Prevents SPRCMNT table insert and update if each condition above fails

Page 44

Person Comment FGAC Predicate

It looks for Comment Types in the custom SWRCMNT table that match what has been retrieved on the form:

Page 45

Person Comment FGAC Predicate

It then compares all of the current user’s Banner Class codes from the GURUCLS security table to the custom table Banner Class code that matches the Comment Type retrieved:

Page 46

Rationale for making FGAC criteria table-driven

• Using a custom table to store lengthy FGAC criteria simplifies the FGAC predicate

• Changes to the criteria can be made to the table rather than to the FGAC predicate

• This reduces the effort and risk of making these changes

• Tables that store FGAC criteria can be used to produce reports that document the setup
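The last two points above are worth making concrete. The following is an added example, not code from the presentation: it creates the SWRCMNT criteria table with a primary key (the key is an assumption beyond the DESC shown earlier, added so the same class cannot be entered twice for one Comment Type), loads two rows from the slide's listing, and then produces the two reports that document the setup. It is meant to be run as the owner of the WSUSTU schema; the predicate itself is unchanged by any of this, which is the point of the design.

```sql
-- Added example: integrity constraints and documentation reports for
-- table-driven FGAC criteria. The primary key is an assumption.
CREATE TABLE WSUSTU.SWRCMNT (
  SWRCMNT_CMTT_CODE  VARCHAR2(3)  NOT NULL,
  SWRCMNT_CLASS_CODE VARCHAR2(30) NOT NULL,
  CONSTRAINT PK_SWRCMNT PRIMARY KEY (SWRCMNT_CMTT_CODE, SWRCMNT_CLASS_CODE)
);

-- Two of the entries from the slide's listing (FERPA Release).
INSERT INTO WSUSTU.SWRCMNT VALUES ('FER', 'BAN_STUDENT_REG_DATA_ENTRY_SEC');
INSERT INTO WSUSTU.SWRCMNT VALUES ('FER', 'BAN_STUDENT_REG_GENERAL');
COMMIT;

-- Report 1: who can maintain which Comment Type. This is the same join the
-- FGAC predicate performs at run time, so it documents effective access
-- rather than intended access.
SELECT u.GURUCLS_USERID, c.SWRCMNT_CMTT_CODE, c.SWRCMNT_CLASS_CODE
  FROM WSUSTU.SWRCMNT c
  JOIN BANSECR.GURUCLS u
    ON u.GURUCLS_CLASS_CODE = c.SWRCMNT_CLASS_CODE
 ORDER BY u.GURUCLS_USERID, c.SWRCMNT_CMTT_CODE;

-- Report 2: criteria rows that currently qualify nobody, because no user
-- holds the class. These are stale or mistyped entries to review; a typo
-- here silently locks the Comment Type for everyone.
SELECT c.SWRCMNT_CMTT_CODE, c.SWRCMNT_CLASS_CODE
  FROM WSUSTU.SWRCMNT c
 WHERE NOT EXISTS (SELECT 'X'
                     FROM BANSECR.GURUCLS u
                    WHERE u.GURUCLS_CLASS_CODE = c.SWRCMNT_CLASS_CODE)
 ORDER BY c.SWRCMNT_CMTT_CODE, c.SWRCMNT_CLASS_CODE;
```

Because only the table changes when the criteria change, the rows of SWRCMNT are the thing to put under change control and to compare between test and production, not the predicate text.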

Page 47

Preventing users with Select Any Table privilege from seeing sensitive data

Immunization information data is deemed sensitive enough to warrant hiding it from power users who have broad select access, but who do not need to see this data. This is reflected in the following business requirement.

Business Requirement:

Restrict select, insert, update and delete access to the GORIMMU immunization information table, whether through the GOAIMMU form or by accessing the table directly, to users who have one of the following Banner Classes:

BAN_GENERAL_IMMUNIZATION_ADMIN

BAN_GENERAL_IMMUNIZATION_MAINT

BAN_GENERAL_IMMUNIZATION_QUERY
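The reason this requirement needs FGAC rather than object grants is that SELECT ANY TABLE is a system privilege: it reaches GORIMMU outside any form, and revoking it from a DBA-level account is usually not an option. Oracle applies VPD policies regardless of object or system privileges, with two exceptions: the SYS account and any grantee of the EXEMPT ACCESS POLICY system privilege. The following queries are an added example, not from the presentation; they are the checks a DBA would run after GFVBSADDPOL.SQL to confirm the four operation policies on GORIMMU are enabled and to list the accounts that would still bypass them. They assume SELECT on the DBA_* views.

```sql
-- Added example: verify enforcement on GORIMMU and find accounts that bypass VPD.

-- 1. All four operation policies present and enabled. One row per policy
--    is expected, with YES in exactly one of SEL/INS/UPD/DEL and ENABLE = YES.
SELECT object_owner, object_name, policy_name, sel, ins, upd, del, enable
  FROM dba_policies
 WHERE object_name = 'GORIMMU'
 ORDER BY policy_name;

-- 2. Grantees that bypass every VPD policy in the database. Each account or
--    role listed can read GORIMMU no matter what the FGAC predicate says, so
--    the list should be empty or contain only administrative accounts that
--    the functional area has explicitly accepted.
SELECT grantee, privilege
  FROM dba_sys_privs
 WHERE privilege = 'EXEMPT ACCESS POLICY'
 ORDER BY grantee;

-- 3. The power users this restriction is aimed at: direct grantees of
--    SELECT ANY TABLE who hold none of the three immunization classes.
--    With the policies enabled, these accounts see zero rows in GORIMMU.
--    (Grantees may be roles as well as users; resolve roles separately.)
SELECT p.grantee
  FROM dba_sys_privs p
 WHERE p.privilege = 'SELECT ANY TABLE'
   AND NOT EXISTS (SELECT 'X'
                     FROM BANSECR.GURUCLS u
                    WHERE u.GURUCLS_USERID = p.grantee
                      AND u.GURUCLS_CLASS_CODE IN ('BAN_GENERAL_IMMUNIZATION_ADMIN',
                                                   'BAN_GENERAL_IMMUNIZATION_MAINT',
                                                   'BAN_GENERAL_IMMUNIZATION_QUERY'))
 ORDER BY p.grantee;
```

Query 3 doubles as a test plan: pick one of the accounts it returns, log in as that account, and confirm that SELECT COUNT(*) on GORIMMU returns zero while a member of BAN_GENERAL_IMMUNIZATION_QUERY sees the full count.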

Page 48

The following FGAC predicate exempts only the users with the specified Banner Classes

Page 49

This FGAC predicate is implemented for select, insert, update and delete

Page 50

Miscellaneous Topics

• Using the GOIFGAC form to see the FGAC predicate generated by the system for a particular user

• Example of a FGAC restriction having a large domain

• Restricting Banner Self-Service Access using FGAC

• Documenting FGAC restrictions

Page 51

Using the GOIFGAC form to see the FGAC predicate generated by the system for a particular user

It is always a good thing to see the FGAC predicate the system generates, just to be sure it is as you envisioned

You may do this by granting query access to the GOIFGAC form to a test user, and then logging on as that user and viewing the predicate for the domain you are interested in

Page 52

Click on the FGAC Icon to see the FGAC predicate generated by the system for a particular user

Page 53

Enter the Table Name of interest and next block to display the FGAC predicate

In this case, the FGAC predicate for the SPRHOLD Delete operation is displayed

Page 54

Schedule maintenance as an example of a FGAC restriction having a large domain

Following lists the Schedule domain table and 5 of the 34 child tables:

Domain Validation Code   Domain Driver Table   Domain Policy Tables   Driver SQL
SB_SCHEDULE_VBS          SSBSECT               SSBSECT
SB_SCHEDULE_VBS          SSBSECT               SSBDESC                EXISTS (SELECT 'X' FROM SSBSECT WHERE SSBSECT_CRN = SSBDESC_CRN AND SSBSECT_TERM_CODE = SSBDESC_TERM_CODE
SB_SCHEDULE_VBS          SSBSECT               SSBFSEC                EXISTS (SELECT 'X' FROM SSBSECT WHERE SSBSECT_CRN = SSBFSEC_CRN AND SSBSECT_TERM_CODE = SSBFSEC_TERM_CODE
SB_SCHEDULE_VBS          SSBSECT               SSBOVRR                EXISTS (SELECT 'X' FROM SSBSECT WHERE SSBSECT_CRN = SSBOVRR_CRN AND SSBSECT_TERM_CODE = SSBOVRR_TERM_CODE
SB_SCHEDULE_VBS          SSBSECT               SSBSSEC                EXISTS (SELECT 'X' FROM SSBSECT WHERE SSBSECT_CRN = SSBSSEC_CRN AND SSBSECT_TERM_CODE = SSBSSEC_TERM_CODE
SB_SCHEDULE_VBS          SSBSECT               SSRATTR                EXISTS (SELECT 'X' FROM SSBSECT WHERE SSBSECT_CRN = SSRATTR_CRN AND SSBSECT_TERM_CODE = SSRATTR_TERM_CODE

These tables are all involved in the Schedule function and must be included in the FGAC restriction

Page 55

Code to join the SSBDESC table with the SSBSECT driver table

EXISTS
  (SELECT 'X' FROM SSBSECT
    WHERE SSBSECT_CRN = SSBDESC_CRN
      AND SSBSECT_TERM_CODE = SSBDESC_TERM_CODE

This joins SSBDESC to the SB_SCHEDULE_VBS domain and makes it subject to the FGAC restriction for Schedule maintenance

Note that the closing parenthesis is omitted

Page 56

Restricting Banner Self-Service Access using FGAC

FGAC functions on the Banner Self-Service products. To create the cross reference between a self-service login ID and a Banner ID, you must code the person on the GOAEACC form:

DESC GOBEACC;

Name                                       Null?    Type
------------------------------------------ -------- -----------------
GOBEACC_PIDM                               NOT NULL NUMBER(8)
GOBEACC_USERNAME                           NOT NULL VARCHAR2(30 CHAR)
GOBEACC_USER_ID                            NOT NULL VARCHAR2(30 CHAR)
GOBEACC_ACTIVITY_DATE                      NOT NULL DATE
GOBEACC_SURROGATE_ID                                NUMBER(19)
GOBEACC_VERSION                                     NUMBER(19)
GOBEACC_DATA_ORIGIN                                 VARCHAR2(30 CHAR)
GOBEACC_VPDI_CODE                                   VARCHAR2(6 CHAR)

Page 57

Restricting Banner Self-Service Access using FGAC

The GOBTPAC table can be used to find a user’s PIDM using the name they logged into Self-Service Banner with:

DESC GOBTPAC;

Name                                       Null?    Type
------------------------------------------ -------- ------------------
GOBTPAC_PIDM                               NOT NULL NUMBER(8)
GOBTPAC_PIN_DISABLED_IND                   NOT NULL VARCHAR2(1 CHAR)
GOBTPAC_USAGE_ACCEPT_IND                   NOT NULL VARCHAR2(1 CHAR)
GOBTPAC_ACTIVITY_DATE                      NOT NULL DATE
GOBTPAC_USER                               NOT NULL VARCHAR2(30 CHAR)
GOBTPAC_PIN                                         VARCHAR2(256 CHAR)
GOBTPAC_PIN_EXP_DATE                                DATE
GOBTPAC_EXTERNAL_USER                               VARCHAR2(30 CHAR)
GOBTPAC_QUESTION                                    VARCHAR2(90 CHAR)
GOBTPAC_RESPONSE                                    VARCHAR2(30 CHAR)
GOBTPAC_INSERT_SOURCE                               VARCHAR2(8 CHAR)
GOBTPAC_LDAP_USER                                   VARCHAR2(255 CHAR)

Page 58

Documenting FGAC Restrictions

Since FGAC restrictions can be fairly involved and you do not typically work with them frequently, I would recommend maintaining some form of fairly detailed documentation

There is a worksheet provided in the Ellucian FGAC documentation that you may want to use

Page 59

Questions and Session Participant Experiences with FGAC