Implementing Fine Grained Access Control and Masking


Page 1: Implementing Fine Grained Access Control and Masking

Page 2: What is FGAC?

Fine Grained Access Control (FGAC) in Oracle 8i gives you the ability to dynamically attach, at runtime, a predicate (the WHERE clause) to all queries issued against a database table or view. (Expert One-on-One Oracle by Tom Kyte)

Other terms for FGAC are Row Level Security and Virtual Private Database (VPD).

FGAC is an Oracle feature that SCT has implemented within the Banner framework.

Page 3: What is FGAC cont'd

FGAC can be implemented with or without Value Based Security.

FGAC is implemented for specific tables, and works at both the form and table level.

Masking is NOT FGAC.

FGAC restricts access at the row level.

Page 4: Quick Overview of how FGAC works

Assume FGAC has been implemented for table SPBPERS:

User JSMITH has BAN_DEFAULT_M access to SPAPERS. We want him to see all people who are designated General Student on form GUASYST. To do this, we associate the SB_GENSTUDENT_PII with JSMITH. When JSMITH queries a person in SPAPERS who has an SGBSTDN record, he will see and have access to this record.

If JSMITH tries to query a person who does not have an SGBSTDN record, he will get into the form but will not see anything, as if the record does not exist at all.

This will carry over into SQL queries against SPBPERS.

We are using FGAC on SPBPERS & GOBTPAC.
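The mechanism these slides describe, reduced to plain Oracle VPD calls, as an added illustration that is not part of the original presentation and is not Banner's gfpiiaddpol.sql or GOKFGAC code. It shows a policy function that returns the JSMITH predicate (only people with an SGBSTDN record), an exemption for master accounts of the kind the presentation names later (BANINST1, WWW_USER), and the DBMS_RLS.ADD_POLICY call that attaches the function to SPBPERS. The schema names SATURN and VPD_DEMO, the function name F_SPBPERS_STUDENT_ONLY and the policy name SPBPERS_STUDENT_ONLY are assumptions; Banner's own implementation derives the predicate from business profiles and PII domains rather than hard-coding it.

```sql
-- Added illustration of Oracle VPD (not Banner's own code). Assumed names:
-- schema VPD_DEMO, function F_SPBPERS_STUDENT_ONLY, policy SPBPERS_STUDENT_ONLY,
-- and SATURN as the owner of SPBPERS and SGBSTDN.

-- 1. The policy function. Oracle calls it whenever a statement against the
--    protected table is parsed and appends the returned text to the WHERE clause.
--    The two parameters are required by the VPD interface; this example does not use them.
CREATE OR REPLACE FUNCTION vpd_demo.f_spbpers_student_only (
    p_schema IN VARCHAR2,
    p_object IN VARCHAR2
) RETURN VARCHAR2
IS
BEGIN
    -- Master accounts get no predicate at all, so COUNT(*) and table builds
    -- run against the full table for them.
    IF SYS_CONTEXT('USERENV', 'SESSION_USER') IN ('BANINST1', 'WWW_USER') THEN
        RETURN NULL;  -- NULL (or an empty string) means "no restriction"
    END IF;

    -- Everyone else sees only people who have a General Student (SGBSTDN) record.
    -- A person without one is simply absent from the result, not an error,
    -- which is the "as if the record does not exist" behaviour above.
    RETURN 'EXISTS (SELECT 1 FROM saturn.sgbstdn s '
        || 'WHERE s.sgbstdn_pidm = spbpers_pidm)';
END f_spbpers_student_only;
/

-- 2. Attach the function to SPBPERS. From now on every SELECT, INSERT, UPDATE and
--    DELETE, whether issued from a Banner form or from SQL*Plus, carries the predicate.
--    update_check => TRUE also rejects inserted/updated rows that would fall outside it.
BEGIN
    DBMS_RLS.ADD_POLICY(
        object_schema   => 'SATURN',
        object_name     => 'SPBPERS',
        policy_name     => 'SPBPERS_STUDENT_ONLY',
        function_schema => 'VPD_DEMO',
        policy_function => 'F_SPBPERS_STUDENT_ONLY',
        statement_types => 'SELECT,INSERT,UPDATE,DELETE',
        update_check    => TRUE,
        enable          => TRUE);
END;
/

-- 3. Verify that the policy is registered and enabled (DBA view).
SELECT object_owner, object_name, policy_name, function, enable
  FROM dba_policies
 WHERE object_name = 'SPBPERS';
```

Because the predicate is added at parse time, a user who is not exempt cannot get around it by writing a different query; the same restriction applies to reports, ad hoc SQL and forms alike, which is why the presentation stresses that FGAC "carries over into SQL".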

Page 5: Prior to implementing FGAC:

The most time consuming part for us was trying to nail down all the department heads to determine who can see what.

When we explained to users that we were going to restrict access to SPBPERS data based upon job function, we received feedback that certain users would need to see a cross section of records and could not be limited.

To sum up, the first step is to define Business Profiles and assign users to the applicable profiles.

Page 6: Implementing FGAC, Step 1: GTVFBPR

Create Business Groups.

Page 7: Step 2A: GORFDMN

Check the Enable PII box for all PII(s) to be used.

Page 8: Step 2B: GOAFBPI

Link applicable PII(s) with Business Profiles.

Page 9: Step 3: GOAFBPR

Assign Users to Business Profiles.

(This is ongoing maintenance.)

Page 10

Shows Business Profile Groups and associated PII Domains.

Page 11: Step 4: GORFDPI

1. Make sure policies are enabled on form GORFDPI for SPBPERS and GOBTPAC and the Active Indicator is checked for these tables. Make sure the Active Indicator is unchecked for SPRIDEN.

2. Log in as baninst1 and, positioned in the links directory, run gfpiiaddpol.sql.

Page 12

Checking Exempt from PII will bypass FGAC processing for this user in all Banner Forms. FGAC will remain in place at the table level. (Defect or feature?)

Checking Cross Domain PII will allow the user to bypass FGAC by entering through a search form (SOAIDEN, etc.).

Page 13

In order to grant full database access to certain users, we created a Business Profile which has all PII Domains associated with it. This is needed for users who will need full SQL row access.

Page 14

User IDs we have associated with the EXEMPT_FROM_FGA profile. BANINST1 is a definite, along with whatever USER ID performs table builds.

Page 15

Shows the predicate that is being used on each select statement issued against an applicable FGAC table.

Page 16: GORFEOB

Job Submission processes are placed here to exempt them from FGAC. FYI, Job Submission jobs which call database procedures will be processed under FGAC.

Page 17: Things to keep in mind

If a person is not a member of a PII domain they will have zero access to the table. All users who should have access to the table need to be added to a domain. From here on out, when you create a Banner account for a new employee or give someone access to a specific form with PII restrictions, you must add this person to an applicable domain. I added the GOAFBPR form to the GSASECR options menu, so as I give access to Forms, I can then add to the Business Group.

If you do a select count(*) from spbpers, you will return the total of all rows. If you turn FGA on for spbpers and are assigned to the student domain and do a select count(*) from spbpers, you will return the total for only students. Everyone at your institution needs to know this up front; this can be misleading for statistical purposes. Therefore you will need to exclude certain master user accounts from all PII processing to get accurate table statistics (example: BANINST1, WWW_USER). If you have customized table builds based on the FGA table, you will either need to place them into the above referenced exclusion group or, prior to builds, turn off FGA and turn it back on when finished (example below).

SCT needs to add a PII to capture people without any GUASYST records. We created our own PII to do this; will cover in the Technical presentation.

Since FGAC excludes entire rows, custom queries and reports will need to be reexamined. You will want to make sure that all references to the table using FGAC are outer joined, otherwise entire rows will be excluded.
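What the COUNT(*) and outer-join warnings look like in SQL, as an added example that is not from the presentation. It assumes the SATURN schema, a VPD policy on SPBPERS named SPBPERS_STUDENT_ONLY (an assumed name), an unprotected SPRIDEN, and a session that belongs to the student domain only; the target table REPORTING.SPBPERS_SNAPSHOT stands in for a custom table build and is also assumed.

```sql
-- Added example, not the presentation's own SQL. Assumed: SATURN schema, a VPD
-- policy SPBPERS_STUDENT_ONLY on SPBPERS, SPRIDEN not under FGAC, and a session
-- whose user is in the student domain only.

-- (a) The COUNT(*) surprise: the predicate is applied silently, so a student-domain
--     user gets the number of students, not the number of rows in the table.
SELECT COUNT(*) AS visible_rows
  FROM saturn.spbpers;

-- (b) A report that inner-joins the protected table loses the whole person, not just
--     the SPBPERS columns: anyone hidden by the predicate vanishes from the ID list.
SELECT i.spriden_id, i.spriden_last_name, p.spbpers_birth_date
  FROM saturn.spriden i
  JOIN saturn.spbpers p ON p.spbpers_pidm = i.spriden_pidm
 WHERE i.spriden_change_ind IS NULL;      -- current ID row only

-- (c) Outer-joining the FGAC table keeps every SPRIDEN row; the protected columns
--     simply come back NULL for people the predicate hides. (On Oracle 8i, write
--     this with the (+) outer-join operator instead of LEFT OUTER JOIN.)
SELECT i.spriden_id, i.spriden_last_name, p.spbpers_birth_date
  FROM saturn.spriden i
  LEFT OUTER JOIN saturn.spbpers p ON p.spbpers_pidm = i.spriden_pidm
 WHERE i.spriden_change_ind IS NULL;

-- (d) Plain-Oracle alternative for a custom table build: a DBA disables the policy
--     for the duration instead of exempting the build account. Note that
--     DBMS_RLS.ENABLE_POLICY is table-wide, not per session, so every connected
--     user sees the unprotected table until it is re-enabled; run this in a
--     maintenance window and make sure a failure cannot leave it switched off.
BEGIN
    DBMS_RLS.ENABLE_POLICY('SATURN', 'SPBPERS', 'SPBPERS_STUDENT_ONLY', FALSE);

    DELETE FROM reporting.spbpers_snapshot;          -- assumed build target
    INSERT INTO reporting.spbpers_snapshot
        SELECT * FROM saturn.spbpers;                -- full table, no predicate

    DBMS_RLS.ENABLE_POLICY('SATURN', 'SPBPERS', 'SPBPERS_STUDENT_ONLY', TRUE);
EXCEPTION
    WHEN OTHERS THEN
        DBMS_RLS.ENABLE_POLICY('SATURN', 'SPBPERS', 'SPBPERS_STUDENT_ONLY', TRUE);
        RAISE;
END;
/
```

A quick check after any such build is to compare (a) run as an exempt account against the snapshot's row count; if they differ, the build ran with the predicate in place and the snapshot is incomplete.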

Page 18: FGA Technical: Creating a custom PII

Page 19: FGA Technical

Page 20: FGA Technical

Page 21: FGA Technical

Page 22: FGA Technical

Page 23: FGA Technical

BEGIN
    gokfgac.p_turn_fgac_off;   -- Banner GOKFGAC package: switch FGAC off before the build

    -- Table build code goes here

    gokfgac.p_turn_fgac_on;    -- switch FGAC back on when the build is finished
EXCEPTION
    WHEN OTHERS THEN
        -- A failed build must not leave FGAC switched off
        gokfgac.p_turn_fgac_on;
        RAISE;
END;
/

Page 24: Masking

Masking is an SCT feature for Oracle Forms.

You may mask a column fully or partially (partially masking a varchar2 column requires a small form mod; will cover this in technical presentation).

Masking is all or nothing. Once Masking is enabled for a user every record will be masked, unlike FGAC where you can grant access to certain records and restrictions on others. I have an RPE (#:1-G3JR6) to allow the same type of functionality for Masking.

Because Masking is an Oracle Form feature, Masking will not carry over into SQL queries.

Page 25: Quick Overview of how Masking works

Assume spbpers_ssn has been masked on form SPAPERS for user JSMITH and he has BAN_DEFAULT_M:

When JSMITH enters SPAPERS he will be able to see all columns except SSN, which will be masked. He will be able to update all columns except SSN. Every record he queries in SPAPERS will have the SSN masked; there is no PII processing. Masking is all or nothing.

Masking does not carry over into SQL, and each form a user has access to must be set up to Mask. We are masking SSN (birthdate soon) on SPAPERS, SPAIDEN, APAIDEN & APSABIO.

We are using a combination of FGAC and Masking on Personal Data.

Page 26: GORDMCL

Here you list the Form Item(s) to be Masked on a particular Form.

Page 27: GORDMSK

Establish Masking Rules.

Page 28: Masking Technical

Page 29: Masking Technical

Page 30: Masking Technical

Page 31: Masking Technical

Page 32: Masking Technical