Omicron Consulting, 1500 Market Street, Philadelphia, PA 19102

Directory Services and Your Enterprise RtPM

Presented by: John Matranga, CTO, Omicron Consulting

John [email protected]

OSIsoft UC 2004

Abstract

Your company is rolling out Active Directory (AD), Novell Directory Services (NDS), SunOne Directory Service or IBM SecureWay Directory.

What are directory services? What are AD and NDS? How do directory services fit with your PI Server and Portal infrastructure? These are the kinds of questions John will cover as he outlines directory services and the role they play in moving your PI Server to an enterprise-level RtPM infrastructure.

DISCLAIMER: This talk is designed to be a primer; there will be some OSIsoft specifics for what exists today. There will also be some forward-looking, non-OSIsoft-endorsed ideas used as examples.

Agenda

• Directory Services
  • General Overview
  • Uses / Examples
• LDAP
  • History
  • Use
• PI and Security - A few notes
• RtPortal and Directory Services
  • SPS Overview
  • RtPortal Issues
• Q/A & Resources

Directories

Non-electronic Directories
• Phone Book
• Healthcare Providers
• Parts Catalog

Electronic Directories
• Users
• Web Sites (Yahoo List)
• Printer Resources

Directory Service Attributes

• Special-purpose database for resource lookup: not just a normal database, but one optimized for lookup
• Written a few times, read many times
• Often contains certain types of data: servers, printers, file systems, applications, users, profiles, etc.
• Not designed for complex queries
• Hierarchically organized, with a standard namespace
• Remote access via LDAP

Drivers for a Directory

• Single Unified Security
  • THE security service (“the C/S” subsystem)
  • Single source of users
  • Single source of role-based profiles
  • Authorization & authentication: what & who
• Dynamic Indirection
  • List-based management, e.g. mail lists
  • Role-based solutions
• Costs
  • Multiple create/update/delete lists
  • No need for specific security DBAs
• Integration

Domain Name System (DNS)

(Figure: DNS name hierarchy for the example domain widgets.org)

widgets.org
• na.widgets.org
  • hq.na.widgets.org (headquarters)
  • we.na.widgets.org (west)
  • ce.na.widgets.org (central)
  • ea.na.widgets.org (east)
• euro.widgets.org
  • uk.euro.widgets.org (uk)
  • ge.euro.widgets.org (german)
  • fr.euro.widgets.org (france)
• asia.widgets.org
  • jp.asia.widgets.org (japan)
  • oz.asia.widgets.org (australia)
  • nz.asia.widgets.org (new zealand)

Directory Architecture

• Directory objects have attributes
• Objects and attributes are protected by ACLs

(Figure: example directory tree)

Root
• Users
  • Marketing
  • Personnel
• Machines
• Applications
• Devices

Example user object: Name: Bob Jones; Email: [email protected]; Phone: 555-1234; SSN: 456-78-9101

Shared Folder Objects

• A shared folder directory object abstracts a shared folder or Dfs volume
• A UNC path points to the resource

(Figure: a domain containing a tree of OUs)

Printer Objects

• A printer directory object abstracts a shared printer
• The printer object attributes include:
  • The printer’s UNC path
  • Printer model and capabilities

(Figure: a domain containing a tree of OUs)

Object Access

Access to directory objects is controlled via Access Control Lists (ACLs). Why is this important?

(Figure: a directory object with an ACL granting “Sales Managers” read access)

ACLs: Access Control Lists

• Access: what can be done?
• Control: who can do it?
• Lists: one to many
• Role based or user based; any number of groups
• Groups of what? Roles, users, points, etc.
• Central management, standard management. SO?
• Gets OSIsoft ‘out of the business’
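
As an added example (my own code, not from the slides and not OSIsoft or Omicron code), here is a small in-memory directory that ties together the Directory Architecture, Object Access and ACL slides: objects with attributes, ACLs that say what (read or write) and who (groups, one to many), and attribute-level protection so that a member of “Sales Managers” can read a user's contact details but not the SSN attribute shown in the architecture example. The DNs, group names and member lists are constructed for illustration; only Bob Jones's name, phone and SSN values are taken from the slide.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Ace:
    """One access control entry: who (a group), what (a right) and
    which attributes it covers ("*" means the whole object)."""
    group: str
    right: str                       # "read" or "write"
    attributes: frozenset = frozenset({"*"})


@dataclass
class DirectoryObject:
    dn: str
    attributes: dict
    acl: list = field(default_factory=list)


# Constructed sample data (not a real directory). Group membership is a
# list on the group itself: list-based management, one group -> many users.
GROUPS = {
    "Sales Managers": {"cn=Alice Smith,ou=Marketing,ou=Users,dc=widgets,dc=org"},
    "Personnel": {"cn=Carol Lee,ou=Personnel,ou=Users,dc=widgets,dc=org"},
}

BOB_DN = "cn=Bob Jones,ou=Personnel,ou=Users,dc=widgets,dc=org"
DIRECTORY = {
    BOB_DN: DirectoryObject(
        dn=BOB_DN,
        attributes={"name": "Bob Jones", "mail": "bob@widgets.org",
                    "phone": "555-1234", "ssn": "456-78-9101"},
        acl=[
            # Sales Managers may read contact details, but not the SSN attribute.
            Ace("Sales Managers", "read", frozenset({"name", "mail", "phone"})),
            # Personnel may read the whole object and update two attributes.
            Ace("Personnel", "read"),
            Ace("Personnel", "write", frozenset({"phone", "ssn"})),
        ],
    ),
}


def groups_of(user_dn: str) -> set:
    """Roles are resolved through group membership, not per-user entries."""
    return {name for name, members in GROUPS.items() if user_dn in members}


def permitted(user_dn: str, obj: DirectoryObject, right: str, attribute: str) -> bool:
    """Default deny: True only if an ACE grants `right` on `attribute` to one of the user's groups."""
    user_groups = groups_of(user_dn)
    return any(
        ace.group in user_groups
        and ace.right == right
        and ("*" in ace.attributes or attribute in ace.attributes)
        for ace in obj.acl
    )


def read_attributes(user_dn: str, obj: DirectoryObject) -> dict:
    """Return only the attributes the caller is allowed to see."""
    return {k: v for k, v in obj.attributes.items()
            if permitted(user_dn, obj, "read", k)}


def write_attribute(user_dn: str, obj: DirectoryObject, attribute: str, value: str) -> bool:
    """Apply a change only if a write ACE covers the attribute; report whether it was applied."""
    if not permitted(user_dn, obj, "write", attribute):
        return False
    obj.attributes[attribute] = value
    return True


if __name__ == "__main__":
    alice = "cn=Alice Smith,ou=Marketing,ou=Users,dc=widgets,dc=org"
    carol = "cn=Carol Lee,ou=Personnel,ou=Users,dc=widgets,dc=org"
    bob = DIRECTORY[BOB_DN]
    print("Sales Manager sees:", read_attributes(alice, bob))
    print("Personnel sees:", read_attributes(carol, bob))
    print("Sales Manager may change phone:", write_attribute(alice, bob, "phone", "555-0000"))
```

The point to take from it is the default-deny shape of `permitted`: a user with no matching group sees nothing, and the SSN attribute is invisible to anyone whose ACE does not name it, which is what attribute-level ACLs in a real directory buy you.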

Example Object Classes

• User: Given-Name, Address, Picture …
• Print-Queue: Print-Language, Print-Status …
• Computer: Operating-System …
• Organizational-Unit: Organizational-Unit-Name …
• Forward Looking OSIsoft: Points, Point Classes, Digital States, Calculations, etc.

What is Active Directory?

Microsoft’s Network Resource Platform. Active Directory is an integral part of Windows 2000 Server that delivers essential network operating system services:
• Focal point for management of network elements (users, applications, devices, etc.)
• Trusted repository of security data for authentication and authorization
• Open platform for application development and integration with other systems

Windows 2000 Active Directory

(Figure: Active Directory as the hub connecting the following)

• Windows Users: account info, privileges, profiles, policy
• Windows Clients: mgmt profile, network info, policy
• Windows Servers: mgmt profile, network info, services, printers, file shares, policy
• Applications: server config, single sign-on, app-specific directory info, policy
• Network Devices: configuration, QoS policy, security policy
• Internet
• Firewall Services: configuration, security policy, VPN policy
• Other Directories: white pages, e-commerce
• Other NOS: user registry, security, policy
• E-Mail Servers: mailbox info, address book

A Focal Point for: manageability, security, interoperability

Active Directory provides a focal point for management, security and interoperability.

So Now We Have A Directory

Now what?

(Figure: a directory holding several trees of OUs)

Directory Access - LDAP

• Open standard, originally de facto by major network players
• Came from X.500: 1990 - CCITT ISO 9594, Data Communications Network Directory, Recommendations X.500-X.521
• DAP, then add “L”: Lightweight Directory Access Protocol

(Figure: LDAP Client connects over TCP/IP to the LDAP Server, which fronts the Directory)

LDAP ‘Models’

• Information: describes the structure of information stored in an LDAP directory.
• Naming: describes how information in an LDAP directory is organized and identified.
• Functional: describes what operations can be performed on the information stored in an LDAP directory.
• Security: describes how the information in an LDAP directory can be protected from unauthorized access.
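
To make the naming and functional models concrete, here is an added example (my own code, not from the slides and not from any LDAP library): it maps the DNS domains of the earlier widgets.org tree onto DC-style base DNs, builds and splits DNs using the escaping rules of RFC 4514, and builds a user-lookup search filter using the escaping rules of RFC 4515, so that a value that came from a user is always handled as data rather than as filter syntax. The `sAMAccountName` attribute and the `user` object class are Active Directory names; the OU and user names are constructed.

```python
def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use in an RDN (RFC 4514, section 2.4):
    '"', '+', ',', ';', '<', '>', '\\' and NUL anywhere, a leading space or
    '#', and a trailing space."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in '"+,;<>\\':
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif ch in " #" and i == 0:
            out.append("\\" + ch)
        elif ch == " " and i == last:
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def dns_to_base_dn(domain: str) -> str:
    """'hq.na.widgets.org' -> 'dc=hq,dc=na,dc=widgets,dc=org', the Active
    Directory convention of naming a domain after its DNS name."""
    labels = [label for label in domain.lower().strip(".").split(".") if label]
    return ",".join("dc=" + escape_rdn_value(label) for label in labels)


def build_dn(*rdns, base_dn: str) -> str:
    """Join leaf-first (attribute, value) pairs onto a base DN."""
    parts = [attr + "=" + escape_rdn_value(val) for attr, val in rdns]
    return ",".join(parts + [base_dn])


def split_dn(dn: str) -> list:
    """Split a DN into its RDN strings, honouring backslash escapes
    (so an escaped comma inside a value does not split the DN)."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current))
    return rdns


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside a search filter (RFC 4515, section 3).
    Each character is mapped independently, so a backslash in the input
    becomes \\5c rather than being re-escaped."""
    table = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
    return "".join(table.get(ch, ch) for ch in value)


def user_search_filter(login_name: str) -> str:
    """Filter for 'the user object whose sAMAccountName is login_name'.
    Because the value is escaped, input such as '*' cannot widen the match."""
    return "(&(objectClass=user)(sAMAccountName=%s))" % escape_filter_value(login_name)


if __name__ == "__main__":
    base = dns_to_base_dn("hq.na.widgets.org")
    dn = build_dn(("cn", "Jones, Bob"), ("ou", "Marketing"), ("ou", "Users"), base_dn=base)
    print(dn)
    print(split_dn(dn))
    print(user_search_filter("bjones"))
    print(user_search_filter("*"))
```

The two escaping routines are deliberately separate: DN syntax and filter syntax have different metacharacters, and a value that is safe in one place is not automatically safe in the other.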

PI Security Document

1. Overview
2. Computer System Security
   2.1 Physical Security
   2.2 File System
   2.3 Auditing
   2.4 User Database
3. PI Server Security
   3.1 Concepts
   3.2 Firewall Table
   3.3 Trust Table
   3.4 Users and Groups
   3.5 Backing Up the PI Server
4. Procedures
   4.1 Enabling Auditing
   4.2 Configuring the Windows Event Log
   4.3 Establishing Minimum Audit Settings
   4.4 Secure Boot Settings
   4.5 Password Management
   4.6 Requiring Login for Piconfig at the Console
   4.7 Disabling the PI Default User
   4.8 Users and Groups

http://support.osisoft.com/PIServer/WhitePapers/PI Security Best Practices.doc

RtPortal and Directories

Overview

RtWebParts is built upon:
• Windows SharePoint Services
• Windows Server 2003
• IIS

RtWebParts fits in:
• Office SharePoint Portal Server 2003
• Windows Server 2003
• IIS

Windows Server 2003: file access; user authorization for files & resources

IIS: Basic Authentication over HTTPS; Windows Authentication (internal); AD for roles etc.

SPS details: AD tree import and synchronization tree; rules for targeting

SPS Overview: User or Role Based

Today
• File Dirs: Files
• Portal: Sites / Areas: Pages

Rights to change page: Design, Modify, Public View, Personal View

SPS Site Settings: Users and ACL Rights, Same As For Files

New Site

Security On The Security: As One Would Expect

Excel Integration

• Embed actual Excel spreadsheets into the portal
• Have Excel drive other items on the page (trend below)
• Allows for direct, secure editing of the spreadsheet (with rights)
• Can be used for what-if analysis

Sample Portal Page

• Personalized
• Page Access
• Resource Access
• PI Data Access

KPI Example

• Parts can be driven from PI, relational and web services sources of data
• Can keep user “ID” or share

Application Integration Example

• Data access (user context)
• Custom WebParts can be driven from the portal

Applications Page

• Integrated security to THE network directory
• Plant Applications Menu: see what you get
• Role-based application access
• ADAM
• No need for extra administration

Questions and Information

John Matranga
CTO Omicron [email protected]

Other References
• PI Security Whitepaper: http://support.osisoft.com/PIServer/WhitePapers/PI Security Best Practices.doc
• Microsoft: http://www.microsoft.com/AD
• LDAP (open standard; IBM site for a good overview): http://www.redbooks.ibm.com/redbooks/SG244986.html
• SharePoint: SharePoint Portal Server Administrator's Guide (online)