Security 101 – Basics to Know and Best Practices to Do
By Amy O’Neel, InfoSol, Inc.
How To Apply Security © InfoSol 2018
Basic - How To Apply, Step 1: Select User Security on the object
Basic - How To Apply, Step 2: Select or Add Group and Assign Security
Basic - How To Apply, Step 3: Assign by Access Level … or …
Basic - How To Apply, Step 3b: … Assign by individual granular rights
Definitions
Basic #1 - Definitions: No Access / Access / Denied
Basic #2 - Definitions: Explicit vs Inherited
Basic #3 - Definitions: By Group or by Individual
Basic #4 - Definitions: General Right or Object Specific Right
Basic Rules (1-4) Summarized
- No Access / Access / Denied
- Explicit vs Inherited
- By Group or by Individual
- General Right or Object Specific Right
Basic #5 – Inheritance
- On Object Only or On Sub-Objects Too
- Turn off Inheritance
Basic #6 – Inheritance Model
- Groups – Hierarchy: Viewer, Developer, Admin
- Folders – Flat: Viewer X Viewer Developer, Admin
The Matrix
Matrix Security
- BOTH Group Inheritance and Folder Inheritance
- Explicit Rights Setting Override
Matrix Security – Check Membership
- Member Of
- Does not show hierarchy of groups
Matrix Security – Everyone Group
- Everyone is a member of the Everyone Group
- Example of On Object Only setting that gets around inheritance issue
Matrix Security – Consider the Rules
- No Access / Access / Denied
- Explicit vs Inherited
- By Group or by Individual
- General Right or Object Specific Right
Matrix Security - Suggestions
- UGH!!!!
- Use Hierarchy Groups and Flat Folders
- Separate Application Security from Content Security
- Use Custom Access Levels
- Document Security
SAP/LDAP/AD Groups as Subgroups
- SAP / LDAP / Active Directory
- Good Practice: Drop these automatic groups into a BO group
- Apply Security with the BO groups
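
Because Member Of does not show the hierarchy of groups, an audit of inherited rights has to expand nested membership itself. The following Python sketch is an added example, not part of the original deck; the user names, group names and the shape of the membership export are constructed assumptions.

```python
from collections import deque

# Constructed sample data: each principal maps to the groups it is a DIRECT
# member of. Names are hypothetical; "AD_Finance" stands for an external
# (SAP/LDAP/AD) group dropped into a BO group as a subgroup.
DIRECT_MEMBER_OF = {
    "jsmith": ["AD_Finance"],
    "AD_Finance": ["BO_Finance_Viewers"],
    "BO_Finance_Viewers": ["BO_Viewers"],
    "BO_Finance_Developers": ["BO_Finance_Viewers"],
    "BO_Viewers": [],
    "akhan": ["BO_Finance_Developers"],
}

EVERYONE = "Everyone"  # every user is a member of the Everyone group


def effective_groups(principal, direct=DIRECT_MEMBER_OF):
    """Return {group: path} for every group reached through nesting.

    path is the chain of memberships that leads to the group, which is the
    part a flat "Member Of" list leaves out.
    """
    found = {EVERYONE: [principal, EVERYONE]}
    queue = deque([(principal, [principal])])
    while queue:
        node, path = queue.popleft()
        for group in direct.get(node, []):
            if group in found or group == principal:
                continue  # already reached by a shorter path, or a cycle
            found[group] = path + [group]
            queue.append((group, found[group]))
    return found


def hidden_memberships(principal, direct=DIRECT_MEMBER_OF):
    """Groups that grant inherited rights but are not direct memberships."""
    direct_set = set(direct.get(principal, [])) | {EVERYONE}
    return sorted(g for g in effective_groups(principal, direct)
                  if g not in direct_set)


if __name__ == "__main__":
    for user in ("jsmith", "akhan"):
        for group, path in sorted(effective_groups(user).items()):
            print(f"{user:7} {group:22} via {' > '.join(path)}")
        print(f"{user:7} not visible as direct membership:",
              hidden_memberships(user))
```

Every group in the returned paths is a place where a right can be granted or denied to the user, so each one belongs in the security review for that user.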
Matrix Security – Access Levels
- Create Meaningful Access Levels
  - Refresh w/o Schedule
  - View Only Top Level
  - Full Control w/o Folder Addition
  - Webi Power User
- Modify Once with Upgrades
- Start from Existing Access Levels when Applicable
BTW on Access Levels…
- Type-Specific Rights
  - Denied Edit General + Granted Edit Crystal Reports = Granted Edit Crystal but not Webi
  - Great for adding objects to a folder but not creating subfolders
- Advanced vs Access Levels
  - An Advanced right will override an Access Level EXCEPT it cannot override a type-specific right setting in an Access Level
  - Only in play when group/folder level inheritance is the same
Matrix Security – Security Auditing
- Security Query to find out to which objects a user or group has access
- Access Right Specific
- Query Builder
- CMS Universe/Reports … Better but cumbersome
Matrix Security – Security Auditing: Security Query
Matrix Security – Security Auditing
- More Robust Tools Needed
- Consider 360Eyes for Security Auditing
Matrix Security – 360View: Security Application on Matrix Made Easy
Delegation
Delegated Administrators
- Ownership rights added in 4.x: “… On objects they own”
- Special case use for Delegated Admins and User Specific Shared Folders
Action for delegated administrator | Rights required by the delegated administrator
Create new users | Add right on the top-level Users folder
Create new groups | Add right on the top-level User Groups folder
Delete any controlled groups, as well as individual users in those groups | Delete right on relevant groups
Delete only users that the delegated administrator creates | Owner Delete right on the top-level Users folder
Delete only users and groups that the delegated administrator creates | Owner Delete right on the top-level User Groups folder
Manipulate only users that the delegated creates (including adding those users to those groups) | Owner Edit and Owner Securely Modify Rights right on the top-level Users folder
Manipulate only groups that the delegated administrator creates (including adding users to those groups) | Owner Edit and Owner Securely Modify Rights on the top-level User Groups folder
Modify passwords for users in their controlled groups | Edit Password right on relevant groups
Modify passwords only for principals the delegated administrator | Owner Edit Password right on top-level Users folder, or on relevant Groups. Note: Setting the Owner Edit Password right on a group takes effect on a user only when you add the user to the relevant group.
Modify user names, description, other attributes, and reassign users to different groups | Edit right on relevant groups
users to different groups, but only for users that the delegated administrator creates | Owner Edit right on top-level Users folder, or on relevant Groups. Setting the Owner Edit right on relevant groups takes effect on a user only when you add the user to the relevant group.
Helpdesk “Administrators”
Helpdesk “Administrators”: Not many user-specific rights with CMC
CMC Tab Customization
“Security” by Button Removal (aka Customizations)
Customizations vs Security
Speaking of Customizations…
- Customizations are not Security
- When using Customizations for display, also apply security
- Often Customizations are in multiple places
- Rigorous Testing Recommended
Customizations vs Security
- No Inheritance w/ Customization
- Better to Use Security
Everyone Group: Cannot Set their Preferences and/or Customization On Everyone Group – Only CMC Tab Configuration
…And Lots More
Questions?
Thank you
Amy O’Neel, Senior Technical Consultant, InfoSol
Thank You!