Slide 1: Banner 7.0 FGAC for VBS and PII
Rock Eagle 2005, Admin Computing/Data Mgmt Track
Thu., Oct. 27, 2005, 10:30
Presented by: John Morgan, SunGard SCT Higher Education

Slide 2: Agenda (www.sungardsct.com)
- Review the Banner 7.0 project goals and the basics of what was delivered
- Look under the hood of FGAC more closely
- Performance: examine a VBS rule and what the trace files look like
- Do's and don'ts: how to go about setting up VBS

Slide 3: Introduction
- Introduce Oracle Fine-Grained Access Control (FGAC) as the working tool for row-level security in SCT Banner
- Implemented in Banner 7.0
- Scope of what FGAC secures:
  - Value Based Security (VBS)
  - Personally Identifiable Information (PII)

Slide 4: FGAC
- Fine Grained Access Control
- A means of providing row-level security based on existing columns and tables in Banner
- Not a SunGard SCT invention: it is Oracle database functionality (also known as Virtual Private Database, VPD)

Slide 5: VBS
- Value Based Security
- Defined for individual users as needed
- Row-level security
- The 7.0 replacement for the existing General, Student and Financial Aid Value Based Security

Slide 6: PII
- Personally Identifiable Information
- PII secures General Person identifying data and applies only to the selection of data; Banner 7.0 delivers PII on SPRIDEN
- Philosophy of PII: a user can access PII only for records in their own processing area (you can view PII for Student Applicants only if you work in Admissions)
- When turned on, PII affects all users of the system; certain users and program objects can be exempted
- PII and VBS do not require each other; you can implement one or the other

Slide 7: Domains in Banner
- A domain is an area in Banner that has a common driving table. An example VBS domain is Student Admissions, whose driver is SARADAP.
- Some VBS domains have additional tables beyond the driver table; all of them follow the restrictions defined by the rules written for the driver.
- A PII domain determines where a PIDM must exist. The domain driver for Admissions is SARADAP, so the PIDM value must exist in that table for the user to have access to the person's PII.

Slide 8: FGAC and Banner (flow)
- VBS rules for a domain, entered on GOAFGAC, and PII rules for user domains, entered on GOAFPUD
- feed the GOKFGAC package predicate functions,
- which back the Oracle table policy,
- which is applied to the Banner object (form, job, API) or any other activity against the table.

Slide 9: Banner VBS rules are SQL based

Slide 10: FGAC and Self-Service
- FGAC works across the entire Oracle database, including Self-Service
- An Oracle ID is required if FGAC is needed for the parts of Self-Service that are administrative in nature (Faculty, Advancement, Finance, ...)
- GOAEACC cross-references the Self-Service login ID to the Oracle ID

Slide 11: You can disable FGAC
- A new form identifies the Banner objects that need to have FGAC turned off
- This prevents data corruption by batch processes that must see every row
- All JOBS are delivered in the FGAC exemption table GORFEOB

Slide 12: Let's look under the hood
  INSERT INTO saradap (saradap_pidm, ...) VALUES (1234, ...);
1. The user inserts into SARADAP.
2. FGAC executes the GOKFGAC predicate function, which retrieves the predicate:
   (new) saradap_coll_code = 'AS' AND (new) saradap_resd_code = 'M'
3. FGAC appends the predicate to the SQL statement.
4. The row is inserted, or an Oracle error message is displayed (the insert policy carries the check option, so a new row that fails the predicate is rejected).

Slide 13: Important facts about FGAC
- The key to FGAC is that the predicate is dynamically appended to the executing SQL statement.
- The only client requirement is defining the domain and the business need, and translating that need into a predicate.
- It does not require an extra Oracle license, and it has been present in Banner since the Banner Menu Release 6.0.

Slide 14: Context variables
- Underlying Oracle capability: application contexts
- Session-global variables
- VBS uses them to store the constructed predicates and other information needed for processing
- They serve as a cache, so the rule lookup is not repeated on every statement; this is what keeps VBS overhead low
- An example of a built-in context is USERENV, e.g. SYS_CONTEXT('USERENV', 'SESSION_USER') returns the Oracle ID of the session (USERENV has no attribute named 'user'; asking for one raises ORA-02003)

Slide 15: How to manage context variables
- At the start of GOKFGAC, define the context area:
    CREATE OR REPLACE CONTEXT g$_vbsi_context USING gokfgac;
- Store context values:
    dbms_session.set_context('g$_vbsi_context', 'saradap_insert_predicate', d_predicate);
- Retrieve context values:
    SYS_CONTEXT('g$_vbsi_context', p_table_predicate, 4000)
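The following is an added, self-contained example of the mechanism slides 12 through 15 describe; it is not SunGard's GOKFGAC code. Every name beginning with demo_ (the table, the context, the package and the policies) is an assumption chosen so it cannot collide with real Banner objects, the sample rows are constructed, and the single hard-coded rule stands in for the GORFGAC lookup by Oracle ID and domain. It needs CREATE ANY CONTEXT, EXECUTE on DBMS_RLS and DBMS_SESSION, and SELECT on V_$VPD_POLICY for the last query, and it must not be run as SYS, which is exempt from every policy.

```sql
-- Added example (not SunGard's GOKFGAC). demo_* names are assumptions.
CREATE TABLE demo_saradap (
  saradap_pidm            NUMBER(8)   NOT NULL,
  saradap_term_code_entry VARCHAR2(6) NOT NULL,
  saradap_coll_code_1     VARCHAR2(2),
  saradap_resd_code       VARCHAR2(1)
);

-- Constructed sample rows: one Arts & Sciences applicant, one Business applicant.
INSERT INTO demo_saradap VALUES (1234, '200510', 'AS', 'M');
INSERT INTO demo_saradap VALUES (1235, '200510', 'BU', 'M');
COMMIT;

-- 1. Session-global context area; only the named package may write to it.
--    (The package does not have to exist yet; Oracle checks it at SET_CONTEXT time.)
CREATE OR REPLACE CONTEXT demo_vbs_context USING demo_fgac;

-- 2. Predicate functions with the signature VPD requires, (schema, object) RETURN VARCHAR2,
--    caching the built predicate in the context so the rule lookup happens once per session.
CREATE OR REPLACE PACKAGE demo_fgac AS
  FUNCTION  f_select_fnc (p_schema IN VARCHAR2, p_object IN VARCHAR2) RETURN VARCHAR2;
  FUNCTION  f_insert_fnc (p_schema IN VARCHAR2, p_object IN VARCHAR2) RETURN VARCHAR2;
  PROCEDURE p_clear_cache;   -- call after a rule changes, or the session keeps the old predicate
END demo_fgac;
/

CREATE OR REPLACE PACKAGE BODY demo_fgac AS
  c_norule CONSTANT VARCHAR2(6) := 'NORULE';   -- cached marker meaning "no restriction"

  -- Stand-in for the GORFGAC lookup by SYS_CONTEXT('USERENV','SESSION_USER') and domain.
  -- Assumed rule: every session only sees and creates Arts & Sciences applicants.
  -- Never query the policed table itself from here: that recurses into the policy.
  FUNCTION f_lookup_rule (p_object IN VARCHAR2, p_dml IN VARCHAR2) RETURN VARCHAR2 IS
  BEGIN
    RETURN '(( /* SB_ADMISSIONS_VBS */ (( /* ADMISS_ARTS */ (SARADAP_COLL_CODE_1 = ''AS'')))))';
  END f_lookup_rule;

  FUNCTION f_cached_predicate (p_object IN VARCHAR2, p_dml IN VARCHAR2) RETURN VARCHAR2 IS
    l_attr VARCHAR2(30)   := LOWER(p_object) || '_' || p_dml || '_predicate';
    l_pred VARCHAR2(4000) := SYS_CONTEXT('demo_vbs_context', l_attr, 4000);
  BEGIN
    IF l_pred IS NULL THEN                       -- first use in this session: build and cache
      l_pred := NVL(f_lookup_rule(p_object, p_dml), c_norule);
      DBMS_SESSION.SET_CONTEXT('demo_vbs_context', l_attr, l_pred);
    END IF;
    IF l_pred = c_norule THEN
      RETURN NULL;                               -- NULL predicate: no rows are filtered
    END IF;
    RETURN l_pred;
  END f_cached_predicate;

  FUNCTION f_select_fnc (p_schema IN VARCHAR2, p_object IN VARCHAR2) RETURN VARCHAR2 IS
  BEGIN
    RETURN f_cached_predicate(p_object, 'select');
  END f_select_fnc;

  FUNCTION f_insert_fnc (p_schema IN VARCHAR2, p_object IN VARCHAR2) RETURN VARCHAR2 IS
  BEGIN
    RETURN f_cached_predicate(p_object, 'insert');
  END f_insert_fnc;

  PROCEDURE p_clear_cache IS
  BEGIN
    DBMS_SESSION.CLEAR_CONTEXT('demo_vbs_context');
  END p_clear_cache;
END demo_fgac;
/

-- 3. One policy per DML type. update_check => TRUE makes Oracle reject an INSERT whose
--    new row fails the predicate (ORA-28115) instead of silently storing an invisible row.
BEGIN
  DBMS_RLS.ADD_POLICY(object_schema => USER, object_name => 'DEMO_SARADAP',
      policy_name => 'DEMO_SARADAP_SEL', function_schema => USER,
      policy_function => 'DEMO_FGAC.F_SELECT_FNC', statement_types => 'SELECT');
  DBMS_RLS.ADD_POLICY(object_schema => USER, object_name => 'DEMO_SARADAP',
      policy_name => 'DEMO_SARADAP_INS', function_schema => USER,
      policy_function => 'DEMO_FGAC.F_INSERT_FNC', statement_types => 'INSERT',
      update_check => TRUE);
END;
/

-- 4. Watch the predicate being appended.
SELECT saradap_pidm, saradap_coll_code_1 FROM demo_saradap;   -- only pidm 1234 (AS) is returned
SELECT predicate FROM v$vpd_policy WHERE object_name = 'DEMO_SARADAP';
INSERT INTO demo_saradap VALUES (1236, '200510', 'BU', 'M');  -- ORA-28115: policy with check option violation
INSERT INTO demo_saradap VALUES (1237, '200510', 'AS', 'M');  -- accepted
```

The NORULE marker matters: a NULL return from the rule lookup has to be cached as well, or a user with no restriction would pay for the lookup on every statement. The flip side is the caching caveat the slide hints at: once a predicate is in the session context, a rule changed on GOAFGAC is not seen by that session until the context is cleared or the session reconnects.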

Slide 16: Performance
- Build a simple select statement:
    SELECT saradap_term_code_entry, saradap_pidm, saradap_coll_code_1, saradap_levl_code
      FROM saradap
     ORDER BY saradap_coll_code_1;
- Add a simple VBS predicate:
    saradap_coll_code_1 = 'AS'

Slide 17: How to see the predicate in action
- SELECT predicate FROM v$vpd_policy WHERE object_name = 'SARADAP';
- This query must run while the statement's cursor is still in the shared pool, because v$vpd_policy only shows predicates of cached cursors; the querying account also needs SELECT on V_$VPD_POLICY (or SELECT ANY DICTIONARY)
    PREDICATE
    ------------------------------------------------------------------------------
    ((/* SB_ADMISSIONS_VBS */ (( /* ADMISS_ARTS*/ (SARADAP_COLL_CODE_1 = 'AS')))))

Slide 18: Run sql_trace and explain plan from SQL*Plus
    SQL> set autotrace on explain
    SQL> ALTER SESSION SET SQL_TRACE TRUE;
    SQL> SELECT saradap_term_code_entry, saradap_pidm, saradap_coll_code_1, saradap_levl_code
           FROM saradap
          ORDER BY saradap_coll_code_1;

    Execution Plan
    ----------------------------------------------------------
       0      SELECT STATEMENT Optimizer=RULE
       1    0   SORT (ORDER BY)
       2    1     TABLE ACCESS (FULL) OF 'SARADAP'
- View the tkprof output: VBS_traceoutput_withpolicy.txt

Slide 19: Looking at the tkprof output
- General idea of what the totals mean:
- Non-recursive totals: the SQL statements you coded in your program, e.g. SELECT * FROM saradap;
- Recursive totals: the SQL statements Oracle itself issued, for the plan and for FGAC (the calls to the policy function and its rule lookups). Other contributing factors are compile time for invalid packages.

Slide 20: Let's repeat those tests without the policy
- Drop the policy: use the General Plus script GFGACDROPPOL.sql
- Verify that the v$vpd_policy query now returns no rows
    Execution Plan
    ----------------------------------------------------------
       0      SELECT STATEMENT Optimizer=RULE
       1    0   SORT (ORDER BY)
       2    1     TABLE ACCESS (FULL) OF 'SARADAP'
- Trace output without the policy: VBS_traceoutput_nopolicy.txt

Slide 21: Performance summary
- VBS adds minimal overhead: the calls to GOKFGAC to build the predicate
- The tkprof output shows the following additional calls:
  - the GOKFGAC package call
  - a select of the context variable that records whether the object is exempt from VBS
  - three cursors against the rules tables to retrieve the predicate data

Slide 22: 10g, what it adds to FGAC
- Possible performance issues with FGAC on VLDBs
- "Secret" parameter _dynamic_rls_policies: NOT recommended for VBS
- 10g adds a policy_type option to DBMS_RLS.ADD_POLICY:
  - STATIC
  - SHARED_STATIC
  - CONTEXT_SENSITIVE
  - SHARED_CONTEXT_SENSITIVE
  - DYNAMIC (the pre-10g behaviour: the policy function runs for every statement)
- During 10g testing, CONTEXT_SENSITIVE was determined to be best for performance and functionality: Oracle re-runs the policy function only when the session's application context changes, which fits VBS's context-cached predicates. The caveat is the same as for the cache itself: a rule change is not picked up by an existing session until its context changes.

Slide 23: Do's and don'ts when setting up VBS
- Start with the analysis worksheet used in the release guide examples
- Define the business case: the functional business need should drive the rules
- Define the table for which the rules will be written
- Define all tables to which the rule needs to apply
- Identify all Banner objects that use those tables
- Build a test plan
- Example worksheet: VBS Analysis Template.doc

Slide 24: Walk through the analysis for an address-type VBS rule
- Identify the business case:
  - Admissions can only select, update, insert and delete addresses whose type is PA, PR or MA:
      spraddr_atyp_code IN ('PR', 'PA', 'MA')
  - Payroll can only select, update, insert and delete addresses whose type is W2, PR or HO:
      spraddr_atyp_code IN ('W2', 'PR', 'HO')

Slide 25: Set up domains
- GTVFDMN domain GB_SPRADDR_VBS (note the naming convention)
- Domain rule on GORFDMN, type VBS
- Policy tables on GORFDPL
- What about managing the list of values from STVATYP? If you restrict SELECT on a validation table, you also need to restrict every table carrying the same code value. That means a separate domain for STVATYP, with rules parallel to those set up for SPRADDR_ATYP_CODE and SPRTELE_ATYP_CODE.
- Create the policy for SPRADDR

Slide 26: Creating policies
- Run the Plus scripts GFVBSADDPOL.sql or GFPIIADDPOL.sql from the SQL*Plus prompt
- They create policies for the tables listed in GORFDPL (VBS) and GORFDPI (PII)
- Run the Plus script GFGACDROPPOL.sql to drop the policy for a table
- Only one policy per database activity (select, insert, update, delete) per table is required
- The BANINST1 ID must be used to create the policy
- Policy creation is not a Forms function because of the requirement to use BANINST1
- The owner of the policy must equal the owner of the package

Slide 27: Query the policy in SQL*Plus
    column object   format a12
    column policy   format a20
    column package  format a12
    column function format a14
    select object_name "Object", policy_name "Policy", package "Package",
           function "Function", sel "Sel", ins "Ins", upd "Upd", del "Del"
      from dba_policies
     where object_name = 'SARADAP';

    Object     Policy               Package    Function      Sel Ins Upd Del
    ---------- -------------------- ---------- ------------- --- --- --- ---
    SARADAP    GOKFGAC_SARADAP_DEL  GOKFGAC    F_DELETE_FNC  NO  NO  NO  YES
    SARADAP    GOKFGAC_SARADAP_INS  GOKFGAC    F_INSERT_FNC  NO  YES NO  NO
    SARADAP    GOKFGAC_SARADAP_SEL  GOKFGAC    F_SELECT_FNC  YES NO  NO  NO
    SARADAP    GOKFGAC_SARADAP_UPD  GOKFGAC    F_UPDATE_FNC  NO  NO  YES NO

Slide 28: Set up VBS rules on GOAFGAC
- Code value for the VBS rule on GTVFGAC
- Assigning restrictions: state the business case as a positive
  - Good: "MHockett can select, update, delete and insert addresses if the address type is MA, PA or PR"
  - Awkward: "MHockett cannot select, update, delete or insert addresses if the address type is something other than MA, PA or PR"
- DML access cannot be greater than select access: if you restrict select, you also need to restrict insert, update and delete, otherwise a user could change or remove rows they are not allowed to see
- Create a business profile to save time entering rule assignments

Slide 29: The AND/OR trap
- Plan VBS rules globally. The parser assembles the predicate as:
    (
      ( /* Domain 1 */
        ( ( /* Group 1 */ (Predicate 1 AND Predicate 2 AND Predicate 3) )
          OR
          ( /* Group 2 */ (Predicate 4 AND Predicate 5) ) )
      )
      OR
      ( /* Domain 2 */ ( /* Group 3 */ ... ) )
    )
- Predicates within a single group rule for the same domain are ANDed together
- Predicates from different groups for the same domain are ORed together
- Predicates parsed from different domains are ORed together

Slide 30: The AND/OR trap, continued
- Example of predicates within a single group rule for the same domain being ANDed together, GOAFGAC group 1:
  - Predicate 1 for domain SB_ADMISSIONS_VBS is SARADAP_RESD_CODE = 'M'
  - Predicate 2 for domain SB_ADMISSIONS_VBS is SARADAP_APST_CODE = 'C'
- The parser ANDs the two predicates together:
    SARADAP_RESD_CODE = 'M' AND SARADAP_APST_CODE = 'C'
- What will happen if predicate 2 is instead SARADAP_RESD_CODE = 'R'? The row would have to have both residency codes at once, so the group can never match and the user sees no rows.
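To make the AND/OR rules of slides 29 and 30 concrete, here is an added example that assembles a predicate from rule rows the way those slides describe and then evaluates it against a constructed applicant row. It is not Banner's GOKFGAC parser; the demo_vbs_rule table, its three columns, the demo_build_predicate and demo_count_visible functions, and the sample rules are all assumptions, and the rule and group codes are invented. The comment markers follow the format shown on slide 32.

```sql
-- Added example (not Banner's GOKFGAC parser). demo_* names are assumptions.
CREATE TABLE demo_vbs_rule (
  domain_code VARCHAR2(30)   NOT NULL,
  group_code  VARCHAR2(30)   NOT NULL,
  rule_code   VARCHAR2(30)   NOT NULL,
  predicate   VARCHAR2(4000) NOT NULL
);

-- Constructed rules for one domain: group 1 has two predicates, group 2 has one.
INSERT INTO demo_vbs_rule VALUES ('SB_ADMISSIONS_VBS', 'GROUP1', 'RESD_M',  'SARADAP_RESD_CODE = ''M''');
INSERT INTO demo_vbs_rule VALUES ('SB_ADMISSIONS_VBS', 'GROUP1', 'APST_C',  'SARADAP_APST_CODE = ''C''');
INSERT INTO demo_vbs_rule VALUES ('SB_ADMISSIONS_VBS', 'GROUP2', 'COLL_AS', 'SARADAP_COLL_CODE_1 = ''AS''');
COMMIT;

-- AND inside a group, OR between the groups of a domain, OR between domains.
-- Domain and rule names are embedded as comments, as on the GOIFGAC display.
CREATE OR REPLACE FUNCTION demo_build_predicate RETURN VARCHAR2 IS
  l_all VARCHAR2(4000);
BEGIN
  FOR d IN (SELECT DISTINCT domain_code FROM demo_vbs_rule ORDER BY domain_code) LOOP
    DECLARE
      l_domain VARCHAR2(4000);
    BEGIN
      FOR g IN (SELECT DISTINCT group_code FROM demo_vbs_rule
                 WHERE domain_code = d.domain_code ORDER BY group_code) LOOP
        DECLARE
          l_group VARCHAR2(4000);
        BEGIN
          FOR r IN (SELECT rule_code, predicate FROM demo_vbs_rule
                     WHERE domain_code = d.domain_code AND group_code = g.group_code
                     ORDER BY rule_code) LOOP
            l_group := l_group || CASE WHEN l_group IS NULL THEN '' ELSE ' AND ' END
                       || '/* ' || r.rule_code || ' */ (' || r.predicate || ')';
          END LOOP;
          l_domain := l_domain || CASE WHEN l_domain IS NULL THEN '' ELSE ' OR ' END
                      || '(' || l_group || ')';
        END;
      END LOOP;
      l_all := l_all || CASE WHEN l_all IS NULL THEN '' ELSE ' OR ' END
               || '( /* ' || d.domain_code || ' */ (' || l_domain || '))';
    END;
  END LOOP;
  RETURN CASE WHEN l_all IS NULL THEN NULL ELSE '(' || l_all || ')' END;
END demo_build_predicate;
/

-- Apply the assembled predicate to one constructed applicant row passed in as binds,
-- so the test needs no real SARADAP and cannot be affected by a live policy.
CREATE OR REPLACE FUNCTION demo_count_visible (p_resd IN VARCHAR2, p_apst IN VARCHAR2,
                                               p_coll IN VARCHAR2) RETURN NUMBER IS
  l_cnt NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM (SELECT :1 saradap_resd_code, :2 saradap_apst_code, '
    || ':3 saradap_coll_code_1 FROM dual) WHERE ' || demo_build_predicate
    INTO l_cnt USING p_resd, p_apst, p_coll;
  RETURN l_cnt;
END demo_count_visible;
/

SELECT demo_build_predicate FROM dual;
SELECT demo_count_visible('M', 'C', 'BU') FROM dual;   -- 1: group 1 (M AND C) admits the row

-- The trap from slide 30: a second residency predicate in the SAME group is ANDed,
-- and SARADAP_RESD_CODE = 'M' AND SARADAP_RESD_CODE = 'R' can never be true.
INSERT INTO demo_vbs_rule VALUES ('SB_ADMISSIONS_VBS', 'GROUP1', 'RESD_R', 'SARADAP_RESD_CODE = ''R''');
SELECT demo_count_visible('M', 'C', 'BU') FROM dual;   -- 0: group 1 now matches nothing
-- To mean "M or R", put RESD_R in its own group (ORed) or write one predicate
-- SARADAP_RESD_CODE IN ('M', 'R').
```

Because the assembler only ever ANDs within a group, the only place an OR can come from is a second group or a second domain. Checking the assembled string on GOIFGAC before assigning it to a user is the cheapest way to catch a contradiction like the one above.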

Slide 31: Status of policy and predicate

Slide 32: Tips for looking at predicates
- The domain name and rule name are included in the predicate as comments:
    (( /* SB_ADMISSIONS_VBS */ (( /* ADMISS_ARTS*/ (SARADAP_COLL_CODE_1 = 'AS')))))

Slide 33: Test the performance of the predicate
- An important step in setting up VBS
- Copy the predicate from GOIFGAC and paste it into a sample SQL statement:
    SELECT 'x' FROM saradap
     WHERE (( /* SB_ADMISSIONS_VBS */ (( /* ADMISS_ARTS*/ (SARADAP_COLL_CODE_1 = 'AS')))));
- Run explain plan using an ID that has no VBS restriction, or after the policy has been dropped, so the plan reflects only the pasted predicate
- Capture traces for the forms on the impacted-object list
- Look at the trace before the policy is created, and again after

Slide 34: Error messages in Banner
- Banner Forms show a friendly message on the hint line; open Display Error to see the underlying Oracle error.

Slide 35: Oracle and error codes
- Oracle does not return an error when an update or delete is attempted on a row the user can fully select but that falls outside the update/delete predicate: the predicate simply filters the row out and the statement affects zero rows. The presenter tracks this as Oracle Bug 2952900.
- The Banner APIs therefore interrogate SQL%ROWCOUNT and raise their own error:
    DELETE FROM gorcmdd WHERE ROWID = p_rowid;
    IF (SQL%ROWCOUNT != 1) THEN
      RAISE_APPLICATION_ERROR(gb_common_strings.ERR_CODE,
        gb_common.f_err_msg_add_delim(dml_common.DML_DELETE_FAILED));
    END IF;
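An added example of the silent zero-row behaviour and of the ROWCOUNT guard the APIs use; it is not Banner's API code. The demo_spraddr table, the fixed-predicate function demo_addr_dml_pred (standing in for the Payroll/Admissions rule on slide 24), the two policies and the demo_p_delete_addr procedure are assumptions, the rows are constructed, and the error number 20100 is invented for the demo. It needs EXECUTE on DBMS_RLS and must not be run as SYS.

```sql
-- Added example (not Banner's API code). demo_* names are assumptions.
CREATE TABLE demo_spraddr (
  spraddr_pidm      NUMBER(8)    NOT NULL,
  spraddr_atyp_code VARCHAR2(2)  NOT NULL,
  spraddr_city      VARCHAR2(20)
);

-- Constructed rows: one Admissions address type, one Payroll address type.
INSERT INTO demo_spraddr VALUES (1234, 'MA', 'Athens');
INSERT INTO demo_spraddr VALUES (1234, 'W2', 'Atlanta');
COMMIT;

-- Fixed predicate standing in for the VBS rule: this session may only change
-- Admissions address types (PR, PA, MA). There is deliberately NO select policy.
CREATE OR REPLACE FUNCTION demo_addr_dml_pred (p_schema IN VARCHAR2, p_object IN VARCHAR2)
  RETURN VARCHAR2 IS
BEGIN
  RETURN 'SPRADDR_ATYP_CODE IN (''PR'', ''PA'', ''MA'')';
END demo_addr_dml_pred;
/

BEGIN
  DBMS_RLS.ADD_POLICY(object_schema => USER, object_name => 'DEMO_SPRADDR',
      policy_name => 'DEMO_SPRADDR_UPD', function_schema => USER,
      policy_function => 'DEMO_ADDR_DML_PRED', statement_types => 'UPDATE');
  DBMS_RLS.ADD_POLICY(object_schema => USER, object_name => 'DEMO_SPRADDR',
      policy_name => 'DEMO_SPRADDR_DEL', function_schema => USER,
      policy_function => 'DEMO_ADDR_DML_PRED', statement_types => 'DELETE');
END;
/

-- Both rows are visible, because select is unrestricted ...
SELECT spraddr_atyp_code, spraddr_city FROM demo_spraddr WHERE spraddr_pidm = 1234;   -- MA, W2

-- ... but the W2 row lies outside the UPDATE predicate: "0 rows updated", no ORA- error.
UPDATE demo_spraddr SET spraddr_city = 'Macon'
 WHERE spraddr_pidm = 1234 AND spraddr_atyp_code = 'W2';

-- API-style guard: an unexpected row count is an error, not a success.
CREATE OR REPLACE PROCEDURE demo_p_delete_addr (p_rowid IN ROWID) IS
BEGIN
  DELETE FROM demo_spraddr WHERE ROWID = p_rowid;
  IF SQL%ROWCOUNT != 1 THEN
    RAISE_APPLICATION_ERROR(-20100,
      'Address delete failed: row not deleted, check VBS restriction on SPRADDR');
  END IF;
END demo_p_delete_addr;
/

DECLARE
  l_rid ROWID;
BEGIN
  SELECT ROWID INTO l_rid FROM demo_spraddr WHERE spraddr_atyp_code = 'W2';
  demo_p_delete_addr(l_rid);   -- raises ORA-20100 instead of silently deleting nothing
END;
/
```

The same zero-row outcome is exactly what slide 28 warns about when DML access is broader than select access: a form that selects a row, lets the user edit it and then issues an UPDATE the policy filters out would report success unless something checks the row count.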

Slide 36: Raised error from the API

Slide 37: Test all objects identified on the analysis sheet
- Create data with the restricted values, e.g. addresses for one individual with types W2, PR and HO, to test the Payroll office restriction from slide 24
- Apply the rule to a sample user
- Log on as that user with the VBS restrictions
- Try query, insert, update and delete on every object on the impacted-objects list
- Remove the rule from the sample user, or drop the policy
- Log on again and review all objects once more

Slide 38: Summary
- FGAC brings a great deal of flexibility to application security
- The infrastructure is built to support business needs

Slide 39: Questions and answers

Slide 40: Thank you
John Morgan, jmorgan@sungardsct.com

Slide 41: SunGard, the SunGard logo, SCT, and Banner, Campus Pipeline, Luminis, PowerCAMPUS, SCT Matrix, SCT Plus, and SCT PocketRecruiter are trademarks or registered trademarks of SunGard Data Systems Inc. or its subsidiaries in the U.S. and other countries. All other trade names are trademarks or registered trademarks of their respective holders. © SunGard 2005
