Presentation is loading. Please wait.

Presentation is loading. Please wait.

Managing User Roles: A How-To Guide

Published byLinda Stanley Modified over 9 years ago

Similar presentations

Presentation on theme: "Managing User Roles: A How-To Guide"— Presentation transcript:

1 Managing User Roles: A How-To Guide
Balancing SHPEntry and SHPCFG Sherrie Pierson, SunGard Higher Education TT9

2 Managing User Roles: A How-To Guide
Balancing SHPEntry and SHPCFG SHP – DegreeWorks “Shepherd” database tables, also referred to as “SHPDB” Manage your Users and their access to Services User Class, assigned one or more Groups Groups – a list of specific Keys Individual Keys which grant access to a Service 4/24/2017

3 Authentication vs. Authorization
Authentication and Authorization are two different but related issues. Authentication is about various methods of SSO (single sign-on) such as CAS and LDAP Users are authenticated when they log into DegreeWorks Authorization is about access to keys and services Users are authorized to access services View an audit Change a student’s plan Delete a Note SHPEntry and SHPCFG provide ways to authorize users, based on their assigned roles, to access specific services and functionality 4/24/2017

4 Balancing SHPEntry and SHPCFG
Core Access Control Concepts Users and User Classes Services Keys and Keyrings Groups 4/24/2017

5 Balancing SHPEntry and SHPCFG
Users and User Classes ADV, ADVX, AID, APP, ATHL, REG, STU Each User in DegreeWorks has a User Class A user bridged from Banner or PeopleSoft automatically has the appropriate User Class stored in his DegreeWorks records A User is assigned to a Group when authenticated, based on his User Class 4/24/2017

6 Balancing SHPEntry and SHPCFG
Services Each component of business functionality is a service Services may be broad (an entire web page or more) or narrow (a button which does something useful) Services are locked and keys are needed to access them 4/24/2017

7 Balancing SHPEntry and SHPCFG
Keys and Key Rings Each User has a Keyring with one or more keys Keyrings are stored in the Passport table in SHPDB Keys give access to Services When Users are authenticated, they acquire keys that are either explicitly assigned (by User) or implicitly assigned (by Group) 4/24/2017

8 Balancing SHPEntry and SHPCFG
Key Assignment Explicit Assignment Accomplished by SHPEntry Keys Assigned by Manual Data Entry Inefficient for assignments to the masses Very efficient for granular, specific control Implicit Assignment Accomplished by the SHPCFG file Keys Assigned by scripting methodology Very efficient for assignments to the masses Clumsy for granular, specific control 4/24/2017

9 Balancing SHPEntry and SHPCFG
Groups A User Class will typically have a Group of Keys assigned Groups are stored in SHPDB A User will inherit the Group Keys from their User Class, which will be combined with other keys they may have been assigned explicitly 4/24/2017

10 Balancing SHPEntry and SHPCFG
SHPCFG is delivered with DegreeWorks and must be maintained by clients SHPCFG resides on the DegreeWorks server so it is not easily accessible by DegreeWorks staff New Keys are added periodically; clients must add new Keys to SHPCFG if these Keys are not delivered as a member of a group 4/24/2017

11 Balancing SHPEntry and SHPCFG
SHPCFG example: ADV User Class and Petitions if (DGWUSERCLASS = "ADV") then TIMEINC = 9999 #Infinity TIMEMAX = 9999 addgroup = SRNADV #See System Administrator's Guide for list of keys addkey = SDSTUANY #Student Search remkey = SDSTUMY #Remove My Students #remkey = SDPETADD #Add Petitions #remkey = SDPETDEL #Delete Petitions #remkey = SDPETMOD #Modify Petitions #remkey = SDPETMYS #My Petitions #remkey = SDPETVEW #View all Petitions #remkey = SDNTECHG # Notes free text 4/24/2017

12 Balancing SHPEntry and SHPCFG
web application, runs in java application server (Tomcat, WebLogic) allows a privileged User to add or remove specific keys from Users or Groups allows you to explicitly assign keys to users SHPCFG is limited to implicit assignment of keys (explicit key assignment is possible but not advised – this can be a maintenance nightmare) 4/24/2017

13 Managing User Roles: A How-To Guide
4/24/2017

14 Managing User Roles: A How-To Guide
4/24/2017

15 Managing User Roles: A How-To Guide
SHPEntry example: ADV User Class 4/24/2017

16 Managing User Roles: A How-To Guide
SHPEntry example: ADV User Class 4/24/2017

17 Managing User Roles: A How-To Guide
SHPEntry example: ADV User Class 4/24/2017

18 SHPCFG example: ADV User Class
Access to the Notes functionality is delivered in the SRNADV Group, but we don’t want to allow all Advisors to be able to delete Notes. SHPCFG method: Have someone with access to the DW server add “remkey SDNTEDEL” to the DGWUSERCLASS = “ADV” section Add another entry in SHPCFG adding the key back to specific users: if (DGWSHPACCID = “ADV1") then addkey = SDNTEDEL Run “shpparse” and “webrestart” 4/24/2017

19 SHPCFG example: ADV User Class
if (DGWUSERCLASS = "ADV") then TIMEINC = 9999 #Infinity TIMEMAX = 9999 addgroup = SRNADV #See System Administrator's Guide for list of keys addkey = SDSTUANY #Student Search remkey = SDSTUMY #Remove My Students remkey = SDNTEDEL #Remove ability to delete notes #remkey = SDPETADD #Add Petitions #remkey = SDPETDEL #Delete Petitions #remkey = SDPETMOD #Modify Petitions #remkey = SDPETMYS #My Petitions #remkey = SDPETVEW #View all Petitions #remkey = SDNTECHG # Notes free text 4/24/2017

20 SHPCFG example: ADV User Class
# When assigning keys by specific user-ID use the if stmt # example below if (DGWSHPACCID = “ADV1") then addkey = SDNTEDEL # Ability to delete notes Managing your users in SHPCFG can become a maintenance headache! 4/24/2017

21 SHPEntry example: ADV User Class
Access to the Notes functionality is delivered in the SRNADV Group, but we don’t want to allow all Advisors to be able to delete Notes. SHPEntry method: An authorized user (with SHPEntry access) can remove the SDNTEDEL key from the SRNADV Group Next, add the SDNTEDEL key to the Users who need access to this functionality The next time an ADV user logs into DegreeWorks, he will receive a new Keyring based on the Keys in the SRNADV Group and any Keys added to his User record 4/24/2017

22 SHPEntry example: ADV User Class
4/24/2017

23 SHPEntry example: ADV User Class
4/24/2017

24 SHPEntry example: ADV User Class
4/24/2017

25 SHPEntry example: ADV User Class
4/24/2017

26 SHPEntry example: ADV User Class
4/24/2017

27 SHPEntry example: ADV User Class
Did it work? Have the user log into DegreeWorks – do not log out In SHPEntry, go to the Passports screen and sort by the User’s User ID or DegreeWorks ID Locate the most recent passport for your user and double-click to see its details Check the keys in the user’s key ring. These are the keys assigned to the user during that specific login Use the filter to display similar keys to verify the key remains 4/24/2017

28 SHPEntry example: ADV User Class
Checking the Passports - keep in mind that: A Passport is deleted when the user logs out A Passport is not deleted if a user’s session times out or a user kills the browser Passports that are older than today are deleted when the web daemons are restarted (webrestart) Let’s walk through checking on a Passport where two Advisors log in: ADV1 who has the SDNTEDEL key, and ADV2 who does not 4/24/2017

29 SHPEntry example: ADV User Class
ADV2 user is a member of SRNADV with no changes. Before removing SDNTEDEL from the SRNADV Group, ADV2 has the SDNTEDEL key in his keyring After removing the key from the Group, ADV2 loses SDNTEDEL from his keyring ADV1 user is a member of SRNADV but we have added the SDNTEDEL key Even though the SRNADV Group does not have key SDNTEDEL, the ADV1 User still has this key in his keyring. 4/24/2017

30 SHPEntry example: ADV User Class
4/24/2017

31 SHPEntry example: ADV User Class
4/24/2017

32 SHPEntry example: ADV User Class
4/24/2017

33 SHPEntry example: ADV User Class
4/24/2017

34 SHPEntry example: ADV User Class
4/24/2017

35 SHPEntry example: ADV User Class
4/24/2017

36 SHPEntry example: ADV User Class
We removed a Key from a Group which is equivalent with removing permission for a Key: Removing a Key from a Group deletes the Key from the Group. Removing permission for a Key keeps the Key in the Group but disallows access to all Users. Adding the Key to specific Users allows these Users access to the Service. 4/24/2017

37 SHPEntry example: ADV User Class
4/24/2017

38 SHPEntry example: ADV User Class
4/24/2017

39 SHPEntry example: ADV User Class
4/24/2017

40 Balancing SHPEntry and SHPCFG
The following keys are required for access to SHPEntry: SHPENTRY SHPGROUP SHPLOGS SHPPASS SHPSET SHPUSER 4/24/2017

41 Balancing SHPEntry and SHPCFG
DegreeWorks SHPEntry User Guide DegreeWorks Installation Guide Which new Keys have been added? SHPCFG Review and Configuration DegreeWorks Technical Guide Security Access Control (Authorization) List of Services and associated Keys List of Groups and associated Keys Users and User Classes Granting access to SureCode, Transit, etc. 4/24/2017

42 Follow the DegreeWorks Symposium on Twitter !
Questions ? Follow the DegreeWorks Symposium on Twitter ! Tag your tweets with #degreeworks

Download ppt "Managing User Roles: A How-To Guide"

Similar presentations

ImageNow at LaSalle University Julie Riganati 215.951.5129.

ImageNow at LaSalle University Julie Riganati
Lecture 10 Sharing Resources. Basics of File Sharing The core component of any server is its ability to share files. In fact, the Server service in all.

Lecture 10 Sharing Resources. Basics of File Sharing The core component of any server is its ability to share files. In fact, the Server service in all.
Working with Delegations Version 2.0 ADAM Training Session.

Working with Delegations Version 2.0 ADAM Training Session.
Researching Efficiently and Cost Effectively on Lexis Advance™ and Lexis.com 1.

Researching Efficiently and Cost Effectively on Lexis Advance™ and Lexis.com 1.
SOFTWARE PRESENTATION ODMS (OPEN SOURCE DOCUMENT MANAGEMENT SYSTEM)

SOFTWARE PRESENTATION ODMS (OPEN SOURCE DOCUMENT MANAGEMENT SYSTEM)
HORIZONT 1 ProcMan ® The Handover Process Manager Product Presentation HORIZONT Software for Datacenters Garmischer Str. 8 D- 80339 München Tel ++49(0)89.

HORIZONT 1 ProcMan ® The Handover Process Manager Product Presentation HORIZONT Software for Datacenters Garmischer Str. 8 D München Tel ++49(0)89.
User Management DigiTool Version 3.0. User Management 2 User Architecture PatronsStaff Users DepositorsApprovers Meditor User Management Management Module.

User Management DigiTool Version 3.0. User Management 2 User Architecture PatronsStaff Users DepositorsApprovers Meditor User Management Management Module.
16.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.

Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.
An Authorization Service using.NET Passport ™ as underlying Authentication Scheme Bar-Hen Ron Hochberger Daniel Winter 2002 Technion – Israel Institute.

An Authorization Service using.NET Passport ™ as underlying Authentication Scheme Bar-Hen Ron Hochberger Daniel Winter 2002 Technion – Israel Institute.
10.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.

10.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.
Report Distribution Report Distribution in PeopleTools 8.4 Doug Ostler & Eric Knapp 7264.

Report Distribution Report Distribution in PeopleTools 8.4 Doug Ostler & Eric Knapp 7264.
Reference and Instruction Automated Statistics Gathering and Reporting System Members: Patrick Chen (pyc7) Soo-Yung Cho (sc444) Gregg Herlacher (gah24)

Reference and Instruction Automated Statistics Gathering and Reporting System Members: Patrick Chen (pyc7) Soo-Yung Cho (sc444) Gregg Herlacher (gah24)
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 9: Implementing and Using Group Policy.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 9: Implementing and Using Group Policy.
Hands-On Microsoft Windows Server 2003 Administration Chapter 5 Administering File Resources.

Hands-On Microsoft Windows Server 2003 Administration Chapter 5 Administering File Resources.
Terminal Server © N. Ganesan, Ph.D.. Reference Thin-Client Concept Thin-Client concept tutorial.

Terminal Server © N. Ganesan, Ph.D.. Reference Thin-Client Concept Thin-Client concept tutorial.
Using UPT: Set up Application & Create caArray Users Fan Lin, Ph. D. Molecular Analysis Tools Knowledge Center Columbia University and The Broad Institute.

Using UPT: Set up Application & Create caArray Users Fan Lin, Ph. D. Molecular Analysis Tools Knowledge Center Columbia University and The Broad Institute.
© Tech Mahindra & Mahindra Satyam 2012 -Folder access SSA Phase II.

© Tech Mahindra & Mahindra Satyam Folder access SSA Phase II.
Guide to MCSE 70-290, Enhanced 1 Activity 9-1: Creating a Group Policy Object Using the MMC Objective: To create a GPO using the Group Policy Object Editor.

Guide to MCSE , Enhanced 1 Activity 9-1: Creating a Group Policy Object Using the MMC Objective: To create a GPO using the Group Policy Object Editor.
ShelterPoint™ Data-Entry Workflows. ShelterPoint v5.2.3.

ShelterPoint™ Data-Entry Workflows. ShelterPoint v5.2.3.

Similar presentations

Ads by Google