Swetha Siripurapu, The University of Oklahoma (OU)
Jim Gross (formerly of Texas Tech University), Senior ERP Analyst, Office of Information Technology Services, Sam Houston State University, Box 2449, Huntsville, TX 77341, jim.gross@shsu.edu

Texas Tech University Agenda
What is data-level security?
What is an example of data-level security?
Creation of the Security Query Subject
Application of data-level security at Texas Tech University
Pros/Cons of using Framework Manager to implement security?
How is data-level security maintained?

What is data-level (row level) security and how is it different from other security in Cognos?
Object-level Security: Defines which users have access to folders, reports or packages.
Data-level Security: Allows the user to only see their data within a query subject.
Column Security: Defines whether a user has access to a field in the query subject, e.g. SSN.

What is an example of data-level security?
Data-level security can be explained by giving the example of a sales department. The Sales Manager has access to all sales data for all regions, whereas each sales person can only see the data for their own sales region (North, South, East, or West).

Creation of the Security Query Subject
Expand the security table to the lowest level (7th) of the Organizational Hierarchy.
The #sq($account.defaultName)# macro is used to acquire the user name (eRaider).
Filter the security query subject by the current user.

Application of data-level security at Texas Tech
Security Filter Property: All_Authenticated - Group
[TARGET_QS].[ORGN] in ([SECURITY_QS].[ORGN])
PROs
Security is easily implemented / modified
Security can be group or role based
Can be based off existing security systems
CONs
How will the data-level security be maintained?
The ideal is to have the business units maintain their own security needs through an application. If one does not exist, a simple web application can be created to assist in the process.
Excel spreadsheet

Darrel Pyle, Senior Business Systems Analyst, Budgets Office - BI/Data Warehousing, Southern Methodist University, P.O. Box 750505, Dallas, TX 75275-0505, dpyle@smu.edu

394 Nodes in a ragged DeptID tree
125 Cognos users for the Financials package

The Financials System team is responsible for who receives access and for the approval process.
Central location for easy maintenance.
The Financials System team sends a request to BI if the user does not currently have access to Cognos, so that the necessary LDAP groups can be assigned.

Cognos Security page in PeopleSoft Financials
Multiple nodes at various levels can be assigned with different security.
Multiple DeptIDs can be assigned with different security.
Security is applied from the lowest level (DeptID) to the upper level (TOTAL node).
Lower level security overrides upper level security.
Table Structure (PS_U_DEPT_SECURITY):
EMPLID*: equals LDAP username
DEPTID_NODE*: tree node/DeptID value
SEC_TYPE*: specifies if DEPTID_NODE is a tree node or DeptID value
ACCT_SEC_G_A: excludes salary and benefits accounts
INCL_POSN: allow access to position data
* Key field
Nightly ETLs refresh row level security.
DeptID and Account tree ETLs are run prior.
The row level security ETL uses the DeptID tree in the warehouse to populate the lowest level of security (DeptID).
This allows for both the Tree Node security and individual DeptID security to be applied.
DeptID security overrides any node security.
Lower level nodes override higher level nodes.
Table Structure (FS_ORG_ROW_SEC):
EMPLID*: equals LDAP username
DEPTID*: DeptID value
ACCT_SEC_G_A: exclude salary & benefit accts
ACCT_SEC_DESCR: description for account security
INCL_POSN: allow access to position data
POSN_SEC_DESCR: description for position security
SEC_DESCR: overall security description
* Key field
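The override rule behind the nightly row level security ETL (and the Texas Tech step of expanding the security table down to the lowest level of the organizational hierarchy), as an added example in Python that is not code from the presentation or from either university's ETL: PS_U_DEPT_SECURITY-style assignments at tree nodes or DeptIDs are resolved down a ragged DeptID tree into the FS_ORG_ROW_SEC-style rows the ETL would write, with the assignment nearest the DeptID winning. The tree shape, user names and assignments are constructed sample data, and the field names mirror the two tables above.

```python
from collections import namedtuple

# Constructed ragged DeptID tree (child -> parent): interior names are tree
# nodes, "TOTAL" is the root, leaves are DeptID values. D300 hangs directly
# off a level-1 node, which is what makes the tree ragged.
TREE = {
    "ACADEMIC": "TOTAL", "ADMIN": "TOTAL",
    "ENGR": "ACADEMIC", "ARTS": "ACADEMIC",
    "D100": "ENGR", "D110": "ENGR", "D200": "ARTS", "D300": "ADMIN",
}

# One PS_U_DEPT_SECURITY-style row; sec_type 'N' = tree node, 'D' = DeptID.
Assignment = namedtuple("Assignment", "emplid deptid_node sec_type acct_sec_g_a incl_posn")

# Constructed sample: jdoe gets ACADEMIC without salary/benefits accounts or
# position data, but a DeptID-level row opens both up for D110 only.
SAMPLE = [
    Assignment("jdoe", "ACADEMIC", "N", "Y", "N"),
    Assignment("jdoe", "D110", "D", "N", "Y"),
    Assignment("asmith", "TOTAL", "N", "N", "Y"),
]

def leaf_deptids():
    """Every DeptID value, i.e. each tree entry that is nobody's parent."""
    parents = set(TREE.values())
    return sorted(n for n in TREE if n not in parents)

def path_to_root(deptid):
    """deptid first, then its node chain up to TOTAL (nearest node first)."""
    chain = [deptid]
    while chain[-1] in TREE:
        chain.append(TREE[chain[-1]])
    return chain

def resolve_row_security(assignments):
    """Return {(emplid, deptid): (acct_sec_g_a, incl_posn)}, one entry per
    DeptID a user may see. Walking the path nearest-first is what makes a
    DeptID row override any node and a lower node override a higher one."""
    by_user = {}
    for a in assignments:
        by_user.setdefault(a.emplid, {})[a.deptid_node] = a
    rows = {}
    for emplid, keyed in by_user.items():
        for dept in leaf_deptids():
            for node in path_to_root(dept):
                if node in keyed:  # first hit is the most specific assignment
                    rows[(emplid, dept)] = (keyed[node].acct_sec_g_a, keyed[node].incl_posn)
                    break
    return rows
```

A user with no assignment on a DeptID's path gets no row for it, which is how the query subject join below keeps that DeptID's facts out of the report entirely.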
Framework Manager Query Subjects
Query subjects within the Framework Manager package filter the data before the user is able to pull in any data. This includes the DeptID and Account hierarchies that the users are able to see.

A built-in function in Framework Manager accomplishes the task by passing the LDAP userName to Cognos, which is equal to the OPRID_SECURED value on the security table. The function is: #sq($account.personalInfo.userName)#
FS_POSN_BUDG_FACT Query Subject
Select FS_ORG_ROW_SEC.OPRID_SECURED, TBL.*
From [BI].FS_POSN_BUDG_FACT TBL,
     [BI].FS_ORG_ROW_SEC FS_ORG_ROW_SEC,
     [BI].FS_ACCT_LVL ACCT
Where TBL.ORG = FS_ORG_ROW_SEC.DEPTID
  and FS_ORG_ROW_SEC.OPRID_SECURED = #sq($account.personalInfo.userName)#
  AND TBL.ACCOUNT = ACCT.ACCOUNT
  AND FS_ORG_ROW_SEC.INCL_POSN = 'Y'
  AND ( ACCT.LEVEL3 <> 'SALARIES & BENEFITS'
        OR ( ACCT.LEVEL3 = 'SALARIES & BENEFITS' AND FS_ORG_ROW_SEC.ACCT_SEC_G_A = 'N'))
Row level and Column level security
Object Level Security: Defines users that have access to folders and reports.
Column level Security: Defines whether a user has access to a field in the query subject, e.g. SSN.
Row level Security: Allows the user to only see their data within a query subject.

Overview
Cognos calls procedure -> procedure writes session variables
Cognos runs reports -> reports call SQL statements -> SQL statements use the session variables

Cognos calls procedure
Open session command block on the data source configuration in Cognos.
Calls a security package in Oracle.
Sets session context for the Cognos user.
<commandBlock>
  <commands>
    <sqlCommand>
      <sql>
        BEGIN
          sys.security_package.create_context(#sq($account.personalInfo.userName)#);
        END;
      </sql>
    </sqlCommand>
  </commands>
</commandBlock>
SYS.security_package.create_context accepts a userid, retrieves the column and row level information for that ID, and sets the session contexts. Policies for the context are set on tables in ODS; they apply the access restrictions for the current user.

SQL statement to create Column level Policy
-- MZT_STUDENT, SSN policy
BEGIN
  DBMS_RLS.ADD_POLICY(
    OBJECT_SCHEMA         => 'OUCUSTOM',
    OBJECT_NAME           => 'MZT_STUDENT',
    POLICY_NAME           => 'ODSMZTStuSSN',
    FUNCTION_SCHEMA       => 'SYS',
    POLICY_FUNCTION       => 'F_ODS_SECR_SSN_CHK',
    STATEMENT_TYPES       => 'SELECT',
    POLICY_TYPE           => DBMS_RLS.DYNAMIC,
    SEC_RELEVANT_COLS     => 'TAX_ID',
    SEC_RELEVANT_COLS_OPT => DBMS_RLS.ALL_ROWS);
END;
With SEC_RELEVANT_COLS_OPT set to DBMS_RLS.ALL_ROWS the policy masks rather than filters: every row is still returned, but TAX_ID reads as NULL on rows where the policy function's predicate is false for the current session user.

Questions?

Jim Gross (formerly of Texas Tech University), Senior ERP Analyst, Office of Information Technology Services, Sam Houston State University, Box 2449, Huntsville, TX 77341, jim.gross@shsu.edu
Darrel Pyle, Senior Business Systems Analyst, Budgets Office - BI/Data Warehousing, Southern Methodist University, P.O. Box 750505, Dallas, TX 75275-0505, dpyle@smu.edu
Swetha Siripurapu, IT Analyst II, The University of Oklahoma, swetha.neni@ou.edu