
Application of data-level security in Framework Manager


Presenters:
- Jim Gross, Texas Tech University (TTU)
- Darrel Pyle, Southern Methodist University (SMU)
- Swetha Siripurapu, The University of Oklahoma (OU)

Jim Gross (formerly of Texas Tech University), Senior ERP Analyst, Office of Information Technology Services, Sam Houston State University, Box 2449, Huntsville, TX 77341, jim.gross@shsu.edu

Texas Tech University Agenda
- What is data-level security?
- What is an example of data-level security?
- Creation of the Security Query Subject
- Application of data-level security at Texas Tech University
- Pros/Cons of using Framework Manager to implement security
- How is data-level security maintained?

What is data-level (row-level) security and how is it different from the other kinds of security in Cognos?
- Object-level security: defines which users have access to folders, reports or packages.
- Data-level security: allows the user to see only their own data within a query subject.
- Column security: defines whether a user has access to a field in the query subject, e.g. SSN.

What is an example of data-level security? Consider a sales department. The Sales Manager has access to all sales data for all regions, whereas each sales person can see only the data for their own sales region (North, South, East or West).

Creation of the Security Query Subject
- Expand the security table to the lowest level (7th) of the organizational hierarchy.
- The #sq($account.defaultName)# macro is used to acquire the user name (eRaider).
- Filter the security query subject by the current user.

Application of data-level security at Texas Tech

Security Filter property on the target query subject, applied to the All_Authenticated group:

    [TARGET_QS].[ORGN] in ([SECURITY_QS].[ORGN])

Because the security query subject is already filtered to the current user, the IN list contains only the ORGN values that user is entitled to see.

Pros/Cons of using Framework Manager to implement data-level security

PROs
- Security is easily implemented and modified.
- Security can be group or role based.
- Security can be based off existing security systems.

CONs
- Bypass of security through use of SQL objects in Report Studio: a report author who can add a SQL object (or pass-through SQL) sends that SQL straight to the database, so the model's security filter never applies. Mitigations are to restrict the Cognos capability that lets authors write their own SQL and to enforce the restriction in the database as well, which is what the OU approach (Oracle VPD) later in this deck does.
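The following is an added example, not code from the TTU presentation, that models the security query subject, the security filter and the SQL-object bypass above with sqlite3 so the effect can be run end to end. The table names SECURITY_QS and TARGET_QS, the column names ERAIDER, ORGN and AMOUNT, the sample rows and the sq() helper (assumed to mirror the Cognos #sq()# macro by single-quoting the value and doubling embedded quotes) are all constructed for the example.

```python
import sqlite3

# Constructed sample data (not from the TTU deck): rows of the security query
# subject, already expanded to the lowest hierarchy level, and a fact table.
SECURITY_ROWS = [          # (ERAIDER, ORGN): one row per org the user may see
    ("alice", "B100"),
    ("alice", "B200"),
    ("bob", "B200"),
]
FACT_ROWS = [              # (ORGN, AMOUNT)
    ("B100", 1000),
    ("B200", 250),
    ("B300", 999),
]


def build_db():
    """In-memory stand-in for the warehouse: SECURITY_QS and TARGET_QS tables."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        "CREATE TABLE SECURITY_QS (ERAIDER TEXT, ORGN TEXT);"
        "CREATE TABLE TARGET_QS (ORGN TEXT, AMOUNT INTEGER);"
    )
    con.executemany("INSERT INTO SECURITY_QS VALUES (?, ?)", SECURITY_ROWS)
    con.executemany("INSERT INTO TARGET_QS VALUES (?, ?)", FACT_ROWS)
    return con


def sq(value):
    """Stand-in for the Cognos #sq()# macro: emit the value as a single-quoted
    SQL literal (embedded quotes doubled, which is assumed to match the macro)."""
    return "'" + str(value).replace("'", "''") + "'"


def security_qs_sql(user):
    """The security query subject filtered to the current user, as the macro
    #sq($account.defaultName)# would expand it for that user."""
    return f"SELECT ORGN FROM SECURITY_QS WHERE ERAIDER = {sq(user)}"


def secured_query(con, user):
    """TARGET_QS with the security filter
    [TARGET_QS].[ORGN] in ([SECURITY_QS].[ORGN]) applied."""
    sql = (
        "SELECT ORGN, AMOUNT FROM TARGET_QS "
        f"WHERE ORGN IN ({security_qs_sql(user)}) ORDER BY ORGN"
    )
    return con.execute(sql).fetchall()


def raw_sql_object(con):
    """The con on the slide: a Report Studio SQL object goes straight to the
    database, so the model-level filter never runs."""
    return con.execute("SELECT ORGN, AMOUNT FROM TARGET_QS ORDER BY ORGN").fetchall()


if __name__ == "__main__":
    db = build_db()
    for who in ("alice", "bob", "mallory"):
        print(who, secured_query(db, who))
    print("SQL object bypass:", raw_sql_object(db))
```

A user with no rows in the security query subject (mallory) gets an empty result, so the join-style filter fails closed; the raw SQL object returns every row regardless of who runs it, which is exactly why the Report Studio SQL capability has to be restricted when the filter lives only in the model.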

How will data-level security be maintained?
- Ideally the business units maintain their own security needs through an application.
- If one does not exist, a simple web application can be created to assist in the process.
- Excel spreadsheet

Darrel Pyle, Senior Business Systems Analyst, Budgets Office - BI/Data Warehousing, Southern Methodist University, P.O. Box 750505, Dallas, TX 75275-0505, dpyle@smu.edu

Application of Data Level Security at SMU

Complexity:
- 9,614 DeptID values (6,335 active, 3,279 historic)
- 394 nodes in a ragged DeptID tree
- 125 Cognos users for the Financials package

Several pieces working together:
1. DeptID tree in PeopleSoft Financials
2. Cognos Security page in PeopleSoft Financials
3. ETLs
   i. FS_ORG_LVL flattens the DeptID tree
   ii. FS_ORG_ROW_SEC applies security at the DeptID level
4. Framework Manager
5. LDAP Authentication

DeptID tree in PeopleSoft Financials (ragged hierarchy)

Cognos Security page in PeopleSoft Financials
- The Financials System team is responsible for who receives access and for the approval process.
- Central location for easy maintenance.
- If the user does not currently have access to Cognos, the Financials System team sends a request to BI so that the necessary LDAP groups can be assigned.
- Multiple nodes at various levels can be assigned with different security.
- Multiple DeptIDs can be assigned with different security.
- Security is applied from the lowest level (DeptID) up to the upper level (TOTAL node).
- Lower-level security overrides upper-level security.

Table structure (PS_U_DEPT_SECURITY):
- EMPLID* (equals LDAP username)
- DEPTID_NODE* tree node or DeptID value
- SEC_TYPE* specifies whether DEPTID_NODE is a tree node or a DeptID value
- ACCT_SEC_G_A excludes salary and benefits accounts
- INCL_POSN allows access to position data

* Key field

Nightly ETLs refresh row-level security
- The DeptID and Account tree ETLs are run first.
- The row-level security ETL uses the DeptID tree in the warehouse to populate security at the lowest level (DeptID).
- This allows both tree-node security and individual DeptID security to be applied.
- DeptID security overrides any node security.
- Lower-level nodes override higher-level nodes.

Table structure (FS_ORG_ROW_SEC):
- EMPLID*: equals LDAP username (the query subjects below reference this value as OPRID_SECURED)
- DEPTID*: DeptID value
- ACCT_SEC_G_A: exclude salary & benefit accounts
- ACCT_SEC_DESCR: description for account security
- INCL_POSN: allow access to position data
- POSN_SEC_DESCR: description for position security
- SEC_DESCR: overall security description

* Key field
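The following is an added example, not SMU's ETL code, that implements the precedence rules stated above (DeptID beats node, lower node beats higher node) over a constructed ragged tree and constructed PS_U_DEPT_SECURITY rows, producing FS_ORG_ROW_SEC-shaped rows. The tree, the user and department identifiers, and the SEC_TYPE codes "N" (tree node) and "D" (DeptID), which the slide does not spell out, are assumptions of the example.

```python
from collections import namedtuple

# Constructed ragged DeptID tree (not SMU's real tree): child -> parent.
# DeptIDs start with "D"; D2001 hangs directly off ACAD, one level above the
# ENGR departments, which is what makes the hierarchy ragged.
PARENT = {
    "ACAD": "TOTAL", "ADMIN": "TOTAL", "ENGR": "ACAD",
    "D1001": "ENGR", "D1002": "ENGR", "D2001": "ACAD", "D3001": "ADMIN",
}
DEPTIDS = sorted(k for k in PARENT if k.startswith("D"))

# PS_U_DEPT_SECURITY rows. The SEC_TYPE codes are assumed: "N" = tree node,
# "D" = DeptID value (the slide names the column but not its values).
SecRow = namedtuple("SecRow", "EMPLID DEPTID_NODE SEC_TYPE ACCT_SEC_G_A INCL_POSN")
PS_U_DEPT_SECURITY = [
    SecRow("jdoe",   "TOTAL", "N", "Y", "N"),  # everything, no salary, no positions
    SecRow("jdoe",   "ENGR",  "N", "N", "Y"),  # lower node: ENGR gets salary + positions
    SecRow("jdoe",   "D1002", "D", "Y", "N"),  # DeptID: D1002 loses them again
    SecRow("asmith", "ADMIN", "N", "N", "N"),
]

RowSec = namedtuple("RowSec", "EMPLID DEPTID ACCT_SEC_G_A INCL_POSN SEC_DESCR")


def ancestors(deptid):
    """Tree nodes above a DeptID, nearest first (what FS_ORG_LVL flattens)."""
    node = PARENT.get(deptid)
    while node is not None:
        yield node
        node = PARENT.get(node)


def expand(assignments):
    """Populate FS_ORG_ROW_SEC: one row per (EMPLID, DeptID) the user may see,
    with DeptID assignments beating node assignments and lower nodes beating
    higher ones."""
    by_user = {}
    for a in assignments:
        by_user.setdefault(a.EMPLID, {"D": {}, "N": {}})[a.SEC_TYPE][a.DEPTID_NODE] = a
    rows = []
    for emplid, groups in sorted(by_user.items()):
        for deptid in DEPTIDS:
            hit, descr = groups["D"].get(deptid), "DeptID"
            if hit is None:
                for node in ancestors(deptid):      # nearest node wins
                    if node in groups["N"]:
                        hit, descr = groups["N"][node], f"node {node}"
                        break
            if hit is not None:
                rows.append(RowSec(emplid, deptid, hit.ACCT_SEC_G_A, hit.INCL_POSN, descr))
    return rows


if __name__ == "__main__":
    for r in expand(PS_U_DEPT_SECURITY):
        print(r)
```

Only departments that resolve to some assignment get a row, so a user who has no entry on the security page gets no FS_ORG_ROW_SEC rows at all and the joins in the query subjects return nothing for them.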

Framework Manager Query Subjects

Query subjects within the Framework Manager package filter the data before the user is able to pull anything in; this includes the DeptID and Account hierarchies the user is able to see. Because each secured query subject joins to FS_ORG_ROW_SEC on the user's ID, a user with no rows in that table gets no data (the filter fails closed).

A built-in Framework Manager macro accomplishes this by passing the LDAP userName from Cognos, which is equal to the OPRID_SECURED value on the security table. The macro is #sq($account.personalInfo.userName)#; sq() returns the value as a single-quoted SQL string literal.

This macro is applied to the following query subjects:
- FS_ORG_LVL
- FS_ORG_LVL for Positions
- FS_ACCT_LVL
- FS_POSN_BUDG_FACT

FS_ORG_LVL Query Subject

    SELECT FS_ORG_ROW_SEC.OPRID_SECURED, TBL.*
    FROM [BI].FS_ORG_LVL TBL, [BI].FS_ORG_ROW_SEC FS_ORG_ROW_SEC
    WHERE TBL.DEPTID = FS_ORG_ROW_SEC.DEPTID
      AND FS_ORG_ROW_SEC.OPRID_SECURED = #sq($account.personalInfo.userName)#

FS_ACCT_LVL Query Subject

    SELECT ACCT.*
    FROM [BI].FS_ACCT_LVL ACCT
    WHERE ACCT.LEVEL3 <> 'SALARIES & BENEFITS'
       OR ACCT.LEVEL3 = (SELECT 'SALARIES & BENEFITS' G_A_LVL
                         FROM [BI].FS_ORG_ROW_SEC
                         WHERE FS_ORG_ROW_SEC.OPRID_SECURED = #sq($account.personalInfo.userName)#
                           AND ACCT_SEC_G_A = 'N'
                           AND ROWNUM = 1)   -- Oracle pseudo-column: at most one row

The salary and benefits accounts appear in the account hierarchy only if the user has at least one FS_ORG_ROW_SEC row with ACCT_SEC_G_A = 'N'; the per-department check is done in the fact query subject.

FS_ORG_LVL for Positions Query Subject

    SELECT FS_ORG_ROW_SEC.OPRID_SECURED, TBL.*
    FROM [BI].FS_ORG_LVL TBL, [BI].FS_ORG_ROW_SEC FS_ORG_ROW_SEC
    WHERE TBL.DEPTID = FS_ORG_ROW_SEC.DEPTID
      AND FS_ORG_ROW_SEC.INCL_POSN = 'Y'
      AND FS_ORG_ROW_SEC.OPRID_SECURED = #sq($account.personalInfo.userName)#

FS_POSN_BUDG_FACT Query Subject

    SELECT FS_ORG_ROW_SEC.OPRID_SECURED, TBL.*
    FROM [BI].FS_POSN_BUDG_FACT TBL, [BI].FS_ORG_ROW_SEC FS_ORG_ROW_SEC, [BI].FS_ACCT_LVL ACCT
    WHERE TBL.ORG = FS_ORG_ROW_SEC.DEPTID
      AND FS_ORG_ROW_SEC.OPRID_SECURED = #sq($account.personalInfo.userName)#
      AND TBL.ACCOUNT = ACCT.ACCOUNT
      AND FS_ORG_ROW_SEC.INCL_POSN = 'Y'
      AND (ACCT.LEVEL3 <> 'SALARIES & BENEFITS'
           OR (ACCT.LEVEL3 = 'SALARIES & BENEFITS' AND FS_ORG_ROW_SEC.ACCT_SEC_G_A = 'N'))

Swetha Siripurapu IT Analyst II The University of Oklahoma swetha.neni@ou.edu

Row-level and column-level security
- Object-level security: defines which users have access to folders and reports.
- Column-level security: defines whether a user has access to a field in the query subject, e.g. SSN.
- Row-level security: allows the user to see only their own data within a query subject.

Overview: Cognos calls a procedure, which writes session variables; when Cognos runs reports, their SQL statements read those session variables.

Cognos calls procedure
- Open session command block on the data source configuration in Cognos
- Calls a security package in Oracle
- Sets the session context for the Cognos user

Open Session command block:

    <commandBlock>
      <commands>
        <sqlCommand>
          <sql>
            BEGIN
              sys.security_package.create_context(#sq($account.personalInfo.userName)#);
            END;
          </sql>
        </sqlCommand>
      </commands>
    </commandBlock>

SYS.security_package.create_context accepts the user ID, reads the column-level and row-level security information for that ID and stores it as session context attributes. VPD policies on the ODS tables read that context and apply the access restrictions for the current user. Two practical checks: the context must be created once with CREATE CONTEXT ODS_COL_CONTEXT USING sys.security_package, which is also what restricts setting its attributes to that package; and if the database connection is pooled and reused across Cognos sessions, a matching close-session command block that calls DBMS_SESSION.CLEAR_ALL_CONTEXT('ODS_COL_CONTEXT') keeps one user's context from leaking into the next session on the same connection.

Code for column-level security from sys.security_package (a nested block inside create_context; p_user is the procedure's argument, and the declarations are added here so the fragment compiles on its own)

    DECLARE
      V_SEMI  VARCHAR2(1);
      V_SENS  VARCHAR2(1);
      V_GRADE VARCHAR2(1);
      V_PASS  VARCHAR2(1);
      V_SSN   VARCHAR2(1);
    BEGIN
      SELECT SEMI_SENSITIVE_IND, SENSITIVE_IND, GRADE_IND, PASSPORT_IND, SSN_IND
        INTO V_SEMI, V_SENS, V_GRADE, V_PASS, V_SSN
        FROM OUCUSTOM.SECR_COL_LVL
       WHERE USERNAME = UPPER(p_user);
      DBMS_SESSION.SET_CONTEXT('ODS_COL_CONTEXT', 'SEMI_SENSITIVE_IND', V_SEMI);
      DBMS_SESSION.SET_CONTEXT('ODS_COL_CONTEXT', 'SENSITIVE_IND',      V_SENS);
      DBMS_SESSION.SET_CONTEXT('ODS_COL_CONTEXT', 'GRADE_IND',          V_GRADE);
      DBMS_SESSION.SET_CONTEXT('ODS_COL_CONTEXT', 'PASSPORT_IND',       V_PASS);
      DBMS_SESSION.SET_CONTEXT('ODS_COL_CONTEXT', 'SSN_IND',            V_SSN);
    EXCEPTION
      WHEN OTHERS THEN
        NULL;   -- a user missing from SECR_COL_LVL leaves every indicator unset
    END;

If the SELECT raises NO_DATA_FOUND (the user is not in SECR_COL_LVL) the handler swallows it and no indicator is set, so SYS_CONTEXT returns NULL for every attribute; the policy functions below decide what that means.

Code for row-level security from sys.security_package (same conventions as above)

    DECLARE
      V_DEPTS VARCHAR2(1000);
    BEGIN
      SELECT DEPT_LIST
        INTO V_DEPTS
        FROM OUCUSTOM.SECR_ROW_LVL
       WHERE USERNAME = UPPER(p_user);
      IF V_DEPTS IS NOT NULL THEN
        DBMS_SESSION.SET_CONTEXT('ODS_COL_CONTEXT', 'DEPT_LIST', V_DEPTS);
      END IF;
    EXCEPTION
      WHEN OTHERS THEN
        -- user not in SECR_ROW_LVL: a list that matches no department
        DBMS_SESSION.SET_CONTEXT('ODS_COL_CONTEXT', 'DEPT_LIST', '----');
    END;

Note the asymmetry with the column-level block: a missing user is given the placeholder '----' (fail closed), while a user whose DEPT_LIST is NULL gets no context attribute at all, which the row-level policy function treats as unrestricted.

Table structure for the column-level security table (OUCUSTOM.SECR_COL_LVL, as read by the code above): USERNAME plus one indicator per protected data class: SEMI_SENSITIVE_IND, SENSITIVE_IND, GRADE_IND, PASSPORT_IND, SSN_IND.

Sample data from the column-level security table

Table structure for the row-level security table (OUCUSTOM.SECR_ROW_LVL): USERNAME and DEPT_LIST, a comma-separated list of department codes.

Sample data from the row-level security table


SQL statement to create the column-level policy

    -- MZT_STUDENT, SSN policy
    BEGIN
      DBMS_RLS.ADD_POLICY(
        OBJECT_SCHEMA         => 'OUCUSTOM',
        OBJECT_NAME           => 'MZT_STUDENT',
        POLICY_NAME           => 'ODSMZTStuSSN',
        FUNCTION_SCHEMA       => 'SYS',
        POLICY_FUNCTION       => 'F_ODS_SECR_SSN_CHK',
        STATEMENT_TYPES       => 'SELECT',
        POLICY_TYPE           => DBMS_RLS.DYNAMIC,
        SEC_RELEVANT_COLS     => 'TAX_ID',
        SEC_RELEVANT_COLS_OPT => DBMS_RLS.ALL_ROWS);
    END;

With SEC_RELEVANT_COLS_OPT => DBMS_RLS.ALL_ROWS this is column masking rather than row filtering: every row is still returned, but TAX_ID comes back as NULL in rows for which the policy predicate is false.

SSN policy function F_ODS_SECR_SSN_CHK

    CREATE OR REPLACE FUNCTION sys.F_ODS_SECR_SSN_CHK (V_SCHEMA IN VARCHAR2, V_OBJECT IN VARCHAR2)
      RETURN VARCHAR2
    IS
      v_ind VARCHAR2(1);
    BEGIN
      -- Acquire indicator from context
      SELECT SYS_CONTEXT('ODS_COL_CONTEXT', 'SSN_IND') INTO v_ind FROM dual;
      IF v_ind = 'Y' THEN
        RETURN '0 = 1';   -- false for every row: TAX_ID is masked to NULL
      ELSE
        RETURN NULL;      -- no predicate: TAX_ID is visible
      END IF;
    END F_ODS_SECR_SSN_CHK;

Note the polarity: SSN_IND = 'Y' means the SSN is withheld. Anything else, including the NULL that results when create_context found no row for the user, yields no predicate and exposes TAX_ID, so the column policy fails open for unknown users; a fail-closed variant would return '0 = 1' unless the indicator is explicitly 'N'.

SQL to create the row-level policy

    -- MZT_STUDENT, row-level policy
    BEGIN
      DBMS_RLS.ADD_POLICY(
        OBJECT_SCHEMA   => 'OUCUSTOM',
        OBJECT_NAME     => 'MZT_STUDENT',
        POLICY_NAME     => 'ODSMZTStuRLS',
        FUNCTION_SCHEMA => 'SYS',
        POLICY_FUNCTION => 'F_ODS_SECR_RLS',
        STATEMENT_TYPES => 'SELECT,UPDATE,INSERT,DELETE',
        UPDATE_CHECK    => TRUE,
        ENABLE          => TRUE,
        STATIC_POLICY   => FALSE);
    END;

Row-level policy function F_ODS_SECR_RLS

    CREATE OR REPLACE FUNCTION sys.F_ODS_SECR_RLS (V_SCHEMA IN VARCHAR2, V_OBJECT IN VARCHAR2)
      RETURN VARCHAR2
    IS
      v_list VARCHAR2(1000) := NULL;
    BEGIN
      -- Acquire the department list from context, turning 'A,B' into the alternation 'A|B'
      SELECT REPLACE(SYS_CONTEXT('ODS_COL_CONTEXT', 'DEPT_LIST'), ',', '|')
        INTO v_list
        FROM dual;
      IF v_list IS NULL THEN
        RETURN '1 = 1';   -- no list in context: unrestricted
      ELSE
        -- CHR(39) is the single quote, so the predicate reads
        -- REGEXP_LIKE(student_department_list, 'A|B')
        RETURN 'REGEXP_LIKE(student_department_list, ' || CHR(39) || v_list || CHR(39) || ')';
      END IF;
    END F_ODS_SECR_RLS;

Three things to check when reusing this pattern: a NULL list means unrestricted, while the '----' placeholder set for unknown users matches nothing; the alternation is unanchored, so a department code that is a substring of another code (or of a longer list entry) also matches; and the predicate is assembled by string concatenation from DEPT_LIST, so that column must be treated as trusted input, since a quote inside it would break or alter the predicate.

Table with records before applying security

Records after applying column-level security

Records after applying row-level security
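The before/after slides are images that do not survive in this extract, so the following added example (not OU's code) reproduces the effect in Python: it models create_context with its two exception paths, the two policy functions returning the same predicate text as the PL/SQL above, and the way VPD applies a row predicate versus a column-masking (ALL_ROWS) predicate to a constructed MZT_STUDENT table. It also shows the unanchored-alternation substring match noted above and a hardened, anchored variant of the row predicate that is not on the slides. User names, department codes, the sample rows and the tax IDs are all constructed.

```python
import re

# Constructed security tables (the deck's sample-data slides are images and
# are not in this extract). SSN_IND = 'Y' means the SSN is withheld.
SECR_COL_LVL = {"JDOE": {"SSN_IND": "Y"}, "ASMITH": {"SSN_IND": "N"}}
SECR_ROW_LVL = {"JDOE": "CS,MATH", "ASMITH": None}   # None = unrestricted

# Constructed MZT_STUDENT rows: (name, student_department_list, tax_id).
COLUMNS = ("name", "student_department_list", "tax_id")
MZT_STUDENT = [
    ("Ann", "CS",        "111-11-1111"),
    ("Ben", "PHYSICS",   "222-22-2222"),   # "CS" is a substring of "PHYSICS"
    ("Cid", "MATH,HIST", "333-33-3333"),
    ("Dee", "HIST",      "444-44-4444"),
]


def create_context(user):
    """sys.security_package.create_context: the ODS_COL_CONTEXT attributes the
    package sets for this user, including what each exception handler does."""
    ctx = {}
    col = SECR_COL_LVL.get(user.upper())
    if col is not None:                  # NO_DATA_FOUND is swallowed: nothing set
        ctx["SSN_IND"] = col["SSN_IND"]
    if user.upper() not in SECR_ROW_LVL:
        ctx["DEPT_LIST"] = "----"        # row-level handler's fail-closed default
    elif SECR_ROW_LVL[user.upper()] is not None:
        ctx["DEPT_LIST"] = SECR_ROW_LVL[user.upper()]
    return ctx


def f_ods_secr_ssn_chk(ctx):
    """Column policy: '0 = 1' when SSN_IND = 'Y', otherwise no predicate.
    An unset indicator therefore leaves TAX_ID visible (fail open)."""
    return "0 = 1" if ctx.get("SSN_IND") == "Y" else None


def f_ods_secr_rls(ctx, anchored=False):
    """Row policy: REGEXP_LIKE alternation built from DEPT_LIST, or '1 = 1'
    when no list is in context. anchored=True is a hardened variant (not on
    the slide) that only matches whole comma-separated codes."""
    dept_list = ctx.get("DEPT_LIST")
    if dept_list is None:
        return "1 = 1"
    alts = dept_list.replace(",", "|")
    pattern = f"(^|,)({alts})(,|$)" if anchored else alts
    return f"REGEXP_LIKE(student_department_list, '{pattern}')"


def _holds(predicate, row):
    """Evaluate the predicate shapes the two policy functions emit for one row
    (REGEXP_LIKE is an unanchored search, like re.search)."""
    if predicate in (None, "1 = 1"):
        return True
    if predicate == "0 = 1":
        return False
    m = re.fullmatch(r"REGEXP_LIKE\((\w+), '(.*)'\)", predicate)
    col, pattern = m.group(1), m.group(2)
    return re.search(pattern, row[COLUMNS.index(col)]) is not None


def select_students(ctx, anchored=False):
    """SELECT name, student_department_list, tax_id FROM MZT_STUDENT with both
    policies applied: the row policy drops rows; the column policy, added with
    SEC_RELEVANT_COLS_OPT => ALL_ROWS, keeps the row and returns NULL (None)
    for TAX_ID when its predicate is false."""
    row_pred = f_ods_secr_rls(ctx, anchored)
    col_pred = f_ods_secr_ssn_chk(ctx)
    result = []
    for row in MZT_STUDENT:
        if _holds(row_pred, row):
            tax_id = row[2] if _holds(col_pred, row) else None
            result.append((row[0], row[1], tax_id))
    return result


if __name__ == "__main__":
    for user in ("jdoe", "asmith", "mallory"):
        ctx = create_context(user)
        print(user, ctx, f_ods_secr_rls(ctx), select_students(ctx))
    print("anchored:", select_students(create_context("jdoe"), anchored=True))
```

Run it and jdoe (departments CS and MATH, SSN withheld) sees Ann, Cid and, because of the substring match, Ben from PHYSICS, all with TAX_ID nulled; the anchored variant drops Ben. asmith has no DEPT_LIST and SSN_IND = 'N', so every row and every tax ID comes back. mallory is in neither table: the row policy's '----' placeholder hides all rows, but f_ods_secr_ssn_chk returns no predicate for that empty context, which is the fail-open case that matters on any table carrying only the column policy.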

Questions?

