Why must you never click on an email link? (SBOP Security Strategies transcript, 59 pages)

Page 1:

SAP Confidential © 2011 SAP AG. All rights reserved. 1

Why must you never click on an email link?

Page 2:

SBOP Security Strategies

Paul Hearmon

PreSales ‘Data2Design’ Team

April 2013

Page 3:

Agenda

1. Types of Security

2. SBOP Security Model

3. SSO Strategies

4. Personalization Strategies

Page 4:

'Security' covers many areas

Identification (Provisioning)

Importing external identities into BOE (BusinessObjects Enterprise)

Authentication

Proving who you say you are

Authorization

Determining what objects you can see, and what actions you can perform in BOE

Confidentiality (“Personalization”)

Determining what data (rows/columns/cells) you can see in the database

Auditing

Determining what information is being accessed, how it's being accessed and changed, and who is performing these operations

Page 5:

Provisioning:

What external identities can we import into BOE?

[Diagram: MS Active Directory, LDAP and Database Table as identity sources feeding BOE]

Page 6:

Authentication:

Proving who you say you are

[Diagram: BOE verifying credentials against MS Active Directory, LDAP or a Database Table]

Page 7:

Authorization:

What can you see/do within BOE?

[Diagram: BOE deciding access using group membership from MS Active Directory, LDAP or a Database Table]

Page 8:

Personalization (Confidentiality):

What data can you see in the database?

[Diagram: the full table in the database

AUSTIN Dinner $10
AUSTIN Shirt $12
DALLAS Ring $30
DENVER Tie $10
AUSTIN Club $15

and the rows this user is allowed to see through BOE

AUSTIN Dinner $10
AUSTIN Shirt $12
AUSTIN Club $15]

Page 9:

Agenda

1. Types of Security

2. SBOP Security Model

3. SSO Strategies

4. Personalization Strategies

Page 10:

BIP Security Model

Identification (Provisioning)

BOE Accounts

BOE Security Plugins

Authentication

SSO

Authorization

The BOE Model: Access Control Lists (ACL)

Confidentiality (“Personalization”)

Page 11:

BOE - Identities

BOE Accounts

Nothing more than a 'shell' that contains Aliases

Aliases

Can be 'Enterprise'

Created and managed within BOE system by BI Administrators

3rd Party

Imported from external identity management systems e.g. Active Directory, SAP

A BOE Account may contain multiple Aliases

Page 12:

Security Plug-ins Provide Provisioning, Authentication and Authorization

“Enterprise” Aliases / authentication

Default authentication mechanism

For customers who do not want to leverage an external system

Allows for hybrid security model

External integration with user directories

Active Directory

LDAP: SunOne Directory Server, IBM SecureWay, Novell eDirectory, Lotus Domino Directory

SAP, JD Edwards and Peoplesoft Role imports

Supports both authentication and authorization

Users authenticate using their external credentials (username and password)

Security can be applied to external groups for role based deployments

Page 13:

LDAP/AD Security Plug-In

Basic user authentication work flow for external directories (diagram)

* The AD CMS Security Plug-in must run on a Windows OS

Page 14:

AD Security Plug-in

Much more powerful than the simple LDAP plug-in

Uses Windows ADSI rather than LDAP protocol

Supports multiple domains natively

Supports SSO into BOBJ clients

Out-of-the-box

No 3rd party IDM necessary

Supports down-to-the-database SSO in Kerberos-enabled databases

MS SQL Server

MS Analysis Services

Oracle RDBMS

HANA

Supports end-to-end SSO

Page 15:

Authentication required even for Offline Access

Page 16:

Authorization

Page 17:

CMC: Centralized Security for all Products

Centralized security reduces TCO

Single point of administration

Leverage 3rd party security databases – authentication and authorization

Delivers deployment scalability

Full range of security requirements

Group inheritance

Document

Row level

Actions are Audited

Business User

Developer

Page 18:

Security Model

Fine grained access control for authorization

Set rights using ACLs (Access Control Lists)

Centralized web based administration using CMC (Central Management Console)

Control access to resources

Set object level access

Can inherit from parent objects for simple administration

Control access to applications

Set system wide access for users to applications

Web, Desktop and CMC

[Diagram: Groups and Users (group membership maintained in LDAP) are granted Rights on Folders and Objects]

Page 19:

Groups


“Enterprise” Groups

Groups fall under two categories:

Content Access (Folders)

Functional Access (Applications)

Best Practice: Wrap mapped 3rd party groups with Enterprise Groups

Maintains rights should the external group disappear

Allows for a hybrid security model

Coarse-grained departmental groups mapped in from external sources

Fine-grained functional groups created & managed by BO Administrators

Page 20:

Object Level Rights

Security Right

Grants or denies access to a particular action

Granted, Denied, Inherited, and Undefined

Access Levels

Apply to all objects and enforced by the CMS (Central Management Server)

Examples: View, Edit, Modify rights, Schedule, …

Custom Rights

Apply to specific objects for which they are defined

Examples: Refresh Reports Data, Export Reports Data, Download Report Files

Custom Access Levels

Allow roles to be defined that align to your business

Page 21:

Agenda

1. Types of Security

2. SBOP Security Model

3. SSO Strategies

4. Personalization Strategies

Page 22:

Microsoft Impersonation:

AD Domain Controller to Your Workstation

[Diagram: the user logs on to the workstation as AMERICAS\phearmon; the AMERICAS domain controller verifies the credentials]

Page 23:

Microsoft Impersonation:

Workstation to Server Propagation

[Diagram: the AMERICAS\phearmon identity is carried from IE on the workstation to the web server, whose IIS threads impersonate AMERICAS\phearmon]

Page 24:

Microsoft Impersonation:

Server to Server Propagation

[Diagram: the same AMERICAS\phearmon identity is passed from the IIS threads on to the database middleware (DB M/W), which still runs the request as AMERICAS\phearmon]

Page 25:

'Silent Sign On' to Portal

[Diagram: Client -> Web Server -> Web App Server -> BOE Server, for the request http://myBI/InfoView]

Allowing a user to go straight through to the Home Page without seeing a login page

Page 26:

Cross-site request forgery (CSRF)

With silent sign-on the browser attaches the user's session to every request it sends to the BI site, including a request triggered by a link in an e-mail. If a state-changing action is exposed on a plain GET URL, clicking that link performs the action with the victim's authority:

http://infoview/BI/Launchpad?delete_all_my_reports=true
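The attack behind the slide title, as an added example (not code from the deck or from SAP): a minimal in-memory model of a launchpad web tier in Python. The browser attaches the session cookie to every request it makes to the site, including one triggered by a link in an e-mail, so with silent sign-on a state-changing GET URL runs with the victim's authority. The hardened handler accepts the action only on a POST that carries a per-session synchronizer token, which a page on another origin cannot read. The cookie name, the paths and the report store are assumptions.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    user: str
    # Per-session synchronizer token: readable by pages served from the BI
    # site, not by a page on another origin (assumption: same-origin policy).
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    path: str
    query: dict
    cookies: dict                      # attached by the browser automatically
    form: dict = field(default_factory=dict)


class Launchpad:
    """In-memory stand-in for the launchpad web tier (names are assumptions)."""

    def __init__(self):
        self.sessions = {}             # cookie value -> Session
        self.reports = {}              # user -> list of report names

    def silent_sign_on(self, user):
        """Silent sign-on: the browser ends up holding a session cookie
        without the user ever seeing a login page."""
        cookie = secrets.token_urlsafe(16)
        self.sessions[cookie] = Session(user)
        self.reports.setdefault(user, ["Sales Q1", "Sales Q2"])
        return cookie

    def _session(self, req):
        return self.sessions.get(req.cookies.get("BOE_SESSION"))

    def handle_vulnerable(self, req):
        """State change on a plain GET, authorised by the cookie alone."""
        sess = self._session(req)
        if sess is None:
            return 401
        if req.path == "/BI/Launchpad" and req.query.get("delete_all_my_reports") == "true":
            self.reports[sess.user] = []
        return 200

    def handle_hardened(self, req):
        """State change only on a POST that carries the session's token."""
        sess = self._session(req)
        if sess is None:
            return 401
        if req.path == "/BI/Launchpad/deleteAll":
            if req.method != "POST":
                return 405
            if not secrets.compare_digest(req.form.get("csrf_token", ""), sess.csrf_token):
                return 403
            self.reports[sess.user] = []
        return 200


def email_link_attack():
    """Plays the e-mail-link scenario against both handlers and returns
    (status, reports left) pairs in the order the requests were made."""
    # Victim is silently signed on; the attacker mails the link.
    vuln = Launchpad()
    jar = {"BOE_SESSION": vuln.silent_sign_on("phearmon")}
    # 1. click on the link: GET, cookie attached, no intent, no token
    s1 = vuln.handle_vulnerable(
        Request("GET", "/BI/Launchpad", {"delete_all_my_reports": "true"}, jar))
    out = [(s1, list(vuln.reports["phearmon"]))]

    hard = Launchpad()
    jar = {"BOE_SESSION": hard.silent_sign_on("phearmon")}
    # 2. the same click against the hardened tier
    s2 = hard.handle_hardened(Request("GET", "/BI/Launchpad/deleteAll", {}, jar))
    out.append((s2, list(hard.reports["phearmon"])))
    # 3. attacker page auto-submits a cross-site POST: cookie yes, token unknown
    s3 = hard.handle_hardened(
        Request("POST", "/BI/Launchpad/deleteAll", {}, jar, {"csrf_token": "guess"}))
    out.append((s3, list(hard.reports["phearmon"])))
    # 4. the genuine launchpad page, which can read the token, posts it back
    token = hard.sessions[jar["BOE_SESSION"]].csrf_token
    s4 = hard.handle_hardened(
        Request("POST", "/BI/Launchpad/deleteAll", {}, jar, {"csrf_token": token}))
    out.append((s4, list(hard.reports["phearmon"])))
    return out


if __name__ == "__main__":
    for status, left in email_link_attack():
        print(status, left)
```

Moving the action off GET is what defeats the e-mail link; the token is what defeats an attacker page that auto-submits a form. A SameSite=Lax attribute on the session cookie is worth setting in addition, since current browsers then leave the cookie off cross-site POSTs, but the server-side token does not depend on browser behaviour.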

Page 27:

SSO Strategies

LogonToken / SessionToken

SiteMinder

Trusted Authentication

Active Directory SSO-into-the-Client (via Kerberos/Vintela)

Active Directory SSO-down-to-the-database (via Delegation/Kerberos)

Page 28:

SiteMinder

1. User requests InfoView URL through browser

2. User is redirected to SiteMinder authentication page

3. User enters credentials, which are verified against the AD/LDAP directory for web application access

4. LDAP responds that user credentials are valid

5. SiteMinder returns token and UID

6. SiteMinder agent enters token and UID in HTTP header and authorizes access to InfoView application directory

7. Web App Server creates Enterprise session with CMS, providing SiteMinder token and UID

8. CMS validates the token and UID with the SiteMinder policy server

9. SiteMinder policy server replies that token and UID are valid; user is authorized in CMS

10. CMS does read-only lookup of user group membership

11. LDAP provides user group membership

12. CMS returns requested objects to Web App Server

13. Web App Server returns InfoView page to user

14. Web Server returns HTML from InfoView to user

Page 29:

Trusted Authentication

We delegate the responsibility of authentication to a third party

Typically a web server plug-in that talks to an identity management tool

Thereby 'trusting' it to provide an authenticated username to us

We take the username and just log them in

no questions asked

No password needed

Or more accurately:

We bypass the authentication phase

But we still authorize the user (i.e. get their groups)

Trusted Authentication has proven to be very popular with our customers, including many security-conscious banks who are quite comfortable using this feature in their infrastructures.
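What 'trusting' the plug-in has to mean in practice, as an added example in Python (not the platform's own Trusted Authentication code, which is configured separately): if the application simply believed a username header, anyone able to reach the application server directly could log on as anybody by typing the header themselves. Below, the plug-in binds the username to a secret shared only with the application and to a timestamp, and the application verifies that binding before it skips the authentication phase. The header names, the secret value and the five-minute skew window are assumptions.

```python
import hashlib
import hmac
import time

# Assumptions: the secret is provisioned to the plug-in and the application out
# of band and rotated; the window bounds how long a captured header is replayable.
SHARED_SECRET = b"example-only-replace-and-rotate"
MAX_SKEW_SECONDS = 300


def _mac(user, ts, secret):
    return hmac.new(secret, f"{user}|{ts}".encode(), hashlib.sha256).hexdigest()


def sign_principal(user, ts=None, secret=SHARED_SECRET):
    """Plug-in side: after it has really authenticated the user, emit the
    headers that carry the principal to the application."""
    ts = int(time.time()) if ts is None else int(ts)
    return {"X-Trusted-User": user,
            "X-Trusted-Ts": str(ts),
            "X-Trusted-Sig": _mac(user, ts, secret)}


def proxy_forward(client_headers, authenticated_user, ts=None, secret=SHARED_SECRET):
    """Plug-in side, the other half: discard any X-Trusted-* header the client
    itself sent, then add the plug-in's own signed copy."""
    clean = {k: v for k, v in client_headers.items() if not k.startswith("X-Trusted-")}
    clean.update(sign_principal(authenticated_user, ts, secret))
    return clean


def naive_logon(headers):
    """'We take the username and just log them in, no questions asked.'"""
    return headers.get("X-Trusted-User")


def verified_logon(headers, now=None, secret=SHARED_SECRET):
    """Application side: accept the username only if it was bound to the shared
    secret recently. Returns the principal, or None to fall back to a real logon."""
    user = headers.get("X-Trusted-User")
    ts = headers.get("X-Trusted-Ts")
    sig = headers.get("X-Trusted-Sig")
    if not (user and ts and sig):
        return None
    try:
        ts = int(ts)
    except ValueError:
        return None
    now = int(time.time()) if now is None else int(now)
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return None
    if not hmac.compare_digest(_mac(user, ts, secret), sig):
        return None
    return user
```

The proxy step matters as much as the check: the plug-in must drop any X-Trusted-* header the client sent before adding its own, and the application server should be reachable only through the plug-in, since the check above only proves that whoever set the header knew the secret.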

Page 30:

Basic SAML Integration

BOE can act as a SAML Relying Party

Consumes SAML Assertions

Scrapes the Principal name from the assertion

But currently unable to set rights within BOE according to a Principal's Attributes

Page 31:

Agenda

1. Types of Security

2. SBOP Security Model

3. SSO Strategies

4. Personalization Strategies

Page 32:

Security revisited: SAP-based Personalization

Tight integration with SAP security and authorization roles

SSO via SAP logon ticket supported (or third party)

Authorization Roles applied to each user regardless of SSO mechanism

[Diagram: BOE users Dave, Mary, Paul, Susan (provisioned from LDAP); for userID='Paul' BOE impersonates 'Paul' in SAP, whose authorization (city='AUSTIN') filters the full table

AUSTIN Dinner $10
AUSTIN Shirt $12
DALLAS Ring $30
DENVER Tie $10
AUSTIN Club $15

down to

AUSTIN Dinner $10
AUSTIN Shirt $12
AUSTIN Club $15]

Page 33:

Row-Level Security: Non-SAP Personalization

Custom attributes stored in external authorization system

Additional attributes can be captured and used to set:

Groups within BOE (Authorization)

Custom database-level row-level restrictions (Access Restrictions)

[Diagram: Custom User Attributes held in BOE per user (city='CHICAGO', city='NEW YORK', city='AUSTIN', city='DALLAS', ...); for userID='Paul' the attribute city='AUSTIN' filters the full table

AUSTIN Dinner $10
AUSTIN Shirt $12
DALLAS Ring $30
DENVER Tie $10
AUSTIN Club $15

down to

AUSTIN Dinner $10
AUSTIN Shirt $12
AUSTIN Club $15]

Page 34:

Dimensional Entitlement Tables

Personalization rules are maintained using tables in the database

[Diagram: the user tells BIP "I am Paul"; BIP runs

select * from table where username = 'Paul'

and Paul can only see Product 'XYZ']

BIP passes a 'claim' (typically the username) that was given to it down to the database within the SQL WHERE clause

Page 35:

Database Metadata: Oracle VPD, Teradata Query Banding

Personalization rules are maintained using database metadata

[Diagram: the user tells BIP "I am Paul"; BIP logs on to / impersonates 'Paul' at the database, and Paul can only see Product 'XYZ']

BIP logs on as / impersonates the user's identity, and the rules (maintained by the DBAs) filter the user's perspective of the data

Page 36:

BI Tools Metadata

Personalization rules are maintained in the BI Tool's metadata

[Diagram: the user tells BIP "I am Paul"; BIP runs

select * from table where product = 'XYZ'

and Paul can only see Product 'XYZ']

BIP constructs the necessary SQL WHERE clause to restrict the data

Page 37:

Claims-based Assertions

Personalization rules are maintained in an external IdM

[Diagram: the user tells BIP "I am Paul"; the Identity Management System supplies Paul's entitlements; BIP runs

select * from table where product = 'XYZ'

and Paul can only see Product 'XYZ']

BIP is given the entitlements (possibly using SAML), then constructs the necessary SQL WHERE clause to restrict the data

Page 38:

Personalization Strategy Types

Maintained in the database, in database tables:

Simple to manage by authorized users via a data-driven GUI or via ETL jobs

Linked into the BI Tool's semantic layer

Open (can be used by any query tool)

Maintained in the database's metadata:

Managed by the DBAs

Transparent to the BI Tool

Open (can be used by any query tool that supports Stored Procedures invoked at login)

Maintained in the BI Tool's metadata:

Managed by the BI Administrators

Closed: only available to the query tool

Maintained somewhere else? In an IdM (Identity Management System)?

Assertions are 'pushed' down into BOE at logon time (Claims-based / SAML)

Page 39:

Universe Personalization Strategies

Dimensional Entitlement Tables (BO_USER attribute)

Custom User Attributes

Data Security Profiles / Business Security Profiles

'Universe Access Restrictions' (XI 3.x), a.k.a. 'Universe Overrides'

Windows Impersonation: powerful, but doesn't work for scheduled reports

Database personalization: SAP BW AA7 (Analysis Authorization 7); Oracle VPD, Oracle Proxy; DB/2; Teradata Query Banding (Trusted Sessions)

Secondary Credentials (DBUSER & DBPASS)

Page 40:

Other Personalization Strategies

BI Publisher: personalization using BO Profile rules

Useful for external delivery options

VTS (View Time Security): legacy Crystal Reports feature

Both operate on static, cached information

Relies on the BI Engine to perform personalization

Page 41:

Dimensional Entitlement Tables

Simple, Single-domain:

USER   ACCESS
Al     NW
Alice  SW
Alice  SE
Alice  NE
Jerry  SW
Jerry  NW

Applied to a single Dimension only

Multi-domain:

USER   DOMAIN   ACCESS
Alice  Office   SW
Alice  Office   SE
Alice  Office   NE
Ed     Channel  C
Ed     Channel  D
Ed     Product  F
Emma   Office   NE
Jerry  Office   SW
Jerry  Office   NW
Jerry  Channel  F
Jerry  Channel  E
Max    Product  BU
Max    Product  BL

Maintains entitlements to multiple Dimensions in a single table

Page 42:

Dimensional Entitlements – Universe Integration

Allows us to easily integrate the Universe into your existing entitlement rules (table SEC_ENTITLEMENTS)

WHERE region IN
(SELECT access FROM sec_entitlements WHERE user = @variable('$BO_USER$'))

1. You build a Universe Object* (e.g. "Store Name") that includes the WHERE clause above

*Actually, this would be performed as a self-join on the dimensional table, so that all objects based on that table have the restriction applied – but people tend to find it easier to visualize the process if I begin by applying it to an object

Page 43:

Dimensional Entitlements – Universe Integration

Allows us to easily integrate the Universe into your existing entitlement rules (table SEC_ENTITLEMENTS)

2. The special variable @variable('$BOUSER$') is replaced at run-time with the user's BOBJ Account name, e.g. "ALICE":

WHERE region IN
(SELECT access FROM sec_entitlements WHERE user = 'ALICE')

Page 44:

Dimensional Entitlements – Universe Integration

Allows us to easily integrate the Universe into your existing entitlement rules (table SEC_ENTITLEMENTS)

3. The sub-SELECT returns all the entitlements for Alice (i.e. "SW, SE, NE"), so the clause is effectively:

WHERE region IN ('SW', 'SE', 'NE')
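The three steps above run end to end, as an added example in Python on SQLite (constructed data, not the deck's code): the two entitlement tables from the earlier slide, a small sales fact table, and the same IN (sub-SELECT) clause. The platform's @variable substitution is represented here by a bound query parameter, so the account name can never change the shape of the SQL. The multi-domain variant goes beyond the slide: it shows the difference between treating a user who has no row for a dimension as entitled to nothing in it (strict) or to everything in it (permissive); only the first fails closed. The fact table and its column names are assumptions.

```python
import sqlite3

# Constructed sample data: the two entitlement tables from the slide plus a
# small sales fact table (region, channel, product, amount).
SINGLE_DOMAIN = [("Al", "NW"), ("Alice", "SW"), ("Alice", "SE"), ("Alice", "NE"),
                 ("Jerry", "SW"), ("Jerry", "NW")]
MULTI_DOMAIN = [("Alice", "Office", "SW"), ("Alice", "Office", "SE"), ("Alice", "Office", "NE"),
                ("Ed", "Channel", "C"), ("Ed", "Channel", "D"), ("Ed", "Product", "F"),
                ("Emma", "Office", "NE"), ("Jerry", "Office", "SW"), ("Jerry", "Office", "NW"),
                ("Jerry", "Channel", "F"), ("Jerry", "Channel", "E"),
                ("Max", "Product", "BU"), ("Max", "Product", "BL")]
SALES = [("SW", "C", "F", 100), ("SE", "D", "F", 200),
         ("NE", "C", "BU", 300), ("NW", "E", "BL", 400)]


def build_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE sec_entitlements(user TEXT, access TEXT);
        CREATE TABLE sec_entitlements_md(user TEXT, domain TEXT, access TEXT);
        CREATE TABLE sales(region TEXT, channel TEXT, product TEXT, amount INTEGER);
    """)
    con.executemany("INSERT INTO sec_entitlements VALUES (?, ?)", SINGLE_DOMAIN)
    con.executemany("INSERT INTO sec_entitlements_md VALUES (?, ?, ?)", MULTI_DOMAIN)
    con.executemany("INSERT INTO sales VALUES (?, ?, ?, ?)", SALES)
    return con


def entitlements_for(con, bo_user):
    """Step 3 of the slide: what the sub-SELECT yields once the user is known."""
    rows = con.execute("SELECT access FROM sec_entitlements WHERE user = ?", (bo_user,))
    return sorted(access for (access,) in rows)


def sales_single_domain(con, bo_user):
    """The slide's clause. The account name goes in as a bound parameter, which
    is the role @variable('$BOUSER$') plays in the Universe."""
    sql = """SELECT region, amount FROM sales
             WHERE region IN (SELECT access FROM sec_entitlements WHERE user = ?)
             ORDER BY region"""
    return con.execute(sql, (bo_user,)).fetchall()


def _dim_predicate(column, domain, strict):
    # domain is a code-level constant, never user input, so the literal is safe.
    sub = f"(SELECT access FROM sec_entitlements_md WHERE user = :u AND domain = '{domain}')"
    pred = f"{column} IN {sub}"
    # strict: no row for this dimension means no data at all (fails closed).
    # permissive: no row for this dimension means the dimension is unrestricted.
    return pred if strict else f"(NOT EXISTS {sub} OR {pred})"


def sales_multi_domain(con, bo_user, strict=True):
    """One predicate per secured dimension, all driven by the multi-domain table."""
    dims = [("region", "Office"), ("channel", "Channel"), ("product", "Product")]
    where = " AND ".join(_dim_predicate(col, dom, strict) for col, dom in dims)
    sql = f"SELECT region, channel, product, amount FROM sales WHERE {where} ORDER BY region"
    return con.execute(sql, {"u": bo_user}).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("Alice ->", entitlements_for(db, "Alice"), sales_single_domain(db, "Alice"))
    print("Jerry strict ->", sales_multi_domain(db, "Jerry"))
    print("Jerry permissive ->", sales_multi_domain(db, "Jerry", strict=False))
```

With the slide's data nobody holds rows in all three domains, so the strict form returns nothing for everyone; that is the behaviour to start from and relax deliberately, per dimension, rather than the other way round.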

Page 45:

Custom User Attributes: BI 4.0 FP3 (SP4+) Enhancement

New page in the CMC to list and administer Custom User Attributes

Populated from an LDAP attribute (e.g. 'city'), or from the CMC or SDK

Page 46:

Custom User Attributes: BI 4.0 FP3 (SP4+) Enhancement

The value of Custom User Attributes for each user is displayed in the CMC, in the user properties dialog

Administrator can explicitly enter the value for Custom User Attributes defined in the CMS repository

Values retrieved from LDAP and SAP data sources are displayed

Values can be used to pass down parameters to entitlement tables

Entitlement tables no longer have to be defined at 'user' granularity (can now be much higher)

Page 47:

Access Restrictions (XI 3.x)

Allows us to define entitlement rules directly into our Semantic Layer

Page 48:

Data Security Profiles (BI 4.x)

Data Security Profiles can be defined only for relational universes

Data Security Profiles are the equivalent of classic universe access restrictions

Connection Data Security Profile

Replaces a connection by another one

In case of a multi-source universe, each connection can be independently replaced

Ability to drill into connection folders

Page 49:

Business Security Profiles (BI 4.x)

A Business Security Profile can be used to define what a user/group can see in the query panel.

It can be used to grant or deny:

• Business layer views

• Business layer objects

Denied views and objects are not displayed in the Query Panel

Page 50:

Data/Business Security Profiles - Benefits

Can be set individually or at group level

Faster than Dimensional Entitlement Tables

Incur less load on the database, since the entitlements are set directly in the semantic layer (i.e. already 'known') and do not need to be discovered via a sub-SELECT before every query

Can be programmatically created/modified via the 'BI Platform Enterprise SDK'

Page 51:

Business Views' VTS (View Time Security)

A Crystal Decisions concept

Implemented using Business Views

A report instance is refreshed against the database using no personalization rules

Filtering of the data is performed on-the-fly at view time

Think: similar to 'Publisher', but with filtering performed at view time rather than in batch

Limitations

Only available for CR and none of the other content types on the BI Platform

Uses deprecated functionality (i.e. Business Views)

No formal sizing guidelines from Product Group

Users view a potentially stale snapshot of the data (i.e. a filtered report instance)

Undecided (as of May 2013) when it will be ported to .UNX Universes

Certainly not in the BI 4.1 timeframe

Page 52:

Oracle VPD

Oracle/Universe DBMS_SESSION

With an ORACLE database you can use connection initialization to take advantage of fine-grained access control (also known as Virtual Private Database, VPD).

The Oracle security context is defined using Oracle's CLIENT_IDENTIFIER session variable to filter the data returned to the user.

The DBAs get to define what rights to rows and columns that user has.

Page 53:

Oracle VPD – How BIP Uses It

Fires off a stored procedure immediately upon connecting to the Oracle instance, using the ConnectInit Universe parameter.

We can use it to set the identity of the user for that particular session.

Everyone logs on under a generic account, say 'scott/tiger', then fires off a stored procedure to say, 'actually this is Paul'.

Because every session starts as the same generic account, the VPD policy should fail closed: when no client identifier has been set it must return a predicate that matches no rows, otherwise a session whose ConnectInit call did not run would see everything.

Page 54:

Secondary Credentials (DBUSER & DBPASS)

Limited practical value

Ask yourself, "How will you keep the DBPASS variable in sync as the user's database credentials expire?"

• Yes, you can set the DBPASS programmatically using the SBOP Enterprise SDK, but with what?

• Obtaining the user's password is a tough obstacle

• Obtaining it programmatically is almost always impossible. IdMs will allow you to reset a user's password, but rarely retrieve it (except for SiteMinder).

• Asking the users to keep them in sync is impractical

Page 55:

Explorer Personalization Strategies

Explorer can use Personalization InfoSpaces to dynamically filter user result sets at run-time

BWA: combination of one Analysis Authorization Object + Personalization InfoSpaces

HANA: Analytic Privileges

Page 56:

Advanced Personalization – Column Masking

Two approaches

'All or Nothing': two columns, one masked, one unmasked

'Row-by-row': UNIONed

e.g. 123-45-6789 shown unmasked, or masked as xxx-xx-6789
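Both approaches in working SQL, as an added example in Python on SQLite (constructed data, not from the deck): the sensitive column is an SSN, Paul is entitled to see unmasked values for AUSTIN only, and everyone else sees the xxx-xx-6789 form. The table and column names, the entitlement table and the stand-in for the security profile are assumptions.

```python
import sqlite3

# Constructed sample data: people with a sensitive column, and which BOE users
# may see the unmasked value for which city.
PEOPLE = [("Fred", "AUSTIN", "123-45-6789"),
          ("Wilma", "DALLAS", "987-65-4321"),
          ("Barney", "AUSTIN", "555-12-3456")]
SSN_ENTITLEMENTS = [("Paul", "AUSTIN")]

# Masking expression used by both approaches (SQLite syntax).
MASK_EXPR = "'xxx-xx-' || substr(ssn, -4)"


def build_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE people(name TEXT, city TEXT, ssn TEXT);
        CREATE TABLE sec_ssn(user TEXT, city TEXT);
    """)
    con.executemany("INSERT INTO people VALUES (?, ?, ?)", PEOPLE)
    con.executemany("INSERT INTO sec_ssn VALUES (?, ?)", SSN_ENTITLEMENTS)
    return con


def all_or_nothing(con, bo_user, unmasked_users):
    """Approach 1: two universe objects, 'SSN' and 'SSN (masked)'. Which one a
    user may select at all is decided by the security profile before the query
    is built; unmasked_users stands in for that profile. The whole column is
    either clear or masked for this user."""
    column = "ssn" if bo_user in unmasked_users else MASK_EXPR
    return con.execute(f"SELECT name, {column} FROM people ORDER BY name").fetchall()


def row_by_row(con, bo_user):
    """Approach 2: one result set in which each row is clear or masked according
    to the user's entitlement for that row, built as a UNION of the two cases.
    NOT EXISTS rather than NOT IN: if the entitlement sub-select ever yields a
    NULL, NOT IN evaluates to unknown for every row and silently returns nothing."""
    sql = f"""
        SELECT name, ssn FROM people p
         WHERE EXISTS (SELECT 1 FROM sec_ssn s WHERE s.user = :u AND s.city = p.city)
        UNION ALL
        SELECT name, {MASK_EXPR} FROM people p
         WHERE NOT EXISTS (SELECT 1 FROM sec_ssn s WHERE s.user = :u AND s.city = p.city)
        ORDER BY name"""
    return con.execute(sql, {"u": bo_user}).fetchall()


if __name__ == "__main__":
    db = build_db()
    print(all_or_nothing(db, "Paul", {"Paul"}))
    print(row_by_row(db, "Paul"))
    print(row_by_row(db, "Dave"))
```

The all-or-nothing form is cheap and easy to audit because the decision is visible in the security profile; the row-by-row form costs a second scan of the table but lets one report serve users with different entitlements.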

Page 57:

Windows Impersonation:

End-to-End SSO & Personalization

[Diagram: Client -> Web Server (optional) -> Web App Server -> BOE Server -> DB Server, the request carrying the identity "Fred" all the way to the database, so the full table

Fred Dinner $10
Fred Shirt $12
Wilma Ring $30
Barney Tie $10
Fred Club $15

is returned as

Fred Dinner $10
Fred Shirt $12
Fred Club $15]


Page 59:

Thank you!

Paul Hearmon

[email protected]