Cache Security- The Basics

  1. Cache Security 1
     Katherine Reid, Mike Moulckers
  2. Goals
     • Understand Cache security model
     • How to apply it to a simple web application
  3. Academy Agenda
     • Introduction
     • Authentication
     • Authorization
     • Auditing
  4. Configuration Details
     • Username and Password:
       – User: Admin
       – Password: academy
  5. Introduction
  6. Security Components
     1. Authentication
     2. Authorization
     3. Auditing
  7. Security Configuration At Install
     • Determines the initial configuration settings for Caché Services and Security: Minimal, Normal, Locked Down
     • Changes:
       – System-wide settings
       – User accounts
       – Service properties
  8. System Management Portal
     • Portal redesigned for 2011.1
       – Granular security
  9. System wide settings
  10. Exercise 1: Password Validation
     • Test password validation and explore examples of what it can be used for.
  11. Demo: ZEN Application
  12. Exercise 2: Creating a User
     • Create a user to use in the Inventory application.
  13. User Profile
  14. Authentication
  15. Authentication
     What is authentication?
  16. Authentication Methods
     • Unauthenticated
     • Password
     • Operating System
     • LDAP
     • Delegated Authentication
     • Kerberos
  17. Unauthenticated
     • No username or password required.
     • Always logged in as ‘UnknownUser’.
  18. Cache Password Authentication
     • Simple
     • Easy to set up for a single instance
     • User data stored in local instance
  19. OS Authentication
     • User identified to Caché by OS user identity
     • User authenticates to the OS using the native mechanism
     • Only available for server-side processes
       – Terminal
  20. LDAP
     • Already in use at many sites.
     • Allows centralized user storage.
  21. Delegated
     • User-defined authentication mechanism
     • Re-use existing custom/legacy authentication code for new, modern applications.
     • Code is in the ZAUTHENTICATE routine.
     • The authentication code can be any user-defined:
       – Caché ObjectScript
       – Embedded SQL
       – Class Method(s)
       – $ZF callout code
  22. Kerberos
     • Most secure authentication type.
     • Used by Windows.
     • Requires a Kerberos Domain Controller
       – e.g., Windows Domain Controller
  23. Services
  24. Service Detail
  25. Authentication Options
  26. Exercise 3: Authentication Types
     • Change the authentication types allowed in the Inventory application so that users have to provide a username and password to log in.
  27. Authorization
  28. Authorization
     What is authorization?
  29. Terminology
     • Asset: something that is protected:
       – A Caché database
       – Caché SQL connection
       – Ability to perform a backup
  30. Terminology
     • Resource: something which protects an asset:
       – Database Resource (e.g. %DB_Samples)
       – Administrative Resource (e.g. %Admin_Manage)
       – Development Resource (e.g. %Development)
       – Service Resource (e.g. %Service_CSP)
       – User Defined
  31. Terminology
     • Permission: allows you to perform an action
       – Read (R): View (but not change) the contents of a resource
       – Write (W): View or change the contents of a resource
       – Use (U): Use a resource, such as an Application or Service
  32. Terminology
     • Privilege: grants permission to do something with a resource protecting one or more assets
       – A privilege is written as a resource name followed by a permission, separated by a colon. Example: %DB_SAMPLES:Read
  33. More about Privileges…
     • Privileges can be made Public.
     • Effectively, this is equivalent to all users holding that privilege
       – Example: if the %Service_CacheDirect:Use privilege is Public, then any user can connect to Caché using the Caché Direct technology
     • Caché provides a function to check on privileges held by the current process:
       – $SYSTEM.Security.Check(Resource,Permission)
  34. Exercise 4: Public Resource
     • We've decided that all authenticated users of our system should be allowed to run this application. We will make the database which holds the code publicly readable so that everyone can run it.
  35. Roles
     • Role: a named collection of privileges
       – Multiple users typically need the same set of privileges.
       – Sets of privileges can be defined once and shared.
       – Privileges are only assigned to roles.
       – Privileges are not assigned directly to users.
       – A user can have more than one role.
  36. Exercise 5: Roles and Resources
     • We will add code to our Inventory application to individually control access to the functions in the application, and create roles and resources to allow users to access them.
  37. Three ways to get Roles...
     • At user login
     • Granted by an application
     • Code stored in CACHESYS can set $Roles
  38. Application Roles
     • Everyone running the application gets application roles
  39. Exercise 6: Application Roles
     • Instead of having database access in the roles, we will have the application give this to users. The application will control access to the database.
  40. Matching Roles
     • Only the users who have the first role get the second role.
  41. Exercise 7: Matching Roles
     • We may not want all users to be able to access all the data on entering the application. Demonstrate how matching roles can be assigned to selected users.
  42. Granular Security in the SMP
  43. Granular Security in the SMP
  44. Exercise 8: Granular Security in the SMP
     • Demonstrate the new granular security in the System Management Portal
  45. Auditing
  46. Why Audit?
     • Allows monitoring of system
     • Deterrent
  47. What events are audited?
     • System defined events
     • User defined events
  48. Where is it kept?
     • Audit data is stored in a database called CACHEAUDIT.
     • Protected by the %DB_CACHEAUDIT resource.
       – No user should have access to this resource directly.
     • View via SMP, terminal utilities, SQL, APIs, etc.
  49. Exercise 9: Viewing the Audit Log
     • We demonstrate using the audit log to see what has happened on the system.
  50. What’s in an audit record?
  51. Join the Global Summit Community
     We’ve established an online community where you can:
     • talk about the Global Summit
     • get helpful product information
     • share your thoughts about sessions
     • ask questions of presenters
     • assemble a group to meet for dinner or social events, etc.
     community.intersystems.com
  52. Questions?
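
The authorization rules on slides 29 to 41 (public privileges, roles, application roles and matching roles) can be traced with a small model. This is an added example, not code from the deck or from Caché: it is a simplified Python model of the described behaviour, and every role, resource and application name in it is constructed, as is the assumption that matching roles are evaluated against the roles held at login.

```python
# Simplified model of the authorization rules on slides 29-41 (added example).
# All role, resource and application names are constructed for illustration.

PUBLIC = {("%DB_INVCODE", "R")}   # public privileges: held by every user

ROLES = {                         # role -> privileges as (resource, permission)
    "InvClerk":   {("InvView", "U")},
    "InvManager": {("InvView", "U"), ("InvEdit", "U")},
    "InvReader":  {("%DB_INVDATA", "R")},
    "InvWriter":  {("%DB_INVDATA", "W")},
}

INVENTORY_APP = {
    "application_roles": {"InvReader"},               # everyone running the app
    "matching_roles": {"InvManager": {"InvWriter"}},  # first role -> second role
}


def effective_roles(login_roles, app=None):
    """Roles held at login plus whatever the application grants."""
    roles = set(login_roles)
    if app is not None:
        roles |= app["application_roles"]
        for first, second in app["matching_roles"].items():
            if first in login_roles:      # assumption: matched against login roles
                roles |= second
    return roles


def check(roles, resource, permission):
    """Model of $SYSTEM.Security.Check(Resource,Permission) for R, W or U."""
    held = set(PUBLIC)
    for role in roles:
        held |= ROLES.get(role, set())
    if (resource, permission) in held:
        return True
    # Slide 31 defines Write as "view or change", so W also satisfies an R check.
    return permission == "R" and (resource, "W") in held


def report(user_roles, app=None):
    """Return the (resource, permission) pairs that check() allows."""
    roles = effective_roles(user_roles, app)
    probes = [("%DB_INVCODE", "R"), ("%DB_INVDATA", "R"), ("%DB_INVDATA", "W"),
              ("InvView", "U"), ("InvEdit", "U")]
    return [p for p in probes if check(roles, *p)]


if __name__ == "__main__":
    print("clerk in app:   ", report({"InvClerk"}, INVENTORY_APP))
    print("manager in app: ", report({"InvManager"}, INVENTORY_APP))
    print("manager outside:", report({"InvManager"}))
```

Outside the application the manager keeps the function-level privileges but has no access to the data database, which is the effect Exercise 6 aims for by moving database access out of the login roles.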
