Fine Grain Access Control for Admission & Graduation


  1. SUNGARD SUMMIT 2007 | sungardsummit.com
     FGAC for Admission/Graduation
     Presented by: Khalid M. Tariq, Supervisor, Student Records Systems, Higher Colleges of Technology
     March 20, 2007
     Course ID 1311

  2. Objectives
     By the end of this presentation, you will be able to:
     - Differentiate between FGAC and VBS
     - Describe the basic steps to set up VBS
     - Explain the specific security needs of the admissions and graduation modules at HCT
     - Explain how FGAC was used to address those needs
     - Use ERDs while implementing FGAC

  3. Agenda
     - Introduction to HCT
     - Basic Concepts in FGAC
     - HCT implementation of FGAC for admissions
     - HCT implementation of FGAC for graduation
     - Lessons Learned and Summary

  4. Part 1: Introduction to HCT

  5. Highlights of HCT
     - Located in the United Arab Emirates
     - First institution in the Middle East to go live with Banner 7.x
     - Started in 1988 with 239 students and four campuses
     - Today:
       - Enrollment: 16,000+
       - Colleges: 15 (STVCAMP)
       - Graduates: 22K+
       - Credentials awarded: 32K+
       - Programs offered in 2006: 80+ (SMAPRLE)
       - Academic divisions: 6 (STVCOLL)
       - 3,000-4,000 students graduate every year

  6. Where We Are
     (map of campus locations)

  7. Distributed Campuses with a Central System Registrar
     (map with the number of campuses per location: 2, 2, 2, 2, 3, 2, 2)

  8. Central Banner Support for all 15 Campuses

  9. HCT Unified Digital Campus
     Systems integrated with Banner: NAPO, Faculty Evaluation System, HCT Portal, Attendance Management System, CMS, Textbook Ordering & Tracking System, Quality Assurance System, SYLLABUS PLUS

  10. Part 2: Basic Concepts in FGAC

  11. FGAC vs. VBS
     - Fine Grain Access Control (FGAC) is an Oracle database feature
     - Value Based Security (VBS) is one of the security features of Banner; it is built on top of Oracle FGAC
     - Other Banner features based on Oracle FGAC are PII (Personally Identifiable Information) and VPD (Virtual Private Database)
     - In this presentation I use VBS and FGAC interchangeably

  12. Basic Concepts of VBS
     - You tell Banner to enforce some restriction on some people when some tables are accessed in some way.
     - Whenever anyone accesses the table, Banner checks whether that person belongs to the group associated with the restriction and, if so, enforces it.
     - The beauty of VBS is that it works not only in Banner but for any SQL access to the tables (TOAD, Access, Crystal Reports, etc.), because the restriction is enforced inside the database rather than in the application.
     - For example, if you deny everyone in the admissions department the ability to view a student's personal address (SPRADDR), they will not be able to see it in Banner, TOAD, Access, SQL*Plus, Crystal Reports, etc.

  13. Basic Concepts of VBS
     - VBS predicate logic is defined using SQL, for example:
         SHRDGMR_GRST_CODE = 'AW'
     - Oracle appends the predicate to any access to the table, so a query such as
         SELECT COUNT(SHRDGMR_PIDM) FROM SHRDGMR
       is executed for the restricted user as
         SELECT COUNT(SHRDGMR_PIDM) FROM SHRDGMR WHERE SHRDGMR_GRST_CODE = 'AW'
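What slides 12 and 13 describe is Oracle's own row-level security (DBMS_RLS, the package Banner drives for you through GFVBSADDPOL.SQL and the GOAFGAC rules). The script below is an added example, not Banner's or HCT's code, written directly against DBMS_RLS so the three parts of a VBS rule (the people, the restriction, the table and access type) are visible in one place. The table hct_demo_profile_user, the function and policy name HCT_DEMO_SHRDGMR_SEL, the user CAMPUS_USER1 and the schemas SATURN (owner of SHRDGMR) and BANINST1 are assumptions for the sake of a self-contained script; the predicate is the one on slide 13.

```sql
-- Added example (not Banner or HCT code): a VBS-style rule written directly with
-- Oracle's DBMS_RLS, the package Banner drives through GFVBSADDPOL.SQL/GOAFGAC.
-- ASSUMED names: table hct_demo_profile_user, function and policy
-- HCT_DEMO_SHRDGMR_SEL, user CAMPUS_USER1; schemas SATURN (owner of SHRDGMR)
-- and BANINST1 as in a typical Banner install.
-- Prerequisite (run once as SYS): GRANT EXECUTE ON DBMS_RLS TO baninst1;

-- 1. "Some people": a stand-in for a Banner business profile (GTVFBPR/GOAFBPR).
CREATE TABLE baninst1.hct_demo_profile_user (
  profile_code VARCHAR2(30) NOT NULL,
  user_id      VARCHAR2(30) NOT NULL,  -- Oracle username, upper case
  CONSTRAINT hct_demo_profile_user_pk PRIMARY KEY (profile_code, user_id)
);
INSERT INTO baninst1.hct_demo_profile_user VALUES ('AW_ONLY', 'CAMPUS_USER1');
COMMIT;

-- 2. "Some restriction": the policy function. Oracle calls it with (schema, object)
--    for every statement of the policed types against the table and appends the
--    string it returns to that statement as an extra WHERE predicate.
--    Returning NULL means "no restriction for this session".
CREATE OR REPLACE FUNCTION baninst1.hct_demo_shrdgmr_sel (
  p_schema IN VARCHAR2,
  p_object IN VARCHAR2
) RETURN VARCHAR2
IS
  l_member PLS_INTEGER;
BEGIN
  SELECT COUNT(*)
    INTO l_member
    FROM baninst1.hct_demo_profile_user
   WHERE profile_code = 'AW_ONLY'
     AND user_id      = SYS_CONTEXT('USERENV', 'SESSION_USER');

  IF l_member = 0 THEN
    RETURN NULL;                          -- not in the profile: full access
  END IF;
  RETURN q'[SHRDGMR_GRST_CODE = 'AW']';   -- the predicate from slide 13
END hct_demo_shrdgmr_sel;
/

-- 3. "Some tables, accessed in some way": attach the function to the driver table
--    for SELECT. The database enforces it, so it applies equally to Banner forms,
--    SQL*Plus, TOAD, Access and Crystal Reports.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'SATURN',
    object_name     => 'SHRDGMR',
    policy_name     => 'HCT_DEMO_SHRDGMR_SEL',
    function_schema => 'BANINST1',
    policy_function => 'HCT_DEMO_SHRDGMR_SEL',
    statement_types => 'SELECT',
    enable          => TRUE);
END;
/

-- 4. What CAMPUS_USER1 types:
--      SELECT COUNT(SHRDGMR_PIDM) FROM SATURN.SHRDGMR;
--    What Oracle executes for that session:
--      SELECT COUNT(SHRDGMR_PIDM) FROM SATURN.SHRDGMR WHERE SHRDGMR_GRST_CODE = 'AW';
--    Every other user runs the query unchanged. Filtered rows simply vanish; no error.

-- 5. Confirm the policy is present and enabled (the DBA's view of what GOIFGAC shows).
SELECT object_owner, object_name, policy_name, sel, ins, upd, del, chk_option, enable
  FROM dba_policies
 WHERE object_owner = 'SATURN'
   AND object_name  = 'SHRDGMR';
```

Two checks a practitioner should add to any VBS rollout follow from this. First, VPD is bypassed entirely by SYS and by any account holding the EXEMPT ACCESS POLICY system privilege, so audit who has it (DBA_SYS_PRIVS) before trusting the rule. Second, the policy function runs with its owner's rights and, with the default DYNAMIC policy type, is evaluated on every execution, so membership changes take effect immediately but a slow lookup in the function slows every statement on the table. Run this on a test instance only: on a table Banner already polices through VBS, add rules in GOAFGAC rather than with raw DBMS_RLS, otherwise the two sets of predicates stack.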
  14. Step#1: Write down your Business Requirements
     - Only counselors can view counselor-type comments entered in the student comments form.
     - Counselors cannot delete or update comments entered in the student comments form by other counselors.

  15. Step#2: Refine your Business Requirements with Tables and Access Type Information
     - Pattern: UserGroup cannot add, update, delete or view data in tables when condition1 is true
     - Identify the driver table that needs the restriction
     - Look at the ERD diagrams and decide whether other tables also need to be restricted

  16. Step#3: Create a Domain in GTVFDMN (Optional)
     - VBS rules are written against a domain
     - Every rule has a base (driver) table; for example, the driver table for the graduation rule is SHRDGMR
     - A domain can have only one driver table
     - If you need another driver table, create another domain
     - Domain names are created in GTVFDMN

  17. Step#3: Create a Domain in GTVFDMN (Optional) cont.
     - Put your institution code at the beginning of the domain name so that the domains you created are easy to find, for example HCT_SB_GRADUATION1_VBS

  18. Step#4: Define the Domain Driver Table in GORFDMN (Optional)
     - In this form you map the driver table to the domain you created
     - For example, the GB_SPRTELE_VBS domain is mapped to the SPRTELE driver table

  19. Step#5: Add Policy Tables in GORFDPL (Optional)
     - Policy tables are tables that have a relationship with the driver table (for example, driver table SARADAP, policy table SARAPPD)
     - If you want your restrictions to apply to the policy tables as well, define the joins between these policy tables and the driver table in GORFDPL
     - Even if you are not going to join the driver table to any policy table, you must still enter the domain and driver table in this form, with an empty join SQL

  20. Step#6: Start Applying Policy to all Tables
     - A script called GFVBSADDPOL.SQL is included in the General/Plus directory as part of your Banner upgrade/installation
     - Log in to the database as BANINST1 and run this script for each table (driver and policy)

  21. Step#7: Define a FGAC Group in GTVFGAC
     - A domain is defined for each driver table
     - Under each domain there can be different groups. One group is created for each type of restriction. For example, a restriction based on student level in SGBSTDN is one group; a restriction based on student status in the same table (SGABSTDN form) requires a separate group

  22. Step#8: Create a Business Profile in GTVFBPR

  23. Step#9: Assign Users to Business Profile in GOAFBPR

  24. Step#10: Define Predicate Rules in GOAFGAC

  25. Step#11: Assign Users to a Predicate in GOAFGAC
     - You can assign either individual users or a group (using business profiles) to a predicate, with the appropriate access levels.

  26. Step#12: View the Policy in GOIFGAC
  27. Part 3: HCT Implementation of FGAC for Admissions

  28. The Need for Row-level Security in Admission
     - HCT is a public institution fully sponsored by the UAE government
     - All students must be admitted via the National Admissions and Placement Office (NAPO)
     - Students are approved by HCT admission officers on the NAPO website and then downloaded into Banner centrally
     - The download process creates SPRIDEN (General Person), SARADAP (Admission Application) and SARAPPD (Admission Decision) records

  29. HCT Banner - NAPO Integration
     (integration diagram: NAPO to Banner)

  30. The Need for Row-level Security in Admission (contd.)
     - Until 2005, HCT downloaded only accepted students from the NAPO database
     - Starting in 2006, a decision was made to download all applicant data from the NAPO database (including applicants who were not approved or were waitlisted)
     - This meant campus admission officers could potentially approve students directly in Banner (SAADCRV) instead of through NAPO
     - We explored the options and decided to use VBS to address this security issue

  31. HCT Admission Codes
     (table of admission decision codes)

  32. Typical Accepted Student Admission Application

  33. Typical Waitlisted Student Admission Application

  34. Business Requirement for Admissions Module
     - Prevent users from entering admission decision '01' (Institution Accepted) if code '02' (Not Approved) or '03' (Waitlisted) is already in the application
     - This cannot be achieved by simply preventing all campus admission officers from accessing SARADAP
     - The solution: VBS in Banner

  35. Step#1: Write down your Business Requirements
     - Prevent users from entering admission decision '01' (Institution Accepted) if code '02' (Not Approved) or '03' (Waitlisted) is already in the application

  36. Step#2: Refine your Business Requirements with Tables and Access Type Information
     - Campus users cannot add decision code 01 in the SAADCRV form (SARAPPD table) when decision code 02 or 03 has already been entered
     - Driver table: SARAPPD

  37. Step#3: Create a Domain in GTVFDMN (Optional)
     - Checked whether a seed-data domain already exists for the SARAPPD table: no
     - Created a new domain: HCT_SB_ADMISISONS1_VBS

  38. Step#4: Define the Domain Driver Table in GORFDMN (Optional)

  39. Step#5: Add Policy Tables in GORFDPL (Optional)
     - No policy tables are needed for SARAPPD; however, the driver table SARAPPD must still be added here

  40. Step#6: Start Applying Policy to all Tables
     - Apply the policies for SARAPPD by running GFVBSADDPOL.SQL

  41. Step#7: Define a FGAC Group in GTVFGAC

  42. Step#8: Create a Business Profile in GTVFBPR

  43. Step#9: Assign Users to Business Profile in GOAFBPR

  44. Step#10: Define Predicate Rules in GOAFGAC

  45. Step#11: Assign Users to a Predicate in GOAFGAC

  46. Step#12: View the Policy in GOIFGAC

  47. (no text on slide)

  48. (no text on slide)
  49. Part 4: HCT Implementation of FGAC for Graduation

  50. The Need for Row-level Security in Graduation
     - The HCT System Registrar is responsible for awarding students centrally
     - This meant that no one outside the System Registrar had access to SHADEGR and SHAMDEG
     - Graduating 4,000 students used to take at least a month after the Spring semester
     - In 2005, the need for a more robust and faster graduation process was identified
     - As a result, HCT made a 180-degree change to graduation processing
     - Most graduation responsibilities were pushed back to the campuses, but students were still awarded centrally by the System Registrar
     - This meant campus staff needed access to SHADEGR and SHAMDEG

  51. A Typical Use of SHADEGR by Campuses

  52. Business Requirement for Graduation Module
     - Prevent users from entering a Degree/Graduation Status of "AW" (Awarded) but allow them to enter other codes such as "PG" (Potential Graduate)
     - This cannot be achieved by simply preventing all campus staff from accessing SHADEGR
     - The solution: VBS in Banner

  53. Step#1: Write down your Business Requirements
     - Prevent users from entering a Degree/Graduation Status of "AW" (Awarded) but allow them to enter other codes such as "PG" (Potential Graduate)

  54. Step#2: Refine your Business Requirements with Tables and Access Type Information
     - UserGroup can never add, update, delete or view "AW" in STVGRST and STVDEGS

  55. Step#3: Create a Domain in GTVFDMN (Optional)

  56. Step#4: Define the Domain Driver Table in GORFDMN (Optional)

  57. Step#5: Add Policy Tables in GORFDPL (Optional)

  58. Step#6: Start Applying Policy to all Tables
     - Run GFVBSADDPOL.SQL for STVDEGS and STVGRST

  59. Step#7: Define a FGAC Group in GTVFGAC

  60. Step#8: Create a Business Profile in GTVFBPR

  61. Step#9: Assign Users to Business Profile in GOAFBPR

  62. Step#10: Define Predicate Rules in GOAFGAC

  63. Step#11: Assign Users to a Predicate in GOAFGAC

  64. Step#12: View the Policy in GOIFGAC
  65. Issues with Graduation FGAC
     - We thought that by preventing users from selecting AW from STVDEGS and STVGRST they could not award a student by mistake...
     - We then found that two students had been un-awarded (degree status changed from AW to SO) by mistake by campus users.
     - The FGAC rule was clearly incomplete: hiding the code in the validation tables only removes it from the pick-lists; it does nothing to protect degree rows that already carry AW. We had to add restrictions on the SHRDGMR table itself.

  66. Step#1: Write down your Business Requirements
     - Campus users can view degree records of students who have been "awarded", but they cannot insert, delete or update any information on such records.

  67. Step#2: Refine your Business Requirements with Tables and Access Type Information
     - UserGroup can never add, update or delete data in SHRDGMR, SHRDGIH, SHRDGDH or SHRDGCM if the student's degree status is "AW"

  68. Step#3: Create a Domain in GTVFDMN (Optional)

  69. Step#4: Define the Domain Driver Table in GORFDMN (Optional)

  70. Step#5: Add Policy Tables in GORFDPL (Optional)

  71. Step#6: Start Applying Policy to all Tables
     - Run GFVBSADDPOL.SQL for:
       - SHRDGMR
       - SHRDGDH
       - SHRDGIH
       - SHRDGCM

  72. Step#7: Define a FGAC Group in GTVFGAC

  73. Step#8: Create a Business Profile in GTVFBPR
     - Already done: use the AW_RESTRICTED profile created earlier.

  74. Step#9: Assign Users to Business Profile in GOAFBPR
     - Already done

  75. Step#10: Define Predicate Rules in GOAFGAC

  76. Step#11: Assign Users to a Predicate in GOAFGAC

  77. Step#12: View the Policy in GOIFGAC
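The lesson of slides 65 to 77 in Oracle terms, as an added example that is not HCT's configuration or Banner's code: the first rule (slides 54-64) policed the validation tables, the second (slides 66-77) polices the degree rows themselves, and only the second stops an existing AW from being changed. Membership in the "campus users" group is modelled here with an Oracle role checked through DBMS_SESSION.IS_ROLE_ENABLED instead of a business profile, purely so the script is self-contained; the role and all HCT_DEMO_* names are assumptions, as are the column SHRDGMR_DEGS_CODE and the SHRDGIH-to-SHRDGMR join columns (take the real join from the ERD, as slide 79 advises). SHRDGMR_GRST_CODE, STVDEGS, STVGRST, SHRDGMR and SHRDGIH are from the slides.

```sql
-- Added example (not Banner or HCT code): the graduation rule in raw DBMS_RLS terms,
-- showing why the first attempt (validation tables) failed and the second
-- (driver-table rows) works.
-- ASSUMED: role HCT_DEMO_AW_RESTRICTED as the "campus users" group, all HCT_DEMO_*
-- names, column SHRDGMR_DEGS_CODE, and the SHRDGIH -> SHRDGMR join columns
-- (SHRDGIH_PIDM / SHRDGIH_DEGS_SEQ_NO); take the real join from the ERD.
-- Prerequisite (run once as SYS): GRANT EXECUTE ON DBMS_RLS TO baninst1;

CREATE ROLE hct_demo_aw_restricted;
-- GRANT hct_demo_aw_restricted TO campus_user1;   -- one grant per campus user

-- Shared membership test used by every policy function below.
CREATE OR REPLACE FUNCTION baninst1.hct_demo_restricted RETURN BOOLEAN IS
BEGIN
  RETURN DBMS_SESSION.IS_ROLE_ENABLED('HCT_DEMO_AW_RESTRICTED');
END;
/

-- Attempt 1 (slides 54-64): hide 'AW' in the validation tables.
-- STVDEGS and STVGRST both have a <table>_CODE column, so one function serves both.
CREATE OR REPLACE FUNCTION baninst1.hct_demo_stv_pred (p_schema VARCHAR2, p_object VARCHAR2)
  RETURN VARCHAR2 IS
BEGIN
  IF NOT baninst1.hct_demo_restricted THEN RETURN NULL; END IF;   -- unrestricted user
  RETURN p_object || q'[_CODE <> 'AW']';                           -- e.g. STVDEGS_CODE <> 'AW'
END;
/
BEGIN
  DBMS_RLS.ADD_POLICY('SATURN', 'STVDEGS', 'HCT_DEMO_STVDEGS_NO_AW',
                      'BANINST1', 'HCT_DEMO_STV_PRED', 'SELECT');
  DBMS_RLS.ADD_POLICY('SATURN', 'STVGRST', 'HCT_DEMO_STVGRST_NO_AW',
                      'BANINST1', 'HCT_DEMO_STV_PRED', 'SELECT');
END;
/
-- Gap: this only empties 'AW' out of the SHADEGR pick-lists. An UPDATE that turns an
-- existing 'AW' on SHRDGMR into 'SO' never reads STVDEGS or STVGRST, so it succeeds.
-- That is how two students were un-awarded (slide 65).

-- Attempt 2 (slides 66-77): police the degree rows themselves, for writes only.
CREATE OR REPLACE FUNCTION baninst1.hct_demo_shrdgmr_pred (p_schema VARCHAR2, p_object VARCHAR2)
  RETURN VARCHAR2 IS
BEGIN
  IF NOT baninst1.hct_demo_restricted THEN RETURN NULL; END IF;
  RETURN q'[NVL(SHRDGMR_GRST_CODE, '~') <> 'AW' AND NVL(SHRDGMR_DEGS_CODE, '~') <> 'AW']';
END;
/
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'SATURN',
    object_name     => 'SHRDGMR',
    policy_name     => 'HCT_DEMO_SHRDGMR_NO_AW',
    function_schema => 'BANINST1',
    policy_function => 'HCT_DEMO_SHRDGMR_PRED',
    statement_types => 'INSERT,UPDATE,DELETE',   -- SELECT left open: campus staff may view
    update_check    => TRUE);                    -- check the NEW values too, not only the target rows
END;
/
-- Effect for a session holding the role:
--   UPDATE SATURN.SHRDGMR SET SHRDGMR_DEGS_CODE = 'SO' WHERE SHRDGMR_DEGS_CODE = 'AW';
--     -> 0 rows updated: awarded rows are filtered out of the statement's row set
--   UPDATE SATURN.SHRDGMR SET SHRDGMR_DEGS_CODE = 'AW' WHERE SHRDGMR_DEGS_CODE = 'PG';
--     -> ORA-28115 (policy with check option violation): the new values fail the predicate
--   SELECT * FROM SATURN.SHRDGMR WHERE SHRDGMR_DEGS_CODE = 'AW';
--     -> still returns the rows, as the requirement on slide 66 demands

-- Policy tables (the GORFDPL step): child rows of an awarded degree are protected by
-- joining back to the driver table. SHRDGDH and SHRDGCM get the same treatment.
CREATE OR REPLACE FUNCTION baninst1.hct_demo_shrdgih_pred (p_schema VARCHAR2, p_object VARCHAR2)
  RETURN VARCHAR2 IS
BEGIN
  IF NOT baninst1.hct_demo_restricted THEN RETURN NULL; END IF;
  -- join columns below are ASSUMED; unqualified names resolve to the policed table SHRDGIH
  RETURN q'[NOT EXISTS (SELECT 1 FROM SATURN.SHRDGMR d
                         WHERE d.SHRDGMR_PIDM   = SHRDGIH_PIDM
                           AND d.SHRDGMR_SEQ_NO = SHRDGIH_DEGS_SEQ_NO
                           AND (d.SHRDGMR_GRST_CODE = 'AW' OR d.SHRDGMR_DEGS_CODE = 'AW'))]';
END;
/
BEGIN
  DBMS_RLS.ADD_POLICY('SATURN', 'SHRDGIH', 'HCT_DEMO_SHRDGIH_NO_AW',
                      'BANINST1', 'HCT_DEMO_SHRDGIH_PRED', 'INSERT,UPDATE,DELETE', TRUE);
END;
/
```

Two points worth carrying over to the GOAFGAC configuration. The access levels you tick for a predicate correspond to the statement types above: leaving select open while restricting insert, update and delete is what turns "can view but not change awarded records" into a rule. And because VPD filters rows on UPDATE and DELETE rather than raising an error, a blocked change looks like "0 rows updated", so test the rule as a restricted user and check the row count or the form's status line, not merely the absence of an error; only an attempt to write a value that itself violates the predicate raises ORA-28115.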
  78. Part 5: Lessons Learned and Summary

  79. Summary
     - Use ERDs to find all tables you need to touch
     - Always keep the profiles up to date
     - Always check how predicates are placed in GOIFGAC
     - Make sure the policies are checked as active in GOAFGAC and GORFDPL

  80. Thank you and email if you need help!
     Khalid M. Tariq
     Supervisor, Student Record Systems
     Higher Colleges of Technology
     Abu Dhabi, UAE
     ktariq@hct.ac.ae
     http://www.hct.ac.ae
     Please complete the online class evaluation form for Course ID 1311.
     SunGard, the SunGard logo, Banner, Campus Pipeline, Luminis, PowerCAMPUS, Matrix, and Plus are trademarks or registered trademarks of SunGard Data Systems Inc. or its subsidiaries in the U.S. and other countries. Third-party names and marks referenced herein are trademarks or registered trademarks of their respective owners.
     © 2006 SunGard. All rights reserved.
