Build Fine-Grained Authorization for WebCenter Using Oracle Entitlements Server (OES)

Presented at Collaborate 2016 in Las Vegas
Date: 04/13/2016

Oracle WebCenter Content's default security model is based on group membership, i.e. RBAC (Role Based Access Control), and is not sufficient for fine-grained authorization models in which the authorization decision depends on a combination of document attributes and roles. It is not aligned with the ABAC (Attribute Based Access Control) model, which helps mitigate threats from inside the organization. Oracle Entitlements Server (OES) is a standards-based, policy-driven security solution that provides real-time fine-grained authorization for enterprise applications such as WebCenter. By integrating Oracle WebCenter Content with OES, corporations can provide high-performance fine-grained and coarse-grained access control for enterprise content using a centralized and consistent approach.

This session presents a fine-grained authorization approach for WebCenter using Oracle Entitlements Server. It also includes a live demo and an implementation use case from the College of American Pathologists, IL, and a Q & A session in which attendees can ask questions.

Speaker note: Oracle Entitlements Server (OES) is a standards-based, policy-driven security solution that provides real-time fine-grained authorization in Application, Service-Oriented Architecture (SOA) and Database environments. Oracle Entitlements Server can serve as the authorization engine for all the content managed by Oracle WebCenter Content using RBAC and ABAC policies.

    1. Build Fine-Grained Authorization for WebCenter Using Oracle Entitlements Server (OES). Session ID: 1351. Prepared by: Shyam Kumar – AST Corporation; Zeeshan Baig – AST Corporation.
    2. Introduction
       Shyam Kumar is the Vice President of Middleware Practice at AST Corporation, Naperville (Chicago), IL, and is responsible for all aspects of the middleware business including strategic account management and solution architecture. Speaker at the following industry forums/conferences:
       – Airport E-Business Users’ Roundtable
       – 5th International SOA, Cloud + Service Technology Symposium, London
       – APTA - 2013 Fare Collect-TransITech - Phoenix, AZ
       – North Central Oracle Apps User Group (NCOAUG) - Chicago
       – Oracle HCM Users Group (OHUG)
       – Collaborate (OAUG/IOUG)
       – Oracle Open World (OOW)
       Zeeshan Baig is an Oracle ACE and works as Solution Architect in the Middleware Practice at AST Corporation, Naperville (Chicago), IL, and is responsible for enterprise architecture for large Cloud, Mobile, Security and Integration projects. Speaker at the following industry forums/conferences:
       – North Central Oracle Apps User Group (NCOAUG)
       – RMOUG
       – Collaborate (OAUG/IOUG)
       – KSCOPE
    3. Our Brands / Our Services
       Oracle Specialized: Enterprise Resource Planning • Business Intelligence • EPM-Hyperion • Middleware • CRM/CX • MDM-EDQ • Configure/Price/Quote • Managed Services • Education / Oracle University • Project Advisory Services • EBS Financial Management • EBS Human Capital Management • EBS Supply Chain Management • Database • BI Applications • BI Foundation Suite • Hyperion Planning & Financial Management • Essbase • Oracle Data Integration • Application Development Framework • Service Oriented Architecture • WebCenter Content • Access Management Suite Plus • Identity Governance Suite • WebLogic Server
       Awards: 2015, 2013, 2011, 2009 Oracle Excellence Award Winner • 2015, 2014 Chicago Tribune Top 100 Workplaces Award Winner • 2014, 2013, 2012 Inc. 5000 Fastest Growing Companies Award Winner • 2014, 2012 Best & Brightest Companies to Work For Award Winner
       Specialized. Recognized. Preferred.
    4. Agenda
       • Authorization Overview
       • Understanding Oracle Entitlement Server
       • Oracle Entitlement Server Demo
       • WCC – OES Implementation Approach
       • Implementation Case Study
       • Q & A
    5. Insider Threat
       “Does our organization have a way to detect unauthorized access to our data?”
       “…less than 10 percent of companies actually have proactive monitoring of security controls - Authorization?”
       • 58% of information security incidents are attributed to insider threat
       • 93% of U.S. organizations are vulnerable to insiders
    6. Authorization Concepts
       Example policy: grant “trade” privileges on the Account resource when the user is in the Account Trader role.
    7. Fine-Grained & Coarse-Grained Authorization
       • Coarse-grained: Role Based (RBAC); less restrictive
       • Fine-grained: Attribute Based (ABAC); more restrictive
    8. Authorization Policy Definition
       Application security requirements are defined by ‘Business Experts’.
    9. Oracle Entitlement Server (OES)
       • OES provides an implementation of fine-grained authorization
       • Use policies to protect application resources
    10. High-Level Architecture
       • The PAP (Policy Administration Point) is the OES Admin Server; it manages the policies and the artifacts related to security
       • The SM (Security Module) engines are the processes referred to as OES clients
    11. WebCenter – Security Overview
       WebCenter Content security options:
       • Security Groups: similar to roles; non-hierarchical; performance overhead
       • Accounts with Security Groups: user level; could be hierarchical; could become complex and out of control
       • OES: policy-based approach; attribute-level control; custom functions; integration with DB or LDAP
    12. WebCenter – Supported Operations
       Each line gives the WebCenter Content document operation, its description, and what Oracle Entitlements Server controls for it:
       • Check-in: creating a new revision of the document. OES controls who can perform the document check-in operation.
       • New Check-in: uploading a new document. OES controls who can perform a new document check-in operation.
       • Check-in similar: similar to New Check-in; inherits properties set during the previous new document upload. OES controls who can perform the check-in similar document operation.
       • Checkout: checking out an existing document for modifications. OES controls who can perform the document checkout operation.
       • Undo Checkout: discarding a checked-out document. OES controls who can perform the discard document checkout operation.
       • Delete: deleting a revision of the document. OES controls who can perform the document delete operation.
       • Update: updating metadata or attributes of the document. OES controls who can perform the document update operation.
       • Search: performing a document search. OES controls what a user can see in the document search results.
       • Read: reading the content of the document. OES controls who can perform the document read operation.
       • Download: downloading the document. OES controls who can perform the document download operation.
    13. WebCenter – OES Integration
       The OES client (Security Module, SM) is embedded inside the Content Management server; this SM provides both
       • Policy Decision Point (PDP)
       • Policy Enforcement Point (PEP)
    14. WebCenter – Integration Roadmap
       • Migrate the WebCenter policy store to OES
       • Install the UCM connector for OES
       • Create policies in OES
    15. WebCenter – Demo Outline
       • OES policy overview
       • Policies for WebCenter
       • Create a Check-In policy for Directors
       • Attribute-based policy scenario
    16. Customer Case Study: Entitlement Server Implementation
    17. Case Study: College of American Pathologists, Northfield, Illinois
       The world’s largest association composed exclusively of board-certified pathologists and the worldwide leader in laboratory quality assurance. More than 7,000 laboratories are accredited by the CAP, and approximately 23,000 laboratories.
       Business needs: build an Enterprise Security Platform, a strategic initiative for CAP’s future growth and expansion to the international market, requiring a highly secured infrastructure for its customers.
       Solution & benefits:
       • Create the foundation for enterprise security
       • Consolidation of identity data, creating a centralized identity store using Oracle Internet Directory & Oracle Virtual Directory
       • Implementation of policy-driven automated provisioning, enhancing security and compliance by leveraging Oracle Identity Manager
       • Self-service user registration and profile management
       • Single Sign-On (SSO) using Oracle Access Manager
       • Federated identity management and cross-domain SSO using Oracle Identity Federation
       • Fine-grained portal entitlement and delegated administration using Oracle Entitlement Server
       • Integration with over 25 legacy systems
       • Identity governance, and IT audit monitoring and reporting
    18. OES Implementation Overview
       • 250,000 users and 40,000 members
       • 250 policies
       • Dynamic policies
       • OES replacement of CrossLogix
       • Integration with enterprise OIAM systems
       • Web-service based integration
       [Diagram: Enterprise OES Platform with an OID authentication store and a database policy store, used by Sun Lab Inc, 3M Lab and CAP Staff; sample identities “John – the Lab Admin” and “John – the Pathologist”]
    19. Implementation Technical Architecture
    20. Questions & Answers. Contact information: Shyam Kumar / Zeeshan Baig, skumar@astcorporation.com, 630-347-0833
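The abstract and slides 6, 7, 12 and 13 describe the same decision loop: a Security Module embedded in Content Server acts as PDP and PEP, evaluating role-based (coarse-grained) and attribute-based (fine-grained) policies for each document operation, and filtering search results by what the user may read. The toy policy engine below is an added example written for this page; it is not OES code and does not use the OES API. The users, documents, roles (director, staff, compliance_officer), the "restricted" classification and the deny-overrides combining rule are all constructed assumptions chosen to mirror the "Check-In policy for Directors" and "attribute-based policy scenario" named in the demo outline.

```python
"""Toy PDP/PEP showing RBAC (role only) versus ABAC (role + document
attribute) policies for WebCenter Content style document operations.
Added illustration, not Oracle Entitlements Server code."""
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Optional


@dataclass(frozen=True)
class User:
    name: str
    roles: FrozenSet[str]
    department: str          # subject attribute used by the ABAC policies


@dataclass(frozen=True)
class Document:
    doc_id: str
    department: str          # document metadata (resource attribute)
    classification: str      # "internal" or "restricted" (constructed values)


@dataclass(frozen=True)
class Policy:
    effect: str                                   # "GRANT" or "DENY"
    actions: FrozenSet[str]                       # operations from slide 12
    roles: FrozenSet[str] = frozenset()           # empty: applies to any role
    condition: Optional[Callable[[User, Document], bool]] = None  # ABAC part


# Operations taken from the slide 12 table.
ACTIONS = frozenset({"checkin", "checkout", "update", "delete", "read", "download"})

# Constructed policy set (hypothetical names, not the presenters' policies).
POLICIES: List[Policy] = [
    # RBAC: directors may check in, check out and update (slide 15 demo policy).
    Policy("GRANT", frozenset({"checkin", "checkout", "update"}), frozenset({"director"})),
    # ABAC: staff may read/download only documents of their own department.
    Policy("GRANT", frozenset({"read", "download"}), frozenset({"staff"}),
           condition=lambda u, d: u.department == d.department),
    # Compliance officers may read/download everything.
    Policy("GRANT", frozenset({"read", "download"}), frozenset({"compliance_officer"})),
    # ABAC deny: restricted documents are off limits unless the user is a compliance officer.
    Policy("DENY", ACTIONS,
           condition=lambda u, d: d.classification == "restricted"
           and "compliance_officer" not in u.roles),
]

# Role-only policy set, to show what coarse-grained RBAC alone allows.
RBAC_ONLY: List[Policy] = [
    Policy("GRANT", frozenset({"checkin", "checkout", "update"}), frozenset({"director"})),
    Policy("GRANT", frozenset({"read", "download"}), frozenset({"staff"})),
]


def decide(user: User, action: str, doc: Document,
           policies: List[Policy] = POLICIES) -> bool:
    """PDP: deny-overrides combining with default deny.

    A policy applies when the action matches, the user holds one of the
    policy's roles (or the policy has no role condition) and the attribute
    condition, if any, holds for this user/document pair."""
    applicable = [p for p in policies
                  if action in p.actions
                  and (not p.roles or p.roles & user.roles)
                  and (p.condition is None or p.condition(user, doc))]
    if any(p.effect == "DENY" for p in applicable):
        return False
    return any(p.effect == "GRANT" for p in applicable)


def enforce(user: User, action: str, doc: Document) -> Document:
    """PEP: the point inside the content server that blocks the operation."""
    if not decide(user, action, doc):
        raise PermissionError(f"{user.name} may not {action} {doc.doc_id}")
    return doc


def filter_search(user: User, docs: List[Document]) -> List[Document]:
    """Search: slide 12 says OES controls what the user sees in results,
    so results are post-filtered with a read decision per document."""
    return [d for d in docs if decide(user, "read", d)]


# Constructed sample principals and documents.
ALICE = User("alice", frozenset({"director", "staff"}), "finance")
BOB = User("bob", frozenset({"staff"}), "hr")
CAROL = User("carol", frozenset({"compliance_officer"}), "legal")
DOCS = [
    Document("FIN-001", "finance", "internal"),
    Document("HR-001", "hr", "internal"),
    Document("FIN-002", "finance", "restricted"),
]

if __name__ == "__main__":
    for user in (ALICE, BOB, CAROL):
        visible = [d.doc_id for d in filter_search(user, DOCS)]
        print(f"{user.name}: search sees {visible}")
    # RBAC alone lets any staff member read finance documents; ABAC does not.
    print("bob reads FIN-001 under RBAC only:", decide(BOB, "read", DOCS[0], RBAC_ONLY))
    print("bob reads FIN-001 under RBAC+ABAC:", decide(BOB, "read", DOCS[0]))
```

The comparison of `RBAC_ONLY` with `POLICIES` is the point of slide 7: the role-only set grants bob read access to every document, while the attribute condition confines him to his own department and the deny policy keeps restricted documents away from everyone but compliance officers, even a director who would otherwise be granted check-in.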
