Fine Grain Access Control for Admission & Graduation
1. SUNGARD SUMMIT 2007 | sungardsummit.com 1 FGAC for Admission/Graduation Presented by: Khalid M. Tariq, Supervisor, Student Records Systems Higher Colleges of Technology March 20, 2007 Course ID 1311
2. Objectives. By the end of this presentation, you will be able to: differentiate between FGAC and VBS; learn the basic steps to set up VBS; understand the specific security needs of the admissions and graduation modules at HCT; see how FGAC was used to address those needs; use ERDs while implementing FGAC.
3. Agenda: Introduction to HCT; basic concepts in FGAC; HCT implementation of FGAC for admissions; HCT implementation of FGAC for graduation; lessons learned and summary.
5. Highlights of HCT. Located in the United Arab Emirates. First institution in the entire Middle East to go live with Banner 7.x. Started in 1988 with 239 students and four campuses. Today: enrollment 16,000+; colleges: 15 (STVCAMP); graduates: 22K+; credentials awarded: 32K+; programs offered in 2006: 80+ (SMAPRLE); academic divisions: 6 (STVCOLL); 3-4K students graduate every year.
7. Distributed Campuses with a Central System Registrar (diagram).
8. Central Banner Support for all 15 Campuses.
9. HCT Unified Digital Campus (diagram): NAPO, Faculty Evaluation System, HCT Portal, Attendance Management System, CMS, Textbook Ordering & Tracking System, Quality Assurance System, Syllabus Plus.
11. FGAC vs. VBS. Fine-Grained Access Control (FGAC) is an Oracle Database feature, also known as Virtual Private Database (VPD): the database attaches a predicate to SQL statements issued against a protected table, so the restriction is enforced no matter which tool issues the statement. Value Based Security (VBS) is one of the security features of Banner and is built on top of Oracle FGAC. Banner's PII (Personally Identifiable Information) security is also built on Oracle FGAC. In this presentation I will be using both VBS and FGAC interchangeably.
12. Basic Concepts of VBS. You tell Banner which restriction to enforce, for which users, on which tables, and for which kind of access (select, insert, update, delete). Whenever anyone accesses the table, Banner checks whether the user belongs to the group associated with the restriction and, if so, enforces it. The beauty of VBS is that the restriction lives in the database, so it applies not only in Banner forms but to any SQL access to the tables (TOAD, Access, SQL*Plus, Crystal Reports, etc.). For example, if you deny everyone in the admissions department the ability to view students' personal addresses (SPRADDR), they will not be able to see them in Banner, TOAD, Access, SQL*Plus, Crystal Reports, etc. Note that the restriction is keyed on the database identity the policy sees, so it only protects against sessions that are subject to the policy: SYS, and accounts holding the Oracle EXEMPT ACCESS POLICY privilege, bypass FGAC policies entirely.
13. Basic Concepts of VBS (cont.). VBS predicate logic is written in SQL, for example SHRDGMR_GRST_CODE = 'AW'. Oracle appends the predicate to every access to the table as an extra WHERE condition, so a query such as SELECT COUNT(SHRDGMR_PIDM) FROM SHRDGMR is executed as SELECT COUNT(SHRDGMR_PIDM) FROM SHRDGMR WHERE SHRDGMR_GRST_CODE = 'AW'.
14. Step#1: Write down your Business Requirements. Only counselors can view counselor-type comments entered in the student comments form. Counselors cannot delete or update comments entered in the student comments form by other counselors.
15. Step#2: Refine your Business Requirements with Tables and Access Type Information. Restate each requirement in the form: user group cannot add, update, delete or view data from table(s) when condition is true. Identify the driver table that needs the restriction, then look at the ERDs and decide whether related tables also need to be restricted.
16. Step#3: Create a Domain in GTVFDMN (Optional). VBS rules are written against a domain. Every rule has a base (driver) table; for example, the driver table for the graduation rule is SHRDGMR. A domain can have only one driver table, so if you need another driver table you need to create another domain. Domain names are created in GTVFDMN.
17. Step#3: Create a Domain in GTVFDMN (Optional), cont. Put your institution code at the beginning of the domain name so that domains created by you are easy to search for, for example HCT_SB_GRADUATION1_VBS.
18. Step#4: Define the Domain Driver Table in GORFDMN (Optional). In this form you map the driver table to the domain you created; for example, the GB_SPRTELE_VBS domain is mapped to the SPRTELE driver table.
19. Step#5: Add Policy Tables in GORFDPL (Optional). Policy tables are tables that have a relationship with the driver table (for example, driver table SARADAP, policy table SARAPPD). If you want your restrictions to apply to the policy tables as well, define the joins from each policy table to the driver table in GORFDPL. Even if you are not going to join the driver table to any policy table, the domain and driver table must still be entered in this form, with an empty SQL join.
20. Step#6: Apply the Policy to all Tables. The script GFVBSADDPOL.SQL is delivered in the General/Plus directory as part of the Banner upgrade/installation. Log in to the database as BANINST1 and run it once for each table (driver and policy).
21. Step#7: Define a FGAC Group in GTVFGAC. A domain is defined for each driver table, and under each domain there can be several groups. One group is created for each type of restriction: for example, a restriction based on student level in SGBSTDN is one group, and a restriction based on student status in SGBSTDN requires a separate group.
22. Step#8: Create a Business Profile in GTVFBPR.
23. Step#9: Assign Users to Business Profile in GOAFBPR.
24. Step#10: Define Predicate Rules in GOAFGAC.
25. Step#11: Assign Users to a Predicate in GOAFGAC. You can assign either individual users or a group (using business profiles) to a predicate and give them different access levels.
26. Step#12: View the Policy in GOIFGAC.
27. Part # 3: HCT Implementation of FGAC for Admissions
28. The Need for Row-level Security in Admission. HCT is a public institution fully sponsored by the UAE government. All students must be admitted via the National Admissions and Placement Office (NAPO). Students are approved by HCT admission officers on the NAPO website and then downloaded into Banner centrally. The download process creates SPRIDEN (General Person), SARADAP (Admission Application) and SARAPPD (Admission Decision) records.
30. The Need for Row-level Security in Admission (cont.). Until 2005, HCT downloaded only accepted students from the NAPO database. Starting in 2006, a decision was made to download all applicants' data from the NAPO database, including students who were not approved or were waitlisted. This meant that campus admission officers could approve students directly in Banner (SAADCRV) instead of through NAPO. We explored the options and decided to use VBS to tackle this security issue.
32. Typical Accepted Student Admission Application
33. Typical Waitlisted Student Admission Application
34. Business Requirement for Admissions Module. Prevent users from entering admission decision '01' (Institution Accepted) if code '02' (Not Approved) or '03' (Waitlisted) is already in the application. This cannot be achieved by simply preventing all campus admission officers from accessing SARADAP. The solution: VBS in Banner.
35. Step#1: Write down your Business Requirements. Prevent users from entering admission decision '01' (Institution Accepted) if code '02' (Not Approved) or '03' (Waitlisted) is already in the application.
36. Step#2: Refine your Business Requirements with Tables and Access Type Information. Campus users cannot add decision code 01 in the SAADCRV form (SARAPPD table) when decision code 02 or 03 is already entered. Driver table: SARAPPD.
37. Step#3: Create a Domain in GTVFDMN (Optional). Checked whether a seed-data domain already exists for the SARAPPD table: no. Created a new domain: HCT_SB_ADMISISONS1_VBS.
38. Step#4: Define the Domain Driver Table in GORFDMN (Optional).
39. Step#5: Add Policy Tables in GORFDPL (Optional). No policy tables are needed for SARAPPD; however, the driver table SARAPPD must still be added here.
40. Step#6: Apply the Policy to all Tables. Apply the policy to SARAPPD by running the gfvbsaddpol script.
41. Step#7: Define a FGAC Group in GTVFGAC.
42. Step#8: Create a Business Profile in GTVFBPR.
43. Step#9: Assign Users to Business Profile in GOAFBPR.
44. Step#10: Define Predicate Rules in GOAFGAC.
45. Step#11: Assign Users to a Predicate in GOAFGAC.
46. Step#12: View the Policy in GOIFGAC.
49. Part # 4: HCT Implementation of FGAC for Graduation
50. The Need for Row-level Security in Graduation. The HCT System Registrar is responsible for centrally awarding students, which meant that no one else had access to SHADEGR and SHAMDEG. Graduating 4,000 students used to take at least a month after the Spring semester. In 2005, the need for a faster and more robust graduation process was identified, and as a result HCT made a 180-degree change to graduation processing: most graduation responsibilities were pushed back to the campuses, while students were still awarded centrally by the System Registrar. This meant campus staff needed access to SHADEGR and SHAMDEG.
51. A Typical Use of SHADEGR by Campuses
52. Business Requirement for Graduation Module. Prevent users from entering a Degree/Graduation Status of 'AW' (Awarded) but allow them to enter other codes such as 'PG' (Potential Graduate). This cannot be achieved by simply preventing all campus staff from accessing SHADEGR. The solution: VBS in Banner.
53. Step#1: Write down your Business Requirements. Prevent users from entering a Degree/Graduation Status of 'AW' (Awarded) but allow them to enter other codes such as 'PG' (Potential Graduate).
54. Step#2: Refine your Business Requirements with Tables and Access Type Information. User group can never add, update, delete or view 'AW' in STVGRST and STVDEGS.
55. Step#3: Create a Domain in GTVFDMN (Optional).
56. Step#4: Define the Domain Driver Table in GORFDMN (Optional).
57. Step#5: Add Policy Tables in GORFDPL (Optional).
58. Step#6: Apply the Policy to all Tables. Run GFVBSADDPOL.SQL for STVDEGS and STVGRST.
59. Step#7: Define a FGAC Group in GTVFGAC.
60. Step#8: Create a Business Profile in GTVFBPR.
61. Step#9: Assign Users to Business Profile in GOAFBPR.
62. Step#10: Define Predicate Rules in GOAFGAC.
63. Step#11: Assign Users to a Predicate in GOAFGAC.
64. Step#12: View the Policy in GOIFGAC.
65. Issues with Graduation FGAC. We thought that by stopping users from selecting AW from STVDEGS and STVGRST, they would not be able to award a student by mistake. We then found that two students had been un-awarded (degree status changed from AW to SO) by mistake by campus users. The restriction on the validation tables only hides the AW value from the lookups; it does nothing to the existing degree rows in SHRDGMR, which campus users could still update. It was obvious that the FGAC was not complete, and we had to add restrictions on the SHRDGMR table.
66. Step#1: Write down your Business Requirements. Campus users can view degree records for students who have been awarded, but they cannot insert, delete or update any information on such records.
67. Step#2: Refine your Business Requirements with Tables and Access Type Information. User group can never add, update or delete any data in SHRDGMR, SHRDGIH, SHRDGDH or SHRDGCM if the student has a degree status of 'AW'. Driver table: SHRDGMR (see slide 16), with SHRDGIH, SHRDGDH and SHRDGCM reached through it as policy tables.
68. Step#3: Create a Domain in GTVFDMN (Optional).
69. Step#4: Define the Domain Driver Table in GORFDMN (Optional).
70. Step#5: Add Policy Tables in GORFDPL (Optional).
71. Step#6: Apply the Policy to all Tables. Run GFVBSADDPOL.SQL for SHRDGMR, SHRDGDH, SHRDGIH and SHRDGCM.
72. Step#7: Define a FGAC Group in GTVFGAC.
73. Step#8: Create a Business Profile in GTVFBPR. Already done; use the AW_RESTRICTED profile created before.
74. Step#9: Assign Users to Business Profile in GOAFBPR. Already done.
75. Step#10: Define Predicate Rules in GOAFGAC.
76. Step#11: Assign Users to a Predicate in GOAFGAC.
77. Step#12: View the Policy in GOIFGAC.
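The following is an added example and is not code from this presentation or from Banner. It shows, with plain Oracle DBMS_RLS calls, what the GORFDPL/GOAFGAC setup of the graduation fix amounts to underneath (the same predicate mechanism introduced on slide 13): a predicate on the driver table SHRDGMR that hides awarded rows from INSERT, UPDATE and DELETE but not from SELECT, and the same rule carried to a policy table through a join back to the driver table, which is what the GORFDPL join expresses. The tables are cut-down stand-ins with only the columns the rule needs; the child-table column names SHRDGIH_PIDM and SHRDGIH_DGMR_SEQ_NO are assumed, the HCT_AW_RESTRICTED_USERS table and HCT_AW_POLICY function are hypothetical stand-ins for the AW_RESTRICTED business profile and for the policy Banner generates, and membership is keyed on the Oracle session user rather than on Banner's own security context. The sample rows are constructed.

```sql
-- Added example (not from the presentation or Banner): Oracle FGAC/VPD policies
-- equivalent to the graduation rule, attached with DBMS_RLS directly.
-- Needs CREATE TABLE/PROCEDURE in your schema and EXECUTE on DBMS_RLS.

-- Stand-in for SATURN.SHRDGMR with only the columns the rule needs.
CREATE TABLE shrdgmr (
  shrdgmr_pidm      NUMBER(8)   NOT NULL,
  shrdgmr_seq_no    NUMBER(2)   NOT NULL,
  shrdgmr_degs_code VARCHAR2(2) NOT NULL,  -- degree status (STVDEGS): SO, PG, AW ...
  shrdgmr_grst_code VARCHAR2(2),           -- graduation status (STVGRST)
  CONSTRAINT shrdgmr_pk PRIMARY KEY (shrdgmr_pidm, shrdgmr_seq_no)
);

-- Stand-in for one policy table (institutional honours); column names are assumed.
CREATE TABLE shrdgih (
  shrdgih_pidm        NUMBER(8)   NOT NULL,
  shrdgih_dgmr_seq_no NUMBER(2)   NOT NULL,
  shrdgih_honr_code   VARCHAR2(6) NOT NULL,
  CONSTRAINT shrdgih_fk FOREIGN KEY (shrdgih_pidm, shrdgih_dgmr_seq_no)
    REFERENCES shrdgmr (shrdgmr_pidm, shrdgmr_seq_no)
);

-- Hypothetical stand-in for the AW_RESTRICTED business profile (GTVFBPR/GOAFBPR).
CREATE TABLE hct_aw_restricted_users (
  username VARCHAR2(30) NOT NULL PRIMARY KEY
);

-- Constructed sample data: one potential graduate, one awarded student, one campus user.
INSERT INTO shrdgmr VALUES (1001, 1, 'PG', 'PG');
INSERT INTO shrdgmr VALUES (1002, 1, 'AW', 'AW');
INSERT INTO hct_aw_restricted_users VALUES ('CAMPUS_USER1');
COMMIT;

-- Policy function. Oracle calls it as fn(schema, object) for each statement on a
-- policed table and ANDs the returned string into that statement's WHERE clause.
-- Returning NULL means "no restriction", which is how the System Registrar stays exempt.
CREATE OR REPLACE FUNCTION hct_aw_policy (
  p_schema IN VARCHAR2,
  p_object IN VARCHAR2
) RETURN VARCHAR2
AS
  l_member PLS_INTEGER;
BEGIN
  SELECT COUNT(*)
    INTO l_member
    FROM hct_aw_restricted_users
   WHERE username = SYS_CONTEXT('USERENV', 'SESSION_USER');

  IF l_member = 0 THEN
    RETURN NULL;
  END IF;

  IF p_object = 'SHRDGMR' THEN
    -- Driver table: awarded rows are simply not there for this user's DML.
    RETURN 'shrdgmr_degs_code <> ''AW''';
  ELSE
    -- Policy table: the same rule, reached through the join back to the driver
    -- table (the GORFDPL join). The driver policy does not cover SELECT, so this
    -- subquery is not itself restricted.
    RETURN 'NOT EXISTS (SELECT 1 FROM shrdgmr m'
        || ' WHERE m.shrdgmr_pidm = shrdgih_pidm'
        || ' AND m.shrdgmr_seq_no = shrdgih_dgmr_seq_no'
        || ' AND m.shrdgmr_degs_code = ''AW'')';
  END IF;
END hct_aw_policy;
/

-- Attach the policy to both tables. statement_types deliberately omits SELECT:
-- campus users may still view awarded records (slide 66). update_check => TRUE
-- also rejects an INSERT or UPDATE whose new row would violate the predicate,
-- so nobody in the profile can write 'AW' into the driver table either.
BEGIN
  FOR t IN (SELECT 'SHRDGMR' AS tbl FROM dual UNION ALL SELECT 'SHRDGIH' FROM dual) LOOP
    DBMS_RLS.ADD_POLICY(
      object_schema   => USER,
      object_name     => t.tbl,
      policy_name     => 'HCT_' || t.tbl || '_AW_VBS',
      function_schema => USER,
      policy_function => 'HCT_AW_POLICY',
      statement_types => 'INSERT,UPDATE,DELETE',
      update_check    => TRUE,
      enable          => TRUE);
  END LOOP;
END;
/

-- The check behind GOIFGAC: which statement types each policy covers, and whether it is enabled.
SELECT object_name, policy_name, sel, ins, upd, del, chk_option, enable
  FROM user_policies
 WHERE policy_name LIKE 'HCT\_%\_AW\_VBS' ESCAPE '\';

-- Run as CAMPUS_USER1 (with SELECT and DML grants on the tables):
--   UPDATE shrdgmr SET shrdgmr_degs_code = 'SO' WHERE shrdgmr_pidm = 1002;
--     the AW row is outside this user's view of the table, so it cannot be un-awarded
--   INSERT INTO shrdgmr VALUES (1003, 1, 'AW', 'AW');
--     rejected by the check option (ORA-28115)
--   UPDATE shrdgmr SET shrdgmr_degs_code = 'SO' WHERE shrdgmr_pidm = 1001;
--     allowed: that row is PG, not AW
-- A policy on STVDEGS alone would not fire for any of these statements, because
-- none of them reads STVDEGS. That is the gap described on slide 65.
```

In Banner the policy owner is the SATURN schema and the predicate is keyed on Banner's own security context rather than SESSION_USER, but the shape is the same: the validation-table rule restricts what a user can pick, while only a policy on the driver table and its policy tables restricts what a user can change.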
78. Part # 5: Lessons Learned and Summary
79. Summary. Use ERDs to find all the tables you need to touch. Always keep the business profiles up to date. Always check in GOIFGAC how the predicates have actually been placed. Make sure the policies are marked active in GOAFGAC and GORFDPL.