Banner INB

› Banner overview
› Authentication to Banner & 3rd Party Apps
› Authorization to Banner & 3rd Party Apps
Section 1

Higher Education Enterprise Resource
Planning (ERP) system.

Original vendor – SunGard Higher Ed
› Now supported by Ellucian
› Ellucian serves 2,400+ higher
education institutions globally
Banner INB – Internet Native Banner
The functional user Interface for
accounting, human resources, and
other administrative staff
Banner SSB – Self Service Banner
The web-based interface to Banner
functionality for students & Finance
reporting functionality

Includes multiple distinct “systems” or
modules:
› Finance
› Human Resources
› Financial Aid
› Advancement
List above is not exhaustive!
Distributed architecture generally includes:
› Application Server
› Database Server
› Job Scheduling Server
› Web Server (Luminis)
This is not meant to be a comprehensive list – only the basics

[Diagram: Application Server connects to Oracle Database]

Many available for varied purposes

Common 3rd Party Apps:
› SciQuest E-Procurement
› Touchnet U.Commerce
Authentication
The process of
identifying a user –
usually by a user name
and password
Authorization
The function of
specifying or granting
access rights to
resources in information
systems
Section 2

When a user connects to Banner, that user
also connects to the Oracle database

All Banner INB accounts require individual
Oracle database accounts. Banner SSB
accounts do not work the same way.

Banner INB authentication & authorization
use Oracle database info & processes
› Security is configured by granting privileges to a
User Profile in Oracle
Oracle uses a User Name & Password to identify a user
› Stored encrypted in the SYS.USER$ Table
Authentication requires one Oracle privilege: CREATE SESSION
Step 1 • Enter user name/password
Step 2 • Oracle checks credentials
Step 3 • Oracle checks privileges/security rights:
  • Default Role(s)
  • Directly granted privileges
  • PUBLIC account privileges (granted to everyone)
Method 1: Direct Login
› Oracle Database
› Login to App Server directly via web browser
› Password Profiles

VS

Method 2: Web-Facing Portal
› Directory Service
› Login to Luminis web server first, then connect to App Server
› Password Policies

[Method 1 flow: Banner Direct Login Page → Oracle Credentials]

Uses the internet browser and Oracle Fusion Middleware Forms Services with a Java JRE plug-in to display the Banner Forms in an Oracle Java applet
Example URL: http://APPPRD.ExampleCollege.edu:###0/forms/frmservlet?config=prod
[Method 2 flow: Active Directory or LDAP Credentials → Luminis Web Server Login → Banner Direct Login Page → Oracle Credentials]

Luminis Web Server can use a directory
service for user authentication
› Login requires directory service credentials
› Possible to configure as Single Sign-On or as
another layer of network security.

Direct login via Oracle credentials may
still be required!
All paths to authentication should have proper controls if both methods are used!

[Diagram: Method 1 → Banner INB ← Method 2]

DBA_PROFILES

PROFILE | RESOURCE_NAME            | RESOURCE_TYPE | LIMIT
DEFAULT | FAILED_LOGIN_ATTEMPTS    | PASSWORD      | UNLIMITED
DEFAULT | PASSWORD_LIFE_TIME       | PASSWORD      | UNLIMITED
DEFAULT | PASSWORD_REUSE_TIME      | PASSWORD      | UNLIMITED
DEFAULT | PASSWORD_REUSE_MAX       | PASSWORD      | UNLIMITED
DEFAULT | PASSWORD_VERIFY_FUNCTION | PASSWORD      | NULL
DEFAULT | PASSWORD_LOCK_TIME       | PASSWORD      | UNLIMITED
DEFAULT | PASSWORD_GRACE_TIME      | PASSWORD      | UNLIMITED
PW Verify Function
› “IF” Function for password complexity
V$PARAMETER includes other security settings such as case sensitivity.
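One way to evaluate the DBA_PROFILES output above against a password standard, as an added example for this section (not code from the presentation, Ellucian or Oracle): the DEFAULT rows are constructed to match the slide, while the BANNER_USER and LEGACY profiles and the BASELINE thresholds are assumptions standing in for a local policy. It also resolves a LIMIT of DEFAULT the way Oracle does (inherit from the DEFAULT profile), which the slide does not show.

```python
"""Check Oracle password-profile limits exported from DBA_PROFILES.

Added example; not code from the presentation or from Ellucian/Oracle.
DEFAULT rows mirror the slide; BANNER_USER, LEGACY and BASELINE are assumed.
"""

# Constructed export of (PROFILE, RESOURCE_NAME, RESOURCE_TYPE, LIMIT).
DBA_PROFILES_EXPORT = [
    ("DEFAULT", "FAILED_LOGIN_ATTEMPTS", "PASSWORD", "UNLIMITED"),
    ("DEFAULT", "PASSWORD_LIFE_TIME", "PASSWORD", "UNLIMITED"),
    ("DEFAULT", "PASSWORD_REUSE_TIME", "PASSWORD", "UNLIMITED"),
    ("DEFAULT", "PASSWORD_REUSE_MAX", "PASSWORD", "UNLIMITED"),
    ("DEFAULT", "PASSWORD_VERIFY_FUNCTION", "PASSWORD", "NULL"),
    ("DEFAULT", "PASSWORD_LOCK_TIME", "PASSWORD", "UNLIMITED"),
    ("DEFAULT", "PASSWORD_GRACE_TIME", "PASSWORD", "UNLIMITED"),
    # Assumed hardened profile for Banner INB users (time limits are in days).
    ("BANNER_USER", "FAILED_LOGIN_ATTEMPTS", "PASSWORD", "5"),
    ("BANNER_USER", "PASSWORD_LIFE_TIME", "PASSWORD", "90"),
    ("BANNER_USER", "PASSWORD_REUSE_TIME", "PASSWORD", "365"),
    ("BANNER_USER", "PASSWORD_REUSE_MAX", "PASSWORD", "10"),
    ("BANNER_USER", "PASSWORD_VERIFY_FUNCTION", "PASSWORD", "VERIFY_FUNCTION_11G"),
    ("BANNER_USER", "PASSWORD_LOCK_TIME", "PASSWORD", ".0104"),  # about 15 minutes
    ("BANNER_USER", "PASSWORD_GRACE_TIME", "PASSWORD", "7"),
    # Assumed profile whose limits all say DEFAULT, i.e. inherit from the DEFAULT profile.
    ("LEGACY", "FAILED_LOGIN_ATTEMPTS", "PASSWORD", "DEFAULT"),
    ("LEGACY", "PASSWORD_LIFE_TIME", "PASSWORD", "DEFAULT"),
    ("LEGACY", "PASSWORD_REUSE_TIME", "PASSWORD", "DEFAULT"),
    ("LEGACY", "PASSWORD_REUSE_MAX", "PASSWORD", "DEFAULT"),
    ("LEGACY", "PASSWORD_VERIFY_FUNCTION", "PASSWORD", "DEFAULT"),
    ("LEGACY", "PASSWORD_LOCK_TIME", "PASSWORD", "DEFAULT"),
    ("LEGACY", "PASSWORD_GRACE_TIME", "PASSWORD", "DEFAULT"),
]

# Assumed baseline. Rule "max": value must not exceed the threshold;
# "min": value must reach it; "not_null": a verify function must be named.
BASELINE = {
    "FAILED_LOGIN_ATTEMPTS": ("max", 10),
    "PASSWORD_LIFE_TIME": ("max", 90),
    "PASSWORD_GRACE_TIME": ("max", 7),
    "PASSWORD_REUSE_TIME": ("min", 365),
    "PASSWORD_REUSE_MAX": ("min", 5),
    "PASSWORD_LOCK_TIME": ("min", 0.01),  # days; roughly 15 minutes
    "PASSWORD_VERIFY_FUNCTION": ("not_null", None),
}


def effective_limits(rows, profile):
    """Map resource name -> LIMIT for one profile, resolving DEFAULT to the DEFAULT profile's value."""
    base = {name: lim for prof, name, rtype, lim in rows if prof == "DEFAULT" and rtype == "PASSWORD"}
    own = {name: lim for prof, name, rtype, lim in rows if prof == profile and rtype == "PASSWORD"}
    return {name: (base.get(name, "NULL") if lim == "DEFAULT" else lim) for name, lim in own.items()}


def audit_profile(rows, profile="DEFAULT"):
    """Return one finding string per password resource that misses the baseline."""
    limits = effective_limits(rows, profile)
    findings = []
    for name, (rule, threshold) in BASELINE.items():
        raw = limits.get(name, "NULL")
        if rule == "not_null":
            if raw == "NULL":
                findings.append(f"{profile}.{name} is NULL: no complexity function enforced")
            continue
        # UNLIMITED switches the control off (for the two REUSE settings Oracle ignores
        # both when both are UNLIMITED); for PASSWORD_LOCK_TIME it means a DBA must
        # unlock manually, which still deserves review, so it is flagged uniformly.
        if raw == "UNLIMITED":
            findings.append(f"{profile}.{name} is UNLIMITED: control not enforced")
            continue
        if raw == "NULL":
            findings.append(f"{profile}.{name} is NULL: no limit defined")
            continue
        value = float(raw)
        if rule == "max" and value > threshold:
            findings.append(f"{profile}.{name}={raw} exceeds baseline {threshold}")
        elif rule == "min" and value < threshold:
            findings.append(f"{profile}.{name}={raw} is below baseline {threshold}")
    return findings


if __name__ == "__main__":
    for prof in ("DEFAULT", "BANNER_USER", "LEGACY"):
        print(prof, audit_profile(DBA_PROFILES_EXPORT, prof))
```

Run against the slide's DEFAULT profile every one of the seven settings is reported; the LEGACY profile gets the same seven findings because each DEFAULT limit inherits the unlimited value, which is the case an auditor most easily overlooks when a site has created its own profiles.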


UAC (the Active Directory userAccountControl attribute) can override other group policy settings
› Codes to consider:

Value | Description
512   | Enabled Account
544   | Enabled, Password Not Required
66048 | Enabled, Password Doesn’t Expire
66080 | Enabled, Password Doesn’t Expire & Not Required

Authentication for each 3rd party
application can vary.

Must inquire about how authentication &
security are configured.

Also, consider network security such as
Virtual Private Networks (VPN)

SciQuest can be synchronized with
Active Directory.
› Uses AD credentials for authentication

Touchnet generally uses built-in security
and authentication.
› Unique login URL for each user
› Unique Touchnet user IDs and passwords
› Touchnet has its own password controls

Look before you leap!
› Identifying relevant control points is key.

Determine the layers of network security

All Banner INB accounts can access the
Oracle database directly – increases risk!
Section 3
Your system administrator has
determined that your current activity is
providing a level of enjoyment beyond
that which is allowed on company time.
Your enjoyment will now be disabled.
You may continue with this activity, but
you may not enjoy it. See your system
administrator for more information.

Oracle database security structures
serve as “building blocks”

Oracle security configuration can either
strengthen or undermine security

Banner uses “Role-based” security

Banner “Roles” = Oracle Roles
› Containers for Oracle system privileges
› Can be password-protected

A Banner “Class” is used to group Roles
& database objects together in one
container
[Diagram: Banner CLASS = Role (Oracle Privs.) + OBJECTS]

However, Banner objects can also be directly granted outside of a class, which increases the risk of security being undermined.
BANNER CLASS

Role          | Access Level | Banner Object/Form
BAN_DEFAULT_M | Read/Write   | FOMPROF
BAN_DEFAULT_M | Read/Write   | FAAINVE
BAN_DEFAULT_Q | Read Only    | GSASECR

Banner Classes are containers for Role/Object assignments

Users are assigned to Classes to streamline security management

[Diagram: one Banner Class → many Users]
Oracle roles are used in two different capacities in Banner

(1) Banner Classes
  • When associated with “objects” in a Banner Class
  • For Navigational Security
  • “BAN_DEFAULT”

(2) Default Roles
  • Controls “default” privileges upon login
  • Oracle security construct
  • “USR_DEFAULT”

Banner roles for Classes & Navigational
Security:
› BAN_DEFAULT_M*
 Full read/write access
› BAN_DEFAULT_Q*
 Read-only access
*These roles are created upon Banner installation
with an encrypted password that no human knows!

Banner-created Default Roles
› USR_DEFAULT_M
 Full read/write access
› USR_DEFAULT_Q
 Read-only access
› USR_DEFAULT_CONNECT
 Ability to connect to the database/Banner
only; provides no navigational access
*Note – none of these roles are password protected; more on that soon!
USR/BAN_DEFAULT_M     | USR/BAN_DEFAULT_Q     | USR_DEFAULT_CONNECT
CREATE SESSION        | CREATE SESSION        | CREATE SESSION
SELECT ANY TABLE      | SELECT ANY TABLE      |
EXECUTE ANY PROCEDURE | SELECT ANY SEQUENCE   |
UPDATE ANY TABLE      | SELECT ANY DICTIONARY |
DELETE ANY TABLE      |                       |
INSERT ANY TABLE      |                       |
LOCK ANY TABLE        |                       |

These privileges provide full “write” access. | “Read only” Access | Connect Only
Step 1 • Navigate to a Banner form
Step 2 • Banner checks for an Oracle role (e.g. BAN_DEFAULT_M)
Step 3 • Banner checks for the “object”
Step 4 • Banner decrypts the Oracle role password; this “activates” the role’s privileges only for that object
Step 5 • Access to the object is granted based on the role’s privileges (e.g. BAN_DEFAULT_M = full read/write access)
Banner security manuals recommend that all users be assigned one Default Role
› USR_DEFAULT_CONNECT
Assigning powerful roles as “Default” can create security risks

Roles that are Password Protected in
Oracle (11g) must be invoked at an SQL
prompt, even if assigned as DEFAULT
› SET ROLE Statement with the password

No user can manually invoke the
BAN_DEFAULT roles because no one
knows the system-generated passwords.

BAN_DEFAULT_M as a Default Role?
Low Risk!

BAN_DEFAULT roles are password-protected w/ system-generated, encrypted passwords.

USR_DEFAULT_M as a user’s default role?
Risky!

Grants the user full write access to
everything in Banner/Oracle that is not
protected within another “schema”
› A Schema is “owned” by a database user &
has the same name as that user.

BANSECR = default Banner security
administration account

Only BANSECR can access or execute the
GSASECR (Security Maintenance) form
› “Distributed Security Administrators” can also
access GSASECR
Depends upon the application!
Example:
› Touchnet & SciQuest use internal security structure

Obtain security data for Banner/Oracle
› Key Tables Include:

Table Name     | Description
DBA_USERS      | Listing of Database Accounts/Status
DBA_ROLE_PRIVS | All database accounts/default roles
GUVUACC        | “Object Access by User View” = All Banner Accounts, Classes, Objects, & Roles
Obtain 3rd Party App security data
› May require coordination with the vendor

Determine who has access to BANSECR

Evaluate accounts assigned
USR_DEFAULT_M or _Q as a Default Role

Evaluate users with access to make
changes on other security forms like
FOMPROF, Finance Security
Maintenance Form
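The three evaluation steps above (powerful default roles, access to the security maintenance forms, and objects granted outside a class) can be run over exports of the key tables. The following is an added example, not code from the presentation or from Ellucian. Every row is constructed: DBA_USERS and DBA_ROLE_PRIVS use their real column order (USERNAME, ACCOUNT_STATUS) and (GRANTEE, GRANTED_ROLE, ADMIN_OPTION, DEFAULT_ROLE), while the GUVUACC rows are a simplified stand-in with assumed columns (user, class or None for a direct grant, object, role) and an assumed class name.

```python
"""Review Banner/Oracle authorization exports for the checks listed in the deck.

Added example; not code from the presentation or from Ellucian. All rows are
constructed. GUVUACC_SIMPLIFIED uses assumed columns, not the view's real ones.
"""

POWERFUL_DEFAULT_ROLES = {"USR_DEFAULT_M", "USR_DEFAULT_Q"}   # from the deck
SECURITY_FORMS = {"GSASECR", "FOMPROF"}                       # security forms named in the deck
WRITE_ROLES = {"BAN_DEFAULT_M"}                               # full read/write role

# Constructed DBA_USERS export: (USERNAME, ACCOUNT_STATUS).
DBA_USERS = [
    ("BANSECR", "OPEN"),
    ("JSMITH", "OPEN"),
    ("AJONES", "OPEN"),
    ("OLDUSER", "LOCKED"),
    ("APPSVC", "OPEN"),
]

# Constructed DBA_ROLE_PRIVS export: (GRANTEE, GRANTED_ROLE, ADMIN_OPTION, DEFAULT_ROLE).
DBA_ROLE_PRIVS = [
    ("BANSECR", "USR_DEFAULT_CONNECT", "NO", "YES"),
    ("JSMITH", "USR_DEFAULT_M", "NO", "YES"),    # powerful default role on an open account
    ("AJONES", "USR_DEFAULT_CONNECT", "NO", "YES"),
    ("AJONES", "USR_DEFAULT_Q", "NO", "NO"),     # granted but not a default role
    ("OLDUSER", "USR_DEFAULT_M", "NO", "YES"),   # locked account, still worth removing
    ("APPSVC", "BAN_DEFAULT_M", "NO", "YES"),    # password-protected role: low risk per the deck
]

# Constructed, simplified stand-in for GUVUACC: (user, class or None, object, role).
GUVUACC_SIMPLIFIED = [
    ("BANSECR", "BAN_SECURITY_C", "GSASECR", "BAN_DEFAULT_M"),  # class name assumed
    ("AJONES", "BAN_SECURITY_C", "GSASECR", "BAN_DEFAULT_Q"),
    ("JSMITH", "FIN_ADMIN_C", "FOMPROF", "BAN_DEFAULT_M"),
    ("APPSVC", None, "FOMPROF", "BAN_DEFAULT_M"),                # direct grant outside any class
]


def powerful_default_roles(users, role_privs):
    """(grantee, role, account status) for USR_DEFAULT_M/_Q assigned as a DEFAULT role."""
    status = dict(users)
    hits = [(grantee, role, status.get(grantee, "UNKNOWN"))
            for grantee, role, _admin, default in role_privs
            if role in POWERFUL_DEFAULT_ROLES and default == "YES"]
    return sorted(hits)


def security_form_writers(object_access):
    """Users holding a write role on each security maintenance form."""
    writers = {form: set() for form in SECURITY_FORMS}
    for user, _cls, obj, role in object_access:
        if obj in SECURITY_FORMS and role in WRITE_ROLES:
            writers[obj].add(user)
    return {form: sorted(names) for form, names in writers.items()}


def direct_object_grants(object_access):
    """(user, object) pairs granted directly rather than through a Banner Class."""
    return sorted((user, obj) for user, cls, obj, _role in object_access if cls is None)


def audit(users=DBA_USERS, role_privs=DBA_ROLE_PRIVS, object_access=GUVUACC_SIMPLIFIED):
    """Run all three checks and return them keyed by check name."""
    return {
        "powerful_default_roles": powerful_default_roles(users, role_privs),
        "security_form_writers": security_form_writers(object_access),
        "direct_object_grants": direct_object_grants(object_access),
    }


if __name__ == "__main__":
    for check, result in audit().items():
        print(f"{check}: {result}")
```

Who knows the BANSECR password itself is not visible in any of these exports and has to be established by inquiry, as the deck says; the script only shows which accounts can reach GSASECR through a class or direct grant.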
User Authorization Documentation
› Consider how the entity documents user access:
  • By Role/Object or by Class?
› Consider whether specific “access levels” (i.e. classes) are requested and that requests are not for access “like” an existing user.
Periodic Review/Reauthorization
› Consider auditing how management monitors Banner access:
  • Review of classes granted to users
  • Review of terminated user access
  • Review of objects granted directly to users

Banner & Oracle are “tightly coupled” –
creates security enhancements & risks.

Banner security can be bypassed
through poor Oracle database security

Third-party applications may require
extra audit effort to understand; don’t
forget about SOC/SSAE 16 Audit Reports!
Questions?

Jeff White – Jeff.White@cot.tn.gov

Timothy Hollar – Tim.Hollar@cot.tn.gov