IBM Software Group
Enforcing security in a Software as a Service application:
Enforcing Role Based Access Control using WebSphere Portal Server & Tivoli Directory Server
IBM Developer Skills
© 2007 IBM Corporation
Welcome to the IBM Software as a Service demonstration series. In this series, we
will demonstrate a set of architectural patterns exploiting features in IBM
middleware to build Software as a Service solutions.
SaaS Demo Series – The Banking Application
Enterprise Scenarios
 Building Multi-Tenant Applications using WebSphere Portal Server
 Composing Multi-tenant User Interfaces using WebSphere Portlet Factory
 Designing a Multi-tenant Data architecture using DB2 V9
 Enforcing Security in a Software as a Service application
 Building a multi-tenant user registry using WebSphere Portal Server & Tivoli Directory Server
 Enforcing Role Based Access Control using WebSphere Portal Server & Tivoli Directory Server
 Securing Workflows using WebSphere Process Server & Tivoli Directory Server
developerWorks | Software as a Service
The Software as a Service demo series includes 7 demonstrations based on a fictitious
“Banking Application”.
Each demonstration shows a scenario in “The Banking Application” which addresses
some technical challenges relevant for building a Software as a Service solution.
This demo is part of the scenario describing “How to Enforce Security in a Software
as a Service application”.
In particular, this demo will show how to enforce Role Based Access Control using
WebSphere Portal Server & Tivoli Directory Server.
Technical Challenge Addressed in this Demo
 How can you prevent the user population of one tenant from accessing the virtual portal for another tenant?
 How can you enforce role based access control for different tenants for the user interface layer?
 How can you enforce role based access control for human tasks in the workflow layer?
The scenario “Enforcing security in a Software as a Service application” demonstrates
3 approaches for addressing 3 technical challenges:
1. How can you prevent the user population of one tenant from accessing the
virtual portal of another tenant?
2. How can you enforce role based access control for different tenants for the
user interface layer?
3. How can you enforce role based access control for human tasks in workflows?
In this demo we will look at the second technical challenge.
Multi-Tenant Bank Environment
A PoC delivered as a SaaS
Shared Portal server instance with
 Tenant specific virtual portals &
 Multiple roles per tenant
Bank Service Provider Administrator
 On-board Bank
 Provision Bank
 Manage Master Bank Administrators
 Manage Banks
Configure with dynamic profiles
Bank Administrator
 Add/Delete Bank Customers
 View Bank Customers
 Update customer profile
Bank Employee
 Perform Teller operations
 Approve Loans
Bank Customer
 Account transfers
 View Interest Rates
 Apply for Bank Loan
 Review Loan Status
We present a security scenario in the context of a fictitious multi-tenant banking
application. The banking application shares a single instance of WebSphere Portal
Server with different virtual portals for different tenant banks. The virtual portals
include a set of portal pages and portlets for each bank. The set of portal pages
and portlets viewable by a user of the banking application depends on the role of
the user.
Two of the roles supported in this banking application are: Bank Administrator and
Bank Customer. These roles are defined for each tenant bank.
Each role has a set of operations permitted for users in that role. For example,
only a bank administrator is allowed to update the customer profile for that bank’s
customers.
These operations are available to a bank user through specific portlets such as the
customer profile portlet for updating the customer profile.
In this demo, we will show how WebSphere portal access control features can be
exploited to restrict the set of portal pages and portlets that a particular user
can access based on the role of the user.
<Start of demo>
Different user groups are configured in the common LDAP user registry for the bank for
both the bank administrator and the bank customer roles.
Let’s look at the Bank1 domain, and the groups within Bank1.
Here is a list of the user groups defined.
We can see bank1admins and bank1users.
The user group bank1users includes the bank1 users, for example, b1u1.
The user group bank1admins includes the bank1 administrators, for example, b1a1.
Now we log in to the bank1 portal as bank1 user b1u1 and see that the portal page “Retail
Banking” is accessible to bank users.
Next we log in to the same portal as bank1 administrator b1a1,
and we see that the portal page “Retail Banking” is not accessible to bank administrators.
The portlets and portal pages accessible to the banking administrator role are different
from those for the banking end user role. We will show how to configure Portal access
control to enforce this separation.
First, we log in to the Portal page as the portal administrator.
We go to the Administration tab.
Then we navigate to the User and Group Permissions page in the Access category.
Next, in the User groups page, we search for all the available groups in the user registry.
Here, we see that there are different groups for bank managers, bank employees and bank
users for each bank.
Next we click on bank1users to specify the portlets and pages which are accessible to
bank1users.
We navigate under pages to the “Retail Banking” page in the “My Portal” portal for
bank1.
Here we see the predefined security roles in WebSphere Portal for any portlet, for example,
Manager, Editor, Privileged User and User, with varying levels of capabilities.
In our case, we feel that these Portal roles provide sufficient authority for the bank1
user group, and hence we explicitly assign them.
Next we log in to bank1’s portal page as user b1u1. User b1u1 belongs to the bank1users
group.
Here we see that the “Retail Banking” page is visible to b1u1 along with all the portlets
on that page.
Next we log in to bank1’s portal page as user b1a1. User b1a1 belongs to the bank1Administrator
group.
Here we can see that the “Retail Banking” page is not visible to b1a1, however the Bank
Administration page is.
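As an added example (not part of the demo and not IBM's code), the following Python model shows the access-control decision the demo configures through the portal administration UI: group membership in the shared LDAP registry, page-level role assignments per virtual portal, and an audit check that no user's groups span two tenants, which is what keeps bank1's population out of bank2's virtual portal. The group names, users, pages, tenant naming convention and the role ranking are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed data modelled on the demo's names (bank1users, b1u1, ...); this is
# an illustrative model, not WebSphere Portal's own API or configuration format.
ROLE_RANK = {"User": 1, "Privileged User": 2, "Editor": 3, "Manager": 4}  # assumed ranking

# LDAP-style group memberships in the shared user registry (constructed).
GROUP_MEMBERS = {
    "bank1users": {"b1u1", "b1u2"},
    "bank1admins": {"b1a1"},
    "bank2users": {"b2u1", "b1u2"},  # b1u2 deliberately leaked into bank2's group
    "bank2admins": {"b2a1"},
}

# Page-level role assignments per virtual portal: (tenant, page) -> {group: role}.
PAGE_ACL = {
    ("bank1", "Retail Banking"): {"bank1users": "User"},
    ("bank1", "Bank Administration"): {"bank1admins": "Editor"},
    ("bank2", "Retail Banking"): {"bank2users": "User"},
}

GROUP_PATTERN = re.compile(r"^(bank\d+)(users|admins)$")  # assumed naming convention

def tenant_of_group(group):
    """Derive the tenant ('bank1') from a group name such as 'bank1users'."""
    match = GROUP_PATTERN.match(group)
    return match.group(1) if match else None

def groups_of(user):
    return {g for g, members in GROUP_MEMBERS.items() if user in members}

def effective_role(user, tenant, page):
    """Strongest portal role the user holds on the page through any group, or None."""
    acl = PAGE_ACL.get((tenant, page), {})
    roles = [acl[g] for g in groups_of(user) if g in acl]
    return max(roles, key=ROLE_RANK.__getitem__) if roles else None

def visible_pages(user, tenant):
    """Pages in a tenant's virtual portal on which the user holds any role."""
    return sorted(p for (t, p) in PAGE_ACL if t == tenant and effective_role(user, t, p))

def cross_tenant_members():
    """Audit check: users whose groups span more than one tenant (should be empty)."""
    tenants = defaultdict(set)
    for group, members in GROUP_MEMBERS.items():
        for user in members:
            tenants[user].add(tenant_of_group(group))
    return {u: sorted(ts) for u, ts in tenants.items() if len(ts) > 1}
```

Running the audit against a real registry export would replace `GROUP_MEMBERS` with the groups read from the directory; any user reported by `cross_tenant_members` holds roles in two tenants' virtual portals at once.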
Conclusion
 Use the portal access control feature in WebSphere Portal Server for protecting portlets and portal pages in a software-as-a-service application
In conclusion, we have shown how to use portal access control for protecting portlets
and portal pages using WebSphere Portal Server and Tivoli Directory Server.
Ready to Go Further With IBM?
Learn more.
 Join the SaaS Community
Register for PartnerWorld: http://www.ibm.com/partnerworld/join
Select Software as a Service as an interest area
Network with other SaaS business partners at SaaSpace.com
Deploy faster.
 Visit the Virtual Innovation Center (VIC)
Take the SaaS Education Courses
Fill out the VIC Project Profile for a no-charge technical assessment and custom enablement road-map
Market your SaaS Solution
 Qualify for the SaaS Specialty
Receive additional marketing resources and benefits
www.ibm.com/partnerworld/saas
IBM has innovative resources and programs to help you manage change & become relevant
in the Software as a Service market. Whether you’re an ISV, System Integrator or
Reseller, we can provide education, support and benefits to help you grow revenue
and differentiate yourself.
The first step will be to join the SaaS community. You will automatically be kept
aware of new SaaS technical benefits and workshops and get the enablement help that
you need to transform your application for delivery in the IBM Software as a Service
model.
Then, as a member of the IBM SaaS community, you can register at the Virtual Innovation
Center (VIC), where you will get personalized access to product support and education
to help build your Software as a Service knowledge and skills.
As an Advanced level member of PartnerWorld, you have the opportunity to gain access
to additional marketing and sales support by qualifying for the Software as a Service
(SaaS) specialty.
For more information, visit our main site at www.ibm.com/partnerworld/saas.