Clarity Security Models That Work

advertisement
Clarity Security
Models
Clarity Security Models That Work
www.regoconsulting.com
Phone: 1-888-813-0444
Class Description
Creating a security model that is overly complex and difficult to
modify and maintain is easy to do when trying to implement
tight security within Clarity. In this session, you will learn
some key concepts when designing and implementing
security. Additionally, Rego’s team of experts will share tips
and tricks for automating security, as well as ways to monitor
the Clarity rights that individuals have.
2
www.regoconsulting.com
Phone: 1-888-813-0444
Quick Poll
● What’s your comfort level with security concepts?
● What’s your comfort level with security strategies?
● Do you have an established Clarity system or are you newly
implementing?
● What do you hope to get out of this class?
● What real world issues with your security model would you
like to resolve?
● What do you want to share? What have you lived through to
tell the tale?
3
www.regoconsulting.com
Phone: 1-888-813-0444
Agenda
● Security Overview
● Terminology
● The 9 paths to giving a right
○ Pro’s and Con’s of each
●
●
●
●
●
●
Automatic vs. Manual Rights
Explicit vs. Implied Prerequisites
Weird rights
Security Quiz
Tips on creating a security model
How to analyze and overhaul an existing security model
4
www.regoconsulting.com
Phone: 1-888-813-0444
5
Technical vs. Application Security
● Technical Security (Before you get logged into Clarity)
○ Server Level: VPN, Firewall, etc.
○ Database Level: Data Encryption, Password Protect Files
○ User: Passwords Tied To Global Authentication
● Application Security (Once you have logged into Clarity)
○ Restrict Data (restrict who can see certain projects or resources) –
View and Edit, Portlets and Reports
○ Restrict Functions (restrict who can see a link or portlet) – Processes,
Jobs, Objects, Administration
○ Clarity is a cumulative “Rights” based security model.
5
www.regoconsulting.com
Phone: 1-888-813-0444
6
Partitions vs. Security Rights
● Why would you use partitions vs. traditional security?
1. Partitions
•
•
Advantage: Can secure even administration within the tool, so the only way
to see another organization’s data is by querying the DB directly.
Advantage: Can have completely different (There are additional items that
can be partitioned, but these are the ones that are really used):
»
»
»
»
»
Object user-defined attributes (fields)
Object views (Properties, List Column, and List Filter)
Lookup values
Portlets and Processes
Note: Reports, Jobs, and NSQL queries cannot be partitioned, so security groups are still
needed even if partitions are used.
2. Security Groups and OBS Rights
•
•
Advantage: Lower cost to administrate and setup
Advantage: Can collaborate on projects – giving access to resources in both
organizations.
6
www.regoconsulting.com
Phone: 1-888-813-0444
7
Security Architecture
OBS
Rights
Group
Global
Rights
OBS Level
Instance
Rights
Person
Automatic
Rights
7
www.regoconsulting.com
Phone: 1-888-813-0444
Terminology
● “Principal”
○ Who has the right? Which specific user or which
groups of users?
• A specific single user could be given a right = Resource
right
• An arbitrary set of users can be grouped into a Security
Group and given a right = Group right
• Or , since users are already grouped together by the
OBS that they are in, a right could be given to an OBS
grouping of users = OBS Principal right
 The OBS has to associated with Resources and enabled
for security
8
www.regoconsulting.com
Phone: 1-888-813-0444
Terminology
● “Target”
○ What does the user (or set of users) have rights over?
• The Principal can have rights over a specific record in the Clarity
system (rights over a specific project or rights over a specific user)
= “Instance Rights”
• Since records are usually grouped together by their OBS
assignment, then a Principal can have rights over a set of records
that are grouped together the record’s OBS setting
 The OBS does not have to be security enabled (that setting is for the Principal
side of rights
• Or a Principal can have rights over all records of a particular kind (over all
Projects, over all Applications, etc)
9
www.regoconsulting.com
Phone: 1-888-813-0444
The 9 (or 25) paths to giving a right
So 3 Principal kinds times 3 Target Kinds = 9 “paths” to granting a right to
someone over something. Examples:
● Resource Bob has a right over Instance “Project X”
● Resource Sarah has a right over all Applications in OBS “Department X”
● Resource Joe has a right over every single Resource in the System (Global)
● The PM Group has a right over Instance “Portlet X”
● The Dept Z RM Group has rights over all Resources in Department Z’s OBS
● The Admin Group has rights over all Processes Globally
● Everyone in OBS X has rights over a certain Project (Instance) for tracking
Admin Time in that OBS
● Everyone in OBS X has rights over projects in that same OBS
● Everyone in the PMO OBS has rights over all Projects Globally
10
www.regoconsulting.com
Phone: 1-888-813-0444
Pro’s and Con’s of the 9 Paths
● OBS Principal Rights
○ Handy because it saves time creating a group that represents a group
of resources that are already in an OBS
○ If someone is added to a group – they automatically get certain rights.
This could be good or bad (anyone with ability to change a resource’s
OBS could change them to any OBS and thus get those rights)
○ Performance issues sometimes occur – more logic to analyze
especially if using “Modes”
○ Often better to automate the synching of OBS’s with Groups
11
www.regoconsulting.com
Phone: 1-888-813-0444
Pro’s and Con’s (cont’d)
● OBS Target Rights
○ Performance Issues, especially if using Modes
• Especially if doing OBS Principal over OBS Target rights
● Not simple to set up
○ No relative rights in Clarity. Can’t say “all users in any OBS can do X in their
OBS”. You have to go to each node on the Principal side and map it to the
Target side
○ Every OBS change means updating and remapping OBS to OBS
● Workaround
○ There is a single security view in Clarity that does not perform well. Any
OBS and instance rights are added to this single view and used when you
call for @SECURITY@ in a portlet. If you have lots of OBS rights, it will slow
down performance vs. global rights. If you can do global view – do it. If
not, can write custom security call to improve performance.
12
www.regoconsulting.com
Phone: 1-888-813-0444
Pro’s and Con’s (cont’d)
● Resource and Instance rights
○ Can be done temporarily for exceptional situations
○ Must be tracked or the right will linger off the radar beyond the time it
should have
○ Processes are available or can be built to automatically grant. Make
sure they automatically revoke as well.
● Global rights
○ Best performance – no logic to take care of, but benefit can be
counter-balanced if their screens will also pull back all data (example:
Timesheet Approver right can slow down their ability to even enter up
their own time)
13
www.regoconsulting.com
Phone: 1-888-813-0444
Automatic vs. Manual
● We’ve been demo’ing Manual ways of granting rights
○ Manual giving a right to a Principal over a Target
● There are also automatic rights
○ Example: if you are marked as another user’s RM you get to edit their
calendar
○ Two kinds of automatic rights
• Revocable
 Resource – Enter Time (for themselves)
• Irrevocable
 User Favorites Menu - Edit
14
www.regoconsulting.com
Phone: 1-888-813-0444
Implicit vs. Explicit Pre-requisites
● Some rights are useless without another right (example: does
no good to give someone the rights to create Security Groups
if they can’t get to the Admin side of the system)
● Therefore the other right has to be given
○ Sometimes Clarity will automatically (implicitly) give the pre-requisite
Rights [will not show in list of rights in the UI]
• Example: Give someone “Administration – Authorization” to manage
rights of other users and groups and they will get Administration access
but doesn’t show in list of rights
○ Sometimes Clarity will NOT automatically give the pre-requisite right
and you must Explicitly grant it for the original right to mean anything
• Example: “Administration – Partition Models” – means nothing unless you
manually also give “Administration Access”
15
www.regoconsulting.com
Phone: 1-888-813-0444
Weird rights
● Collaborator Manager rights
○
Doesn’t show in security model screens. Only the current Collaboration Manager can make someone else a
Collaboration Manager
● Incident Security
○
In order to gain access to incidents, incident categories must be created within the administration section
(Data  Incidents). Next, a person/group/OBS can be given rights to manage or select the incident category.
● Sub-page Security
○
The first step is to mark a sub-page as “secure”. This action will create two rights within the security
administration section – “edit” and “view” for that subpage. These rights can then be given to a
person/group/OBS.
● Field Level Security
○
○
○
○
Read Only Field
• A field can be made read-only. This is useful when it is populated by a process or auto-numbered
Locked Field
• A field can be locked or unlocked by the process at certain point(s) in the object lifecycle.
Calculated Field
• The editable field can be put on a secure subpage, then a calculated field (based on the editable field)
can be displayed on the main subpage – having the appearance of being read-only
Dependent Lookup Field
• This is only available in later versions, but it is possible to have one lookup field display values based
on the value of another lookup field on the same object. This will need to be done with query based
lookups.
16
www.regoconsulting.com
Phone: 1-888-813-0444
17
Quiz Time
1. You want to give RMs the rights to add their people onto any project
2. You want to give resources the ability to update % complete on tasks
3. You want to create a set of dashboard links based on the role people have –
some of the portlets are the same between RM and PM
4. You want to have only finance be able to open a project for time entry
5. You want to have the stage field controlled by a process where no one can
update (but later the users will come back asking to allow the PMO to
manually update the stage, then lock again)
6. You want to give RMs the right to edit the time of the people that report to
them
7. You want to give executives the rights to see all projects but edit none
8. You want directors to have view rights to all, but edit rights only to their
organization for resources and projects
9. You want the business to only be able to see ideas they sponsor
10. You want one business unit to select from 3 project types, while another
selects from 2 of the same and one different type
11. You want to give ability for local admins to reset passwords
17
www.regoconsulting.com
Phone: 1-888-813-0444
Tips on Creating a Security Model
18
www.regoconsulting.com
Phone: 1-888-813-0444
Steps to Implement a Security Model
1.
Understanding what each right means
○ The 9 paths
○ The definition of each right
○ Understand licensing implications of different rights
2.
Define Security Roles
○ Not same as Primary Role or their Security Groups
○ Theoretical, not in the system
○ Example: Timesheet user is not a Primary Role and it may mean membership
3.
4.
Pick a philosophy (will discuss later)
Do it on paper first (your security model design)
○ Can use ootb groups as suggestions or material to brain chew on but you will
likely not use them.
19
www.regoconsulting.com
Phone: 1-888-813-0444
Steps to Implement a Security Model
5. Set up the model in Clarity
○ Can be done concurrent with other implementation coding
○ Create dummy data
○ Create dummy users – one per “role” (not same as a group)
6. Look at dummy users in Licensing Portlets
○ Challenge any discrepancies to published PDF’s
○ Do the math of license implications of your current design
7. Log in as dummy user and Test and simulate
○ Can you see what you should in that role?
○ Can you NOT see what you shouldn’t see (often neglected in test scripts)
20
www.regoconsulting.com
Phone: 1-888-813-0444
Exposure Philosophies
● Underlying Philosophies
○ Open by default, restrict only when needed
○ Closed by default, open only when absolutely needed
○ Blended
• Open by default for everything but Financial information (pay grades, rates,
etc) which should be fully closed
● Choice of philosophy
○ Often driven by standards and compliance (SOX)
○ Otherwise – blended approach works best. Closed by default creates
overhead for the Support team that isn’t proven to be necessary. Also
causes system to have to run more logic to determine access.
• This means Global rights but within the limits of their licensing (no need to
give timesheet users the rights to manage projects if they don’t)
● Auditing versus Security
○ If someone is just worried that someone else will alter a field and no one
will know who did, then consider auditing
• Too much auditing can cause performance issues on some versions of Clarity
21
www.regoconsulting.com
Phone: 1-888-813-0444
Licensing Implications
● Licensing Portlets
● Audit them periodically and compare results to licensing PDF’s
to validate what the portlet seems to be saying
22
www.regoconsulting.com
Phone: 1-888-813-0444
23
Feedback on Security – Pain or Gain
● What areas are causing you pain in security?
● What are some lessons learned in security?
● Other questions?
23
www.regoconsulting.com
Phone: 1-888-813-0444
Overhauling an Existing Security Model
● Why?
○ Licensing problems (under or overutilized licenses)
• Clarity doesn’t warn you when you just increased your license usage to a
new level
○ User complaints about speed of getting access they need
○ The support team has lost track of what’s going on and who
can/should see what and not see what
○ Maintaining the model is too time consuming
24
www.regoconsulting.com
Phone: 1-888-813-0444
How to analyze and overhaul an
existing security model
● Collect pains
○
○
○
○
Not just your own!
Your end users
Your support teams’
Your stakeholders
● Run licensing portlets to see if you have a problem there (or
underutilized licenses) when compared to your licensing
agreement
● Derive a paper security model design to represent what
should be in the system if you don’t have one.
○ If you do have one, update it
● Query the database to extract the real world data model
○ Pivot tables useful
25
www.regoconsulting.com
Phone: 1-888-813-0444
Overhauling an Existing Security Model
(cont’d)
● Compare reality to the design and fix the paper design to
match what was really needed or make a plan to modify
reality to match the design (or both)
● Review the collected pains and incorporate their resolution
into your model design
● Execute any remediation plan in non-Prod first
● Run licensing portlet to see if all is now well in Non-Prod
● Whenever modifying the model – test, test, test
○ Ex: Don’t assume that a right given to an OBS principal will work same
exact way when given to a User Group
26
www.regoconsulting.com
Phone: 1-888-813-0444
Overhauling an Existing Security Model
(cont’d)
● Dummy users for testing or logging in as sample users
● Testing includes performance testing in a large user-base
system
● UAT is good so users aren’t surprised
● After implementing into Prod, run License Portlets again
27
www.regoconsulting.com
Phone: 1-888-813-0444
Improving Maintenance
● Overhaul security model to make it easier (steps already
covered)
● Automation
○ Turnkey – RegoXchange
○ Roll your own
● Federating access control
○ Or at least authorization
28
www.regoconsulting.com
Phone: 1-888-813-0444
Other tips
● If you change or add something to the system (enhancements like new
portlets or objects), remember to think through the security implication
○ Who should be able to create this kind of object? Edit it? Run it?
○ Often forgotten
• To grant rights to new subobjects
• To use rights to control the ability to see subpages
● When your develops code something, use record-level security
○ Running a portlet right is different than only showing the rows that the user is
supposed to see
● Give feedback to CA
○ There is often a workaround that you can get used to but it is still a work around
○ GUC, Ideas, Product Advisory Council
● Periodically audit compliance to your security model design
○ And do a license comparison and compare to your last audit
● When upgrading – test, test, test
○ War story – pay grade exposed when an explicit requirement became implicit
29
www.regoconsulting.com
Phone: 1-888-813-0444
Other tips (cont’d)
● Define your process for granting rights
○ Have an authorization step(s)
• But include rules for what is always ok and no need for authorization
○ Include a step to check the user’s license level before and after
30
www.regoconsulting.com
Phone: 1-888-813-0444
Questions
Contact US
Thank you.
888.813.0444
Email Contact
info@regoconsulting.com
Web Site
www.regoconsulting.com
31
www.regoconsulting.com
Phone: 1-888-813-0444
Download