8.1 Lawson Security Overview Del Dehn Product Manager.
-
Upload
imogene-bell -
Category
Documents
-
view
218 -
download
0
Transcript of 8.1 Lawson Security Overview Del Dehn Product Manager.
8.1 Lawson Security Overview
Del DehnProduct Manager
Agenda
• Security domains• Upgrade considerations• Summary• 8.1 Technology project update• Questions and answers
Lawson Security Domains
8.1.0 Technology Security Domains
• User management
• Authentication
• Authorization
Lawson Security
AuthorizationAuthentication/Single sign-on
ResourceManagement
Lawson Security
• Business process focused security
• Central repository for security administration (Resources)
• Organizational modeling (Roles)
• Rules builder (Rules)
• Single sign-on
• Additive security paradigm
• Database auditing (front-end, back-end sign-on)
Lawson Security: Design Features
• Designed as a centralized service – Callable by all Lawson layers
• Roles and Rules based – An industry prevalent approach
• Driven by user and corporate information – Flexible security to accommodate the customer’s business
structures
• Administration tool for policy modeling– Test new structures or security policies
• Attribute based security– Same concept as attributes in LDAP structures
• Fine grained securable objects– For example, field level security
User Management
User Management Domain
Lawson Resource Management
• Central repository for globally interesting data– user name, email address and roles
• Create custom attributes
• Structure – organizational chart modeling
• Non-organizational chart structures allowed
Organizational Modeling: Changes for Individuals
S m a ll C o m p a n y, In c.
P ro je ct M an a g er S e n io r P ro g ram m er
C IO
C o n tro lle r
C F O
C E O
Project Manager is promoted to CFO
“Roles” domain
LDAP ServerMicrosoft
ADAM 2003
Changes to structures can be made in a “drag and drop” fashion
Organizational Modeling: Changes for Groups
B ig C o m pa n y, In c.
M a rke tingM a na g er
M a rke tingM a na g er
M a rke tingM a na g er
M a rke tingM a na g er
D ire c to r o f M arke ting
S a lesM a na g er
S a lesM a na g er
S a lesM a na g er
S a lesM a na g er
D ire c to r o f S a les
V P o f S a les V P o f M a rke ting
C E O
Director of Marketing with all of his/her directly reporting Marketing Managers is moved to the direct supervision of the newly created position of VP of Marketing
LDAP ServerMicrosoft
ADAM 2003
“Roles” domain Changes to structures can be made in a “drag and drop” fashion
Resource Management: Structure
Authentication
Authentication Domain
Lawson Authentication 8.1.0
– Single Sign-on
– Database (DB) user authentication
– Session management
– Secure credential storage
– Identity management
Single Sign-on for End Users
Authorization
Authorization Domain
The new Lawson Security model
• Business process focused• Rules and Roles based• Granular security checking• Object oriented• Flexible policy modeling
– Allows organizational modeling for security
– Allows attribute driven policies
– Element based policies
• Allows for distributed administration
Authorization: Roles and Rules
• Roles– Organizational roles
– Organizational structures
• Rules– Rules builder
– Simple or complex
• Rules written for Roles govern the security privileges
of end-users assigned to a Role(s)
Benefits of Role-Based Security
• Transparency– User’s roles are defined by business needs– Security classes and privileges are defined by business tasks
• Stability– Access needs for a task do not change often– User’s roles change more frequently
• Efficiency– Changing access for a given task accomplishes changes for
all affected users
Lawson Security: New Rules
• Rules apply to “securable objects”– Product lines– System codes– Forms and their fields– Drill Around®– Tables and the columns in a row– Environment objects – printers, etc.
Security Rules
• Rules can be unconditional– Grant All Access/Deny Any Access– Builds fast, efficient access control lists
• Rules can be unconditional but allow limited access– Inquire only, for example
• Example– ADD_EMPLOYEE class:
EMPLOYEE table: ALL_ACCESS
(users that are employees can view their own information)
Conditional Rules
• Data can be secured based on attributes of the user– If (user.getAttribute(‘Department’)== ‘HR’) then ‘IACD’ else ‘I’
(if user is in HR Department, then can change information)
• Data can be secured based on the data values– If (table.EMPLOYEE == user.getEmployeeId()) then ‘IACD’ else ‘I’
(user can change own information and see all others)
• Data can be secured using other kinds of functions– Time of day, database reads, etc.
New Security Model
Rules express security policies- Rule execution allows or denies access to a securable object
Security Classes group rules for common tasks- Constitutes a task oriented privilege pack
Multiple security classes to Roles- Easy creation of Roles with overlapping functionalities
Multiple Roles to users- Allows for multiple responsibilities
A Security Policy Illustration
Users Roles SecurityClasses
SecurableObjects
Jane
John
Steve
Mary
Employee
HR Manager
Payroll Manager
Payroll Clerk
Employee Info
Manager Info
Payroll Access
Form HR11
Check Printer
Note: Users can be assigned multiple Roles simultaneously
Lawson Security Securable Objects
Deny Access to a Form Field
Security “Off” – All Form Transfers are Available
*
Secured: Form Transfers are Hidden
Upgrade Considerations
Lawson Security: 8.1 release
• Provides security for all Lawson Portal based products– LAUA security – not required
– Security extensions (Ex. HR security) - not required
• Lawson Security and LAUA security can operate
concurrently– Lawson Security – Lawson Portal Users ONLY
– LAUA security – Lawson Portal Users and LID users
– Each end user must be secured by only one security mechanism,
not both
Transitioning to 8.1 Lawson Security
• Security mechanism assignment per end user
• Enables phased migration from LAUA security to
Lawson Security
• Migration from LAUA to Lawson Security by:– End user
– Role
– Group
– Structure
– Etc.
• Not a “Big Bang” approach
Lawson 8.1 Technology Release
• 8.1 Technology = Environment, Internet Object
Services (IOS) and Lawson Portal
• 8.1 Technology will support:– 8.1 Applications
– 8.0.X Applications
• Existing or upgrading 8.0.X Applications customers
are not “cut off” from implementing 8.1 Technology
• 8.0.X Applications customers can utilize 8.1
Technology features without needing to upgrade to
8.1 Applications
8.1 Lawson Security: Summary
• Flexibility and power to create security policies based on how your organization does business
• Major components:
–Resource Management and LDAP (roles, structures)
–Authorization (rules engine)
–Authentication and Single sign-on (SSO)
8.1 Technology Project Update
The scheduled release of Lawson 8.1 Technology has been moved to Lawson’s Q1FY06 (June – August 2005) after a recent review of the project’s milestones and metrics.
This release is being measured against the quality standards and milestones of Lawson’s CMMI methodology and whole company readiness metrics. The review indicated that an adjustment to the proposed schedule would not only deliver much improved performance, usability and security, but also a quicker time to benefit for Lawson clients.
Questions?