Session: Security Concerns, Issues and Setup (or the Good, the Bad and the Ugly)
Panelist: Mike Neely, City of Pasadena
Date: Wednesday October 3, 2001
October 2001 Tidemark User's Conference

TIDEMARK SECURITY
Concerns, Issues and Setup... with restricted and view only fields
-or-
THE GOOD, THE BAD & THE UGLY

Should you be here?
If you:
•Have set up security at your organization using Restricted Field and View Only tables,
•Are happy with your current Tidemark security set up, or
•Have no security installed, but don’t feel you need it...
Then you probably don’t need to be here.

What is it?
For the purpose of this session, security is the restriction or limiting of the user’s ability to perform functions (view, add, edit or delete) on the Tidemark system.
This includes:
•Activities
•Fees
•Case information
•Parcel information
•People information
•Valuation information

What will we cover?
This session will explore:
•The initial stages of implementing Tidemark security.
•Assignment of access levels.
•The use of Restricted Field and View Privilege tables.
•The Activity Department table (vs. the Activity User table).
•…and a group discussion following the presentation.

THE GOOD: Why use it?
•Security aids in automating your business/government rules.
•Security can impact data quality.
-Increases reporting validity.
-Saves YOU time.
•Can avert potential disasters.

THE GOOD: Why use it?
•For auditing purposes.
-Almost all government agencies are required to submit to audits.
-Provides accountability.
•For legal purposes.
-Information from Tidemark is sometimes used as evidence; e.g. code violations, etc.
-Information will be scrutinized.

THE GOOD: Capabilities
•Can authorize/prevent users’ ability to add, edit and delete certain functions on cases.
•Can restrict users from viewing/editing specific fields on case screens.
•Can provide varying security levels between casetypes... (see UGLY).

THE BAD: Incapabilities
•Does not provide case-level security. (But didn’t I just say...)
•If a user can add/delete an activity or fee for one type of case, he/she can do the same for any case (and probably much more...)
•Requires a lot of effort and hours to create and maintain a reasonably thorough system.

THE GOOD: Preparing for setup
•Gather ALL users, departments or reps. who will be using the system.
•Group them into logical units (depts., positions, etc.)

Department/Division               Group Name
Fire                              Inspectors, Reviewers
Health                            Inspectors, Reviewers
Housing & Development             Plan Reviewers
P & P / Administration            All staff
P & P / Arts (Cultural Planning)  All staff
P & P / Building                  Inspectors
P & P / Building                  Plan Reviewers
P & P / Building                  Processing staff
P & P / Building                  Supervisors

THE GOOD: Preparing for setup
•Discussion: “What do you need to be able to do on the system (or, what do you do)?”

THE GOOD: Preparing for setup
Determine what types of data to secure.
For instance, Pasadena was concerned with:
•Case screen information
•Case activity information
•Parcel data
•People data
•Fee data
•Valuation data

THE GOOD: Recommendation
It is useful to create a matrix similar to this:

Department/Division               Code  Group Name             ADD ART BLD BMN
Fire                              FIRE  Inspectors, Reviewers  plck AE insp AE plck AE insp AE
Health                            HLTH  Inspectors, Reviewers  plck AE insp AE
Housing & Development             H&DV  Plan Reviewers         plck AE
P & P / Administration            PPAD  All staff
P & P / Arts (Cultural Planning)  PPAR  All staff              AED insp AE arts AE
P & P / Building                  PPBI  Inspectors             insp AE insp AE
P & P / Building                  PPBP  Plan Reviewers         plck AE plck AE
P & P / Building                  PPBC  Processing staff       AED AE AE
P & P / Building                  PPBS  Supervisors            AED AED AED
P & P / Code Compliance           PPCC  Clerical staff         plck AE insp AE plck AE insp AE

THE GOOD: Beginning the setup
The Access Level table:
•All functions are assigned to a level
•Initially, all levels set to 30
JOB #1: Assign all functions to varying access levels based on the organizational authority required for the task

THE GOOD: Assigning Levels to Roles

Department/Division     Group Name             Code  Level
Fire                    Inspectors, Reviewers  FIRE  49
Health                  Inspectors, Reviewers  HLTH  49
Housing & Development   Plan Reviewers         H&DV  39
P & P / Administration  All staff              PPAD  24
P & P / Planning        Supervisors            PPPS  69
Police                  Field Officers         PDPT  39
Public Works            Inspectors, Reviewers  PW&T  39
Water & Power           Plan Reviewers         W&P   39
System Maintenance      Tech Team              SYSM  95
System Administrator    Manager                SYSA  99

THE GOOD: What you’ve done already
What have you done at this point?
•Identified and ranked functions performed by your organization.
•Grouped users according to their functions and authority/level of importance.

THE GOOD: What you’ve done already
How does this help me?
•You already have a functional level of security.
•You have a good understanding of the who, how, when and why of your organization’s activities.
•Your system now reflects more of your business rules.

THE BAD: What you haven’t done
•As it stands, no case-level security.
•If you can add/edit/delete on one casetype, you can do it to all types.
•This holds true for case screen information and case activity information.

THE BAD: What this means
•You have probably given users authority to do more than they need to / you want them to.
•You’re relying on “ignorance security”
•What they don’t know, they won’t try…

THE BAD: Case-Level Security?
•If you really want to provide some degree of case-specific security, it can be done.
•How?

THE BAD: Are you sure????
1. Forward your phone to voicemail.
2. ‘Unvolunteer’ from any committees you’re on.
3. Lock your door, or seal yourself in your cubicle with additional walls.
4. Inform your family you’ll miss dinner for the next, oh, month or so.
5. Open Tidemark Utilities and go to…

THE UGLY: Restricted field and View privilege Tables
What are they?
•Allow you to prevent the viewing and editing of fields on any screen.
•Allow you to give combinations of permissions to users in different departments/groups.
•Allow you to create a certain degree of case-specific security levels in Tidemark.

THE UGLY: Restricted field table
How it works:
•Any field on any case screen can be blocked to any user.
•Once restricted to certain users, the field becomes blank to all others.

THE UGLY: Restricted field table
What’s so hard?
•Entries in the Restricted Field Table actually give permissions.
•By placing a field/department combination in the table just once, it becomes restricted to everyone else until you make a similar entry using their group.

THE UGLY: Restricted field table
What does this mean?

Table Name  Field Name       Department
case_add    add_assign_addr  P&P BLDG PLAN RVW
case_add    add_assign_mail  P&P BLDG PLAN RVW
case_add    add_change_addr  P&P BLDG PLAN RVW
case_add    add_assign_addr  SYSTEM MAINTENANCE
case_add    csm_caseno       P&P BLDG PLAN RVW
case_add    add_assign_mail  SYSTEM MAINTENANCE
case_add    csm_caseno       SYSTEM MAINTENANCE
case_add    add_change_addr  SYSTEM MAINTENANCE
case_add    add_assign_addr  SYSTEM ADMINISTRATR
case_add    add_assign_mail  SYSTEM ADMINISTRATR
case_add    add_change_addr  SYSTEM ADMINISTRATR
case_add    add_assign_addr  P&P/BLDG PROCESSING
case_add    csm_caseno       SYSTEM ADMINISTRATR
case_add    add_assign_mail  P&P/BLDG PROCESSING
case_add    csm_caseno       P&P/BLDG PROCESSING

Hours… & Hours… & Hours… & Hours… & Hours… & Hours… & Hours… & Hours…

THE UGLY: Good side, Bad side
Good news:
•You’ve restricted access to ‘important’ fields to only those who need them.
•You’ve already completed 10,000 entries or more!
Bad news:
•You probably want others to be able to see the info that’s been restricted.
•You haven’t yet secured activities.
•You have, oh, 15,000 more entries to go…

THE UGLY: View privilege table
What does it do?
•Restricted fields are blank.
•To make the field view-only, it must be added to the View Privilege Table.
Again, this means:
•Entering the field / department combos

Table Name     Field Name     Department
case_extended  csm_caseno     P&P/BLDG PROCESSING
case_extended  csm_caseno     P&P BLDG PLAN RVW
case_extended  csm_caseno     P&P/BLDG SUPERVISOR
case_extended  csm_caseno     SYSTEM ADMINISTRATR
case_extended  csm_caseno     SYSTEM MAINTENANCE
case_extended  csm_extension  P&P/BLDG PROCESSING
case_extended  csm_extension  P&P BLDG PLAN RVW
case_extended  csm_extension  P&P/BLDG SUPERVISOR
case_extended  csm_extension  SYSTEM ADMINISTRATR
case_extended  csm_extension  SYSTEM MAINTENANCE
case_extended  csm_sqft_est   P&P/BLDG PROCESSING
case_extended  csm_sqft_est   P&P BLDG PLAN RVW
case_extended  csm_sqft_est   P&P/BLDG SUPERVISOR

•& creating another 10,000 entries…
•There is a small trick using linked files & MS Access.

THE UGLY: A helpful trick…
Try a linked table in MS Access
By linking to the restricted / view tables, you can use Microsoft’s copy command to create new entries… much more efficient!
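
The allow-list behaviour of the Restricted Field and View Privilege tables, as an added example that is not part of the original presentation and is not Tidemark code. It assumes that a field with no Restricted Field entry is governed only by the access level, that a listed group can edit, and that an unlisted group sees the field read-only only when it has a View Privilege entry; the department FIRE INSPECTORS and all rows are constructed.

```python
# Added illustration of the Restricted Field / View Privilege semantics
# described on the slides. Not Tidemark code; sample rows are constructed.
EDIT, VIEW, BLANK, OPEN = "edit", "view-only", "blank", "unrestricted"

def expand(table, fields, departments):
    """Build one (table, field, department) row per combination."""
    return {(table, f, d) for f in fields for d in departments}

def effective_access(table, field, dept, restricted, view_priv):
    """Resolve what one department gets on one field."""
    listed = {d for (t, f, d) in restricted if (t, f) == (table, field)}
    if not listed:
        return OPEN   # field never entered: only the access level applies
    if dept in listed:
        return EDIT   # an entry grants access rather than denying it
    if (table, field, dept) in view_priv:
        return VIEW   # restricted field, but shown read-only to this group
    return BLANK      # restricted field, group not listed anywhere

def audit(table, fields, departments, restricted, view_priv):
    """Full field x department matrix of effective access."""
    return {(f, d): effective_access(table, f, d, restricted, view_priv)
            for f in fields for d in departments}

def blanked(matrix):
    """Cells where a group sees an empty field; review each one."""
    return sorted(cell for cell, access in matrix.items() if access == BLANK)

# Constructed sample: names follow the slide's examples, rows are made up.
DEPTS = ["P&P BLDG PLAN RVW", "P&P/BLDG PROCESSING", "P&P/BLDG SUPERVISOR",
         "SYSTEM MAINTENANCE", "FIRE INSPECTORS"]  # last name is hypothetical
FIELDS = ["add_assign_addr", "csm_caseno", "csm_sqft_est"]
RESTRICTED = expand("case_add", ["add_assign_addr", "csm_caseno"],
                    ["P&P BLDG PLAN RVW", "SYSTEM MAINTENANCE"])
VIEW_PRIV = expand("case_add", ["csm_caseno"],
                   ["P&P/BLDG PROCESSING", "P&P/BLDG SUPERVISOR"])

if __name__ == "__main__":
    matrix = audit("case_add", FIELDS, DEPTS, RESTRICTED, VIEW_PRIV)
    for (field, dept), access in sorted(matrix.items()):
        print(f"{field:16} {dept:20} {access}")
    print("blank cells to review:", blanked(matrix))
```

Running the audit over the real field and group lists before loading entries shows which groups a single new Restricted Field row would blank out.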

THE UGLY: Restricting Activities
Activities can be restricted also... to a degree
•Groups can be prevented from ‘signing-off’ specific activities.
•This is done via the Activity Department or Activity User table.
•Like the R.F. and V.P. tables, individual activities must be associated with each group separately.
•Also, once an activity has been placed in the table, it becomes blocked to every group not included.

THE UGLY: Good side, Bad side
You Have:
•Added any restrictions concerning the addition or deletion of fees…
•Those permissions are still based on the access level table.
You Have Not:
•Restricted the signing off of activities based on department or group.
•Why signing off?

Summary to this point
By completing these steps, you have:
•Established access levels defined by data sensitivity.
•Created role/department-based groups and assigned them specific access levels.
•Restricted viewing and editing specific fields to specific groups or users.
•Restricted signing off of specific activities to specific groups or users.
You do have a functional level of security.

Summary to this point
By completing these steps, you have not:
•Created user-specific access to tasks.
•Implemented true case-specific security.
•Prevented users from adding/deleting cases, activities & fees for casetypes other than their own.
•Utilized Security Groups
•Prevented database access via other programs
Still have to rely upon “ignorance security”.

Discussion: Where do we go from here?
•Has anyone used Security Groups?
•Is there a way to allow specific users access to individual tasks (take the Access Level to the next step)?
•Can we restrict ability to run sensitive reports?

GOOD LUCK