SAP Confidential © 2011 SAP AG. All rights reserved. 1
Why must you never click on an email link?
SBOP Security Strategies
Paul Hearmon
PreSales ‘Data2Design’ Team
April 2013
Agenda
1. Types of Security
2. SBOP Security Model
3. SSO Strategies
4. Personalization Strategies
'Security' covers many areas
Identification (Provisioning): importing external identities into BOE (BusinessObjects Enterprise)
Authentication: proving who you say you are
Authorization: determining what objects you can see, and what actions you can perform in BOE
Confidentiality ("Personalization"): determining what data (rows/columns/cells) you can see in the database
Auditing: determining what information is being accessed, how it's being accessed and changed, and who is performing these operations
Provisioning:
What external identities can we import into BOE?
[Diagram: identity sources feeding BOE: MS Active Directory, LDAP, Database Table]
Authentication:
Proving who you say you are
[Diagram: BOE authenticating against MS Active Directory, LDAP, or a Database Table]
Authorization:
What can you see/do within BOE?
[Diagram: BOE alongside MS Active Directory, LDAP, Database Table]
Personalization (Confidentiality):
What data can you see in the database?
[Diagram: the full database table versus the rows the user sees in BOE]
Database table:
AUSTIN Dinner $10
AUSTIN Shirt $12
DALLAS Ring $30
DENVER Tie $10
AUSTIN Club $15
Rows the user sees (AUSTIN only):
AUSTIN Dinner $10
AUSTIN Shirt $12
AUSTIN Club $15
BIP Security Model
Identification (Provisioning)
BOE Accounts
BOE Security Plugins
Authentication
SSO
Authorization
The BOE Model: Access Control Lists (ACL)
Confidentiality (“Personalization”)
BOE - Identities
BOE Accounts
Nothing more than a 'shell' that contains Aliases
Aliases
Can be 'Enterprise': created and managed within the BOE system by BI Administrators
Or 3rd Party: imported from external identity management systems, e.g. Active Directory, SAP
A BOE Account may contain multiple Aliases
Security Plug-ins Provide Provisioning, Authentication and Authorization
“Enterprise” Aliases / authentication
Default authentication mechanism
For customers who do not want to leverage an external system
Allows for hybrid security model
External integration with user directories
Active Directory
LDAP SunOne Directory Server, IBM Secureway, Novell eDirectory, Lotus Domino Directory
SAP, JD Edwards and Peoplesoft Role imports
Supports both authentication and authorization
Users authenticate using their external credentials (username and password)
Security can be applied to external groups for role based deployments
LDAP/AD Security Plug-In
Basic user authentication work flow for external directories
* AD CMS Security Plugin must run on Windows O/S
AD Security Plug-in
Much more powerful than the simple LDAP plug-in
Uses Windows ADSI rather than LDAP protocol
Supports multiple domains natively
Supports SSO into BOBJ clients
Out-of-the-box
No 3rd party IDM necessary
Supports down-to-the-database SSO in Kerberos-enabled databases
MS SQL Server
MS Analysis Services
Oracle RDBMS
HANA
Supports end-to-end SSO
Authentication required even for Offline Access
Authorization
CMC: Centralized Security for all Products
Centralized security reduces TCO
Single point of administration
Leverage 3rd party security databases – authentication and authorization
Delivers deployment scalability
Full range of security requirements: group inheritance, document, row level
Actions are Audited
[Diagram residue: Business User, Developer]
Security Model
Fine grained access control for authorization
Set rights using ACLs (Access Control Lists)
Centralized web based administration using CMC (Central Management Console)
Control access to resources
Set object level access
Can inherit from parent objects for simple administration
Control access to applications
Set system wide access for users to applications
Web, Desktop and CMC
[Diagram: Groups and Users (group membership performed in LDAP) are granted Rights on Folders and Objects]
Groups
"Enterprise" Groups
Groups fall under two categories:
Content Access (Folders)
Functional Access (Applications)
Best Practice: wrap mapped 3rd party groups with Enterprise Groups
Maintains rights should the external group disappear
Allows for a hybrid security model:
Coarse-grained departmental groups mapped in from external sources
Fine-grained functional groups created & managed by BO Administrators
Object Level Rights
Security Right
Grants or denies access to a particular action
Granted, Denied, Inherited, and Undefined
Access Levels
Apply to all objects and enforced by the CMS (Central Management Server)
Examples: View, Edit, Modify rights, Schedule, …
Custom Rights
Apply to specific objects for which they are defined
Examples: Refresh Reports Data, Export Reports Data, Download Report Files
Custom Access Levels
Allow roles to be defined that align to your business
Microsoft Impersonation:
AD Domain Controller to Your Workstation
[Diagram: the AMERICAS domain controller authenticates the user AMERICAS\phearmon (password shown as xxxxxxx) at the workstation]
Microsoft Impersonation:
Workstation to Server Propagation
[Diagram: IE on the workstation passes the AMERICAS\phearmon identity to the web server, whose IIS threads run as AMERICAS\phearmon]
Microsoft Impersonation:
Server to Server Propagation
[Diagram: the AMERICAS\phearmon identity is propagated from the IIS threads through the database middleware (DB M/W) to the database]
'Silent Sign On' to Portal
[Diagram: Client -> Web Server -> Web App Server -> BOE Server; the user opens http://myBI/InfoView]
Allowing a user to go straight through to the Home Page without seeing a login page
Cross-site request forgery (CSRF)
http://infoview/BI/Launchpad?delete_all_my_reports=true
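The URL above is the deck's illustration of CSRF under silent sign-on: the browser attaches the already-established session to whatever link is clicked, so a GET that performs an action runs as the signed-in user. As an added example (not code from the original deck, and not BOE's own implementation), this Python snippet shows the server-side checks that make such a link harmless; the request shape, the header names and the `csrf` form field are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

@dataclass
class Request:  # assumed minimal request shape for the illustration
    method: str
    path: str
    query: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)

STATE_CHANGING = {"delete_all_my_reports"}   # actions that must never run from a link
TRUSTED_ORIGINS = {"http://infoview"}        # the portal's own origin (from the slide URL)

def issue_csrf_token(session):
    """Store a fresh random synchronizer token in the signed-in user's session."""
    session["csrf"] = secrets.token_hex(16)
    return session["csrf"]

def same_site(url):
    """True only when scheme and host of the browser-asserted origin are ours."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}" in TRUSTED_ORIGINS

def authorize_action(req, session):
    """Return (allowed, reason). The session is already there because SSO signed the
    user in silently, so the browser sends it with any link the user clicks."""
    if not (STATE_CHANGING & (set(req.query) | set(req.form))):
        return True, "read-only request"
    # 1. A link in an e-mail is always a GET: never let a GET change state.
    if req.method != "POST":
        return False, "state change via GET refused"
    # 2. The Origin (or Referer) the browser sends must be our own site.
    if not same_site(req.headers.get("Origin") or req.headers.get("Referer", "")):
        return False, "cross-site origin refused"
    # 3. The form must carry the session's synchronizer token (constant-time compare).
    token, expected = req.form.get("csrf", ""), session.get("csrf", "")
    if not token or not hmac.compare_digest(token, expected):
        return False, "missing or wrong CSRF token"
    return True, "ok"

def demo():
    """Constructed requests: the slide's link, a cross-site form post, a legitimate post."""
    session = {"user": "AMERICAS\\phearmon"}
    token = issue_csrf_token(session)
    link = Request("GET", "/BI/Launchpad", query={"delete_all_my_reports": "true"})
    cross_site = Request("POST", "/BI/Launchpad", headers={"Origin": "http://other.example"},
                         form={"delete_all_my_reports": "true"})
    legit = Request("POST", "/BI/Launchpad", headers={"Origin": "http://infoview"},
                    form={"delete_all_my_reports": "true", "csrf": token})
    return [authorize_action(r, session)[0] for r in (link, cross_site, legit)]
```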
SSO Strategies
LogonToken / SessionToken
SiteMinder
Trusted Authentication
Active Directory SSO-into-the-Client (via Kerberos/Vintela)
Active Directory SSO-down-to-the-database (via Delegation/Kerberos)
SiteMinder
1. User requests Infoview URL through browser
2. User is redirected to Siteminder authentication page
3. User enters credentials which are verified with AD/LDAP directory for web application access
4. LDAP responds that user credentials are valid
5. Siteminder returns token and UID
6. Siteminder agent enters token and UID in HTTP header and authorizes access to Infoview application directory.
7. Web App Server creates Enterprise session with CMS providing Siteminder token and UID.
8. CMS validates with Siteminder policy server validity of token and UID
9. Siteminder policy server replies that token and UID are valid, user is authorized in CMS
10. CMS does read-only lookup of user group membership
11. LDAP provides user group membership.
12. CMS returns requested objects to Web App Server
13. Web App Server returns Infoview page to user
14. Web Server returns HTML from InfoView to user.
Trusted Authentication
We delegate the responsibility of authentication to a third party
Typically a web server plug-in that talks to an identity management tool
Thereby 'Trusting' it to provide an authenticated username to us
We take the username and just log them in, no questions asked
No password needed
Or more accurately:
We bypass the authentication phase
But we still authorize the user (i.e. get their groups)
Trusted Authentication has proven to be very popular with our customers, including many security-conscious banks who are quite comfortable using this feature in their infrastructures.
Basic SAML Integration
BOE can act as a SAML Relying party
Consumes SAML Assertions
Scrapes Principal name from assertion
But currently unable to set rights within BOE according to a Principal's Attributes
Security revisited: SAP-based Personalization
Tight integration with SAP security and authorization roles
SSO via SAP logon ticket supported (or third party)
Authorization Roles applied to each user regardless of SSO mechanism
[Diagram: BOE users Dave, Mary, Paul, Susan; BOE impersonates 'Paul' in SAP (userID='Paul'); SAP holds city='AUSTIN' for Paul (sourced from LDAP); the full table is filtered to Paul's AUSTIN rows]
Database table:
AUSTIN Dinner $10
AUSTIN Shirt $12
DALLAS Ring $30
DENVER Tie $10
AUSTIN Club $15
Rows Paul sees:
AUSTIN Dinner $10
AUSTIN Shirt $12
AUSTIN Club $15
Row-Level Security: Non-SAP Personalization
Custom attributes stored in external authorization system
Additional attributes can be captured and used to set:
Groups within BOE (Authorization)
Custom database-level row-level restrictions (Access Restrictions)
Custom User Attributes
[Diagram: BOE users carry a custom attribute 'city' (CHICAGO, NEW YORK, AUSTIN, DALLAS, AUSTIN, AUSTIN); for userID='Paul' with city='AUSTIN' the full table is filtered to AUSTIN rows]
Database table:
AUSTIN Dinner $10
AUSTIN Shirt $12
DALLAS Ring $30
DENVER Tie $10
AUSTIN Club $15
Rows Paul sees:
AUSTIN Dinner $10
AUSTIN Shirt $12
AUSTIN Club $15
Dimensional Entitlement Tables
Personalization rules are maintained using tables in the database
[Diagram: the user tells BIP "I am Paul"; BIP sends the database: select * from table where username = 'Paul'; result: Paul can only see Product 'XYZ']
BIP passes a 'claim' (typically the username) that was given to it down to the database within the SQL WHERE clause
Database Metadata: Oracle VPD, Teradata Query Banding
Personalization rules are maintained using database metadata
[Diagram: the user tells BIP "I am Paul"; BIP logs on to the database as / impersonates 'Paul'; result: Paul can only see Product 'XYZ']
BIP logs on/impersonates the user's identity, and the rules (maintained by the DBAs) filter the user's perspective of the data
BI Tools Metadata
Personalization rules are maintained in the BI Tool's metadata
[Diagram: the user tells BIP "I am Paul"; BIP sends the database: select * from table where product = 'XYZ'; result: Paul can only see Product 'XYZ']
BIP constructs the necessary SQL WHERE clause to restrict the data
Claims-based Assertions
Personalization rules are maintained in an external IdM
[Diagram: the user tells BIP "I am Paul"; the Identity Management System supplies Paul's entitlements to BIP; BIP sends the database: select * from table where product = 'XYZ'; result: Paul can only see Product 'XYZ']
BIP is given the entitlements (possibly using SAML), then constructs the necessary SQL WHERE clause to restrict the data
Personalization Strategy Types
Maintained in the database - in database tables
Simple to manage by authorized users via a data-driven GUI or via ETL jobs
Linked into the BI Tool's semantic layer
Open (can be used by any query tool)
Maintained in the database's metadata
Managed by the DBAs
Transparent to the BI Tool
Open (can be used by any query tool that supports Stored Procedures invoked at login)
Maintained in the BI Tool's metadata
Managed by the BI Administrators
Closed: only available to the query tool
Maintained somewhere else?
IdM (Identity Management System)?
Assertions are 'Pushed' down into BOE at logon time (Claims-based / SAML)
Universe Personalization Strategies
Dimensional Entitlement Tables: BO_USER Attribute; Custom User Attributes
Data Security Profiles/Business Security Profiles: 'Universe Access Restrictions' (XI 3.x) a.k.a. 'Universe Overrides'
Windows Impersonation: powerful but doesn't work for scheduled reports
Database personalization: SAP BW AA7 (Analysis Authorization 7); Oracle VPD, Oracle Proxy; DB/2; Teradata Query Banding (Trusted Sessions)
Secondary Credentials (DBUSER & DBPASS)
Other Personalization Strategies
BI Publisher: personalization using BO Profile rules; useful for external delivery options
VTS (View Time Security): legacy Crystal Reports feature
Both operate on static, cached information and rely on the BI Engine to perform personalization
Dimensional Entitlement Tables
Simple, Single-domain (applied to a single Dimension only):
USER  ACCESS
Al    NW
Alice SW
Alice SE
Alice NE
Jerry SW
Jerry NW
Multi-domain (maintains entitlements to multiple Dimensions in a single table):
USER  DOMAIN  ACCESS
Alice Office  SW
Alice Office  SE
Alice Office  NE
Ed    Channel C
Ed    Channel D
Ed    Product F
Emma  Office  NE
Jerry Office  SW
Jerry Office  NW
Jerry Channel F
Jerry Channel E
Max   Product BU
Max   Product BL
Dimensional Entitlements – Universe Integration
Allows us to easily integrate the Universe into your existing entitlement rules
SEC_ENTITLEMENTS
WHERE region IN
(SELECT access FROM sec_entitlements WHERE user = @variable('$BO_USER$'))
1. You build a Universe Object* (e.g. "Store Name") that includes the WHERE clause above
2. The special variable @variable('$BO_USER$') is replaced at run-time with the user's BOBJ Account name, e.g. "ALICE":
WHERE region IN
(SELECT access FROM sec_entitlements WHERE user = 'ALICE')
3. The sub-SELECT returns all the entitlements for Alice (i.e. "SW, SE, NE"):
WHERE region IN ('SW', 'SE', 'NE')
*Actually, this would be performed as a self-join on the dimensional table, so that all objects based on that table have the restriction applied – but people tend to find it easier to visualize the process if I begin by applying it to an object
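Steps 1 to 3 above, together with the earlier Dimensional Entitlement Tables slide, describe one mechanism; as an added example (not the deck's or SAP's code) here it runs end to end in Python over an in-memory sqlite3 database with a constructed sec_entitlements table (the single-domain rows from the slides) and a constructed stores dimension. The universe performs the @variable('$BO_USER$') substitution itself; the example binds the account name as a query parameter instead, which is an assumption here and keeps the name from altering the SQL.

```python
import sqlite3

ENTITLEMENTS = [  # constructed from the "Simple, Single-domain" table on the slides
    ("Al", "NW"), ("Alice", "SW"), ("Alice", "SE"), ("Alice", "NE"),
    ("Jerry", "SW"), ("Jerry", "NW"),
]
STORES = [  # constructed dimension rows: (store_name, region, sales)
    ("Austin Downtown", "SW", 120), ("Denver Mall", "NW", 80),
    ("Boston Harbor", "NE", 95), ("Atlanta Plaza", "SE", 60),
]

def build_db():
    """In-memory stand-in for the warehouse holding SEC_ENTITLEMENTS and the dimension."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sec_entitlements (user TEXT, access TEXT)")
    db.execute("CREATE TABLE stores (store_name TEXT, region TEXT, sales INTEGER)")
    db.executemany("INSERT INTO sec_entitlements VALUES (?, ?)", ENTITLEMENTS)
    db.executemany("INSERT INTO stores VALUES (?, ?, ?)", STORES)
    return db

# The SQL the universe object carries (step 1). The '?' marks where the universe
# resolves @variable('$BO_USER$') at run time (step 2); it is bound as a parameter
# here so the account name is data, not SQL text.
STORE_QUERY = """
SELECT store_name, region, sales FROM stores
WHERE region IN (SELECT access FROM sec_entitlements WHERE user = ?)
ORDER BY store_name
"""

def entitled_regions(db, bo_user):
    """Step 3: what the sub-SELECT yields for this account (SW, SE, NE for Alice)."""
    rows = db.execute("SELECT access FROM sec_entitlements WHERE user = ?", (bo_user,))
    return sorted(r[0] for r in rows)

def stores_for(db, bo_user):
    """Rows the account sees once the restriction is applied. An account with no
    entitlement row gets an empty IN list and therefore no rows (fails closed)."""
    return db.execute(STORE_QUERY, (bo_user,)).fetchall()
```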
Custom User Attributes: BI 4.0 FP3 (SP4+) Enhancement
New Page in the CMC to list and administer Custom User Attributes
[Screenshot: attributes populated from an LDAP attribute ('city'), or from the CMC or SDK]
Custom User Attributes: BI 4.0 FP3 (SP4+) Enhancement
Value of Custom User Attributes for each user is displayed in the CMC, in the user properties dialog
Administrator can explicitly enter the value for Custom User Attributes defined in the CMS repository
Values retrieved from LDAP and SAP data source are displayed
Values can be used to pass down parameters to entitlement tables
Entitlement tables no longer have to be defined at 'user' granularity (can now be much higher)
Access Restrictions (XI 3.x)
Allows us to define entitlement rules directly into our Semantic Layer
Data Security Profiles (BI 4.x)
Data Security Profiles can be defined only for relational universes
Data Security Profiles are the equivalent of classic universe access restrictions
Connection Data Security Profile
Replaces a connection by another one
In case of a multi-source universe, each connection can be independently replaced.
Ability to drill into connection folders
Business Security Profiles (BI 4.x)
A Business Security Profile can be used to define what a user/group can see in the query panel.
It can be used to grant or deny:
• Business layer views
• Business layer objects
Denied views and objects are not displayed in the Query Panel
Data/Business Security Profiles - Benefits
Can be set individually or at group level
Faster than Dimensional Entitlement Tables
Incur less load on the database since the entitlements are set directly in the semantic layer (i.e. already 'known') and do not need to be discovered via a sub-SELECT before every query.
Can be programmatically created/modified via the 'BI Platform Enterprise SDK'
Business Views' VTS (View Time Security)
A Crystal Decisions concept
Implemented using Business Views
A report instance is refreshed against the database using no personalization rules
Filtering of the data is performed on-the-fly at view time
Think: similar to 'Publisher' but filtering performed at view time rather than in batch
Limitations
Only available for CR and none of the other content types on the BI Platform
Uses deprecated functionality (i.e. Business Views)
No formal sizing guidelines from Product Group
Users view a potentially stale snapshot of the data (i.e. a filtered report instance)
Undecided (as of May 2013) when it will be ported into .UNX Universes
Certainly not in the BI 4.1 timeframe
Oracle VPD
Oracle/Universe DBMS_SESSION
With an ORACLE database you can use connection initialization to take advantage of fine-grained access control (also known as Virtual Private Database – VPD).
The Oracle security context is defined using Oracle's CLIENT_IDENTIFIER session variable to filter the data returned to the user.
The DBAs get to define what rights to rows and columns that user has.
Oracle VPD – How BIP Uses It
Fires off a stored procedure immediately upon connecting to the Oracle instance using the ConnectInit Universe parameter.
We can use it to set the identity of the user for that particular session
Everyone logs on under a generic account, say 'scott/tiger', then fires off a stored procedure to say, 'actually this is Paul'.
Secondary Credentials (DBUSER & DBPASS)
Limited practical value
Ask yourself, "How will you keep the DBPASS variable in sync as the user's database credentials expire?"
• Yes, you can set the DBPASS programmatically using the SBOP Enterprise SDK, but with what?
• Obtaining the user's password is a tough obstacle
• Obtaining it programmatically is almost always impossible. IdMs will allow you to reset a user's password, but rarely retrieve it (except for SiteMinder).
• Asking the users to keep them in sync is impractical
Explorer Personalization Strategies
Explorer can use Personalization InfoSpaces to dynamically filter user result sets at run-time
BWA: Combination of one Analysis Authorization Object + Personalization InfoSpaces
HANA: Analytic Privileges
Advanced Personalization – Column Masking
Two approaches
'All or Nothing': two columns; one masked, one unmasked
'Row-by-row': UNIONed
Example: 123-45-6789 unmasked, xxx-xx-6789 masked
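Both masking approaches from the slide, as an added example (not code from the deck or from SAP) over constructed data in an in-memory sqlite3 database: 'Row-by-row' UNIONs an unmasked SELECT over the rows the account is entitled to with a masked SELECT over the rest, and 'All or Nothing' keeps two columns and the semantic layer grants the account only one of them. Table, column and account names are constructed.

```python
import sqlite3

CUSTOMERS = [  # constructed: (customer, region, ssn); the masked form is derived below
    ("Fred", "SW", "123-45-6789"), ("Wilma", "NW", "987-65-4321"),
    ("Barney", "SW", "555-12-3456"),
]
ENTITLEMENTS = [("Alice", "SW"), ("Jerry", "NW")]  # constructed sec_entitlements rows

def mask(ssn):
    """The slide's mask: keep only the last four digits."""
    return "xxx-xx-" + ssn[-4:]

def build_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (customer TEXT, region TEXT, ssn TEXT, ssn_masked TEXT)")
    db.execute("CREATE TABLE sec_entitlements (user TEXT, access TEXT)")
    db.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)",
                   [(c, r, s, mask(s)) for c, r, s in CUSTOMERS])
    db.executemany("INSERT INTO sec_entitlements VALUES (?, ?)", ENTITLEMENTS)
    return db

# Row-by-row: entitled rows come from the first branch unmasked, every other row
# from the second branch masked. An account with no entitlements sees only masked rows.
ROW_BY_ROW = """
SELECT customer, ssn AS ssn_display, 0 AS masked FROM customers
WHERE region IN (SELECT access FROM sec_entitlements WHERE user = ?)
UNION ALL
SELECT customer, ssn_masked, 1 FROM customers
WHERE region NOT IN (SELECT access FROM sec_entitlements WHERE user = ?)
ORDER BY customer
"""

def row_by_row(db, bo_user):
    return db.execute(ROW_BY_ROW, (bo_user, bo_user)).fetchall()

# All or nothing: the table carries both columns; the Business Security Profile grants
# the account either the 'ssn' object or the 'ssn_masked' object, so the column is
# chosen from that fixed pair by the grant, never from user input.
def all_or_nothing(db, unmasked_granted):
    column = "ssn" if unmasked_granted else "ssn_masked"
    return db.execute(f"SELECT customer, {column} FROM customers ORDER BY customer").fetchall()
```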
Windows Impersonation:
End-to-End SSO & Personalization
[Diagram: Client -> Web Server (optional) -> Web App Server -> BOE Server -> DB Server; the identity "Fred" is carried end-to-end to the database]
Database table:
Fred Dinner $10
Fred Shirt $12
Wilma Ring $30
Barney Tie $10
Fred Club $15
Rows Fred sees:
Fred Dinner $10
Fred Shirt $12
Fred Club $15