Banner VBS (FGAC): Concepts and Techniques
Banner VBS (FGAC): Concepts and Techniques
Real-world examples, with emphasis on how design can enhance security, functionality and ease of support.
– Russ Wade, Banner Security Specialist, Wichita State University
Why FGAC is important from a Student records standpoint.
– Michelle Barger, Associate Registrar, Wichita State University

Banner VBS (FGAC): Concepts and Techniques
• Overview of Value Based Security (VBS) - Ellucian’s implementation of FGAC for Banner
• Process to create a VBS (FGAC) restriction for INB
• Business Profile design to ensure FGAC managed access is “restricted unless granted” rather than “granted unless restricted”
• Using Banner Class membership as criteria for FGAC restrictions
• Making FGAC criteria table-driven
• Preventing users with Select Any Table privilege from seeing sensitive data

Overview of Value Based Security (VBS) - Ellucian’s implementation of FGAC for Banner
• FGAC provides a row-level security mechanism
• It works by appending a WHERE predicate to SQL statements
• This “filters” what data can be seen or operated upon
• The Ellucian Support Center Banner General Documentation Library “Banner General Data Security Handbook” has chapters on Value-Based Security and FGAC Reference that are very helpful

Process to create a FGAC (VBS) Restriction
• Banner VBS or FGAC is a useful tool for customizing access
• Requires caution since it changes the access behavior of tables underlying Banner forms and processes
• For this reason, realistic and complete testing is important

Careful definition of the business requirement and testing by content specialists is important for the success of FGAC development
Step in Process                   Effort   Area with Primary Responsibility
--------------------------------  ------   --------------------------------
1. Define Business Requirement    30%      Functional Area
2. Research and Proof of Concept  20%      Technical Area
3. Programming                    15%      Technical Area
4. Testing                        35%      Functional Area

Setup of a simple FGAC restriction
The first step is to define the Business Requirement for what you are going to develop the FGAC restriction for:
“Prevent anyone from deleting Holds.”
You might want this so there is a record of every hold ever placed to refer back to. People can release them, but not delete them.

Screen image of SOAHOLD Banner form

Identifying the table behind the form

Table is SPRHOLD

Banner General Menu displays FGAC Forms
INB General Menu>General>System Functions/Administration:

System Functions/Administration>Fine-Grained Access Control

FGAC Value Based Security Maintenance sub-folder

First setup task is to create a VBS (FGAC) Group

Create an entry in a validation table for the new VBS Group name using the GTVFGAC form

Create FGAC Domain validation table entry using GTVFDMN

Create FGAC Domain Driver Table Rules using GORFDMN

Create FGAC VBS Table Rules entry using GORFDPL

Request DBA to run GFVBSADDPOL.SQL to place Oracle FGAC policies on the table involved
As instructed in the Banner General Data Security Handbook:
“From SQL*Plus run the gfvbsaddpol.sql script while logged in with the BANINST1 User ID. You are prompted for a table name (you can use wild cards). The gfvbsaddpol.sql script is located in the Banner General Plus directory.”
This places the following policies on the specified table:
OBJECT_OWNER OBJECT_NAME POLICY_NAME SEL INS UPD DEL
--------------- --------------- -------------------- --- --- --- ---
SATURN SPRHOLD GOKFGAC_SPRHOLD_INS NO YES NO NO
SATURN SPRHOLD GOKFGAC_SPRHOLD_SEL YES NO NO NO
SATURN SPRHOLD GOKFGAC_SPRHOLD_UPD NO NO YES NO
SATURN SPRHOLD GOKFGAC_SPRHOLD_DEL NO NO NO YES
Add the FGAC predicate for delete to HOLD_DELETE_PREVENTION_VBS using GOAFGAC form

FGAC WHERE Predicate appended to SQL
For example, the SQL submitted by the SOAHOLD form might be something like:
Delete from SPRHOLD where SPRHOLD_PIDM = 123456
and SPRHOLD_HLDD_CODE = 'RH';
The FGAC policy on the SPRHOLD table for the delete function would then append “1=2” as an AND condition:
Delete from SPRHOLD where SPRHOLD_PIDM = 123456
and SPRHOLD_HLDD_CODE = 'RH' and 1=2;
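To make the mechanism behind gfvbsaddpol.sql concrete, here is an added, self-contained Oracle VPD demonstration (not Banner's or Ellucian's code): a policy function that returns '1=2' is registered with DBMS_RLS.ADD_POLICY for DELETE statements only, the counterpart of the GOKFGAC_SPRHOLD_DEL policy in the table above. The DEMO_HOLD table and function names are constructed for this example, and running it requires EXECUTE on DBMS_RLS.

```sql
-- Constructed demo table standing in for SPRHOLD (names are made up for this example).
CREATE TABLE demo_hold (
  demo_hold_pidm      NUMBER(8)   NOT NULL,
  demo_hold_hldd_code VARCHAR2(2) NOT NULL
);
INSERT INTO demo_hold (demo_hold_pidm, demo_hold_hldd_code) VALUES (123456, 'RH');
COMMIT;

-- VPD policy function. Oracle calls it with the owner and table name and appends
-- whatever string it returns to the statement as an extra AND condition.
CREATE OR REPLACE FUNCTION demo_hold_del_pred (
  p_schema IN VARCHAR2,
  p_object IN VARCHAR2
) RETURN VARCHAR2
IS
BEGIN
  -- "1=2" is never true, so a DELETE can never match a row.
  RETURN '1=2';
END demo_hold_del_pred;
/

-- Register the function for DELETE only, matching the policy table above
-- (GOKFGAC_SPRHOLD_DEL: SEL NO, INS NO, UPD NO, DEL YES).
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => USER,
    object_name     => 'DEMO_HOLD',
    policy_name     => 'DEMO_HOLD_DEL',
    function_schema => USER,
    policy_function => 'DEMO_HOLD_DEL_PRED',
    statement_types => 'DELETE',
    enable          => TRUE);
END;
/

-- Whether this comes from a form or straight from SQL*Plus, the policy runs it as
--   DELETE FROM demo_hold WHERE demo_hold_pidm = 123456
--     AND demo_hold_hldd_code = 'RH' AND (1=2);
-- so no row matches and nothing is deleted. The form layer reports that as
-- "Delete Failed. Exactly one row must be deleted".
DELETE FROM demo_hold
 WHERE demo_hold_pidm = 123456
   AND demo_hold_hldd_code = 'RH';

-- Reads are untouched because no SELECT policy was added: the hold is still present.
SELECT COUNT(*) AS holds_left FROM demo_hold;

-- Remove the demo objects.
BEGIN
  DBMS_RLS.DROP_POLICY(USER, 'DEMO_HOLD', 'DEMO_HOLD_DEL');
END;
/
DROP FUNCTION demo_hold_del_pred;
DROP TABLE demo_hold;
```

Because the predicate is attached to the table rather than to the form, the same rewrite applies to any session that reaches SPRHOLD, which is the property the "Select Any Table" section later relies on.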
The “Access to Predicate” tab of the GOAFGAC form specifies when the FGAC restriction will be applied

Create a Business Profile for the Hold Delete Prevention FGAC restriction using the GTVFBPR form

Assign the BUSINESS_PROFILE_FOR_HOLD_FGAC Business Profile to a user using GOAFBPR form

Returning to the GOAFGAC form where we originally saw the need for a Business Profile

Attempting to remove (delete) record on SOAHOLD form
Resulting error displayed at bottom of page:

Errors displayed when FGAC restriction is violated and an operation is prevented
• FGAC - INSERT ERROR = Security violation, transaction not complete
• FGAC - DELETE ERROR = Delete Failed. Exactly one row must be deleted
• FGAC - UPDATE ERROR = Delete Failed. Exactly one row must be deleted

Summary of FGAC example setup steps
1. Create an entry in a validation table for the new VBS Group name using the GTVFGAC form
2. Create FGAC Domain validation table entry using GTVFDMN
3. Create FGAC Domain Driver Table Rules using GORFDMN
4. Create FGAC VBS Table Rules entry using GORFDPL
5. Request DBA to run GFVBSADDPOL.SQL to place Oracle FGAC policies on the table involved
6. Add the FGAC predicate for delete to HOLD_DELETE_PREVENTION_VBS using GOAFGAC form
7. Create a Business Profile for the Hold Delete Prevention FGAC restriction using the GTVFBPR form
8. Assign the Business Profile to the FGAC Group for the select, insert, update and/or delete operation on the GOAFGAC form
9. Assign the BUSINESS_PROFILE_FOR_HOLD_FGAC Business Profile to a user using GOAFBPR form
Some Design Techniques
• Business Profile design to ensure FGAC managed access is “restricted unless granted” rather than “granted unless restricted”
• Using Banner Class membership as criteria for FGAC restrictions
• Making FGAC criteria table-driven
• Preventing users with Select Any Table privilege from seeing sensitive data

Diagram of typical Business Profile use

Diagram of “inclusive” access control scope Business Profile design

Identifying the user to apply FGAC criteria to
• The value of FGAC restrictions rests very much on its ability to enforce role-based access
• I would like to show you a way to determine who the user is and relate them to their data in Banner

Identifying the user to apply FGAC criteria to
The following selects the user name by which the current user is authenticated:
SELECT SYS_CONTEXT ('USERENV','SESSION_USER') FROM DUAL
This can be used to select the user’s PIDM from the SPRIDEN table as
follows:
SELECT SPRIDEN_PIDM FROM SPRIDEN
WHERE SPRIDEN_ID = (SELECT SYS_CONTEXT ('USERENV','SESSION_USER') FROM DUAL)
AND SPRIDEN_CHANGE_IND IS NULL;
Once you have the PIDM, you can apply a variety of FGAC restrictions based upon the user’s Banner data

Using Banner Class membership as criteria for FGAC restrictions
• Remember our simple setup example FGAC predicate?
• What would be a good way to change this to exempt the Registrar and Associate Registrar from this restriction?
GURUCLS security table stores Banner Class membership
DESC GURUCLS;
Name                     Null?    Type
------------------------ -------- -------------------
GURUCLS_USERID           NOT NULL VARCHAR2(30 CHAR)
GURUCLS_CLASS_CODE       NOT NULL VARCHAR2(30 CHAR)
GURUCLS_ACTIVITY_DATE             DATE
GURUCLS_USER_ID          NOT NULL VARCHAR2(30 CHAR)
GURUCLS_COMMENTS                  VARCHAR2(4000 CHAR)
GURUCLS_DATA_ORIGIN               VARCHAR2(30 CHAR)
GURUCLS_USERID stores the user’s Oracle Username
GURUCLS_CLASS_CODE stores the Banner Class name the user is a member of
This gives us an opportunity to use the SESSION_USER to select the Banner Classes of the user who is logged in

FGAC Predicate with Banner Class as criteria
We can then use the following FGAC predicate to exempt users who have the BAN_STUDENT_REG_ADMIN Banner Class from the delete restriction:
-- Exempt user with BAN_STUDENT_REG_ADMIN Banner Class
(EXISTS
(SELECT 'X' FROM BANSECR.GURUCLS
WHERE GURUCLS_USERID IN
(SELECT SYS_CONTEXT ('USERENV','SESSION_USER') FROM DUAL)
AND GURUCLS_CLASS_CODE = 'BAN_STUDENT_REG_ADMIN'
)
)
-- Prevents SPRHOLD Table delete if condition above evaluates false
This predicate only returns true when the user has the required Banner Class.

SESSION_USER is the name the user is authenticated with

SESSION_USER is used to select for the required USERID and Banner Class combination

What this looks like when implemented on the GOAFGAC form

Recap of the value of using Banner Class membership as criteria for FGAC restrictions
• Banner Classes already provide job role based user grouping that does not have to be duplicated using Business Profiles
• When we grant the forms access with Banner Classes, it automatically applies the appropriate FGAC restrictions
• This is both an efficiency and accuracy advantage

Making FGAC criteria table-driven
The solution for the following FGAC restriction involved use of a custom table for the criteria.
Business requirement:
Users may only insert or update Comment Types they have a maintenance qualifying Banner Class for.

SWRCMNT is a custom table created to store Banner Classes that qualify the user to maintain Comment Types
The following lists some entries of the SWRCMNT table to illustrate what type of information it provides:
PERSON COMMENT MAINTENANCE QUALIFYING BANNER CLASSES BY COMMENT TYPE
COMMENT TYPE CODE  DESCRIPTION                    MAINTENANCE QUALIFYING BANNER CLASS
-----------------  -----------------------------  -----------------------------------
100                General Comment                BAN_STUDENT_ACADEMIC_HISTORY
ADV                College Advising Notes         BAN_STUDENT_COMMENT_ADV_MAINT
GRA                Graduate Admissions            BAN_STUDENT_GR_ADM_ASSISTANTS
GAU                Graduate School Degree Audit   BAN_STUDENT_GR_ADM_DEAN
ADV                College Advising Notes         BAN_STUDENT_INQ_ADVISOR
INA                International Admissions       BAN_STUDENT_INTL_ADM_CLERK
OMA                Offc of Multicultural Affairs  BAN_STUDENT_OMA
DEC                Deceased Indicator             BAN_STUDENT_REG_DATA_ENTRY_SEC
FER                FERPA Release                  BAN_STUDENT_REG_DATA_ENTRY_SEC
100                General Comment                BAN_STUDENT_REG_GENERAL
FER                FERPA Release                  BAN_STUDENT_REG_GENERAL
TRN                Transcript Request Notes       BAN_STUDENT_TRANS
UGA                Undergraduate Admissions       BAN_STUDENT_UG_ADM_BUDGET_SEC
UGA                Undergraduate Admissions       BAN_STUDENT_UG_ADM_CLERK
UGA                Undergraduate Admissions       BAN_STUDENT_UG_ADM_DEAN

Description of the SWRCMNT custom table
DESC WSUSTU.SWRCMNT;
Name                 Null?    Type
-------------------- -------- ---------------
SWRCMNT_CMTT_CODE    NOT NULL VARCHAR2(3)
SWRCMNT_CLASS_CODE   NOT NULL VARCHAR2(30)

Person Comment FGAC Predicate
The following FGAC predicate allows users to insert or update any Comment Type they have a Banner Class for, as specified in the SWRCMNT table:
-- Require user have maint qualifying Banner Class for SWRCMNT Comment Type
(EXISTS
(SELECT 'X' FROM WSUSTU.SWRCMNT
WHERE SWRCMNT_CMTT_CODE = SPRCMNT_CMTT_CODE
AND SWRCMNT_CLASS_CODE IN
(SELECT GURUCLS_CLASS_CODE FROM BANSECR.GURUCLS
WHERE GURUCLS_USERID IN
(SELECT SYS_CONTEXT ('USERENV','SESSION_USER') FROM DUAL)
)
)
)
-- Prevents SPRCMNT table insert and update if each condition above fails

Person Comment FGAC Predicate
It looks for Comment Types in the custom SWRCMNT table that match what has been retrieved on the form.

Person Comment FGAC Predicate
It then compares all of the current user’s Banner Class codes from the GURUCLS security table to the custom table Banner Class code that matches the Comment Type retrieved.

Rationale for making FGAC criteria table-driven
• Using a custom table to store lengthy FGAC criteria simplifies the FGAC predicate
• Changes to the criteria can be made to the table rather than to the FGAC predicate
• This reduces the effort and risk of making these changes
• Tables that store FGAC criteria can be used to produce reports that document the setup
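As an added example (not from the presentation), these report and dry-run queries over the SWRCMNT and GURUCLS tables shown above are the kind of setup documentation the last bullet refers to. The bind variables :cmtt_code and :oracle_user are placeholders you supply when running the third query.

```sql
-- 1. Who may maintain which Comment Type: join the criteria table to class membership.
SELECT s.swrcmnt_cmtt_code   AS comment_type,
       s.swrcmnt_class_code  AS qualifying_class,
       g.gurucls_userid      AS oracle_user
  FROM wsustu.swrcmnt  s
  JOIN bansecr.gurucls g
    ON g.gurucls_class_code = s.swrcmnt_class_code
 ORDER BY comment_type, qualifying_class, oracle_user;

-- 2. Criteria rows that currently qualify nobody: a class named in SWRCMNT that has
--    no members in GURUCLS (a mistyped class code, or a class since retired).
SELECT s.swrcmnt_cmtt_code, s.swrcmnt_class_code
  FROM wsustu.swrcmnt s
 WHERE NOT EXISTS (SELECT 'X'
                     FROM bansecr.gurucls g
                    WHERE g.gurucls_class_code = s.swrcmnt_class_code);

-- 3. Dry run of the FGAC predicate for one user and one Comment Type before it goes
--    live on GOAFGAC. :oracle_user stands in for SESSION_USER and :cmtt_code for the
--    SPRCMNT_CMTT_CODE on the form; 1 means the insert/update would be allowed.
SELECT CASE
         WHEN EXISTS (SELECT 'X'
                        FROM wsustu.swrcmnt s
                       WHERE s.swrcmnt_cmtt_code = :cmtt_code
                         AND s.swrcmnt_class_code IN
                             (SELECT g.gurucls_class_code
                                FROM bansecr.gurucls g
                               WHERE g.gurucls_userid = :oracle_user))
         THEN 1 ELSE 0
       END AS would_pass
  FROM dual;
```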

Preventing users with Select Any Table privilege from seeing sensitive data
Immunization information data is deemed sensitive enough to warrant hiding it from power users who have broad select access, but who do not need to see this data. This is reflected in the following business requirement.
Business Requirement:
Restrict select, insert, update and delete access to the GORIMMU immunization information table, using the GOAIMMU form or when accessing the tables directly, to users who have one of the following Banner Classes:
BAN_GENERAL_IMMUNIZATION_ADMIN
BAN_GENERAL_IMMUNIZATION_MAINT
BAN_GENERAL_IMMUNIZATION_QUERY

The following FGAC predicate exempts only the users with the specified Banner Classes

This FGAC predicate is implemented for select, insert, update and delete
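The slide shows the predicate only as a screen image, so here is an added reconstruction (not the slide's own text) built from the GURUCLS pattern used for SPRHOLD, widened to the three immunization Banner Classes, followed by the one check a reviewer should run alongside it. Reading DBA_SYS_PRIVS assumes DBA view access.

```sql
-- FGAC predicate for the GORIMMU domain, entered on GOAFGAC for SELECT, INSERT,
-- UPDATE and DELETE. Same shape as the SPRHOLD example; GURUCLS_USERID is compared
-- directly to SESSION_USER instead of through an IN (SELECT ... FROM DUAL) subquery.
(EXISTS
  (SELECT 'X'
     FROM BANSECR.GURUCLS
    WHERE GURUCLS_USERID = SYS_CONTEXT('USERENV','SESSION_USER')
      AND GURUCLS_CLASS_CODE IN ('BAN_GENERAL_IMMUNIZATION_ADMIN',
                                 'BAN_GENERAL_IMMUNIZATION_MAINT',
                                 'BAN_GENERAL_IMMUNIZATION_QUERY')
  )
)
-- For anyone else the condition is false, so GORIMMU returns no rows to a SELECT
-- and accepts no INSERT, UPDATE or DELETE, even from an account with SELECT ANY TABLE.

-- Check: Oracle applies no VPD predicate to SYS or to accounts granted EXEMPT ACCESS
-- POLICY, so the GORIMMU restriction does not bind them. When the goal is to hide data
-- from power users, list those grantees and confirm each one is expected.
SELECT grantee
  FROM dba_sys_privs
 WHERE privilege = 'EXEMPT ACCESS POLICY';
```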

Miscellaneous Topics
• Using the GOIFGAC form to see the FGAC predicate generated by the system for a particular user
• Example of a FGAC restriction having a large domain
• Restricting Banner Self-Service Access using FGAC
• Documenting FGAC restrictions

Using the GOIFGAC form to see the FGAC predicate generated by the system for a particular user
It is always a good thing to see the FGAC predicate the system generates, just to be sure it is as you envisioned.
You may do this by granting query access to the GOIFGAC form to a test user, and then logging on as that user and viewing the predicate for the domain you are interested in.

Click on the FGAC Icon to see the FGAC predicate generated by the system for a particular user

Enter the Table Name of interest and next block to display the FGAC predicate
In this case, the FGAC predicate for the SPRHOLD Delete operation is displayed

Schedule maintenance as an example of a FGAC restriction having a large domain
The following lists the Schedule domain table and 5 of the 34 child tables:
Domain Code      Domain Validation Table  Domain Driver Tables  Policy Driver SQL
---------------  -----------------------  --------------------  ----------------------------------------------------------------------------------------------------
SB_SCHEDULE_VBS  SSBSECT                  SSBSECT
SB_SCHEDULE_VBS  SSBSECT                  SSBDESC               EXISTS (SELECT 'X' FROM SSBSECT WHERE SSBSECT_CRN = SSBDESC_CRN AND SSBSECT_TERM_CODE = SSBDESC_TERM_CODE
SB_SCHEDULE_VBS  SSBSECT                  SSBFSEC               EXISTS (SELECT 'X' FROM SSBSECT WHERE SSBSECT_CRN = SSBFSEC_CRN AND SSBSECT_TERM_CODE = SSBFSEC_TERM_CODE
SB_SCHEDULE_VBS  SSBSECT                  SSBOVRR               EXISTS (SELECT 'X' FROM SSBSECT WHERE SSBSECT_CRN = SSBOVRR_CRN AND SSBSECT_TERM_CODE = SSBOVRR_TERM_CODE
SB_SCHEDULE_VBS  SSBSECT                  SSBSSEC               EXISTS (SELECT 'X' FROM SSBSECT WHERE SSBSECT_CRN = SSBSSEC_CRN AND SSBSECT_TERM_CODE = SSBSSEC_TERM_CODE
SB_SCHEDULE_VBS  SSBSECT                  SSRATTR               EXISTS (SELECT 'X' FROM SSBSECT WHERE SSBSECT_CRN = SSRATTR_CRN AND SSBSECT_TERM_CODE = SSRATTR_TERM_CODE
These tables are all involved in the Schedule function and must be included in the FGAC restriction

Code to join the SSBDESC table with the SSBSECT driver table
EXISTS
(SELECT 'X' FROM SSBSECT
WHERE SSBSECT_CRN = SSBDESC_CRN
AND SSBSECT_TERM_CODE = SSBDESC_TERM_CODE
This joins SSBDESC to the SB_SCHEDULE_VBS domain and makes it subject to the FGAC restriction for Schedule maintenance
Note that the closing parenthesis is omitted

Restricting Banner Self-Service Access using FGAC
FGAC functions on the Banner Self-Service products. To create the cross reference between a self-service login ID and a Banner ID, you must code the person on the GOAEACC form:
DESC GOBEACC;
Name                    Null?    Type
----------------------- -------- -----------------
GOBEACC_PIDM            NOT NULL NUMBER(8)
GOBEACC_USERNAME        NOT NULL VARCHAR2(30 CHAR)
GOBEACC_USER_ID         NOT NULL VARCHAR2(30 CHAR)
GOBEACC_ACTIVITY_DATE   NOT NULL DATE
GOBEACC_SURROGATE_ID             NUMBER(19)
GOBEACC_VERSION                  NUMBER(19)
GOBEACC_DATA_ORIGIN              VARCHAR2(30 CHAR)
GOBEACC_VPDI_CODE                VARCHAR2(6 CHAR)

Restricting Banner Self-Service Access using FGAC
The GOBTPAC table can be used to find a user’s PIDM using the name they logged into Self-Service Banner with:
DESC GOBTPAC;
Name                       Null?    Type
-------------------------- -------- ------------------
GOBTPAC_PIDM               NOT NULL NUMBER(8)
GOBTPAC_PIN_DISABLED_IND   NOT NULL VARCHAR2(1 CHAR)
GOBTPAC_USAGE_ACCEPT_IND   NOT NULL VARCHAR2(1 CHAR)
GOBTPAC_ACTIVITY_DATE      NOT NULL DATE
GOBTPAC_USER               NOT NULL VARCHAR2(30 CHAR)
GOBTPAC_PIN                         VARCHAR2(256 CHAR)
GOBTPAC_PIN_EXP_DATE                DATE
GOBTPAC_EXTERNAL_USER               VARCHAR2(30 CHAR)
GOBTPAC_QUESTION                    VARCHAR2(90 CHAR)
GOBTPAC_RESPONSE                    VARCHAR2(30 CHAR)
GOBTPAC_INSERT_SOURCE               VARCHAR2(8 CHAR)
GOBTPAC_LDAP_USER                   VARCHAR2(255 CHAR)

Documenting FGAC Restrictions
Since FGAC restrictions can be fairly involved and you do not typically work with them frequently, I would recommend maintaining some form of fairly detailed documentation.
There is a worksheet provided in the Ellucian FGAC documentation that you may want to use.

Questions and Session Participant Experiences with FGAC