aqualogic user interaction security

Post on 20-Jan-2016


DESCRIPTION

AquaLogic User Interaction Security. LiJie Senior SE. Module Roadmap. Users, Groups and Object Access. Knowledge Directory Security. Community Security. Admin Folder Security. Single Sign-On. Portal Users. - PowerPoint PPT Presentation

TRANSCRIPT

ALUI Technique Document

AquaLogic User Interaction Security

LiJie, Senior SE

BEA Confidential | 2BEA ALUI Technique Document, BID China

Module Roadmap

Users, Groups and Object Access

Knowledge Directory Security

Community Security

Admin Folder Security

Single Sign-On


Portal Users

The Portal administrator creates users in the Portal, or syncs users into the Portal

The user can then log in

Each user is defined by an object in the Portal

Example users: George, Keith, Helen, Erica, Ben

Portal Groups

The Portal administrator creates and manages groups

A group has one or more members*

A user belongs to one or more groups

Executive Community Members

Executive Community Managers

1. George

2. Helen

3. Christine

4. Jack

5. Jim

– All these users are in the Executive Community Members group

– Helen is a member of two groups

Portal Objects

Almost everything in the Portal is considered an object

Communities

Subcommunities

Portlets

Administrative folders

Document folders

Documents

Users

Groups …

Every object in the Portal has a list describing who can access that object – it is called an Access Control List (ACL)


Access Control List

An Access Control List specifies which users and groups have access to an object (and what kind of access privileges they have… see next page)

Example ACL entries for the Executive Community: Administrators Group, Executive Community Members, Executive Community Managers, Administrator

Access Privileges

ACLs have privileges that specify what a user/group can do with an object

READ: View the object only

SELECT: Add this object to other objects, e.g., add a portlet to a My Page

EDIT: Create and modify objects

ADMIN: All rights, including delete objects and change object ACLs

If users are not listed on an ACL (access of NONE), they do not know the object exists

Example: ACL for a Community

(Screenshot: a Community's ACL, showing the groups, a user, the object and their access privileges)

Module Roadmap

Knowledge Directory Security

Users, Groups and Object Access

Community Security

Admin Folder Security

Single Sign-On


Security Scenario #1

The Knowledge Directory contains folders and objects (i.e., links to documents) within those folders

A user may be able to see some folders and not see others

If a user cannot see a folder, he cannot see or search for objects within that folder

Both folders and the objects within them are secured with ACLs


Steps: View Document Folder Security

Steps to witness Knowledge Directory security

1. Log in as George, a member of the Executive team, and browse the Knowledge Directory

2. Log in as Keith, a member of Marketing, and view the Knowledge Directory

3. View security on the Document folder and explain what is happening

See next slides for details…

Step 1: Log in as George

Log in as George, who is in the Executive Community Members group


Step 1: Browse the Directory

Choose Directory -> Browse Directory

Click on the Financials subfolder, inside the Executive folder

Step 1: Click a Link to a Document

The contents of the Financials subfolder display

Click on a link to see the underlying content

Click Back

Note that George can Submit links to this folder

Step 2: Log in as Keith

Log in as Keith, who is in the Marketing Community Members group


Step 2: Browse the Directory

Choose Directory -> Browse Directory

The Financials subfolder does NOT appear to Keith

Step 3: View Document Folder ACL

Access Control List for the Financials folder

Conclusion: The group that Keith is in (Marketing Community Members group) is not listed on the ACL; therefore, he cannot see the Financials folder or any documents inside of it. George is in Executive Community Members; he can access, view and submit documents to the Financials folder


Access Levels: Folders, Objects in Folders

What ACLs mean to document folders

NONE: Cannot see folder

READ or SELECT: Can view the folder

EDIT: Can submit or crawl content into folder

ADMIN: Can approve documents for this folder

What ACLs mean on objects in folders

NONE: Cannot see object (search or browse)

READ or SELECT: Can view object

EDIT: Can overwrite object’s properties

ADMIN: Can edit the object’s ACL and delete object

Note: You cannot update the content of a document in the Knowledge Directory


Module Roadmap

Knowledge Directory Security

Users, Groups and Object Access

Community Security

Admin Folder Security

Single Sign-On


Security Scenario #2

Users can access a Community at various levels

Cannot see it at all (don’t know it exists)

Can browse the Community without joining it

Can join the Community and become a “member”

Can edit the Community

Can change the security settings

In scenario #2, you will see the difference between users with NONE, SELECT, EDIT and ADMIN access to a Community

Based on what you know about Access Control List privileges, which privilege (NONE, READ, SELECT, EDIT or ADMIN) do you think corresponds to each of the levels above?

Steps: Observe Community Security

Steps to experience Community security

1. Log in as George, and go to the Executive Community

2. Log in as Keith and (try to) join the Executive Community

3. Log in as Helen and join the Executive Community

4. Log in as Erica

5. View security on the Admin folders and explain what is happening

See next slides for details…

Step 1: Log in as George

Log in as George, who is in the Executive Community Members group

Go to the Executive Community (George is already a member)

Step 1: View the Community


Step 2: Log in as Keith

Log in as Keith, who is in the Marketing Community Members group


Step 2: Join Executive Community

Attempt to join the Executive Community

Choose My Communities -> Join Communities

Since it is not listed, search for Executive Community, then click

Step 2: Join Executive Community

Result: Nothing is returned from Keith’s search because he does not have access to the Executive Community

Click Cancel


Step 3: Log in as Helen

Log in as Helen, who is in the Executive Community Managers group

Go to the Executive Community (Helen is already a member)

Step 3: View the Community

Result: Helen sees the Community and also has the option, Edit This Community; click on this link


Step 3: View Community Security

The Community editor appears … Helen can edit the Community

Click Security


Step 3: View Community Security

Result: Helen can view the security settings of the Community but she cannot change any security settings

Click Cancel

Step 4: Log in as Erica

Log in as Erica, who is in the Portal Managers group

Go to the Executive Community (Erica is already a member)

Step 4: Edit the Community

Result: Like Helen, Erica sees the Community and also has the option, Edit This Community; click on the link


Step 4: Edit the Community

The Community editor appears … Erica can edit the Community

Click Security


Step 4: Edit Community Security

Result: Erica can CHANGE the security settings for this Community -- add and delete users and groups on the ACL, change the privileges

Click Cancel (please do not change any settings!)

(The ACL screenshot marks the groups that Erica, George and Helen each belong to.)

The group that Keith is in (Marketing Community Members group) is not on the ACL … therefore, he cannot view or join the Executive Community

Security Scenario #3

There may be reasons to allow a user to view a Community without joining it

Differences to end user

Does not have to join and become a member

Community does not appear on My Communities tab

In the next example, Keith is in a group that has READ access to the Evergreen Community … see what happens!


Log in as Keith

Log in as Keith, who is in the Marketing Community Members group

Try to join the Evergreen Community

Try to Join Evergreen Community

Search for Evergreen Community

Keith cannot JOIN the Community … but he knows it exists and that he should be able to see it!

Click Cancel

Try to View Evergreen Community

Submit a Portal search … search for Evergreen Community

The Portal returns the Evergreen Community this time…

Click on it

View the Evergreen Community

Result: Keith is allowed to VIEW but not JOIN the Community


Module Roadmap

Knowledge Directory Security

Users, Groups and Object Access

Community Security

Admin Folder Security

Single Sign-On


Access Levels: Administrative Folders

Like Document folders, Administrative folders are secured

What ACLs mean to Administrative folders

NONE: User cannot see the folder

READ or SELECT: User can see the folder

EDIT: User can create objects in the folder

ADMIN: User can delete the folder and change folder security


Steps: View Admin Folder Security

Steps to experience administrative folder security

1. Log in as StudentN and go to the Administration page; Make a note of the folders you can see

2. Log in as Ben and go to the Administration page; Make a note of the folders you can see

3. Log in as Erica and go to the Administration page; Make a note of the folders you can see

4. View security on the Admin folders and explain what is happening

5. As StudentN, try to create an object in an administrative folder

See next slides for details…


Step 1: Log in as StudentN

Log in as StudentN (where N is your student number), who is a member of a group called Students

Go to the Administration page

Step 1: Observe What StudentN Can See

Note that you can see a folder called Community Lab and one subfolder … StudentN, where N is your student number


Step 2: Log in as Ben

Log in as Ben, who is in the Sales Community Managers group

Go to the Administration page

Step 2: Observe What Ben Can See

Note that Ben cannot see the Community Lab or any of its subfolders


Step 3: Log in as Erica

Log in as Erica, who is in the Portal Managers group

Go to the Administration page

Step 3: Observe What Erica Can See

Note that Erica can see the Community Lab folder and many subfolders…


Step 4: View Folder Security

Security for the Community Lab folder

Do you think StudentN or Erica can create anything in this folder? Why or why not?

(The ACL screenshot marks the groups that StudentN and Erica belong to; the folder tree shows Community Lab with its StudentN subfolder.)

Step 4: View Folder Security

Security for the StudentN Folder

Can StudentN create anything in the StudentN folder? Why or why not?

(The ACL screenshot marks the StudentN user entry, where N is your student number; the folder tree shows Community Lab with its StudentN subfolder.)

Step 5: Log in as StudentN

Log in as StudentN (where N is your student number)


Step 5: Go to the StudentN Folder

Go to the Administration page

Click on the subfolder in the Community Lab folder that StudentN can see

Step 5: Create an Object

Advanced Security note: In order to create anything, StudentN also needs activity rights (which you have)! All students have activity rights of Access Administration, Create Community and Create Administrative Folder

Choose Create Object… then Administrative Folder

Name it Test Folder, then click OK

Result: Folder created
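The privilege model this module has built up, from the Access Privileges slide through the document folder, community and administrative folder access levels to the activity-rights note in step 5, as an added Python model. This is illustrative code written for this page, not ALUI or BEA code; the users, groups, ACL entries and object names are constructed to mirror the deck's examples, and the mapping of READ to browsing and SELECT to joining a Community is inferred from scenarios #2 and #3.

```python
from enum import IntEnum

class Priv(IntEnum):  # ALUI privilege levels, ordered so max() picks the strongest
    NONE = 0
    READ = 1
    SELECT = 2
    EDIT = 3
    ADMIN = 4

# Minimum privilege per action, from the deck's "Access Levels" slides. The
# community rows follow scenarios #2 and #3: READ browses, SELECT may join.
REQUIRES = {
    "document folder": {"see": Priv.READ, "submit": Priv.EDIT, "approve": Priv.ADMIN},
    "document": {"see": Priv.READ, "edit properties": Priv.EDIT, "delete": Priv.ADMIN},
    "community": {"see": Priv.READ, "join": Priv.SELECT, "edit": Priv.EDIT,
                  "change security": Priv.ADMIN},
    "admin folder": {"see": Priv.READ, "create folder": Priv.EDIT,
                     "change security": Priv.ADMIN},
}
# Step 5 of the admin-folder lab: creating a folder also needs an activity right.
ACTIVITY_NEEDED = {("admin folder", "create folder"): "Create Administrative Folder"}

GROUPS = {  # constructed data mirroring the deck's users and groups (not real ALUI data)
    "George": {"Executive Community Members"},
    "Helen": {"Executive Community Members", "Executive Community Managers"},
    "Keith": {"Marketing Community Members"},
    "Student1": {"Students"},
}
ACTIVITY_RIGHTS = {"Student1": {"Create Administrative Folder", "Create Community"}}
OBJECTS = {  # name -> (object type, ACL {principal: privilege}, containing folder)
    "Financials": ("document folder", {"Executive Community Members": Priv.EDIT}, None),
    "Q3 results": ("document", {"Executive Community Members": Priv.READ,
                                "Marketing Community Members": Priv.READ}, "Financials"),
    "Executive Community": ("community", {"Executive Community Members": Priv.SELECT,
                                          "Executive Community Managers": Priv.EDIT}, None),
    "Evergreen Community": ("community", {"Marketing Community Members": Priv.READ}, None),
    "Community Lab": ("admin folder", {"Students": Priv.READ}, None),
    "Student1 folder": ("admin folder", {"Student1": Priv.EDIT}, "Community Lab"),
}

def effective_privilege(user, obj):
    """Strongest privilege granted to the user or any of the user's groups; absent => NONE."""
    acl = OBJECTS[obj][1]
    return max((acl.get(p, Priv.NONE) for p in {user} | GROUPS.get(user, set())),
               default=Priv.NONE)

def can(user, obj, action):
    """Hidden folders hide their contents; then minimum privilege and any activity right apply."""
    otype, _, parent = OBJECTS[obj]
    if parent is not None and not can(user, parent, "see"):
        return False
    right = ACTIVITY_NEEDED.get((otype, action))
    if right and right not in ACTIVITY_RIGHTS.get(user, set()):
        return False
    return effective_privilege(user, obj) >= REQUIRES[otype][action]
```

Note that Keith holds READ on the Q3 results document itself but still cannot see it, because he has NONE on the Financials folder that contains it; likewise StudentN can see Community Lab but may only create inside the StudentN subfolder.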

Module Roadmap

Users, Groups and Object Access

Knowledge Directory Security

Community Security

Admin Folder Security

Single Sign-On

Single Sign-On (SSO)

What is SSO and what is it not?

How do SSO products work?

How does ALUI integrate with SSO Solutions?

Working around SSO limitations

Lab Info


SSO – What is it?

What problem is Single Sign-On trying to address?

Enterprises have many Web applications

Separate Web applications require separate login credentials

Managing identity within a topology of many applications is inefficient

What do Single Sign-On vendors sell?

Users log in once to access all enterprise resources

Centralized location for authentication and authorization

Authentication: whether or not a user’s name and password are correct

Authorization: whether or not said user has access to a network resource

Streamlined user experience and global security administration


SSO – The Reality

What does SSO actually provide out-of-the-box?

Virtual directory level authentication and authorization to Web sites

A single place to manage authorization for Web sites

What does SSO NOT provide out-of-the-box?

A way to login to arbitrary vendors’ backend servers

A way to pass login information to a server API

We’ll call it the “Backend Problem”

This is a difficult problem

SSO products do not provide an out-of-the-box solution

Customizations can often provide a solution


SSO – How Do SSO Products Work?

Three main components

Directory Server (LDAP / AD)

“Access Server”

“SSO Gate”

“Access Server” synchronized with Directory Server

User authorization managed on “Access Server”

“SSO Gate” intercepts HTTP requests to Web applications

(Diagram: LDAP directory, Access Server (Oblix, Netegrity), and an SSO Gate in front of the Application Server that hosts the ALUI Portal and another Web application)

SSO – How Do SSO Products Work?

1. The user accesses the ALUI Portal through the browser; the SSO Gate intercepts the user's request.

2. The Access Server displays the security authentication screen to the user through the browser; the SSO Gate requires the user to enter credentials.

3. The credentials are transmitted to the Access Server, which matches them against the user information stored in LDAP / AD.

4. If authentication succeeds, the user is authorized to access the ALUI Portal, and the SSO token persists for the entire user session.

5. After entering the ALUI Portal, the user is no longer prompted for credentials; the system authenticates automatically using the SSO token in the user session.

(Diagram: steps 1 to 5 between the browser, LDAP directory, Access Server, SSO Gate and the Application Server hosting the ALUI Portal and another Web application)

SSO – ALUI Integration

When ALUI detects that the user is entering through single sign-on, it assumes the user has already been authenticated by the system's single sign-on. The browser is redirected to ALUI's dedicated SSO login page, which checks the user name located in the HTTP header. If the user name and credentials are correct, ALUI accepts the SSO token issued by the Access Server. During authentication ALUI tries to match the user across multiple user sources; if there is no matching user, ALUI redirects the user to My Page.

(Diagram: the SSO system, the ALUI Portal and the ALUI SSO page exchanging Request, Redirect, Forward, Authenticate and Logged In messages)

SSO – ALUI Integration

Integration with the login process is complex

When SSO is enabled, Guest access still works if the user clicks Logout

KB Article DA_218443

You protect /portal/SSOServlet

Diagram at the left shows what happens after SSO authenticates and authorizes the user
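The exchange on the two ALUI Integration slides, as an added Python model (written for this page, not ALUI, BEA or any SSO vendor's code): the class names, the SSO_USER header name, the login URL, the cookie name and the directory and user-source data are all constructed assumptions; only the protected path /portal/SSOServlet comes from the deck.

```python
import hmac
import secrets

# Constructed stand-in for the LDAP/AD directory (username -> password). A real
# directory stores password hashes; plain values keep the flow readable here.
DIRECTORY = {"george": "exec-pw", "keith": "mkt-pw"}
# ALUI tries several user sources in turn; two constructed ones, with "keith" absent.
USER_SOURCES = [{"george", "helen"}, {"erica", "ben"}]


class AccessServer:
    """Steps 3-4: checks credentials against the directory and issues the SSO token
    that then lives for the whole user session."""
    def __init__(self):
        self.sessions = {}  # token -> username

    def login(self, username, password):
        expected = DIRECTORY.get(username)
        if expected is None or not hmac.compare_digest(expected, password):
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = username
        return token

    def validate(self, token):
        return self.sessions.get(token)


def sso_servlet(headers):
    """ALUI's /portal/SSOServlet: reads the user name from the header the gate set,
    matches it against each user source, and sends a no-match to My Page (per the deck)."""
    user = headers.get("SSO_USER")
    if user and any(user in source for source in USER_SOURCES):
        return {"status": 200, "logged_in_as": user}
    return {"status": 302, "location": "/portal/mypage"}


class SsoGate:
    """Steps 1, 2 and 5: intercepts every request to the protected URL."""
    def __init__(self, access_server):
        self.access_server = access_server

    def handle(self, request):
        user = self.access_server.validate(request.get("cookies", {}).get("SSOTOKEN"))
        if user is None:  # step 2: no valid token, so prompt for credentials
            return {"status": 302, "location": "/accessserver/login"}
        # Step 5: forward with the asserted identity. Any client-supplied copy of the
        # header is discarded first, which is also why the servlet URL must be reachable
        # only through the gate: the servlet trusts whatever arrives in that header.
        headers = {k: v for k, v in request.get("headers", {}).items() if k != "SSO_USER"}
        headers["SSO_USER"] = user
        return sso_servlet(headers)
```

The Keith case shows the last sentence of the slide: the Access Server authenticates him, but no ALUI user source matches, so the servlet answers with the redirect to My Page rather than a logged-in session.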


SSO – Supported Vendors

5.0J supports three SSO vendors out of the box:

1. Oblix NetPoint

2. Netegrity SiteMinder

• Siteminder Terminology

WebAgent – Intercepts calls to protected resources and Authenticates the user. Sits on Portal Server.

Policy Server – Authorizes the given user to access the given resource. Other restrictions like time can be applied to Policy Server rules.

Directory Server – the user repository


Summary

Portal security works the same for ALL Portal objects (except users) – each has an Access Control List, indicating who can interact with that object and at what level

This module is intended to give you a primer on Portal Security from an end-user perspective

For full coverage of Portal Security, please refer to the Portal Administration 5.0 course or to the E-learning Administration learning modules

ALUI Technique Document

Q&A
