Authorization Scheme -- Best Practices?

Similar Messages

• Command Authorization Config best practice using ACS

  Hi
  Is there any best practices for configuring Command authorization (for router/switch/asa) in CS-ACS? To be specific, is there any best practices to configure authorization for a set of commands allowed for L1,L2,L3 support levels?
  Regards
  V Vinodh.

  Vinodh,
  The main thing here is to ensure that we have backup/fall-back method configured for command authorization, inorder to avoid lockout situation or do wr mem once you are sure configs are working fine.
  Please check this link,
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
  Regards,
  ~JG
  Do rate helpful posts

• SAP HANA Security - Best Practice for Access to Schemas??

  Hi,
  Currently we don'y have a defined Security model in HANA Studio.Neither there is no defined duties of a BASIS / Security / Developers.
  I want to understand what best practices are followed at other customers for defining security for Schema.
  1. Who should be creating the schema for Developers / Modelers?
  2. Should we use our own ID's to create/maintain these Schema or a Generic ID?
  Right now, when developers log in to Studio, by default they are assigned to their own schema (User ID) and they create objects under that.
  We(Security team), face issues when other developers need access to schema of another user as they want to develop objects under schema of different user
  Also, who should be owning the "SYSTEM" user ID and what steps needs to be done whenever a new schema is created.
  Thanks for the help in advance.

  Hi,
  I created a project (JDeveloper) with local xsd-files and tried to delete and recreate them in the structure pane with references to a version on the application server. After reopening the project I deployed it successfully to the bpel server. The process is working fine, but in the structure pane there is no information about any of the xsds anymore and the payload in the variables there is an exception (problem building schema).
  How does bpel know where to look for the xsd-files and how does the mapping still work?
  This cannot be the way to do it correctly. Do I have a chance to rework an existing project or do I have to rebuild it from scratch in order to have all the references right?
  Thanks for any clue.
  Bette

• User Authorization, best practices for this custom application requirement?

  JDeveloper 12c (12.1.2)
  We want to use external LDAP (active directory) with ADF security to authenticate and authorize users.
  One of our custom application requirements is that there is a single page with many interactive components. It has probably about 15 tables and each table would need to have the following buttons (or similar components):
  - delete: (if certain row is selected) to delete it
  - edit: (if certain row is selected) takes user to 'edit page' where changes can be made
  - create: to create new record for this particular VO (table)
  So let's say that would be 3 x 15 = 45 different actions that single user can possibly perform. Not all users have same 'powers' ie some users can only edit CERTAIN tables, and delete from one or two. Most users can create and edit most VOs etc
  Back when this application was originally developed using (I believe) 10g JDeveloper with UIX, the way it was done is that we maintained a table in database with 'user credentials' as Y or N flags.
  For example: DEL_VO1, EDIT_VO1, ADD_VO1....
  So when user is authenticated we would then pull all these credentials from the DB table and load them into the session variables. Then we would use EL to render or not render certain buttons on the page. For example: rendered="#{sessionScope.appDelVo1 == 'Y'}"
  Moving forward into latest ADF technology, what would be the best practice to achieve described functionality?

  Hi,
  ADF BC could have permissions added to the entity level (includes remove and update). So you can create permissions for the entity (as it doesn't matter for data security how data is accessed. If as a user you are nit allowed to change a database table then this is for tables and forms). You can then use EL to check the permission, thus no need to keep the privileges in the database.
  If a user is allowed to update an entity then you can check this using EL in the UI
  <af:inputText value="#{bindings.DepartmentName.inputValue}"
  readOnly="#{!bindings.DepartmentName.hints.updateable}">
  whatch this for a full coverage of ADF Security: Oracle ADF Security Overview - Oracle JDeveloper 11g R1 and R2
  Frank

• Authorization best practices in AS Java

  I have been assigned the responsibility to create an authorization structure on the java stack.
  We would like to create groups with corresponding roles for developers and system administrators.
  Are there any best practices out there regarding this subject?
  I have currently started with looking at the standard actions and roles available in EP and will start from there, any other ideas?

  Dear Colleague,
  SAP NetWeaver Application Server (AS) Java includes the [identity management|http://help.sap.com/saphelp_nw70ehp1/helpdata/en/48/5069e9d6253912e10000000a42189b/frameset.htm] application for administration of users, groups, and roles. This [section|http://help.sap.com/saphelp_nw70ehp1/helpdata/en/48/ad6a169eff35b7e10000000a42189d/frameset.htm] lists administrative tasks, general and specific, for the management of users, groups, and roles.
  Regards
  Alvaro Raminelli

• Authorizations for tasks (R_UC_TASK) / Best Practice SEM-BCS authorization

  Dear Experts,
  I am quite new to authorizations and in particular to SEM-BCS authorization. So I would be happy if you could help me with the following requirement:
  We have to setup an authorization concepts for SEM-BCS. Among others we want to setup authorizations for consolidations tasks using authorization object R_UC_TASK. With this authorization object certain tasks can be restricted to certain characteristic values u2013 e.g. for a certain consolidation group or a certain consolidation unit. We have defined a role each for certain consolidation tasks. These roles are not restricted to any characteristic value yet. We have for instance a role u201Cregional controlleru201D who is allowed to perform certain BCS tasks on a regional level (consolidation unit level). This would mean that we would have to create the role u201Cregional controlleru201D for all consolidation units u2013 see example below:
  Role 1: Regional Controller u2013 Cons. Unit 1000
  Role 2: Regional Controller u2013 Cons. Unit 1100
  Role 3: Regional Controller u2013 Cons. Unit 1200
  Role n: Regional Controller u2013 Cons. Unit n
  We have more than 400 consolidation units. So this would require a high effort. Is there instead a possibility of creating one role based on authorization object R_UC_TASK which just defines which activities can be performed (without restricting access to a certain consolidation unit). , and using second role which defines the consolidation unit access? u2013 see example below:
  A
  Role: Regional Controller
  Role: Cons Unit 1000
  B
  Role: Regional Controller
  Role: Cons Unit 1100
  C
  Role: Regional Controller
  Role: Cons Unit 1200
  In this case we only would have to maintain one role u201CRegional Controlleru201D and we only would have to assign the restriction for the consolidation unit. How could this be realized?  Or do you have any other ideas to solve this requirement in a simple way?
  Moreover I would be happy if you could tell me where I could find best practice scenarios for SEM-BCS authorizations.
  Thanks a lot in advance!
  Best regards
  Marco

  Hello Marco,
  you can enter a master role in the description tab of a role. All fields populated via program PFCG_ORGFIELD_CREATE can be maintained in the role. All other fields will be taken from the master role. So you only need to populate the field for unit with the program.
  Good luck
  Harry

• Best Practice - Securing Schema from User Access

  Scenario:
  User A requires access to schema called BLAH.
  User A is a developer that built an application using this schema in a separate development environment, although has the same privileges mirrored to production (same roles etc - required for operation of the application built).
  This means that the User has roles that grant Select, Update etc rights for the schema / table in order to use (and maintain) the applications.
  How can we restrict access to the BLAH schema in PRODUCTION, enforcing it to only be accessible via middle tier / application (proxy authentication?)?
  We've looked at using proxy authentication, however, it's not possible to grant roles and rights to the proxy account and NOT have them granted to the user (so they can dive straight in using development tooling and hit prod etc)>
  We've tried granting it on a session basis using proxy authentication (i.e. user a connects via proxy, an we ENABLE a disabled role on the user based on this connection), however, it causes performance issues.
  Are we tackling this the wrong way? What's the best practice for securing oracle schemas (and objects in general) for user access where the users actually get oracle user account (or even use SSO) for day to day business as usual.
  To me this feels like a common scenario, especially where SSO comes into play ...

  What about situations where we have Legacy Oracle Forms stuff? In these cases the user must be granted select etc rights to particular objects, as this can't connect via a middle tier.
  The problem we have is that our existing middle tier implementation is built expecting the user credentials to be passed to it during initial authentication and does not use a proxy, or super user style account.  We have, historically, been 100% reliant on Oracle rights and controls to validate and restrict access to our underlying data.  From what you are saying, we should start to look at using proxy or super user access and move this control process further up - i.e. into Code or Packages ?  If so, does this mean that there is no specific way to restrict schema access to given proxy accounts and then grant normal user accounts to connect through these to get access (kind of a delegated access scenario), without using disabled roles?

• "Best Practices" for using different Authentication Schemes ?

  Hi
  We are using different authentication schemes in different environments (Dev/QA/Prod). Changing the authentication scheme between the environments is currently a manual step during the installation. I am wondering if there are better "Best Practices" to follow, where the scheme is set programmatically as part of the build/ load process for a specific environment. ... or any other ideas.
  We refrained from merging the authentication schemes (which is possible) for the following reasons:
  - the authentication code becomes unnecessary complex
  - some functions required in some environments are not available in all environments (LDAP integration through centrally predefined APIs), requiring dynamic execution
  Any suggestions / experience / recommendation to share are appreciated.
  Regards,
  - Thomas
  [On Apex 4.1.0]

  t-o-b wrote:
  Thanks Vikram ... I stumbled over this post, I was more interested in what the "Work Around" / "Best Practices" given these restrictions.
  So I take it that:
  * load & change; or
  * maintain multiple exports
  seem to be the only viable options
  ... in addition to the one referred to in my questions.
  Best,
  - ThomasThomas,
  Its up-to you really and depends on many criteria +(i think its more of release process and version controlling)+.
  I haven't come across a similar scenario before..but I would maintain multiple exports so that the installation can be automated (no manual intervention required).
  Once the API is published +(god knows when it will be)+ you can just maintain one export with an extra script to call the API.
  I guess you can do the same thing with the load & change approach but I would recommend avoiding manual intervention.
  Cheers,
  Vikram

• What is the best practice for connecting to different schemas?

  Hi all,
  We are porting an application from SQL Server to oracle and would like to know what the best practices are in oracle for user connections to an Oracle instance.
  More or less the question could be put like this:
  1) The equivalent of a SQL Server Database in Oracle is a Schema. (more or less)
  2) A specific application has it's own schema where it keeps all related objects (Tables, etc)
  3) In SQL Server you grant access to the Database and its objects (Tables, etc) to all users of the application.
  4) In Oracle do you grant access to the Schema and its objects (Tables, etc) to all users of the application also? Or do all users log
  in as the schema owner?
  So in Oracle if there existed [SchemaApplication].[table1], how would [userChris] and [userDave] query [SchemaApplication].[table1]?
  Would Chris and Dave log in as [userChris] and [userDave], or would they normally log in as [userApplication]?
  finally, is it good practice to log in as a unique user eg [userChris] and then issue the
  alter session set current_schema = shemaApplication;
  command to change the way references to tables are interpreted?

  We are porting an application from SQL Server to oracle and would like to know what the best practices are in oracle for user connections to an Oracle instance.
  More or less the question could be put like this:
  1) The equivalent of a SQL Server Database in Oracle is a Schema. (more or less)
  2) A specific application has it's own schema where it keeps all related objects (Tables, etc)
  3) In SQL Server you grant access to the Database and its objects (Tables, etc) to all users of the application.
  4) In Oracle do you grant access to the Schema and its objects (Tables, etc) to all users of the application also? Or do all users log
  in as the schema owner?There are ways to implement the same.
  Case 1.
  Create different roles, such as APP_ROLE, READONLY_ROLE. Create public synonym for objects in SchemaApplication user. Grant these role to single user say appUser this is different from you SchemaApplication user. Use appUser to connect to application and for different user like userChris, userDave provide another layer of security. Say userDave is allowed only to deal with cash related transaction, so allow him to open only those screens which are related to cash transaction only.
  Case 2.
  Create public synonym and grant privilege on tables from SchemaApplication to different users (say userChris, userDave).
  So in Oracle if there existed [SchemaApplication].[table1], how would [userChris] and [userDave] query [SchemaApplication].[table1]?This is resolved by public synonym. There are private synonym as well, you can create this also but in this case you have to create private synonym for each of the users.
  Would Chris and Dave log in as [userChris] and [userDave], or would they normally log in as [userApplication]? I would suggest you to connect either using a new user(Case 1) or the user itself has account in the database(Case2).
  finally, is it good practice to log in as a unique user eg [userChris] and then issue the
  alter session set current_schema = shemaApplication;
  No. It is not a good practice to allow the user to login to database using the application owner.
  command to change the way references to tables are interpreted?The public/private synonym can be used to resolve the schema.object value. For example, if SchemaApplication has table T, then you can create public synonym as 'CREATE PUBLIC SYNONYM T FOR SchemaApplication.T'; and now you can refer this table as T from any other schema(user).
  HTH
  Virendra

• Best practice to set up the user authorization

  Dear expert,
  I have a question regarding the user authorization access. I've attend the BOE training but I'm still blur in term of user authorization planning. Currently, I have around 50 named users that need to access the BOE server. But the certain user will be restricted to access to certain folders or reports.  May I know what is the best practice to set up the user authorization access? Should I set up first in the development machine and once its firm, then I migrate it to production machine..or is there any steps that I need to follow...?
  Really appreciate if you can let me know on what should I look into first before set up the authorization. Is there any doccument that I can referring to..?
  Thanks & Regards,
  -Syahida-

  Create User Group for each folder (for eg. Sales/Marketing etc) and also based on the type of access you want to provide.
  Like Sales VOD/ Sales View/Sales Schedule, and add users to the User Group based on the type of rights you want to provide them. Then add the User Group to respective report folders.
  First deploy it in the Development environment, once you have everything finalized then you can replicate the same to QA and Prod environment by migration. Also make sure that in Development environment developers will have full control to develop/add reports to folders, you have to restrict that in QA & Prod environment.

• Best Approach to create Security / Authorization Schema for an APEX Apps

  Hi,
  I am planning to create a Security / Authorization Schema for an APEX Application.
  Just want to know what is the best approach to create the security feature in APEX, so that it should be re-used in other APEXApplications too..
  I am looking for following features...
  1. users LOGIN and then user's name is stored in APEX_USER...
  2. Based on the user, I want to restrict the Application on following levels.
  - TABS
  - TABS - Page1 (Report
  - Page2 (Form)
  - Page2 (Region1)
  - Page2 (Region1, Button1)
  - Page2 (Region1, Items,....)
  AND so on.....basically depending on user....he will have access to certain TABS, Pages, Regions, Buttons, Items...
  I know, we have to create the Authorization Schema for this and then attach these Authorization Schema to the different Level we want.
  My Question is, what should be the TABLE structure to capture these info for each user...where we will say...this USER will have following access...AND then we create Authorization Schema from this table...
  Also what should be the FRONT end, we should have to enter these detail...
  SO, wondering, lot of people may already have implemented this feature....so if guys can provide the BEST Approach (re-usable for other APEX Application)....that will be really nice..
  Thanks,
  Deepak

  Hi Raghu,
  thanks for the detial info.
  so that means..I should have 2 table...
  master table (2 columns - username, password)
          username    password
     user1       xxxx
     user2       xxxx2nd table (2 columns - username, chq_disp_option)
  - In this table, we don't have Y/N Flag you mentioned..
  - If we have to enter all the regions/tabs/pages in the Applications here or just those regions/tabs/pages for which are conditionally diaplayed.
  - so that means in all the Pages/Regions/tabs/items in the entire Application, we have to call the Conditionally display..
  - suppose we have 3 tabs, 5 pages, 6 regions, 15 items..that means in this table we have to enter (3+5+6+15) = 29 records for each individual users..
            username    chq_disp_option
     user1       re_region1
     user1       re_region2
     user1       tb_main
     user1       Page1
     user1       Page5
     ----        ----     - how you are defining unique name for Regions..i mean in static ID or the Title
  - is the unique name for tab & item is same as the TAB_NAME (T_HOME) & Item Name (P1_ITEM1) or you are defining somewhere else.
  Thanks,
  Deepak

• HANA Security - Best Practices for Schema??

  Hi,
  Currently we don'y have a defined Security model in HANA Studio.Neither there is no defined duties of a BASIS / Security / Developers.
  I want to understand what best practices are followed at other customers for defining security for Schema.
  1. Who should be creating the schema for Developers / Modelers?
  2. Should we use our own ID's to create/maintain these Schema or a Generic ID?
  Right now, when developers log in to Studio, by default they are assigned to their own schema (User ID) and they create objects under that.
  We(Security team), face issues when other developers need access to schema of another user as they want to develop objects under schema of different user
  Also, who should be owning the "SYSTEM" user ID and what steps needs to be done whenever a new schema is created.
  Thanks for the help in advance.

  >So, if we follow this approach, who should be creating the schema as design time?
  Not sure what you mean by that.  We call this design time because you are creating an artifact in the repository and the catalog object doesn't get created until you activate that design time object.
  > Security Administrator or Developer/Modeler?
  Doesn't really matter. Depends upon your process. However I would say most of the time the developer creates the schema.  The developer doesn't immediately get access to the new schema.  He/She must create a role and that role has to be granted to them before they can see the objects in the new schema.
  >Also, for our current scenario, where developers are doing changes in their own schema, what should be done as a Security Administrator to assign access to a user schema to other developers?
  They shouldn't be creating objects in their user schema.  That user schema is for internal usage - like the creation of temporary objects. It shouldn't be used for any development.

• Best practices for creating application schema

  All,
  Can anyone recommend best practices (or pointer to a url) for creating application schema. A novice installer created a schema and the tablespace ran out of disk space in 2 days and the system came to a halt at a production site. The tablespace was created with one datafile and with MAXSIZE specified. I am looking for Do's and Dont's on production system.
  Thanks for any help,
  Vissu

  I'm not sure that you can boil this down to a "Do's and Don'ts" list unless you want to get overly general...
  For example, do make sure that you provision space appropriately. "Appropriately" however, is going to be radically different in different environments. Some shops set all their data files to autoextend in production and monitor utilization at the OS level. Other shops specify exact file sizes and monitor utilization at the Oracle level. Each approach has its own advantages and disadvantages, you just need to make sure that your application uses the same approach that every other application in the organization uses.
  Do have an idea about the space utilization of the application, but don't go overboard. Running out of space in 2 days means someone failed to do a basic analysis. On the other hand, I've seen people spend way more time than they should making 5 year projections based on some relatively soft assumptions and getting worried about internal overheads that were much smaller than the error bars in their baseline estimates. Of course, the precision necessary also depends on the implications-- a 20% error in a multi-TB data warehouse is going to have a lot more impact than a 20% error in a 20 GB OLTP application.
  Justin

• What are the best practices for the RCU's schemas

  Hi,
  I was wondering if there is some best practices about the RCU's schemas created with BIEE.
  I already have discoverer (and application server), so I have a metadata repository for the Application Server. I will upgrade Discoverer 10g to 11, so I will create new schema with RCU in my metada repository (MR) of the Application Server. I'm wondering if I can put the BIEE's RCU schemas in the same database.
  Basically,
  1. is there a standard for the PREFIX ?
  2. If I have multiple components of Fusion in the same Database, I will have multiples PREFIX_MDS schema ? Can they have the same PREFIX ? Or They all need to have a different prefix ?
  For exemple: DISCO_MDS and BIEE_MDS or I can have DEV_MDS and this schema is valid for both Discoverer and BIEE.
  Thank you !

  What are the best practices for exception handling in n-tier applications?
  The application is a fat client based on MVVM pattern with
  .NET framework.
  That would be to catch all exceptions at a single point in the n-tier solution, log it and create user friendly messages displayed to the user. 

• EDirectory Schema extensions best practices / Mac OS X 10.5

  Hello all,
  I am integrating Mac OS X clients into my eDirectory environment, and part of my process is to extend the eDirectory schema with the relevant Mac-specific attributes. Is there an easy method to extending the schema, or do I need to manually add each individual attribute that is not already stored in an importable ldif file? Also, are there any best practices to follow when performing this work?
  Thanks for the help!

  Are these the extensions published by Apple? If so I think they have
  fairly good documentation on their site where you got them from. If not,
  well, we're going to need to know where you did get them from and what
  they are actually doing.
  And again, we need to move this to the novell.support.native-file-access
  forum, where it belongs. Schema extensions are nothing to do with
  netware.communications. Thanks
  Andrew C Taubman
  Novell Support Forums Volunteer SysOp
  http://forums.novell.com/
  (Sorry, support is not provided via e-mail)
  Opinions expressed above are not
  necessarily those of Novell Inc.