Security architecture

Similar Messages

• Possible (and secure) architectures for E-Recruitment Web Enabled???

  Hello,
  i need informations about posible (and secure) architecture solutions for E-Recruitment Web Enabled.
  I found one basic exsample in the E-Recruiting system architecture guide, but it is a exsample from 2003.
  do someone use E-Recruiting web enabled and in what for a topology?
  regards
  chris

  Hellow Christian,
  Successful e-recruiting relies on strong long-term relationships with both current and potential employees u2013 and on the ability to locate appropriate positions for talented individuals from within and outside the organization. The SAP E-Recruiting application offers innovative support for talent relationship management, as well as traditional central recruiting functions.
  SAP E-Recruiting, a fully Web-enabled, end-to-end recruiting solution, accelerates and streamlines the recruiting process with a comprehensive strategy that that enables your company to build up and draw from a qualified, global pool of internal and external talent. Recruiters can take advantage of this talent pool to quickly find the staff they need, while collaborating closely with hiring managers throughout the hiring process.
  Applicant tracking and reporting functions help organize the processing of job applications and monitor the effectiveness of the recruiting organization. A collaboration platform links SAP E-Recruiting to external systems such as job boards, recruiting service providers, and your company's internal systems.
  Please check this links for reference
  http://www.sap.com/solutions/business-suite/erp/hcm/featuresfunctions/index.epx
  http://www.sap.com/solutions/business-suite/erp/erecruiting.epx
  Thank you,
  Shyam

• Advantages of Weblogic security framework over websphere security architecture

  Hi,
  Weblogic implement the security as a layer . And websphere, as far as I known
  implements security as plug ins.
  I'd like to known what are the advantages of weblogic security framework over
  Websphere security archirtecture ? performance point of view, features, reliability,
  robustness etc ...
  Thanks a lot !

  "walt" <[email protected]> wrote in message
  news:3fca2d60$[email protected]..
  >
  Hi,
  Weblogic implement the security as a layer . And websphere, as far as Iknown
  implements security as plug ins.
  I would consider the WLS security provider model to be a plugin model.
  I'd like to known what are the advantages of weblogic securityframework over
  Websphere security archirtecture ? performance point of view, features,reliability,
  robustness etc ...
  http://www.bea.com/content/news_events/white_papers/BEA_WLS_vs_Websphere_TCO_wp.pdf
  http://e-docs.bea.com/wls/docs81/secintro/archtect.html
  http://dev2dev.bea.com/products/wlserver/whitepapers/WLS_security_Framework.jsp
  http://dev2dev.bea.com/products/wlserver81/index.jsp

• Security Architecture Suggestion

  Hello,
  I am trying to implement object level security and came across a typical security problem. I have got an User A who has access to everything(dashboards& Answers) in Dev and got access to only dashboards in QA.
  We wanted to create two groups Dev1 and QA1 in the same environment and assign priveleges to it but if the user belongs to both the groups, the group with less restictions will take the precedence which is a problem.
  Lets say we created different groups in diff env that will take care of the problem but every time we move code from dev to qa all the security groups will be replaced and again we have to create groups in qa and it involves maintenance
  what would be best way to implement security in uch kind of situations minimising maintenance
  Please advice
  Prash
  Edited by: Prash11 on Nov 20, 2009 4:22 PM

  Hi Prash,
  I don't understand why you want to create groups which belong specifically to one environment.
  I would say, just create two groups: Level 1 and Level 2.
  Now you need to create the authorization table.
  For DEV:
  USER___GROUP_NAME
  User A__Level 1
  etc.
  For QA:
  USER___GROUP_NAME
  User A__Level 2
  etc.
  In the initialization block you need to define the connection pool, you want to use to execute the query.
  !http://obieeblog.files.wordpress.com/2009/06/031709_1241_obieesecuri71.png!
  As you can see in the image below, you need to check "row-wise initalization" in order to add multiple groups to one user.
  !http://obieeblog.files.wordpress.com/2009/06/031709_1241_obieesecuri81.png!
  By doing this it is also possible to add a user to more groups like this:
  USER___GROUP_NAME
  User A__Level 1
  User A__Group X
  User A__Group Y
  So, you can add a user to only one, multiple groups or to no group at all.
  Regards,
  Stijn

• Custom Policy vs. J2EE Security

  Hi there, Java Security architecture gurus,
  I am currently trying to find the best architecture for the new security framework for our company's application. The system requires instance based security. ACLs are stored in a database. JAAS's authentication is just fine, but its file based authorization is not sufficient for our needs. Access rights change during runtime and they should not be refreshed that inefficient way with Policy.refresh().
  The solution I would like to establish should cope with changing environments without the need to change the code that is using security checks. E.g. the app should be able to run as a stand-alone application or within J2EE application servers or servlet engines.
  I have looked at the Java 2 Security API and found out that implementing a customized version of the JAAS Policy class can be one approach. A good benefit is the tight integration with the Java Security framework and that it not necessary to reimplement things like the AccessController and privileged actions.
  Now, I have the following questions:
  - Is the custom Policy a common solution when the application is deployed on a J2EE appserver?
  - Is it possible to delegate permission checking of the system permissions (FilePermission, PropertyPermission, etc.) to the original Policy implementation? I would not really want to have to include all of these in the database table.
  The alternative approach would probably be J2EE security with the cost of restricting the app to the J2EE environment. To me it seems to be impossible to implement instance based security with role based descriptive J2EE security. With programatic EJB security, I would need to make isPrincipalInRole() completely dynamic to support it.
  I looked through the forum for quite a while without success but if you already discussed this topic I would really appreciate a pointer.
  Thanks,
  Christoph

  Chris,
  There is a very good article from IBM that implements the same thing you are trying to implement i.e. instance base security and also custom Policy(u may need this).
  http://www-106.ibm.com/developerworks/library/j-jaas/?n-j-442
  Now, I have the following questions:
  - Is the custom Policy a common solution when the application is deployed on a J2EE appserver?
  Custom policy is required primarily if you are going away from the default policy format that sun recommends. If you want to read your permissions from a database you may need to implement a custom Policy class.
  - Is it possible to delegate permission checking of the system permissions (FilePermission, PropertyPermission, etc.) to the original Policy implementation? I would not really want to have to include all of these in the database table.
  This is recommended by Sun. You may have to delegate the Permission checks that you know you cannot handle to default policy class.
  In your CustomPolicy.java getPermissions() method, the following code will code to the end of the function
  // If the permission is not found here then delegate it
  // to the standard java Policy class instance.
  java.security.Policy policy = java.security.Policy.getPolicy();
  return policy.getPermissions(codeSource);
  Hope this helps.

• EBS 12.1.3 Security - Provision the complete group in OID as responsibilities in EBS

  I need some help on EBS related security. • Running EBS - 12.1.3, OID, OAM, DIP provisioning profile • Have a BI tool which adds user responsibilities in OID groups. • Users are added as members to group in OID. • Right now only the user names in OID are provisioned to EBS. • Is there a way to provision the complete group in OID as responsibilities in EBS? • Does EBS 12.1.3 Security architecture allow this ?  Any kind of documents related to this would be helpful. Thanks

  Our hosting provider has now setup "pdf2ps" on AIX level. It works correctly with "root" user. But with "applmgr" user, it gives the following error:
  Does "<10.1.2 OH>/jdk/jre/bin/libjpeg.a" exist?
  Do you have "libjpeg.so.62" package installed?
  Can you compare the PATH settings for both root and applmgr user and see if there is a difference?
  Have you reviewed (How To Print XML Publisher PDF Reports From The Concurrent Manager (Doc ID 338990.1))?
  Thanks,
  Hussein

• Mapping Apps security profiles in Discoverer

  Hello
  We wish to implement a 2-tiered security architecture. We already have the 1st tier in place in Disco Admin by assigning specific Business Areas to responsibilities.
  However, we also want to use the Apps custom Security Profiles to restrict access to tables and views through Discoverer Admin.
  How can this be implemented? Any examples would be most welcome.
  Thanks
  Sanjib Manna
  Oracle Practice
  IBM Business Consulting

  You can use the following query to look for all the security profiles. You can join the hr_operating_units to fnd_profile_option_values.level_value to get the desired result.
  SELECT psp.security_profile_name,
         psp.security_profile_id,
         hou.NAME,
         hou.organization_id
    FROM per_security_profiles psp,
         per_security_organizations pso,
         hr_operating_units hou
  WHERE pso.security_profile_id = psp.security_profile_id
     AND pso.organization_id = hou.organization_id;Additionally, you can also have a look at the below MOS docs.
  How To Check If a Profile Option Is Set In Oracle Applications? [ID 470102.1]
  How to Search all of the Profile Options for a Specific Value [ID 282382.1]
  How To List E-Business Suite Profile Option Values For All Levels Using SQLPlus [ID 201945.1]
  Script To List The Values Of A Profile Option At All Levels [ID 803587.1]
  How to Search all of the Profile Options for a Specific Value [ID 282382.1]
  How To Find All Users With A Particular Profile Option Set? [ID 367926.1]
  How to Change Profile Option Value Without Forms? [ID 943710.1]
  Cheers,
  ND
  Use the "helpful" or "correct" buttons to award points to replies.

• The role of java.security.acl in Java 2 security

  I have been trying to assess the role of the java.security.acl package within the Java 2 Security architecture. I have some questions regarding it.
  First where in the JVM are the interfaces of java.security.acl used? Are there any examples out there to guide developers in understanding their proper implementation?
  What is the relationship between this package and the core security package? There seems to be a Permission interface in the acl sub-package and an abstract Permission class in the core security package. Why is this the case? Why is the core abstract class not used instead of declaring a new Permission interface within the acl subpackage?
  Are not PermissionCollections and Permissions analogous to ACLs? If so then wouldn't that fact make the acl subpackage redundant?
  JSR 115 tries to bridge the gap between Java 2 Security in the SDK with security in J2EE. Namely enabling the RBAC-like approach to security in J2EE while using the AccessController of the J2SE to do the evalualtion of J2EE (Servlet/EJB) Permissions. Why are the Group and Owner interfaces defined here not leveraged in both JSR 115 and in general for Role Based Access Control?
  Could someone give some background on the vision behind creating the acl subpackage and how it relates to the historical progression of security advances in Java security architectures?
  Thanks much,
  Alex Karasulu

  I see from the defined interfaces that its an attempt at a formal approach to RBAC. However RBAC can be implemented without it all together using existing J2SE and JAAS based constructs. This does not answer the redundancy question. Could you elaborate a little bit more?
  Thanks,
  Alex

• How is the fingerprint used for security

  Dear all,
  There were an excellent article last year about how the passcode is used in the security architecture of iOS
  http://www.apple.com/ipad/business/docs/iOS_Security_Oct12.pdf
  I was wondering how is the fingerprint used in the encrpyption mechanism.
  - Is a hash generated and then the hash is compared and if ok the access is grante d?
  - Is this hash is used in the deriving process of the encryption key ?
  - etc ?
  Many thanks in advance,
  Regards

  It cleans rather well for me but, i never actually touch the screen with my hands/fingers. Just get a microfiber cloth and a non-abrasive cleaner like method window cleaner from target:)
  Message was edited by: demolasko

• Security architechture ACL in java

  Hello Friends i m chandrashekar.
  I am working on a java application.
  i have a problem that i need to provide the security architecture for that application using ACL in java.to restrict each user
  can u send me one small code or example which contains java.security.acl where when user will log in then the acl will check for the security
  Thanx..
  Chandrashekar

  I see from the defined interfaces that its an attempt at a formal approach to RBAC. However RBAC can be implemented without it all together using existing J2SE and JAAS based constructs. This does not answer the redundancy question. Could you elaborate a little bit more?
  Thanks,
  Alex

• Difference in Security Arch of 6.x and 7.0

  Hi all,
  Can anyone please tell me what are the major differences in the security architecture
  of Weblogic 6.x and Weblogic 7.0 platform. A few points of difference would be
  of great help.
  Thanks,
  Jimmy Shah

  Jimmy,
  Check out http://edocs.bea.com/wls/docs70/secintro/model.html#1029245 for an overview
  of changes. Also take a look at Managing WebLogic Security Chapter 1 Overview
  of Security Management which contains a section titled How Security Changed in
  WebLogic Server 7.0
  "Jimmy Shah" <[email protected]> wrote:
  >
  Hi all,
  Can anyone please tell me what are the major differences between the
  security
  architecture of Weblogic 6.x and Weblogic 7.0 platform. A few points
  of difference
  would be of great help.
  Thanks,
  Jimmy Shah

• ODBC Backdoor Access Security Question

  IS it still possible for an individual to gain access to a sql database if there is an ODBC connection open? Can anyone point me in the direction of any documentation that discusses this? I know my question may be a little outdated, but I've been having difficulty finding the answer myself. Thanks guys!

  It sounds like you're talking about a generic problem of controlling what application(s) a user is allowed to use to connect to a database. If so, that's not really an issue with ODBC or any other client API-- it's an issue with the organization's security architecture.
  If you give a person an Oracle user name and password, they're going to be able to connect via whatever application they'd like-- whether they're using Access via ODBC, SQL*Plus, or a custom application. Once they connect, they'll have whatever privileges you've granted them. Ideally, that would mean that users only have SELECT access and EXECUTE access on a set of stored functions and procedures they are authorized to run. If users have been given the keys to the kingdom as it were-- full INSERT, UPDATE, and DELETE privileges on every table-- you've got more fundamental problems.
  Justin

• Security (permissions)

  Hello,
  As I understand permissions can be set on beans and their methods, but what if I need to check object state to decide whether user can change it or not?
  What I need is to implement permissions system that can be changed on the fly and some advanced checks are required (objects states + users permissions on objects states).
  Can I implement it using standart J2EE security featurs? System must be configurable (need to develop administration tool that will allow permissions assignemnt to the users and objects (for axample object can be changed if it is in state 'A' and user 'Paul' can change it)). I need to make it in one way not in several (not like: one part using standart J2EE features and other using my own permission system).
  With regards,
  Pavel Krupets

  Pavel,
  I belive you are looking for a way to configure access to your components such that who can access them
  is a function of component state. You can write portable components such that this is the case, but J2EE
  does not standardize how one might configure the impact of component state on such a policy model.
  On all J2EE platforms, you can configure role membership such that it effects who can do what given a
  static model for what roles are able to do what in each component state. You can either protect different
  methods with different roles, or test the caller for membership in a specific role seclected by the
  component based on the state of the component.
  As an added consideration, the Java Authorization Contract for Containers (JACC), which is a required
  element of all J2EE 1.4 containers, defines a pluggability model for policy providers and a way (policy
  context handlers) for such providers to obtain from the container the parameters of the component
  invocation. The parameters of the invocation are not quite the same thing as the instance state, but one
  way that you could accomplish much of what you are trying to do would be to develop a custom policy
  provider that could be configured to apply the parameters of the invocation in its policy decisions. As a
  result of JACC, on dispatch into the component, a proper access control context including a subject
  representing the component runAs identity has been bound to the call thread, and thus you can use the
  j2se security api's to check whether that context is granted any j2se security permission.
  Custom policy providers are an evolving J2EE capability, so I must confess that you would
  likely encounter portability challenges should you adopt this approach. I described it to you to
  expose our thinking regarding how we believe more sophisticated access control functionality
  could be integrated with the j2ee container security architecture.
  Ron Monzillo

• OBIEE11g Security

  Please help me with the information!!
  What exactly is the difference between Users/Groups vs Catalog Groups vs Application Roles
  We recently upgraded from 10g to 11g environment
  We were having external table Authentication in 10g.
  we have a Super user group which have all privileges(create anlaysis /dashboard) like weblogic.
  After the upgrade I was testing with one of the users from that Power group but he could not create analysis/Dashboard(When I punch in "New" could not see Analysis/Dashboard) etc.
  Let me know what makes do like this.I am not familiar with weblogic security Architecture!!
  Thanks
  NK

  Hi NK,
  You need to remember two things Authentication and Authorization
  Authentication where in 11g happens through external table itself (initialization block) when it comes to authorization the groups (no longer supported directly in rpd) you should assign the groups to default application roles . For example superuser has to assign to BI Administrator/BI author role in weblogic itself to get a privilege of creating analysis,dashboard & assigning permissions
  http://www.varanasisaichand.com/2011/09/external-table-authenticationorder-of.html
  thanks,
  Saichand

• Architecture/Design Question with best practices ?

  Architecture/Design Question with best practices ?
  Should I have separate webserver, weblogic for application and for IAM ?
  If yes than how this both will communicate, for example should I have webgate at both the server which will communicate each other?
  Any reference which help in deciding how to design and if I have separate weblogic one for application and one for IAM than how session management will occur etc
  How is general design happens in IAM Project ?
  Help Appreciated.

  The standard answer: it depends!
  From a technical point of view, it sounds better to use the same "midleware infrastructure", BUT then the challenge is to find the lastest weblogic version that is certified by both the IAM applications and the enterprise applications. This will pull down the version of weblogic, since the IAM application stack is certified with older version of weblogic.
  From a security point of view (access, availability): do you have the same security policy for the enterprise applications and the IAM applications (component of your security architecture)?
  From a organisation point of view: who is the owner of weblogic, enterprise applications and IAM applications. In one of my customer, application and infrastructure/security are in to different departments. Having a common weblogic domain didn't feet in the organization.
  My short answer would be: keep it separated, this will save you a lot of technical and political challenges.
  Didier.