CollegeSource Security Application & Supported Security Implementations
Session ID R1.02
Two parts to this presentation: one semi-functional (Security App) and one technical (Security Implementations).
Presented by: Zach Lewis, CollegeSource
June 14, 2012

CollegeSource Security Application: Topics We'll Cover
CollegeSource Security Application
- Security Components
- Application Functions, Permissions, & Roles
- Domains
- Groups
- Users
- Properties
- Application Demo
Supported Security Implementations
- Database Tables
- LDAP
- CAS
We'll run through the components first, then have a little demo to see them in action.

CollegeSource Security Application: Security Component Administration
For the technical folks, this is basically a front end to manage the groups, roles, etc. in the security database tables.

Security Component Definitions
- Application Function: a predefined area available in CollegeSource applications where the level of access can be controlled.
- Permission: the level of access (Read, Update, Create, Delete) granted for a specific application function.
- Role: a functional grouping of permissions that simulates a real-life capacity (e.g. Advisor, Student).
- Domain: a hierarchy that defines an institution and can be used to limit permissions.
- Group: a list of roles to which users can be mapped.
- User: an individual given permission to use certain functions of one of the CollegeSource applications.
- Property: an attribute that can be assigned to a user or group to limit permissions.
Each of these has a table or set of tables that corresponds to it in the database.

Application Functions, Permissions, & Roles
This is a role named "Advisor".
The app function controls the level of access to a predefined area within a particular CollegeSource app (e.g. u.direct).
There are 4 permission aspects: Read, Update, Create, Delete.
There are 3 permission values: Full, Restricted, None.
The entire set of predefined application functions, with a permission for each, is a ROLE.
The "predefined areas" for app functions are used throughout the apps. For example, UDIR_Plans controls the plan functionality in u.direct and UDIR_Notes controls access to notes.

Domains
A domain can be used to limit permissions on a narrower scope than a role can.
There can be anywhere from 1 to 6 levels in a domain, which must be defined in a database view.
There are group-level and user-level domains.
In order to use domains, you must implement a view in the database called DCP_PROGRAM that corresponds to the levels you want to use.

DCP_PROGRAM View Example

create view DCP_PROGRAM as
select distinct
    a.instidq + a.instid as level_1,
    a.college          as level_2,
    a.major            as level_3,
    a.degree           as level_4,
    null               as level_5,
    null               as level_6,
    dprog              as program,
    webtitle           as program_name,
    a.instidq          as instidq,
    a.instid           as instid,
    a.instcd           as instcd
from dprog a
where a.instidq = '73'
  and a.instid = '007104'
  and a.dpstatus = 'T'

This view (this default version) is created when running the database scripts that come with the CollegeSource Security application, but it can be modified.

Groups
A group is the place where users can be associated with roles. A group is like a placeholder for users and roles.
It is the main link used for authorization with the security implementations.
A group can have multiple roles and multiple users.
Group-level domains and properties can also be assigned.

Users
Users must be members of a group to be assigned roles. There's no way to assign a role directly to a user.
The SIS Id is usually the student number used in your SIS. This is used when running audits if the user is a student.
Group-level domains will be applied to users assigned to a group that has a domain.

Properties
Similar to a domain, a property can limit permissions in a narrower way than a role can.
Properties can be combined to create more specific sets of limitations and aren't dependent on a database view.
Properties can be user-level, group-level, application-level, or global.
There are defined properties that are allowed to be specified. These are available in the dropdown on this screen.

Overview
A Role is a list of pairs consisting of an App Function and a Permission. Role examples are Student or Advisor.
A Group is a container that can hold a list of many Roles and many Users. It can also contain group-level Properties and/or Domains. Group examples are UDIR_STUDENTS or SS_ADVISORS.
A User must belong to a Group to have Roles. It can, however, have user-level Properties and/or Domains.
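As an added illustration of the model on this slide (not CollegeSource code or schema), the following Python sketch resolves a user's effective permission for one app function and aspect strictly through group membership, which is the rule the slides stress: a user in no group ends up with no roles at all. The class names, the sample role contents, and the "most permissive value wins" rule for a user who reaches the same function through several roles are assumptions; the deck does not say how conflicting roles combine.

```python
"""Toy model of the authorization objects on the slides: a Role maps
Application Functions to Permissions, a Group holds Roles and Users, and a
User only gets Roles through Group membership.  Added example, not the
product's code; names, sample data and the conflict rule are assumptions."""
from dataclasses import dataclass, field

ASPECTS = ("Read", "Update", "Create", "Delete")      # the 4 permission aspects
VALUES = {"None": 0, "Restricted": 1, "Full": 2}     # the 3 permission values, ranked


@dataclass
class Role:
    name: str
    # app function -> {aspect: value}, e.g. {"UDIR_Plans": {"Read": "Full"}}
    permissions: dict


@dataclass
class Group:
    name: str
    roles: list = field(default_factory=list)
    users: set = field(default_factory=set)


def validate_role(role):
    """Reject permission entries that use an undocumented aspect or value."""
    for func, perms in role.permissions.items():
        for aspect, value in perms.items():
            if aspect not in ASPECTS or value not in VALUES:
                raise ValueError(f"{role.name}/{func}: bad entry {aspect}={value}")


def effective_permission(username, groups, app_function, aspect):
    """Resolve one user's permission value for an app function/aspect.
    Roles are reached only via groups, so a user in no group gets 'None'."""
    best = "None"
    for group in groups:
        if username not in group.users:
            continue
        for role in group.roles:
            value = role.permissions.get(app_function, {}).get(aspect, "None")
            if VALUES[value] > VALUES[best]:   # assumption: most permissive wins
                best = value
    return best


# Constructed sample data: names mirror the slides' examples, values are invented
ADVISOR = Role("Advisor", {
    "UDIR_Plans": {"Read": "Full", "Update": "Full", "Create": "Full", "Delete": "Restricted"},
    "UDIR_Notes": {"Read": "Full", "Update": "Full", "Create": "Full", "Delete": "Full"},
})
STUDENT = Role("Student", {
    "UDIR_Plans": {"Read": "Full", "Update": "Restricted", "Create": "Restricted", "Delete": "None"},
    "UDIR_Notes": {"Read": "Restricted", "Update": "None", "Create": "None", "Delete": "None"},
})
GROUPS = [
    Group("UDIR_STUDENTS", roles=[STUDENT], users={"s100", "s200", "dual"}),
    Group("SS_ADVISORS", roles=[ADVISOR], users={"adv1", "dual"}),
]

if __name__ == "__main__":
    for r in (ADVISOR, STUDENT):
        validate_role(r)
    print(effective_permission("adv1", GROUPS, "UDIR_Notes", "Delete"))    # Full
    print(effective_permission("s100", GROUPS, "UDIR_Plans", "Delete"))    # None
    print(effective_permission("nobody", GROUPS, "UDIR_Plans", "Read"))    # None
```

The `validate_role` check is the kind of guard a deployment would want around anything that writes the role tables, since an unrecognised permission value would otherwise silently fall back to whatever the application's default is.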

Supported Security Implementations: Getting Your Students & Staff Access
There was some technical stuff sprinkled into the first half of the presentation, but here's the bulk of it.

Implementations Supported by CollegeSource Security
The 3 implementations that are supported by CollegeSource Security are:
- Database tables
- LDAP
- CAS
CollegeSource can also provide some interfaces for clients to attempt using other security implementations.
We use the Spring Security API, which plays well with Database, LDAP, and CAS. It also has a hook for Pre-Authenticated implementations, but they come with additional considerations.

Database Tables
By default, all CollegeSource applications are configured to use the database tables for security purposes. It will work "out of the box."
CollegeSource provides the database schema necessary to use this security implementation.
When using this implementation, users and user properties and domains can be managed using the CollegeSource Security application.
The database schema will be created by u.achieve scripts if you have u.achieve. Otherwise, a create.sql script is included. A populate.sql populates a default user, group, and some roles.

Lightweight Directory Access Protocol (LDAP)
CollegeSource Security provides an interface that can connect to and communicate with a university's LDAP directory server.
An LDAP implementation can be used for both user authentication and authorization (what roles the user is granted).
Using LDAP, users are not managed in the CollegeSource Security application. They are managed in the LDAP directory and mapped to groups that are managed in the application.
CollegeSource Security supports any type of directory server that uses LDAP, including Active Directory, Oracle Virtual Directory, etc.
For more info, visit: http://clients.collegesource.com/home/display/SEC/LDAP+Implementation

LDAP – Mapping Users to Security Groups
One or more attributes from LDAP are configured to be the "group role attribute(s)" where the security interface will look to find assigned groups.
The security interface reformats the LDAP group name by adding "ROLE_" to the front and converting it to caps. Then it looks for a CollegeSource Security group that matches.
Note: All groups intended to be mapped to an LDAP attribute must start with "ROLE_" and be in all capital letters.
There is a property that you can use to specify whether you want it to convert the group names to all capital letters.

Sample LDAP Properties

# Connection URL
dcp.security.ldap.url=ldap://domain:port/dc=value,dc=value

# User Authentication Options
#
# Manager Service Account Credentials
dcp.security.ldap.manager=cn=user,dc=value,dc=value
dcp.security.ldap.password=password

# User DN Pattern
dcp.security.ldap.userDnPattern=cn={0},ou=people

# User Password Attribute
dcp.security.ldap.passwordAttribute=userPassword

# Search Filters
# These filters are passed an array of parameters. In
# each, the {0} denotes the username field. You can also
# use {1} for the user DN in groupMemberSearchFilter.
dcp.security.ldap.userNameSearchFilter=(cn={0})
dcp.security.ldap.groupMemberSearchFilter=(cn={0})
dcp.security.ldap.sisIdSearchFilter=(eid={0})

# Name Result Limiting Filter
dcp.security.ldap.nameResultLimitingFilter=(field=value)

# Search Bases
#
# Multiple search bases can be specified by
# providing a list separated by forward slash ("/")
dcp.security.ldap.userSearchBase=ou=people
dcp.security.ldap.groupMemberSearchBase=ou=people

# User Information Attributes
dcp.security.ldap.userNameField=cn
dcp.security.ldap.firstNameField=givenName
dcp.security.ldap.lastNameField=sn
dcp.security.ldap.emailField=mail
dcp.security.ldap.sisIdField=eid
dcp.security.ldap.passwordAttribute=userPassword
dcp.security.ldap.advisorNameField=advisorName

# Multiple group role attributes can be specified by
# providing a list separated by commas
dcp.security.ldap.groupRoleAttribute=memberOf

These property names have been tweaked, and the newest version of CollegeSource Security (1.3.9.1) has a security.properties that looks like this.

Sample LDAP Properties - Explained
- dcp.security.ldap.url: the URL to the LDAP server.
- dcp.security.ldap.manager: the DN used for binding with a manager service account.
- dcp.security.ldap.password: the password used for binding with a manager service account.
- dcp.security.ldap.userDnPattern: a pattern that can be used to match a typical user DN.
- dcp.security.ldap.userNameSearchFilter: the filter used to do the user name search.
- dcp.security.ldap.groupMemberSearchFilter: the filter used to do the group member search.
- dcp.security.ldap.sisIdSearchFilter: the filter used to do the SIS Id search.
- dcp.security.ldap.nameResultLimitingFilter: an attribute/value filter that can limit the number of LDAP search results.
- dcp.security.ldap.userSearchBase: the base location where the user search will be performed.
- dcp.security.ldap.groupMemberSearchBase: the base location where the group member search will be performed.
- dcp.security.ldap.sisIdField: the attribute in the user's profile that contains the SIS Id.
- dcp.security.ldap.userNameField: the attribute in the user's profile that contains the username.
- dcp.security.ldap.firstNameField: the attribute in the user's profile that contains the first name.
- dcp.security.ldap.lastNameField: the attribute in the user's profile that contains the last name.
- dcp.security.ldap.emailField: the attribute in the user's profile that contains the email address.
- dcp.security.ldap.advisorNameField: the attribute in the user's profile that contains the name of an advisor.
- dcp.security.ldap.passwordAttribute: the attribute in the user's profile that contains the password value.
- dcp.security.ldap.groupRoleAttribute: the attribute in the user's profile that contains the name of groups.
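To make the two LDAP slides concrete (the group mapping on "LDAP – Mapping Users to Security Groups" and the {0}/{1} filter placeholders, slash-separated search bases and comma-separated group role attributes in the sample properties), here is an added Python example. It is not CollegeSource code: the function names, the small properties parser, the sample directory entry, and the choice to RFC 4515-escape the username before substituting it into a filter are all assumptions about how a careful implementation would behave, not a description of what the product does.

```python
"""Worked example of the LDAP integration steps described on the slides:
fill the {0}/{1} placeholders of a search filter, split the slash-separated
search bases and comma-separated group role attributes, and turn the values
of the group role attribute(s) into ROLE_ names to match against configured
CollegeSource Security groups.  Added example, not CollegeSource code; the
escaping step, the names and the sample data are assumptions."""
import re

# Constructed subset of the sample security.properties shown on the slides
PROPS_TEXT = """
# constructed sample, two search bases and two group role attributes
dcp.security.ldap.userNameSearchFilter=(cn={0})
dcp.security.ldap.groupMemberSearchFilter=(cn={0})
dcp.security.ldap.userSearchBase=ou=people/ou=staff
dcp.security.ldap.groupRoleAttribute=memberOf,groupMembership
"""


def parse_properties(text):
    """Minimal key=value parser; lines starting with '#' are comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")   # first '=' only; values may contain '='
        props[key.strip()] = value.strip()
    return props


# RFC 4515 filter escapes: without these a username such as j*) could reshape the filter
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    """Escape a value so it is matched literally inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter(template, username, user_dn=""):
    """Substitute {0} (username) and {1} (user DN) into a filter template."""
    return (template.replace("{0}", escape_filter_value(username))
                    .replace("{1}", escape_filter_value(user_dn)))


def search_bases(props, key):
    """Slide convention: several search bases are separated by '/'."""
    return [b.strip() for b in props[key].split("/")]


def group_role_attributes(props):
    """Slide convention: several group role attributes are separated by ','."""
    return [a.strip() for a in props["dcp.security.ldap.groupRoleAttribute"].split(",")]


def role_name_from_value(value, uppercase=True):
    """'cn=udir_students,ou=groups,dc=example,dc=edu' -> 'ROLE_UDIR_STUDENTS'.
    A plain (non-DN) value is used as the group name directly.  The uppercase
    flag stands in for the property the slides mention but do not name."""
    m = re.match(r"^\s*cn=([^,]+)", value, re.IGNORECASE)
    name = (m.group(1) if m else value).strip()
    if uppercase:
        name = name.upper()
    return "ROLE_" + name


def map_groups(ldap_entry, props, configured_groups, uppercase=True):
    """Return the configured CollegeSource groups this directory entry maps to."""
    candidates = set()
    for attr in group_role_attributes(props):
        for value in ldap_entry.get(attr, []):
            candidates.add(role_name_from_value(value, uppercase))
    return sorted(candidates & set(configured_groups))


PROPS = parse_properties(PROPS_TEXT)
# Constructed directory entry and constructed list of groups defined in the security app
ENTRY = {
    "memberOf": ["cn=udir_students,ou=groups,dc=example,dc=edu",
                 "cn=library,ou=groups,dc=example,dc=edu"],
    "groupMembership": ["ss_advisors"],
}
CONFIGURED = ["ROLE_UDIR_STUDENTS", "ROLE_SS_ADVISORS", "ROLE_ADMIN"]

if __name__ == "__main__":
    print(build_filter(PROPS["dcp.security.ldap.userNameSearchFilter"], "jsmith"))
    print(search_bases(PROPS, "dcp.security.ldap.userSearchBase"))
    print(map_groups(ENTRY, PROPS, CONFIGURED))   # ['ROLE_SS_ADVISORS', 'ROLE_UDIR_STUDENTS']
```

Running `map_groups` with `uppercase=False` against the same data returns nothing, which is the practical consequence of the note on the mapping slide: group names in the security app must already be upper-case and prefixed with ROLE_, so a directory that stores lower-case names only matches when the conversion is left on.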

Central Authentication Service (CAS)
CollegeSource Security provides an interface that can connect to and communicate with a university's CAS server.
CAS is the only Single Sign-On (SSO) provider that is fully supported by CollegeSource Security.
Since the CAS service only provides user authentication, an alternate means of authorization must be used.
With CAS, your users will log in at your portal/homepage and be redirected to the CollegeSource application that is being accessed.
For more info, visit: http://clients.collegesource.com/home/display/SEC/CAS+Implementation

CAS – User Authorization
There are 2 options for user authorization when using CAS:
- Database tables
- LDAP
If using the database tables for authorization, the users can be managed in the CollegeSource Security application and be assigned domains and properties.
If using LDAP for authorization, users will be managed in AD and linked to a CollegeSource Security group by using one or more group role attributes.
All of this is configurable through the XML config files that come with CollegeSource Security.

Questions?
Zach Lewis
513-834-8766
Zach@CollegeSource.com
Please remember to complete the session survey. Thank you!