Banner Overview
Authentication to Banner & 3rd Party Apps
Authorization to Banner & 3rd Party Apps
Section 1
Higher Education Enterprise Resource Planning (ERP) system.
Original vendor – SunGard Higher Ed
› Now supported by Ellucian
› Ellucian serves 2,400+ higher
Banner INB – Internet Native Banner
› The functional user interface for accounting, human resources, and other administrative staff
Banner SSB – Self Service Banner
› The web-based interface to Banner functionality for students & Finance reporting functionality
Includes multiple distinct “systems” or modules:
› Finance
› Human Resources
› Financial Aid
Distributed architecture generally includes:
› Application Server
› Database Server
› Job Scheduling Server
› Web Server (Luminis)
This is not meant to be a comprehensive list – only the basics
Oracle Database Application
Many available for varied purposes. Common 3rd party apps:
› SciQuest E-Procurement
› Touchnet U.Commerce
Authentication: The process of identifying a user – usually by a user name and password
Authorization: The function of specifying or granting access rights to resources in information systems
Section 2
When a user connects to Banner, that user also connects to the Oracle database
All Banner INB accounts require individual Oracle database accounts. Banner SSB accounts do not work the same way.
Banner INB authentication & authorization use Oracle database info & processes
› Security is configured by granting privileges to a
Oracle uses a User Name & Password to identify a user
› Stored encrypted in the SYS.USER$ Table
Authentication requires one Oracle privilege:
› CREATE SESSION
Step 1 • Enter user name/password
Step 2 • Oracle checks credentials
Step 3 • Oracle checks privileges/security rights:
  • Default Role(s)
  • Directly granted privileges
  • PUBLIC account privileges (granted to everyone)
Method 1: Direct Login
› Oracle Database Password Profiles
› Login to App Server directly via web browser
Method 2: Web-Facing Portal
› Directory Service Password Policies
› Login to Luminis web server first, then connect to App Server
Banner Direct Login Page
Oracle Credentials
Uses the internet browser and Oracle Fusion Middleware Forms Service – a Java JRE plug-in to display the Banner forms in an Oracle Java applet
Example URL:
http://APPPRD.ExampleCollege.edu:###0/forms/frmservlet?config=prod
Diagram: Luminis Web Server Login (Active Directory Credentials or LDAP) → Banner Direct Login Page (Oracle Credentials)
Luminis Web Server can use a directory service for user authentication
› Login requires directory service credentials
› Possible to configure as Single Sign-On or as another layer of network security.
Direct login via Oracle credentials may
All paths to authentication should have proper controls if both methods are used!
Diagram: Method 1 – Banner INB; Method 2 – Luminis
DBA_PROFILES PW Verify Function
› “IF” function for password complexity
V$PARAMETERS includes other security
PROFILE  RESOURCE_NAME             RESOURCE  LIMIT
DEFAULT  FAILED_LOGIN_ATTEMPTS     PASSWORD  UNLIMITED
DEFAULT  PASSWORD_LIFE_TIME        PASSWORD  UNLIMITED
DEFAULT  PASSWORD_REUSE_TIME       PASSWORD  UNLIMITED
DEFAULT  PASSWORD_REUSE_MAX        PASSWORD  UNLIMITED
DEFAULT  PASSWORD_VERIFY_FUNCTION  PASSWORD  NULL
DEFAULT  PASSWORD_LOCK_TIME        PASSWORD  UNLIMITED
DEFAULT  PASSWORD_GRACE_TIME       PASSWORD  UNLIMITED
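An added audit query, not part of the presentation, that reads the DBA_PROFILES password limits shown above, resolves any limit set to DEFAULT against the DEFAULT profile, flags the UNLIMITED / NULL values as findings, and counts the open accounts each profile governs. It assumes a session with SELECT access on DBA_PROFILES and DBA_USERS (e.g. SELECT ANY DICTIONARY or a DBA role).

```sql
-- Added example (not from the presentation): flag weak password limits per
-- profile and show how many open Oracle accounts each profile governs.
-- Assumes SELECT access on DBA_PROFILES and DBA_USERS.
WITH pw_limits AS (
  SELECT p.profile,
         p.resource_name,
         -- a limit of DEFAULT inherits whatever the DEFAULT profile sets
         CASE WHEN p.limit = 'DEFAULT'
              THEN (SELECT d.limit
                      FROM dba_profiles d
                     WHERE d.profile = 'DEFAULT'
                       AND d.resource_name = p.resource_name)
              ELSE p.limit
         END AS effective_limit
    FROM dba_profiles p
   WHERE p.resource_type = 'PASSWORD'
)
SELECT l.profile,
       l.resource_name,
       l.effective_limit,
       CASE
         -- DBA_PROFILES shows a missing verify function as the string 'NULL'
         WHEN l.resource_name = 'PASSWORD_VERIFY_FUNCTION'
              AND l.effective_limit = 'NULL'      THEN 'WEAK: no complexity function'
         -- the REUSE pair is evaluated together by Oracle; a hit here is a
         -- prompt to read both values, not a verdict on its own
         WHEN l.resource_name IN ('FAILED_LOGIN_ATTEMPTS', 'PASSWORD_LIFE_TIME',
                                  'PASSWORD_REUSE_TIME',   'PASSWORD_REUSE_MAX',
                                  'PASSWORD_LOCK_TIME')
              AND l.effective_limit = 'UNLIMITED' THEN 'WEAK: unlimited'
         ELSE 'ok'
       END AS finding,
       (SELECT COUNT(*)
          FROM dba_users u
         WHERE u.profile = l.profile
           AND u.account_status = 'OPEN') AS open_accounts
  FROM pw_limits l
 ORDER BY l.profile, l.resource_name;
```

Against the DEFAULT profile pictured above every row except PASSWORD_GRACE_TIME comes back as a WEAK finding, which is the slide's point: Banner INB users who log in directly inherit these limits.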
UAC can override other group policy settings
› Codes to consider:
Value  Description
512    Enabled Account
544    Enabled, Password Not Required
66048  Enabled, Password Doesn’t Expire
Authentication for each 3rd party application can vary.
Must inquire about how authentication & security are configured.
Also, consider network security such as Virtual Private Networks (VPN)
SciQuest can be synchronized with Active Directory.
› Uses AD credentials for authentication
Touchnet generally uses built-in security and authentication.
› Unique login URL for each user
› Unique Touchnet user IDs and passwords
› Touchnet has its own password controls
Look before you leap!
› Identifying relevant control points is key.
› Determine the layers of network security
› All Banner INB accounts can access the Oracle database directly – increases risk!
Section 3
Your system administrator has determined that your current activity is providing a level of enjoyment beyond that which is allowed on company time. Your enjoyment will now be disabled. You may continue with this activity, but you may not enjoy it. See your system administrator for more information.
Oracle database security structures serve as “building blocks”
Oracle security configuration can either strengthen or undermine security
Banner uses “Role-based” security
Banner “Roles” = Oracle Roles
› Containers for Oracle system privileges
› Can be password-protected
A Banner “Class” is used to group Roles & database objects together in one container
However, Banner objects can also be directly granted outside of a class; increases risk of security being undermined.
Diagram: Banner CLASS → Role (Oracle Privs.) + OBJECTS
BANNER CLASS
Role           Access Level  Banner Object/Form
BAN_DEFAULT_M  Read/Write    FOMPROF
BAN_DEFAULT_M  Read/Write    FAAINVE
BAN_DEFAULT_Q  Read Only     GSASECR
Banner Classes are containers for Role/Object assignments
Users are assigned to Classes to streamline security management
Diagram: Banner Class → User, User, User, User
(1) Banner Classes – when associated with “objects” in a Banner Class; for navigational security – “BAN_DEFAULT” roles
(2) Default Roles – controls “default” privileges upon login; Oracle security construct – “USR_DEFAULT” roles
Oracle roles are used in two different capacities in Banner
Banner roles for Classes & Navigational Security:
› BAN_DEFAULT_M* – Full read/write access
› BAN_DEFAULT_Q* – Read-only access
*These roles are created upon Banner installation with an encrypted password that no human knows!
Banner-created Default Roles:
› USR_DEFAULT_M – Full read/write access
› USR_DEFAULT_Q – Read-only access
› USR_DEFAULT_CONNECT – Ability to connect to the database/Banner only; provides no navigational access
USR/BAN_DEFAULT_M: CREATE SESSION, SELECT ANY TABLE, EXECUTE ANY PROCEDURE, SELECT ANY SEQUENCE, UPDATE ANY TABLE, SELECT ANY DICTIONARY, DELETE ANY TABLE, INSERT ANY TABLE, LOCK ANY TABLE
› These privileges provide full “write” access.
USR/BAN_DEFAULT_Q: CREATE SESSION, SELECT ANY TABLE
› “Read only” access
USR_DEFAULT_CONNECT: CREATE SESSION
› Connect only
Step 1 • Navigate to a Banner form
Step 2 • Banner checks for an Oracle role (e.g. BAN_DEFAULT_M)
Step 3 • Banner checks for the “object”
Step 4 • Banner decrypts the Oracle role password
       • This “activates” the role’s privileges only for that object
Step 5 • Access to the object is granted based on the role’s privileges
       • E.g. BAN_DEFAULT_M = full read/write access
Banner security manuals recommend that all users be assigned one Default Role:
› USR_DEFAULT_CONNECT
Assigning powerful roles as “Default” can create security risks
Roles that are password protected in Oracle (11g) must be invoked at an SQL prompt, even if assigned as DEFAULT
› SET ROLE statement with the password
No user can manually invoke the BAN_DEFAULT roles because no one
BAN_DEFAULT_M as a Default Role? Low Risk!
› BAN_DEFAULT roles are password-protected w/ system-generated, encrypted passwords.
USR_DEFAULT_M as a user’s default role? Risky!
› Grants the user full write access to everything in Banner/Oracle that is not protected within another “schema”
› A Schema is “owned” by a database user & has the same name as that user.
BANSECR = default Banner security administration account
Only BANSECR can access or execute the GSASECR (Security Maintenance) form
› “Distributed Security Administrators” can also access GSASECR
Depends upon the application!
Example:
› Touchnet & SciQuest use internal security structure
Obtain security data for Banner/Oracle
› Key Tables Include:
Table Name      Description
DBA_USERS       Listing of Database Accounts/Status
DBA_ROLE_PRIVS  All database accounts/default roles
GUVUACC         “Object Access by User View” = All Banner Accounts, Classes, Objects, & Roles
Obtain 3rd Party App security data
› May require coordination with the vendor
Determine who has access to BANSECR
Evaluate accounts assigned USR_DEFAULT_M or _Q as a Default Role
Evaluate users with access to make changes on other security forms like FOMPROF, Finance Security
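An added query, not the presentation's own, for the evaluation step above and for the “USR_DEFAULT_M as a default role? Risky!” slide: it lists open accounts that hold USR_DEFAULT_M or USR_DEFAULT_Q as a DEFAULT role (active at login with no SET ROLE), together with the ANY-scope system privileges those roles actually carry. It assumes SELECT access on DBA_USERS, DBA_ROLE_PRIVS and ROLE_SYS_PRIVS.

```sql
-- Added example (not from the presentation): open accounts whose DEFAULT
-- roles include the Banner-created USR_DEFAULT_M / USR_DEFAULT_Q roles,
-- plus the "ANY" system privileges each of those roles grants.
-- Assumes SELECT access on DBA_USERS, DBA_ROLE_PRIVS and ROLE_SYS_PRIVS.
SELECT u.username,
       u.account_status,
       u.profile,
       rp.granted_role,
       -- the privileges the role carries, pulled live rather than assumed
       LISTAGG(sp.privilege, ', ')
         WITHIN GROUP (ORDER BY sp.privilege) AS any_scope_privs,
       CASE rp.granted_role
         WHEN 'USR_DEFAULT_M' THEN 'HIGH: write access to every unprotected schema'
         WHEN 'USR_DEFAULT_Q' THEN 'MEDIUM: read access to every table'
       END AS risk
  FROM dba_users u
  JOIN dba_role_privs rp
    ON rp.grantee = u.username
   AND rp.default_role = 'YES'          -- enabled at login, no SET ROLE needed
  LEFT JOIN role_sys_privs sp
    ON sp.role = rp.granted_role
   AND sp.privilege LIKE '%ANY%'        -- SELECT ANY TABLE, UPDATE ANY TABLE, ...
 WHERE rp.granted_role IN ('USR_DEFAULT_M', 'USR_DEFAULT_Q')
   AND u.account_status = 'OPEN'
 GROUP BY u.username, u.account_status, u.profile, rp.granted_role
 ORDER BY rp.granted_role, u.username;
```

Per the security manuals' recommendation quoted above, the expected result for an ordinary user population is an empty set; every row returned is an account to justify or move to USR_DEFAULT_CONNECT.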
User Authorization Documentation
› Consider how the entity documents user access: By Role/Object or by Class?
› Consider whether specific “access levels” (i.e. classes) are requested and that requests are not for access “like” an existing user.
Periodic Review/Reauthorization
› Consider auditing how management monitors Banner access:
  Review of classes granted to users
  Review of terminated user access
  Review of objects granted directly
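Added review queries, not from the presentation, for the last item above (objects granted directly) and for the earlier warning that Banner objects can be granted outside of a class: they surface privileges granted straight to an account rather than through a Banner class or role. They assume SELECT access on DBA_TAB_PRIVS, DBA_SYS_PRIVS and DBA_USERS; the list of Oracle-internal accounts to exclude is an assumption to extend locally.

```sql
-- Added example (not from the presentation): grants that bypass Banner classes.
-- Assumes SELECT access on DBA_TAB_PRIVS, DBA_SYS_PRIVS and DBA_USERS.

-- 1. Object privileges granted directly to a database ACCOUNT: the join to
--    DBA_USERS drops roles, and the filters drop PUBLIC and an owner's own
--    schema. Anything left was not assigned through a Banner class.
SELECT tp.grantee,
       tp.owner                                   AS object_schema,
       tp.table_name,
       LISTAGG(tp.privilege, ',')
         WITHIN GROUP (ORDER BY tp.privilege)     AS privs,
       MAX(tp.grantor)                            AS granted_by
  FROM dba_tab_privs tp
  JOIN dba_users u ON u.username = tp.grantee
 WHERE tp.grantee <> 'PUBLIC'
   AND tp.grantee <> tp.owner
   AND u.account_status = 'OPEN'
   AND u.username NOT IN ('SYS', 'SYSTEM')       -- assumed exclusion list;
                                                 -- 12c+ can use ORACLE_MAINTAINED = 'N'
 GROUP BY tp.grantee, tp.owner, tp.table_name
 ORDER BY tp.grantee, tp.owner, tp.table_name;

-- 2. "ANY"-scope system privileges granted directly to an account. These give
--    USR_DEFAULT_M-style reach without the role ever appearing in a class or
--    default-role review, so they are checked separately.
SELECT sp.grantee,
       sp.privilege,
       sp.admin_option,
       u.account_status
  FROM dba_sys_privs sp
  JOIN dba_users u ON u.username = sp.grantee
 WHERE sp.privilege LIKE '%ANY%'
   AND u.username NOT IN ('SYS', 'SYSTEM')       -- same assumed exclusion list
 ORDER BY sp.grantee, sp.privilege;
```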
Banner & Oracle are “tightly coupled” – creates security enhancements & risks.
Banner security can be bypassed through poor Oracle database security
Third-party applications may require extra audit effort to understand; don’t forget about SOC/SSAE 16 Audit Reports!
Questions?
Jeff White – Jeff.White@cot.tn.gov
Timothy Hollar – Tim.Hollar@cot.tn.gov