Banner overview. Authentication to Banner & 3rd Party Apps. Authorization to Banner & 3rd Party Apps


(1)

Banner overview

Authentication to Banner & 3rd Party Apps

Authorization to Banner & 3rd Party Apps

(2)

Section 1

Higher Education Enterprise Resource Planning (ERP) system.

• Original vendor – SunGard Higher Ed
  › Now supported by Ellucian
  › Ellucian serves 2,400+ higher

(3)

Banner INB – Internet Native Banner: the functional user interface for accounting, human resources, and other administrative staff.

Banner SSB – Self Service Banner: the web-based interface to Banner functionality for students & Finance reporting functionality.

• Includes multiple distinct “systems” or modules:
  › Finance
  › Human Resources
  › Financial Aid

(4)

Distributed architecture generally includes:
  › Application Server
  › Database Server
  › Job Scheduling Server
  › Web Server (Luminis)

This is not meant to be a comprehensive list – only the basics.

(Diagram labels: Oracle Database, Application)

(5)

• Many available for varied purposes
• Common 3rd Party Apps:
  › SciQuest E-Procurement
  › Touchnet U.Commerce

Authentication – The process of identifying a user, usually by a user name and password.

Authorization – The function of specifying or granting access rights to resources in information systems.

(6)

Section 2

• When a user connects to Banner, that user also connects to the Oracle database.
  › All Banner INB accounts require individual Oracle database accounts. Banner SSB accounts do not work the same way.

• Banner INB authentication & authorization use Oracle database info & processes.
  › Security is configured by granting privileges to a

(7)

Oracle uses a User Name & Password to identify a user.
  › Stored encrypted in the SYS.USER$ table

Authentication requires one Oracle privilege: CREATE SESSION

Step 1 • Enter user name/password
Step 2 • Oracle checks credentials
Step 3 • Oracle checks privileges/security rights:
         • Default Role(s)
         • Directly granted privileges
         • PUBLIC account privileges (granted to everyone)

(8)

Method 1: Direct Login
  › Oracle Database Password Profiles
  › Login to App Server directly via web browser

Method 2: Web-Facing Portal
  › Directory Service Password Policies
  › Login to Luminis web server first, then connect to App Server

(9)

Banner Direct Login Page – Oracle Credentials

• Uses the internet browser and Oracle Fusion Middleware Forms Service – a Java JRE plug-in to display the Banner Forms in an Oracle Java Applet.

Example URL: http://APPPRD.ExampleCollege.edu:###0/forms/frmservlet?config=prod

(10)

(Diagram labels: Luminis Web Server Login, Banner Direct Login Page, Oracle Credentials, Active Directory Credentials or LDAP)

• Luminis Web Server can use a directory service for user authentication.
  › Login requires directory service credentials
  › Possible to configure as Single Sign-On or as another layer of network security.

• Direct login via Oracle credentials may

(11)

All paths to authentication should have proper controls if both methods are used!

(Diagram labels: Method 1, Method 2, Banner INB)

• DBA_PROFILES
  › PW Verify Function
  › “IF” Function for password complexity

• V$PARAMETERS includes other security

PROFILE   RESOURCE_NAME             RESOURCE   LIMIT
DEFAULT   FAILED_LOGIN_ATTEMPTS     PASSWORD   UNLIMITED
DEFAULT   PASSWORD_LIFE_TIME        PASSWORD   UNLIMITED
DEFAULT   PASSWORD_REUSE_TIME       PASSWORD   UNLIMITED
DEFAULT   PASSWORD_REUSE_MAX        PASSWORD   UNLIMITED
DEFAULT   PASSWORD_VERIFY_FUNCTION  PASSWORD   NULL
DEFAULT   PASSWORD_LOCK_TIME        PASSWORD   UNLIMITED
DEFAULT   PASSWORD_GRACE_TIME       PASSWORD   UNLIMITED
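The following SQL is an added example, not code from the slides or from Banner: it reads the profile limits shown above from DBA_PROFILES and V$PARAMETER, then supplies a complexity (“IF”) function and finite limits. It assumes a DBA session (the verify function must live in SYS), and the profile name BANNER_USERS and every limit value are illustrative assumptions.

```sql
-- Added example (not from the slides): review the password controls on the Oracle
-- profile that Banner INB accounts carry, then tighten them. Assumes a DBA session
-- (the verify function must be created as SYS); the profile name BANNER_USERS and
-- the limit values are illustrative assumptions, not Banner-documented settings.

-- 1. Which profiles real accounts are on, and the PASSWORD limits each carries.
SELECT profile, COUNT(*) AS accounts FROM dba_users GROUP BY profile;

SELECT profile, resource_name, limit
FROM   dba_profiles
WHERE  resource_type = 'PASSWORD'
ORDER  BY profile, resource_name;
-- Weak result: every limit UNLIMITED and PASSWORD_VERIFY_FUNCTION NULL,
-- which is exactly what the DEFAULT profile above shows.

-- 2. Instance-wide login security settings live in V$PARAMETER.
SELECT name, value
FROM   v$parameter
WHERE  name IN ('sec_case_sensitive_logon', 'sec_max_failed_login_attempts',
                'remote_os_authent', 'o7_dictionary_accessibility', 'audit_trail');

-- 3. The complexity ("IF") function Oracle calls on every password change.
CREATE OR REPLACE FUNCTION banner_pw_verify
  (username VARCHAR2, password VARCHAR2, old_password VARCHAR2)
  RETURN BOOLEAN IS
BEGIN
  IF LENGTH(password) < 12 THEN
    raise_application_error(-20001, 'Password must be at least 12 characters');
  END IF;
  IF INSTR(UPPER(password), UPPER(username)) > 0 THEN
    raise_application_error(-20002, 'Password must not contain the user name');
  END IF;
  IF NOT REGEXP_LIKE(password, '[0-9]') OR NOT REGEXP_LIKE(password, '[A-Za-z]') THEN
    raise_application_error(-20003, 'Password needs both letters and digits');
  END IF;
  RETURN TRUE;
END;
/

-- 4. Attach the function and finite limits to the profile INB users are assigned.
ALTER PROFILE banner_users LIMIT
  PASSWORD_VERIFY_FUNCTION banner_pw_verify
  FAILED_LOGIN_ATTEMPTS    10
  PASSWORD_LOCK_TIME       1      -- days
  PASSWORD_LIFE_TIME       90
  PASSWORD_GRACE_TIME      7
  PASSWORD_REUSE_MAX       10
  PASSWORD_REUSE_TIME      365;
```

Because every Banner INB user is an Oracle account, the profile limits apply to the direct-login path regardless of what the Luminis/directory-service path enforces.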

(12)

• UAC can override other group policy settings
  › Codes to consider:

Value   Description
512     Enabled Account
544     Enabled, Password Not Required
66048   Enabled, Password Doesn’t Expire

(13)

• Authentication for each 3rd party application can vary.
• Must inquire about how authentication & security are configured.
• Also, consider network security such as Virtual Private Networks (VPN).

• SciQuest can be synchronized with Active Directory.
  › Uses AD credentials for authentication

• Touchnet generally uses built-in security and authentication.
  › Unique login URL for each user
  › Unique Touchnet user IDs and passwords
  › Touchnet has its own password controls

(14)

Look before you leap!
  › Identifying relevant control points is key.

• Determine the layers of network security
• All Banner INB accounts can access the Oracle database directly – increases risk!

Section 3

Your system administrator has determined that your current activity is providing a level of enjoyment beyond that which is allowed on company time. Your enjoyment will now be disabled. You may continue with this activity, but you may not enjoy it. See your system administrator for more information.

(15)

Oracle database security structures serve as “building blocks”.

• Oracle security configuration can either strengthen or undermine security.

Banner uses “Role-based” security.

• Banner “Roles” = Oracle Roles
  › Containers for Oracle system privileges
  › Can be password-protected

• A Banner “Class” is used to group Roles & database objects together in one container.

(16)

• However, Banner objects can also be directly granted outside of a class; increases risk of security being undermined.

(Diagram: a Banner CLASS containing a Role (Oracle Privs.) and OBJECTS)

BANNER CLASS
Role           Access Level   Banner Object/Form
BAN_DEFAULT_M  Read/Write     FOMPROF
BAN_DEFAULT_M  Read/Write     FAAINVE
BAN_DEFAULT_Q  Read Only      GSASECR

Banner Classes are containers for Role/Object assignments.

(17)

• Users are assigned to Classes to streamline security management.

(Diagram: one Banner Class assigned to several Users)

Oracle roles are used in two different capacities in Banner:

(1) Banner Classes
  • When associated with “objects” in a Banner Class
  • For Navigational Security
  • “BAN_DEFAULT”

(2) Default Roles
  • Controls “default” privileges upon login
  • Oracle security construct
  • “USR_DEFAULT”

(18)

Banner roles for Classes & Navigational Security:
  › BAN_DEFAULT_M* – Full read/write access
  › BAN_DEFAULT_Q* – Read-only access

*These roles are created upon Banner installation with an encrypted password that no human knows!

Banner-created Default Roles:
  › USR_DEFAULT_M – Full read/write access
  › USR_DEFAULT_Q – Read-only access
  › USR_DEFAULT_CONNECT – Ability to connect to the database/Banner only; provides no navigational access

(19)

USR/BAN_DEFAULT_M: CREATE SESSION, SELECT ANY TABLE, EXECUTE ANY PROCEDURE, SELECT ANY SEQUENCE, UPDATE ANY TABLE, SELECT ANY DICTIONARY, DELETE ANY TABLE, INSERT ANY TABLE, LOCK ANY TABLE
  › These privileges provide full “write” access.

USR/BAN_DEFAULT_Q: CREATE SESSION, SELECT ANY TABLE
  › “Read only” Access

USR_DEFAULT_CONNECT: CREATE SESSION
  › Connect Only

Step 1 • Navigate to a Banner form
Step 2 • Banner checks for an Oracle role (e.g. BAN_DEFAULT_M)
Step 3 • Banner checks for the “object”
Step 4 • Banner decrypts the Oracle role password
         • This “activates” the role’s privileges only for that object
Step 5 • Access to object granted based on the role’s privileges
         • E.g. BAN_DEFAULT_M = full read/write access

(20)

Banner security manuals recommend that all users be assigned one Default Role: USR_DEFAULT_CONNECT

Assigning powerful roles as “Default” can create security risks.

• Roles that are password protected in Oracle (11g) must be invoked at an SQL prompt, even if assigned as DEFAULT
  › SET ROLE statement with the password

• No user can manually invoke the BAN_DEFAULT roles because no one

(21)

BAN_DEFAULT_M as a Default Role? Low Risk!
  • BAN_DEFAULT roles are password-protected w/ system-generated, encrypted passwords.

USR_DEFAULT_M as a user’s default role? Risky!
  • Grants the user full write access to everything in Banner/Oracle that is not protected within another “schema”
  › A Schema is “owned” by a database user & has the same name as that user.

(22)

BANSECR = default Banner security administration account
  • Only BANSECR can access or execute the GSASECR (Security Maintenance) form
  • “Distributed Security Administrators” can also access GSASECR

Depends upon the application!
  • Example:
    › Touchnet & SciQuest use internal security structure

(23)

• Obtain security data for Banner/Oracle
  › Key Tables Include:

Table Name      Description
DBA_USERS       Listing of Database Accounts/Status
DBA_ROLE_PRIVS  All database accounts/default roles
GUVUACC         “Object Access by User View” = All Banner Accounts, Classes, Objects, & Roles

• Obtain 3rd Party App security data
  › May require coordination with the vendor

• Determine who has access to BANSECR
• Evaluate accounts assigned USR_DEFAULT_M or _Q as a Default Role
• Evaluate users with access to make changes on other security forms like FOMPROF, Finance Security
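The following SQL is an added example, not from the slides or from Banner, covering the audit steps on this slide (default roles, BANSECR access) and the “objects granted directly” review that follows. It assumes a DBA-level read account; the role and schema names are the ones the slides quote, while GUVUACC's columns and owning schema are not shown on the slides and are left as assumptions to confirm on site.

```sql
-- Added example (not from the slides): audit queries over the dictionary views the
-- slides name. Run with a DBA-level read account. Role and schema names are the
-- Banner ones the slides quote; GUVUACC's columns are not shown there, so it is
-- read with SELECT *, and its owning schema prefix is an assumption to confirm.

-- a. Account inventory and status (locked/expired accounts, profile in use).
SELECT username, account_status, profile, created, lock_date, expiry_date
FROM   dba_users
ORDER  BY username;

-- b. Accounts whose DEFAULT role is one of the powerful USR_DEFAULT roles:
--    these privileges are live on every login, not just inside a Banner form.
SELECT grantee, granted_role, default_role
FROM   dba_role_privs
WHERE  granted_role IN ('USR_DEFAULT_M', 'USR_DEFAULT_Q')
AND    default_role = 'YES'
ORDER  BY granted_role, grantee;

-- c. What the Banner roles actually carry today (compare with the slide's list).
SELECT grantee AS role_name, privilege
FROM   dba_sys_privs
WHERE  grantee IN ('USR_DEFAULT_M', 'USR_DEFAULT_Q', 'USR_DEFAULT_CONNECT',
                   'BAN_DEFAULT_M', 'BAN_DEFAULT_Q')
ORDER  BY grantee, privilege;

-- d. "ANY" system privileges granted straight to user accounts, outside any
--    role: these bypass Banner class/object security entirely.
SELECT p.grantee, p.privilege
FROM   dba_sys_privs p
JOIN   dba_users    u ON u.username = p.grantee
WHERE  p.privilege LIKE '%ANY%'
ORDER  BY p.grantee, p.privilege;

-- e. Who can reach the security administration schema (BANSECR) directly:
--    object grants on its tables, and proxy accounts allowed to connect as it.
SELECT grantee, table_name, privilege
FROM   dba_tab_privs
WHERE  owner = 'BANSECR' AND grantee <> 'BANSECR';

SELECT proxy, client FROM proxy_users WHERE client = 'BANSECR';

-- f. Banner objects granted directly to users rather than through a class
--    ("Review of objects granted directly"); filter GUVUACC's columns locally.
--    Prefix with the owning schema (assumed BANSECR) if no public synonym exists.
SELECT * FROM guvuacc;
```

Results from (b) and (d) are the accounts whose Oracle privileges are not gated by a Banner form at all, which is the bypass risk the summary slide warns about.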

(24)

User Authorization Documentation
  › Consider how the entity documents user access:
    • By Role/Object or by Class?
  › Consider whether specific “access levels” (i.e. classes) are requested and that requests are not for access “like” an existing user.

Periodic Review/Reauthorization
  › Consider auditing how management monitors Banner access:
    • Review of classes granted to users
    • Review of terminated user access
    • Review of objects granted directly

(25)

• Banner & Oracle are “tightly coupled” – creates security enhancements & risks.
• Banner security can be bypassed through poor Oracle database security.
• Third-party applications may require extra audit effort to understand; don’t forget about SOC/SSAE 16 Audit Reports!

Questions?

Jeff White – Jeff.White@cot.tn.gov
Timothy Hollar – Tim.Hollar@cot.tn.gov
