Hi Nicole,
Having reviewed Matthew's answers, I've noticed that the processes/methodology he mentions seem very similar to ours here at The University of Auckland. My answers below refer to Campus Solutions 9.0
- Generally, how are your roles and permission lists designed - job description and say permission list by function?
A:
Roles were initially named around business roles, e.g. XXX_GRADUATION, etc.
We started by identifying a matrix of business processes vs role access. From this information, we could identify some commonality in requirements. This allowed us to identify some common permission lists such as XXX_SA_VIEW. This quickly became quite a complex task and with changing requirements, proved complex to maintain for all but the most common permission lists.
UoA:
Same
- What is the average ratio of roles : permission lists?
A: About 5 to 1
UoA:
Generally each role has at least one permission list designed specifically for that role, though where we have different levels of access for the same functional area, we've tried to utilise existing permission lists and build on them for higher levels of access. So the lowest level role would have a 1 to 1 role to permission list relationship, whereas a higher level role might have three permission lists.
- Have you had any access or performance issues to deal with since the upgrade or implementation of version 9?
A: No significant issues.
UoA:
Same
- How is user profile creation managed - delivered mass change functionality or custom processes?
A: Custom Application Engine process for real time student provisioning when offer is accepted, to provision user profile, roles, etc. and network access.
UoA:
We do the same thing, though I'd also add that we also de-provision (but not delete) administrative users who have been terminated.
- Are there any performance issues or benefits in the profile creation method?
A: Using Application Engine is quite manageable and extensible as needs change.
UoA:
Agreed
- How are the role assignments performed - static or dynamic role rules?
A: Mostly static, via manual approval process.
UoA:
While students' user profiles and roles are set up automatically, admin staff are assigned roles through a manual approval process. We do use a couple of dynamic roles but it's mostly manual.
- Have you experienced any issues with this method of role assignment?
A: We did have some dynamic role assignment but found not much advantage in this, as it relied on the Profile being created. The dynamic role rule isn't exactly dynamic, it needs to be scheduled/run to apply the changes. With your larger user base, you may find some benefit with it.
UoA:
Our dynamic roles are based on LDAP queries, for example: return a list of all employees (our CS and HR environments are separate). When we run the scheduled Dynamic Role process, LDAP returns the membership meeting the criteria and populates roles even if a user profile does not exist for that person, so you have to do a cleanup afterwards - either delete the orphaned rows or create a user profile for them. Oracle have advised this is working as designed.
As an aside, it's perhaps worth mentioning that we export all our Roles\Rolesusers to our LDAP and AD as Groups\Members. The benefit of this is that these Groups\Members can then be used for permissions for other related systems or for access to folders on file servers. This provides the business with a greater level of accuracy and transparency with a lower maintenance overhead.
Cheers
Paul
_________________________________________
Paul Wescott
Application Security Architect
ITS Group Applications
The University of Auckland
Phone +64 9 3737599 x 87112
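Paul's point about the scheduled Dynamic Role process writing role memberships for LDAP matches that have no user profile, together with the roles : permission lists ratio discussed earlier in the thread, as an added example that is not part of any of the messages above: a Python script that loads a constructed sample of the PeopleTools security tables into SQLite and runs the two queries a security administrator would use for the cleanup check and the ratio count. The table names (PSOPRDEFN, PSROLEUSER, PSROLECLASS) are the delivered PeopleTools ones; the column set, the role and permission list names and the sample rows are assumptions made for the example.

```python
import sqlite3

# Added example, not code from the thread. Assumes the delivered PeopleTools
# security tables: PSOPRDEFN (user profiles), PSROLEUSER (role membership;
# DYNAMIC_SW marks rows written by the dynamic role process) and PSROLECLASS
# (role -> permission list). Columns are assumed; verify against your release.
SCHEMA = """
CREATE TABLE PSOPRDEFN  (OPRID TEXT PRIMARY KEY, OPRDEFNDESC TEXT, ACCTLOCK INTEGER);
CREATE TABLE PSROLEUSER (ROLEUSER TEXT, ROLENAME TEXT, DYNAMIC_SW TEXT);
CREATE TABLE PSROLECLASS(ROLENAME TEXT, CLASSID TEXT);
"""

# Constructed sample data. 'ghost1' is an LDAP employee with no user profile,
# which is the orphaned membership row the dynamic role run leaves behind.
SAMPLE_ROWS = {
    "PSOPRDEFN": [
        ("jsmith", "Jane Smith", 0),
        ("bwong", "Bob Wong", 0),
        ("tgone", "Terminated Staff Member", 1),   # de-provisioned (locked), not deleted
    ],
    "PSROLEUSER": [
        ("jsmith", "XXX_GRADUATION", "N"),
        ("bwong", "XXX_GRADUATION", "N"),
        ("bwong", "XXX_ADMISSIONS_SUPER", "N"),
        ("jsmith", "XXX_ALL_EMPLOYEES", "Y"),      # written by the dynamic role run
        ("ghost1", "XXX_ALL_EMPLOYEES", "Y"),      # LDAP match with no user profile
    ],
    "PSROLECLASS": [
        ("XXX_GRADUATION", "XXX_SA_VIEW"),
        ("XXX_ADMISSIONS_SUPER", "XXX_SA_VIEW"),
        ("XXX_ADMISSIONS_SUPER", "XXX_ADM_UPDATE"),
        ("XXX_ADMISSIONS_SUPER", "XXX_ADM_ADMIN"),
        ("XXX_ALL_EMPLOYEES", "XXX_EMP_SELF"),
    ],
}


def build_sample_db():
    """Create an in-memory database holding the constructed sample tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in SAMPLE_ROWS.items():
        marks = ", ".join("?" * len(rows[0]))
        conn.executemany(f"INSERT INTO {table} VALUES ({marks})", rows)
    conn.commit()
    return conn


def find_orphan_role_rows(conn):
    """Role memberships whose ROLEUSER has no matching user profile (the post-run cleanup check)."""
    sql = """SELECT ru.ROLEUSER, ru.ROLENAME, ru.DYNAMIC_SW
             FROM PSROLEUSER ru
             LEFT JOIN PSOPRDEFN o ON o.OPRID = ru.ROLEUSER
             WHERE o.OPRID IS NULL
             ORDER BY ru.ROLEUSER, ru.ROLENAME"""
    return conn.execute(sql).fetchall()


def remove_orphan_role_rows(conn):
    """The 'delete the orphaned rows' cleanup option; returns the number of rows removed."""
    cur = conn.execute("""DELETE FROM PSROLEUSER
                          WHERE ROLEUSER NOT IN (SELECT OPRID FROM PSOPRDEFN)""")
    conn.commit()
    return cur.rowcount


def permission_lists_per_role(conn):
    """Number of permission lists attached to each role, as {ROLENAME: count}."""
    sql = "SELECT ROLENAME, COUNT(CLASSID) FROM PSROLECLASS GROUP BY ROLENAME"
    return dict(conn.execute(sql).fetchall())


def average_permission_lists_per_role(conn):
    """The roles : permission lists ratio expressed as permission lists per role."""
    counts = permission_lists_per_role(conn)
    return sum(counts.values()) / len(counts)


if __name__ == "__main__":
    db = build_sample_db()
    print("orphaned role rows:", find_orphan_role_rows(db))
    print("permission lists per role:", permission_lists_per_role(db))
    print("average per role:", round(average_permission_lists_per_role(db), 2))
    print("removed:", remove_orphan_role_rows(db))
```

On the sample data the orphan query returns only the `ghost1` row, the per-role counts show the 1 : 1 and 1 : 3 shapes described above, and the delete removes exactly that one row. Against a real database the same two SELECTs can be run read-only after each scheduled Dynamic Role run, with the delete replaced by whichever cleanup option (remove the rows or create the profile) the site has chosen.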
From: Matthew Bielby [mailto:mbielby@usc.edu.au]
Sent: Monday, 7 February 2011 3:28 p.m.
To: anz.heug@list.heug.org
Cc: Nicole Hart
Subject: [anz.heug] - RE: version 9 application security and role assignment
Hi Nicole,
We went live with 9.0 Campus in late 2008, and HR/Payroll in early 2009.
- Generally, how are your roles and permission lists designed - job description and say permission list by function?
A:
Roles were initially named around business roles, e.g. XXX_GRADUATION, etc.
We started by identifying a matrix of business processes vs role access. From this information, we could identify some commonality in requirements. This allowed us to identify some common permission lists such as XXX_SA_VIEW. This quickly became quite a complex task and with changing requirements, proved complex to maintain for all but the most common permission lists.
- What is the average ratio of roles : permission lists?
A: About 5 to 1
- Have you had any access or performance issues to deal with since the upgrade or implementation of version 9?
A: No significant issues.
- How is user profile creation managed - delivered mass change functionality or custom processes?
A: Custom Application Engine process for real time student provisioning when offer is accepted, to provision user profile, roles, etc. and network access.
- Are there any performance issues or benefits in the profile creation method?
A: Using Application Engine is quite manageable and extensible as needs change.
- How are the role assignments performed - static or dynamic role rules?
A: Mostly static, via manual approval process.
- Have you experienced any issues with this method of role assignment?
A: We did have some dynamic role assignment but found not much advantage in this, as it relied on the Profile being created. The dynamic role rule isn't exactly dynamic, it needs to be scheduled/run to apply the changes. With your larger user base, you may find some benefit with it.
Hope this helps,
Matt Bielby
Senior Business Systems Analyst
IT Services
University of the Sunshine Coast
Australia
email: mbielby@usc.edu.au
Phone: +61 (07) 5456 5521
>>> Nicole Hart <nicole.hart@rmit.edu.au> 7/02/2011 12:05 pm >>>
Hello all,
RMIT is preparing to deliver student self service in Campus Solutions 9.0. As some security elements are new we would be happy to hear from you regarding your application security and its performance, including in applications other than Campus Solutions.
We would like to get a feel for how other organisations have set up their application security and how security administration is performed.
Some questions...
- Generally, how are your roles and permission lists designed - job description and say permission list by function?
- What is the average ratio of roles : permission lists?
- Have you had any access or performance issues to deal with since the upgrade or implementation of version 9?
- How is user profile creation managed - delivered mass change functionality or custom processes?
- Are there any performance issues or benefits in the profile creation method?
- How are the role assignments performed - static or dynamic role rules?
- Have you experienced any issues with this method of role assignment?
Thank you for your response and your time.
Kind regards,
Nicole Hart.
SAMS Project
RMIT University.
-----End Original Message-----