Presented at Collaborate 2016 in Las Vegas Date: 04/13/2016 Oracle WebCenter Content default security model is based on group membership - RBAC (Role Based Access Control) and is not sufficient to handle fine-grained authorization models where authorization decision could be on the basis of a combination of document attributes and roles. It is not aligned with the ABAC (Attribute Based Access Control) model - which helps prevent threat from inside the organization. Oracle Entitlements Server (OES) is a standards-based, policy-driven security solution that provides real time fine-grained authorization for enterprise applications such as WebCenter. By integrating Oracle WebCenter Content with OES, corporations can provide high performance fine-grained and coarse-grained access control for enterprise content using a centralized and consistent approach. This session provides fine-grained authorization approach for WebCenter using Oracle Entitlements Server. This session will also demonstrate a live demo and implementation UseCase from College of American Pathologist,IL. It will provide Q & A session for the attendees to ask any question.

1. Session ID:
Prepared by:
Build Fine-Grained Authorization
for WebCenter Using Oracle
Entitlements Server (OES)
1351
Shyam Kumar – AST Corporation
Zeeshan Baig – AST Corporation

2. Introduction
Shyam Kumar is the Vice President of Middleware Practice at AST
Corporation, Naperville (Chicago), IL & responsible for all aspects of
the middleware business including strategic account management
and solution architecture.
Speaker at following industry forums/conferences –
– Airport E-Business Users’ Roundtable
– 5th International SOA, Cloud + Service Technology Symposium, London
– APTA - 2013 Fare Collect-TransITech - Phoenix, AZ
– North Central Oracle Apps User Group(NCOAUG) - Chicago
– Oracle HCM Users Group (OHUG)
– Collaborate (OAUG/IOUG)
– Oracle Open World (OOW)
Zeeshan Baig is an Oracle ACE and works as Solution Architect at
Middleware Practice at AST Corporation, Naperville (Chicago), IL &
responsible for enterprise architecture for large Cloud, Mobile, Security and
Integration Projects..
Speaker at following industry forums/conferences –
– North Central Oracle Apps User Group(NCOAUG)
– RMOUG
– Collaborate (OAUG/IOUG)
– KSCOPE

3. Our Brands Our Services Oracle Specialized
 Enterprise Resource Planning
 Business Intelligence
 EPM-Hyperion
 Middleware
 CRM/CX
 MDM-EDQ
 Configure/Price/Quote
 Managed Services
 Education / Oracle University
 Project Advisory Services
 EBS Financial Management
 EBS Human Capital Management
 EBS Supply Chain Management
 Database
 BI Applications
 BI Foundation Suite
 Hyperion Planning & Financial Management
 Essbase
 Oracle Data Integration
 Application Development Framework
 Service Oriented Architecture
 WebCenter Content
 Access Management Suite Plus
 Identity Governance Suite
 WebLogic Server
2015, 2013, 2011, 2009
Oracle Excellence
Award Winner
2015, 2014
Chicago Tribune Top 100
Workplaces Award Winner
2014, 2013, 2012
Inc. 5000 Fastest Growing
Companies Award Winner
2014, 2012
Best & Brightest Companies to
Work For Award Winner
Specialized. Recognized. Preferred.
3

4. Agenda
• Authorization Overview
• Understanding Oracle Entitlement Server
• Oracle Entitlement Server Demo
• WCC – OES Implementation Approach
• Implementation Case Study
• Q & A.
4

5. Insider Threat
5
“Does our organization have a way to detect
unauthorized access to our data?”
“…less than 10 percent of companies actually have proactive monitoring
of security controls - Authorization?”
58% Information Security Incidents Attributed to Insider Threat
93 % of U.S. Organizations Are Vulnerable to Insider

6. Authorization Concepts
6
Grant “trade” privileges for the Account resource when user is in Account Trader Role:

7. Fine-Grained & Coarse-Grained Authorization
•Role Based (RBAC)
•Less Restrictive
Coarse-
Grained
•Attribute Based
(ABAC)
•More Restrictive
Fine-
Grained
7

8. Authorization Policy Definition
Application Security Requirements are defined by ‘Business Experts’

9.  OES provides an implementation of fine-
grained authorization
 Use policies to protect application resources
Oracle Entitlement Server (OES)

10.  The PAP is the OES Admin Server manages the policies
and artifacts related to security
 SM Engine are the process referred as OES client
High-Level Architecture

11. WebCenter – Security Overview
WebCenter Content Security
Security Groups
• Similar to Roles
• Non-Hierarchical
• Performance
overhead
Accounts with SG
• User level
• Could be Hierarchical
• Could become
Complex and out of
control
OES
• Policy Based approach
• Attribute Level control
• Custom Functions
• Integration with DB or
LDAP

12. WebCenter – Supported Operations
WebCenter Content Document
Operation Description
Oracle Entitlements Server
Controls
Check-in Creating new revision of the
document
Who can perform document check-
in operation
New Check-in Uploading new document Who can perform a new document
check-in operation
Check-in similar Similar to New Check-in. Inherits
properties set during previous new
document upload
Who can perform check-in similar
document operation
Checkout Checkout existing document for
modifications
Who can perform document
checkout operation
Undo Checkout Discard checked-out document Who can perform discard
document checkout operation
Delete Delete revision of the document Who can perform document delete
operation
Update Update metadata or attributes of
the document
Who can perform document
update operation
Search Perform document search
operation
What user can see in the
document search results
Read Read content of the document Who can perform document read
operation
Download Download the document Who can perform document
download operation

13.  The OES client(Security Module (SM), is embedded
inside the Content Management; this SM provides
both
• Policy Decision Point (PDP)
• Policy Enforcement Point (PEP)
WebCenter – OES Integration

14. WebCenter – Integration Roadmap
Migrate WC
Policy Store
to OES
Install UCM
Connector
for OES
Create
Policies in
OES

15. WebCenter – Demo Outline
 OES Policy Overview
 Policies for WebCenter
 Create Check In Policy for Directors
 Attribute Based Policy Scenario

16. CUSTOMER CASE STUDY
Entitlement Server Implementation

17. CASESTUDY.
College Of American
Pathologist
Northfield, Illinois
World’s largest association
composed exclusively of board
certified pathologists and is the
worldwide leader in laboratory
quality assurance. More than
7,000 laboratories are accredited
by the CAP, and approximately
23,000 laboratories.
Build an Enterprise Security Platform, a strategic initiative for CAP’s future growth
and expansion to the international market, requiring a highly‐secured
infrastructure for its customers.
BUSINESS
NEEDS
• Create foundation for Enterprise Security
• Consolidation of identity data, creating a centralized identity store using Oracle Internet
Directory & Oracle Virtual Directory
• Implementations of policy‐driven automated provisioning, enhancing security and compliance
by leveraging Oracle Identity Manager
• Self‐service user registration and profile management
• Single Sign‐On (SSO) using Oracle Access Manager
• Federated identity management and cross‐domain SSO using Oracle Identity Federation
• Fine‐grained portal entitlement and delegated administration using Oracle Entitlement
Server
• Integration with over 25 legacy systems
• Identity governance, and IT audit monitoring and reporting
SOLUTION & BENEFITS

18.  250,000 Users and 40,000 members
 250 Policies
 Dynamic Policies
OES Implementation Overview
Sun Lab Inc
3M Lab
Enterprise OES Platform
OID
Authentication
Store
Database
Policy
Store
CAP Staff
John– the
Lab Admin
John – the
Pathologist
 OES Replacement to CrossLogix
 Integration with Enterprise OIAM Systems
 WebService Based Integration

19. Implementation Technical Architecture

20. Question & Answers
Contact Information
Shyam Kumar/Zeeshan Baig
skumar@astcorporation.com
630-347-0833