Presented at Collaborate 2016 in Las Vegas
Date: 04/13/2016
Oracle WebCenter Content's default security model is based on group membership, i.e. RBAC (Role Based Access Control), and is not sufficient for fine-grained authorization models where the authorization decision may depend on a combination of document attributes and roles. It is not aligned with the ABAC (Attribute Based Access Control) model, which helps prevent threats from inside the organization. Oracle Entitlements Server (OES) is a standards-based, policy-driven security solution that provides real-time fine-grained authorization for enterprise applications such as WebCenter. By integrating Oracle WebCenter Content with OES, corporations can provide high-performance fine-grained and coarse-grained access control for enterprise content using a centralized and consistent approach.
This session presents a fine-grained authorization approach for WebCenter using Oracle Entitlements Server. It includes a live demo and an implementation use case from the College of American Pathologists, IL, and closes with a Q & A session in which attendees can ask questions.
Build Fine-Grained Authorization for WebCenter Using Oracle Entitlements Server (OES)
1. Build Fine-Grained Authorization for WebCenter Using Oracle Entitlements Server (OES)
Session ID: 1351
Prepared by:
Shyam Kumar – AST Corporation
Zeeshan Baig – AST Corporation
2. Introduction
Shyam Kumar is the Vice President of Middleware Practice at AST
Corporation, Naperville (Chicago), IL & responsible for all aspects of
the middleware business including strategic account management
and solution architecture.
Speaker at following industry forums/conferences –
– Airport E-Business Users’ Roundtable
– 5th International SOA, Cloud + Service Technology Symposium, London
– APTA - 2013 Fare Collect-TransITech - Phoenix, AZ
– North Central Oracle Apps User Group(NCOAUG) - Chicago
– Oracle HCM Users Group (OHUG)
– Collaborate (OAUG/IOUG)
– Oracle Open World (OOW)
Zeeshan Baig is an Oracle ACE and works as Solution Architect in the
Middleware Practice at AST Corporation, Naperville (Chicago), IL & is
responsible for enterprise architecture for large Cloud, Mobile, Security and
Integration Projects.
Speaker at following industry forums/conferences –
– North Central Oracle Apps User Group(NCOAUG)
– RMOUG
– Collaborate (OAUG/IOUG)
– KSCOPE
3. Our Brands Our Services Oracle Specialized
Enterprise Resource Planning
Business Intelligence
EPM-Hyperion
Middleware
CRM/CX
MDM-EDQ
Configure/Price/Quote
Managed Services
Education / Oracle University
Project Advisory Services
EBS Financial Management
EBS Human Capital Management
EBS Supply Chain Management
Database
BI Applications
BI Foundation Suite
Hyperion Planning & Financial Management
Essbase
Oracle Data Integration
Application Development Framework
Service Oriented Architecture
WebCenter Content
Access Management Suite Plus
Identity Governance Suite
WebLogic Server
2015, 2013, 2011, 2009
Oracle Excellence
Award Winner
2015, 2014
Chicago Tribune Top 100
Workplaces Award Winner
2014, 2013, 2012
Inc. 5000 Fastest Growing
Companies Award Winner
2014, 2012
Best & Brightest Companies to
Work For Award Winner
Specialized. Recognized. Preferred.
4. Agenda
• Authorization Overview
• Understanding Oracle Entitlement Server
• Oracle Entitlement Server Demo
• WCC – OES Implementation Approach
• Implementation Case Study
• Q & A.
5. Insider Threat
“Does our organization have a way to detect unauthorized access to our data?”
“…less than 10 percent of companies actually have proactive monitoring of security controls - Authorization?”
58% of Information Security Incidents Attributed to Insider Threat
93% of U.S. Organizations Are Vulnerable to Insider
9. Oracle Entitlement Server (OES)
OES provides an implementation of fine-grained authorization
Use policies to protect application resources
10. High-Level Architecture
The PAP (Policy Administration Point) is the OES Admin Server; it manages the policies and the security-related artifacts.
SM Engines (Security Module engines) are the processes referred to as OES clients.
11. WebCenter – Security Overview
WebCenter Content Security
Security Groups
• Similar to Roles
• Non-Hierarchical
• Performance overhead
Accounts with SG
• User level
• Could be Hierarchical
• Could become complex and out of control
OES
• Policy Based approach
• Attribute Level control
• Custom Functions
• Integration with DB or LDAP
12. WebCenter – Supported Operations
WebCenter Content Document Operation | Description | Oracle Entitlements Server Controls
Check-in | Creating a new revision of the document | Who can perform the document check-in operation
New Check-in | Uploading a new document | Who can perform a new document check-in operation
Check-in similar | Similar to New Check-in; inherits properties set during the previous new document upload | Who can perform the check-in similar document operation
Checkout | Check out an existing document for modifications | Who can perform the document checkout operation
Undo Checkout | Discard the checked-out document | Who can perform the discard document checkout operation
Delete | Delete a revision of the document | Who can perform the document delete operation
Update | Update metadata or attributes of the document | Who can perform the document update operation
Search | Perform a document search operation | What the user can see in the document search results
Read | Read the content of the document | Who can perform the document read operation
Download | Download the document | Who can perform the document download operation
13. WebCenter – OES Integration
The OES client (the Security Module, SM) is embedded inside the Content Management server; this SM provides both
• Policy Decision Point (PDP)
• Policy Enforcement Point (PEP)
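To make the operations table and the PDP/PEP split concrete, here is an added example (not OES's policy language or API, and not code from the presenters): a deny-by-default decision point that evaluates the document operations listed above, wrapped by a small enforcement point that a content server would call before acting and when filtering search results. It runs the same requests through a role-only policy set (the security-group model) and an attribute-based one, so the difference in what a Staff user sees and what a Director may check in is visible in the results. The class names (Subject, Resource, Policy, PolicyDecisionPoint, ContentServerPEP), the policy rules and the sample documents and users are all constructed for this example.

```python
"""Illustrative PDP/PEP for WebCenter Content document operations (added example, not OES code)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List, Set

# The document operations from the "Supported Operations" table.
OPERATIONS: Set[str] = {
    "check-in", "new-check-in", "check-in-similar", "checkout", "undo-checkout",
    "delete", "update", "search", "read", "download",
}


@dataclass
class Subject:
    name: str
    roles: Set[str]                                            # RBAC: security-group style roles
    attributes: Dict[str, str] = field(default_factory=dict)   # ABAC: user attributes (e.g. department)


@dataclass
class Resource:
    doc_id: str
    attributes: Dict[str, str]   # document metadata: department, classification, author


Condition = Callable[[Subject, Resource], bool]


@dataclass
class Policy:
    """A permit rule: grants `operations` when condition(subject, resource) is true."""
    name: str
    operations: Set[str]
    condition: Condition


class PolicyDecisionPoint:
    """PDP: deny by default; permit only if some policy covering the operation matches."""

    def __init__(self, policies: Iterable[Policy]) -> None:
        self.policies = list(policies)

    def decide(self, subject: Subject, operation: str, resource: Resource) -> bool:
        if operation not in OPERATIONS:
            raise ValueError(f"unknown operation: {operation}")
        return any(operation in p.operations and p.condition(subject, resource)
                   for p in self.policies)


class ContentServerPEP:
    """PEP: asks the PDP before every operation and filters search hits through it."""

    def __init__(self, pdp: PolicyDecisionPoint, repository: Dict[str, Resource]) -> None:
        self.pdp, self.repository = pdp, repository

    def perform(self, subject: Subject, operation: str, doc_id: str) -> str:
        resource = self.repository[doc_id]
        verdict = "PERMIT" if self.pdp.decide(subject, operation, resource) else "DENY"
        return f"{verdict} {operation} {doc_id} for {subject.name}"

    def search(self, subject: Subject) -> List[str]:
        # "What the user can see in the search results": keep only PDP-permitted documents.
        return [d for d, r in self.repository.items() if self.pdp.decide(subject, "search", r)]


# RBAC-only policies: decisions depend on role membership alone.
RBAC_POLICIES = [
    Policy("directors-check-in", {"check-in", "new-check-in", "check-in-similar"},
           lambda s, r: "Director" in s.roles),
    Policy("staff-read", {"search", "read", "download"},
           lambda s, r: "Staff" in s.roles),
]

# ABAC policies: the same roles combined with subject and document attributes.
ABAC_POLICIES = [
    Policy("directors-check-in-own-dept", {"check-in", "new-check-in", "check-in-similar"},
           lambda s, r: "Director" in s.roles
           and s.attributes.get("department") == r.attributes.get("department")),
    Policy("staff-read-own-dept-non-confidential", {"search", "read", "download"},
           lambda s, r: "Staff" in s.roles
           and s.attributes.get("department") == r.attributes.get("department")
           and r.attributes.get("classification") != "confidential"),
    Policy("author-manages-own-document", {"update", "delete"},
           lambda s, r: r.attributes.get("author") == s.name),
]

# Constructed sample repository and users (not real data).
DOCS = {
    "DOC-1": Resource("DOC-1", {"department": "finance", "classification": "internal", "author": "alice"}),
    "DOC-2": Resource("DOC-2", {"department": "hr", "classification": "confidential", "author": "bob"}),
    "DOC-3": Resource("DOC-3", {"department": "finance", "classification": "confidential", "author": "carol"}),
}
ALICE = Subject("alice", {"Staff"}, {"department": "finance"})
BOB = Subject("bob", {"Director", "Staff"}, {"department": "hr"})


def compare_models() -> Dict[str, object]:
    """Run identical requests through an RBAC-only PEP and an ABAC PEP."""
    rbac = ContentServerPEP(PolicyDecisionPoint(RBAC_POLICIES), DOCS)
    abac = ContentServerPEP(PolicyDecisionPoint(ABAC_POLICIES), DOCS)
    return {
        "rbac_alice_search": rbac.search(ALICE),        # role alone: every document is visible
        "abac_alice_search": abac.search(ALICE),        # own department, non-confidential only
        "rbac_bob_checkin_finance": rbac.perform(BOB, "check-in", "DOC-1"),
        "abac_bob_checkin_finance": abac.perform(BOB, "check-in", "DOC-1"),   # wrong department
        "abac_bob_checkin_hr": abac.perform(BOB, "check-in", "DOC-2"),
        "abac_alice_delete_own": abac.perform(ALICE, "delete", "DOC-1"),
        "abac_alice_delete_other": abac.perform(ALICE, "delete", "DOC-3"),
    }


if __name__ == "__main__":
    for key, value in compare_models().items():
        print(f"{key}: {value}")
```

The design point is that the PEP never decides anything itself: every operation, including the per-hit filtering of search results, is routed to the PDP, so a policy change in one place (the equivalent of the OES policy store) changes behaviour for all ten operations without touching the server code. With the RBAC set, Alice's Staff role exposes every document; with the ABAC set, the same role is constrained by department and classification attributes, and Bob's Director role only permits check-in of documents in his own department.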
14. WebCenter – Integration Roadmap
Steps, in order:
• Migrate WC Policy Store to OES
• Install UCM Connector for OES
• Create Policies in OES
15. WebCenter – Demo Outline
OES Policy Overview
Policies for WebCenter
Create Check In Policy for Directors
Attribute Based Policy Scenario
17. Case Study
College of American Pathologists, Northfield, Illinois
World’s largest association composed exclusively of board certified pathologists and the worldwide leader in laboratory quality assurance. More than 7,000 laboratories are accredited by the CAP, and approximately 23,000 laboratories.
BUSINESS NEEDS
Build an Enterprise Security Platform, a strategic initiative for CAP’s future growth and expansion to the international market, requiring a highly‐secured infrastructure for its customers.
SOLUTION & BENEFITS
• Create foundation for Enterprise Security
• Consolidation of identity data, creating a centralized identity store using Oracle Internet Directory & Oracle Virtual Directory
• Implementation of policy‐driven automated provisioning, enhancing security and compliance by leveraging Oracle Identity Manager
• Self‐service user registration and profile management
• Single Sign‐On (SSO) using Oracle Access Manager
• Federated identity management and cross‐domain SSO using Oracle Identity Federation
• Fine‐grained portal entitlement and delegated administration using Oracle Entitlement Server
• Integration with over 25 legacy systems
• Identity governance, and IT audit monitoring and reporting
18. OES Implementation Overview
• 250,000 Users and 40,000 members
• 250 Policies
• Dynamic Policies
• OES Replacement to CrossLogix
• Integration with Enterprise OIAM Systems
• WebService Based Integration
[Architecture diagram: Enterprise OES Platform with OID as the Authentication Store and a Database as the Policy Store; connected parties Sun Lab Inc, 3M Lab and CAP Staff; example users John – the Lab Admin and John – the Pathologist]
Oracle Entitlements Server (OES) is a standards-based, policy-driven security solution that provides real-time fine-grained authorization in Application, Service-Oriented Architecture (SOA) and Database environments... Oracle Entitlements Server can serve as the authorization engine for all the content managed by Oracle WebCenter Content using RBAC and ABAC policies.