Office of the accountant general a e kerala
Download
1 / 72

OFFICE OF THE ACCOUNTANT GENERAL (A&E), KERALA - PowerPoint PPT Presentation


  • 229 Views
  • Uploaded on

OFFICE OF THE ACCOUNTANT GENERAL (A&E), KERALA. Management of Security in VLC Software.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'OFFICE OF THE ACCOUNTANT GENERAL (A&E), KERALA' - gino


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Office of the accountant general a e kerala l.jpg

OFFICE OF THE ACCOUNTANT GENERAL (A&E), KERALA

Management of Security in VLC Software


Slide2 l.jpg

Security in VLC Software is administered by a user with DBA privileges, VLCADMIN, and is managed through the Administration Module.The Security and Administration module provides extensive security features to safeguard the data from both unauthorised viewing and intentional tampering. In addition, it maintains the users and defines users by creating roles and functions, audits all deleted records and checks SQL facilities. Security is provided by granting specific privileges to roles and then assigning roles to users. Roles are created by the administrator for every module by granting the type of access, full or read only, on related database objects depending on the module requirement and the status and responsibilities of the user. It is invoked from the Modules drop down Menu.


Slide3 l.jpg

The first screen of the Administration Module offers the Menu for all Administration activities.

The Main Menu item are

  • Module other Administration

  • Roles

  • Users

  • Report

  • Exit


Slide4 l.jpg
Before going into the finer details of the sub menus Menu for all Administration activities.a detour for a brief look at the security features in Oracle


Database security concepts l.jpg
Database Security Concepts Menu for all Administration activities.

  • Confidentiality, integrity, and availability are the hallmarks of database security.

  • Securing your database involves not only establishing strong password policy, but also adequate access controls.

  • Security is also about the weakest link. Databases should not provide a point of weakness.


Database security concepts contd l.jpg
Database Security Concepts (Contd…) Menu for all Administration activities.

  • Security in Oracle has several layers.

  • The first layer of security is, of course, the RAW assignment and management of users.

  • The second layer is the high-level system grants that give the user permission to create, alter, and use database objects such as tables, indexes, and clusters.

  • The third layer of security is the object-level grants that allow users to interact with database objects.

  • The fourth layer is the column grant layer that grants or restricts access to the specific columns inside a database object.

  • The fifth layer involves the use of policies and contexts to control row level access. The final level of security deals with controlling access to system resources such as CPUs and is accomplished through the use of profiles and resource plans and groups.


Slide7 l.jpg
In VLC Software the VLCADMIN user creates users using the ‘User Creation and Role Allocation’ sub menu under the ‘Users’ menu item


Slide8 l.jpg

  • Data is protected by ‘User Creation and Role Allocation’ sub menu under the ‘Users’ menu item

  • Defining the types/levels of users

  • Defining area of work for each user

  • Providing various tiers of security for each user

  • Types of Users :

  • Data Entry Operators

  • Supervisors

  • Management


Slide9 l.jpg

  • VLC Software incorporates an added security feature. ‘User Creation and Role Allocation’ sub menu under the ‘Users’ menu item

  • All sub menu actions are protected from unauthorised users.

  • Each action calls for a separate log on thus preventing unauthorised users from adding/deleting or modifying Users, Roles or Modules.


Slide10 l.jpg


User grants and privileges l.jpg
User Grants and Privileges master is created. It is followed by the creation of Roles.

  • Privileges specify the type of Data Manipulation Language (DML) operations, which the user can perform upon data.

  • Two distinct categories of privileges within a database are :

    • System Privileges

    • SchemaObject Privileges


User grants and privileges contd l.jpg
User Grants and Privileges(Contd…) master is created. It is followed by the creation of Roles.

  • System Privileges

    System privileges allow users to perform a particular systemwide action or a particular action on a particular type of schema object. For example, the privileges to create a tablespace, table or to insert or delete the rows of any table in the database are system privileges. Many system privileges are available only to administrators and application developers because the privileges are very powerful.


User grants and privileges contd13 l.jpg
User Grants and Privileges(Contd…) master is created. It is followed by the creation of Roles.

  • Schema Object Privileges

    Schema object privileges for tables allow table security at the level of data manipulation language (DML) and data dictionary language (DDL) operations.

    Object privileges allow a user to perform a particular action on a specific object including tables, views, sequences, procedures, functions, and packages. For example, the privilege to insert rows into a particular table is an object privilege. Object privilege grants always include the name of the object for which the privilege is granted.


Managing system and object privileges l.jpg
Managing System and Object Privileges master is created. It is followed by the creation of Roles.

  • The user’s ability to supply a valid username and password can be used as a first level of authorization for a user to access a database or specific database tables.

  • Additional techniques that can be used to further manage system and object privileges are:

    • Roles

    • Stored Procedures

    • Network Facilities

    • Views


Using roles to manage privileges l.jpg
Using Roles to Manage Privileges master is created. It is followed by the creation of Roles.

  • A Role mechanism can be used to provide authorisation. A single person or a group of people can be granted a role or a group of roles. One role can be granted in turn to other roles. By defining different types of roles, administrators can manage access privileges much more easily.


Use of roles l.jpg
Use of Roles master is created. It is followed by the creation of Roles.

  • Roles are collections of system, object, and row grants. This allows the DBA to collect all related grants for a specific application function under one object that can then be easily granted to your users with a single command. Using roles has several benefits:


Use of roles contd l.jpg
Use of Roles (Contd…) master is created. It is followed by the creation of Roles.

  • Reduces the number of grants and thereby makes it easier to manage security

  • Dynamically changes the privileges for many users with a single grant/revoke

  • Can be selectively enabled/disabled depending upon the application


Use of roles contd18 l.jpg
Use of Roles (Contd…) master is created. It is followed by the creation of Roles.

  • Roles can be used for most system and object privileges. Privileges granted through a role cannot be used for creating a stored object (views, packages, triggers, java, procedures, and function). You need to grant privileges directly to the user for this


At user level the privileges are assigned in vlc software as given below l.jpg
At user level the privileges are assigned in VLC software as given below:

The privileges for.

  • Data Entry operator (Select + Insert + Update + Delete),

  • Supervisors (select + Update Check Flag),

    - Management (Select)

  • Area of work for each user

    • Each user would be working on a particular module or a part within a module. This is determined by providing privileges to roles


Overall security is managed in vlc software in 3 security tiers l.jpg
Overall security is managed in VLC Software in 3 security tiers

  • Tier I: Log on Level- Through Password protection

  • Tier II: Menu level. The user can operate that Module which is assigned to him - Through Roles.

  • Tier III: Form/Report Level. Only those tasks that the role permits -Through Modules.


User administration passwords l.jpg
User Administration - Passwords tiers

Oracle supports a number of passwords features. You need to consider all of the following when you set password standards:

  • Passwords aging and expiration: To help ensure that a password will not be compromised, passwords should be changed on a system at least every three months. The decision of whether to enforce password aging and expiration should be identified in the security plan. The longer a password remains in effect for an account, the greater the possibility that the password can be compromised.


User administration passwords contd l.jpg
User Administration - Passwords (Contd….) tiers

  • Password reuse : If a password will be permitted to be reused, restrict its use to no more frequently than every seventh password cycle. A better approach would be to completely exclude a password that has been used from being used by that person again.

  • Failed login attempts : The number of failed login attempts that will be tolerated on a system should be defined in the security plan. You must also determine the actions that should be taken when the number of failed login attempts has been exceeded.


User administration passwords contd23 l.jpg
User Administration - Passwords (Contd….) tiers

  • Account locking and unlocking : If account locking is going to be enabled, you can define the personnel who will be in charge of performing the account unlocking.

  • Passwords in Oracle can now be aged and expired.


In oracle one can manage passwords through profiles some of the parameters one can control are l.jpg
In Oracle one can manage passwords through profiles. Some of the parameters one can control are:

  • FAILED_LOGIN_ATTEMPTS - failed login attempts before the account is locked

  • PASSWORD_LIFE_TIME - limits the number of days the same password can be used for authentication

  • PASSWORD_REUSE_TIME - number of days before a password can be reused

  • PASSWORD_REUSE_MAX - number of password changes required before the current password can be reused


One can manage passwords through profiles some of the parameters one can control are contd l.jpg
One can manage passwords through profiles. of the parameters one can control are:Some of the parameters one can control are: (Contd…)

  • PASSWORD_LOCK_TIME - number of days an account will be locked after maximum failed login attempts

  • PASSWORD_GRACE_TIME - number of days after the grace period begins during which a warning is issued and login is allowed

  • PASSWORD_VERIFY_FUNCTION - password complexity verification script

VLC Software incorporates the Oracle Security features through its menus. A detailed look at the software will clarify how it is implemented in the VLC Software


A detailed look at security and administration module of vlc software l.jpg
A Detailed look at Security and Administration Module of VLC Software

The first step in the implementation of the Security features is the creation of the Module Master


Slide27 l.jpg

  • VLCADMIN user has the privilege to create this Master table. Login as VLCADMIN user to use this menu item.

  • Each module in the Software is given a Module Code.

  • The relevant Forms and Reports are attached to the module through this form.

  • The Form/Report Status flag is set to valid for the Forms/Reports to be available to users.

  • If a Form/Report is to be made inaccessible to all users this flag is set to invalid.


Slide28 l.jpg


Slide29 l.jpg

  • The 3 types are: Login as VLCADMIN user to use this menu item.

  • Data Entry Operators identified by D.

  • Supervisors identified by S and

  • Managers identified by M.

  • Again, depending on the type of access to objects, a further classification is made

    • ALL

    • Select

    • Insertetc.

  • The Role name is thus a combination of Module and the two classifications like AC_D_ALL1


  • Login as the owner of objects to create roles l.jpg
    Login as the owner of objects to create Roles Login as VLCADMIN user to use this menu item.

    • After creation of the role, objects necessary to run the functions for that role are attached to the role.

    • Depending on the groups of users, who will be assigned this role the privileges are checked in the check box. It could be All or a combination of Select, Update, Insert and Delete.

    • If All is checked, checking any of the other items will throw an error message.

    • And if one of the rest is checked, checking All will throw an error message.


    Slide31 l.jpg

    In the VLC Software, VLC is the owner of all objects. Therefore, even after attaching the objects to the respective roles ORA-00942 error will be thrown up when a user tries to work with Forms/Reports in this module. This is overcome by creation of Public Synonyms for all objects.Clicking ‘Create Synonyms’ button creates synonyms for all objects in one go.


    Slide32 l.jpg
    Once the appropriate Roles are created we are ready for creation of usersLogin as VLCADMIN to create users


    Slide33 l.jpg

    You can choose the user type from the List, type the user name, userID Password, Section, Default tablespace, Temporary tablespace and Profile. The user account status is set as ‘valid’ by default.If you want to temporarily block a user this flag can be set to invalid.The Role/Roles allocated to the user is attached in the lower block.


    Sql plus facilities l.jpg
    SQL*PLUS Facilities name, userID Password, Section, Default tablespace, Temporary tablespace and Profile. The user account status is set as ‘valid’ by default.

    • By default all SQL*PLUS privileges are disabled for all users.

    • Login as System to grant SQL*PLUS facilities.

    • The SQL*PLUS attributes can be selectively granted to a user by the System user.


    Slide35 l.jpg

    A user’s password usage and resources can be controlled through profiles.The Administrative module has a form to create/modify profiles.We can limit the numbers of sessions for a user, and set values for idle time, failed login attempts, password reuse time, password lock time, connect time, password life time, password reuse maximum and password grace time.Use of profiles is an easy and efficient method of enforcing password control .Among other things, it will ensure that users will change passwords regularly.


    Slide36 l.jpg

    After a user is created, the DBA communicates the userid and password (same as the userid, to begin with) to the user with instructions to change the password immediately.Passwords are changed using the following form:-The user logs in using the original password to this form.The new password is typed in the two text boxes.The program rejects passwords that are shorter than 6 characters.This, in fact, overcomes one of the vulnerabilities of Oracle in respect of length of password.Press the “Change Password” button and exit by pressing the “Exit” button.


    Restriction on forms and reports l.jpg
    Restriction on Forms and Reports password (same as the userid, to begin with) to the user with instructions to change the password immediately.

    • The ‘Forms and Reports for users’ sub menu under Users menu item is used to restrict use of Forms and Reports.

    • Only those Forms and Reports attached through this menu will be accessible to the user.


    Restriction on forms and reports contd l.jpg
    Restriction on Forms and Reports (Contd…) password (same as the userid, to begin with) to the user with instructions to change the password immediately.

    • Even from among those Forms and Reports attached to a user, the DBA can restrict usage through the ‘User Form Status’ Flag.

    • Only those Form/Reports whose status is ‘Valid’ is accessible to the user.

    • By setting status to ‘Invalid’, access can be denied to any Form/Report, notwithstanding the fact that those Forms/Reports are attached to the user.


    Audit of deleted records l.jpg
    Audit of Deleted Records password (same as the userid, to begin with) to the user with instructions to change the password immediately.

    • The Security and Administration Module provides auditing of deleted records.

    • It keeps track of all deleted records.

    • You can view the list of deleted records on screen.

    • This is accessed through the ‘List of deleted records’ submenu under ‘Module Other Administration’ menu.


    Slide40 l.jpg

    • You can also generate hard copies of the list of password (same as the userid, to begin with) to the user with instructions to change the password immediately.deleted records.

    • That was the preview of the report.

    • The Report is generated using the ‘List of deleted records’ submenu under the ‘Reports’ Menu.

    • Details are shown user-wise with date in the descending order.


    Relation between supervisors and deos l.jpg
    Relation between password (same as the userid, to begin with) to the user with instructions to change the password immediately.Supervisors and DEOs

    • VLC Software includes a feature whereby a supervisory user, with whom the software has established a supervisor-DEO relationship, is given the privilege to update, or delete records entered by DEOs.

    • These relationships are created through the ‘Supervisor DEO Master’ sub menu under the ‘Module Other Administration’ Menu.


    Relation between supervisors and deos contd l.jpg
    Relation between password (same as the userid, to begin with) to the user with instructions to change the password immediately.Supervisors and DEOs (Contd…)

    • Userids and usernames of all DEOs under a Supervisor are attached through this form.

    • Once the relationship is established the supervisor gets the privilege to update or delete records entered by DEOs supervised by him/her.

    • This is helpful in making corrections when the Supervisory user checks data entered by the DEOs.


    Need for enhancement through backend privilege management l.jpg
    Need for enhancement through Backend Privilege Management password (same as the userid, to begin with) to the user with instructions to change the password immediately.

    • Oracle has a few more facilities for privilege management like

      • Stored procedures

      • Views and

      • Virtual Private Database (VPD)


    Stored procedures l.jpg
    Stored Procedures password (same as the userid, to begin with) to the user with instructions to change the password immediately.

    • Through stored procedures you can restrict the database operations that users can perform.

    • You can allow them to access data only through procedures and functions that execute with the definers privileges.

    • For example you can grant users access to a procedure that updates a table, but not grant them access to the table itself.

    • Users who have only privilege to execute the procedure can invoke the procedure but they cannot manipulate table data in any other way.


    Views l.jpg
    Views password (same as the userid, to begin with) to the user with instructions to change the password immediately.

    • A view can limit access to only selected columns of the base table.

    • A view can provide view based security for the information in a table.

    • A where clause in the definition of a view restricts the display to only selected rows of the base table.

    • To use a view requires privileges only for the view itself and not on the base table/object underlying the view.


    Row level security l.jpg
    Row Level Security password (same as the userid, to begin with) to the user with instructions to change the password immediately.

    • Row level Access to data is a granular form of data access.

    • Access to particular rows is based on such considerations as the department to which the user belongs, his job responsibility and other significant factors.

    • Views are used to implement row level security.

    • There are two more effective approaches to row level security.

      • They are : Virtual Private Database (VPD) and Label Based Access Control.


    Virtual private database vpd l.jpg
    Virtual Private Database (VPD) password (same as the userid, to begin with) to the user with instructions to change the password immediately.

    • VPD is the ability to perform query modification based on security policy you have defined in a package.

    • It is associated with a table, view or a synonym.

    • VPD provides Fine Grained Access Control. FGAC is data driven, context-dependent and row-based.

    • VPD enables one to store data belonging to other sections/offices in the same schema, without their knowing about it.


    Label security label based access control l.jpg
    Label Security password (same as the userid, to begin with) to the user with instructions to change the password immediately.(Label Based Access Control)

    • Label Security uses the VPD feature of Oracle8i to implement row level security.

    • Access to rows are restricted according to a user’s security sensitivity tag or label to data rows.

    • Data is also marked with appropriate sensitivity label.

    • Label security is configured, controlled and managed by the Policy Manager utility.


    Label security label based access control contd l.jpg
    Label Security password (same as the userid, to begin with) to the user with instructions to change the password immediately.(Label Based Access Control) (Contd…)

    • Implementation of such fine grained control of privileges enhances security and prevents unauthorised access to a very large extent.

    • The modular structure of VLC software segregates data and imposes access restriction.

    • However, enhancement of privilege management through backend further fine tunes security.


    Thank you l.jpg
    Thank you password (same as the userid, to begin with) to the user with instructions to change the password immediately.


    ad