Lawson 8.1 Security


8.1 Lawson Security Overview
Del Dehn
Product Manager
Agenda
• Security domains
• Upgrade considerations
• Summary
• 8.1 Technology project update
• Questions and answers
Lawson Security Domains
8.1.0 Technology Security Domains
• User management
• Authentication
• Authorization
[Diagram: Lawson Security, comprising Authorization, Authentication/Single sign-on and Resource Management]
Lawson Security
• Business process focused security
• Central repository for security administration (Resources)
• Organizational modeling (Roles)
• Rules builder (Rules)
• Single sign-on
• Additive security paradigm
• Database auditing (front-end, back-end sign-on)
Lawson Security: Design Features
• Designed as a centralized service
– Callable by all Lawson layers
• Roles and Rules based
– An industry prevalent approach
• Driven by user and corporate information
– Flexible security to accommodate the customer’s business structures
• Administration tool for policy modeling
– Test new structures or security policies
• Attribute based security
– Same concept as attributes in LDAP structures
• Fine grained securable objects
– For example, field level security
User Management
User Management Domain
Lawson Resource Management
• Central repository for globally interesting data
– user name, email address and roles
• Create custom attributes
• Structure – organizational chart modeling
• Non-organizational chart structures allowed
Organizational Modeling: Changes for Individuals
• “Roles” domain
• Changes to structures can be made in a “drag and drop” fashion
• Example: Project Manager is promoted to CFO
[Diagram: organization chart for Small Company, Inc. with positions CEO, CIO, Project Manager, Senior Programmer, CFO and Controller; LDAP Server: Microsoft ADAM 2003]
Organizational Modeling: Changes for Groups
• “Roles” domain
• Changes to structures can be made in a “drag and drop” fashion
• Example: Director of Marketing with all of his/her directly reporting Marketing Managers is moved to the direct supervision of the newly created position of VP of Marketing
[Diagram: organization chart for Big Company, Inc. with positions CEO, VP of Sales, VP of Marketing, Director of Marketing, Director of Sales, Marketing Managers and Sales Managers; LDAP Server: Microsoft ADAM 2003]
Resource Management: Structure
Authentication
Authentication Domain
Lawson Authentication 8.1.0
– Single Sign-on
– Database (DB) user authentication
– Session management
– Secure credential storage
– Identity management
Single Sign-on for End Users
Authorization
Authorization Domain
The new Lawson Security model
• Business process focused
• Rules and Roles based
• Granular security checking
• Object oriented
• Flexible policy modeling
– Allows organizational modeling for security
– Allows attribute driven policies
– Element based policies
• Allows for distributed administration
Authorization: Roles and Rules
• Roles
– Organizational roles
– Organizational structures
• Rules
– Rules builder
– Simple or complex
• Rules written for Roles govern the security privileges of end-users assigned to a Role(s)
Benefits of Role-Based Security
• Transparency
– User’s roles are defined by business needs
– Security classes and privileges are defined by business tasks
• Stability
– Access needs for a task do not change often
– User’s roles change more frequently
• Efficiency
– Changing access for a given task accomplishes changes for all affected users
Lawson Security: New Rules
• Rules apply to “securable objects”
– Product lines
– System codes
– Forms and their fields
– Drill Around®
– Tables and the columns in a row
– Environment objects – printers, etc.
Security Rules
• Rules can be unconditional
– Grant All Access/Deny Any Access
– Builds fast, efficient access control lists
• Rules can be unconditional but allow limited access
– Inquire only, for example
• Example
– ADD_EMPLOYEE class: EMPLOYEE table: ALL_ACCESS
(users that are employees can view their own information)
Conditional Rules
• Data can be secured based on attributes of the user
– If (user.getAttribute('Department') == 'HR') then 'IACD' else 'I'
(if user is in HR Department, then can change information)
• Data can be secured based on the data values
– If (table.EMPLOYEE == user.getEmployeeId()) then 'IACD' else 'I'
(user can change own information and see all others)
• Data can be secured using other kinds of functions
– Time of day, database reads, etc.
New Security Model
• Rules express security policies
– Rule execution allows or denies access to a securable object
• Security Classes group rules for common tasks
– Constitutes a task oriented privilege pack
• Multiple security classes to Roles
– Easy creation of Roles with overlapping functionalities
• Multiple Roles to users
– Allows for multiple responsibilities
A Security Policy Illustration
[Diagram: four linked columns. Users: John, Jane, Mary, Steve. Roles: Employee, HR Manager, Payroll Manager, Payroll Clerk. Security Classes: Employee Info, Manager Info, Payroll Access. Securable Objects: Form HR11, Check Printer.]
Note: Users can be assigned multiple Roles simultaneously
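Added example (not Lawson code and not part of the original presentation): a minimal Python model of the users, Roles, security classes and rules chain, using the two conditional rules from the Conditional Rules slide. Assumptions: the letters I/A/C/D stand for Inquire/Add/Change/Delete, "additive" means grants from all of a user's Roles are unioned, an object with no matching rule gets no access, and the Role-to-class mapping, object names and sample users are hypothetical.

```python
# Added illustration, not Lawson code. Assumed: I/A/C/D = Inquire/Add/Change/Delete,
# grants from all of a user's roles are unioned, and no matching rule means no access.

def hr_rule(user, record):
    # Conditional on a user attribute (the slide's Department == 'HR' rule).
    return "IACD" if user["attrs"].get("Department") == "HR" else "I"

def own_record_rule(user, record):
    # Conditional on a data value (the slide's EMPLOYEE == user.getEmployeeId() rule).
    return "IACD" if record["EMPLOYEE"] == user["employee_id"] else "I"

# Security classes group rules per securable object (mapping is hypothetical).
SECURITY_CLASSES = {
    "EmployeeInfo": {"EMPLOYEE": own_record_rule},
    "ManagerInfo": {"EMPLOYEE": hr_rule},
    "PayrollAccess": {"CHECK_PRINTER": lambda user, record: "IACD"},  # unconditional
}

# Roles collect security classes; users collect roles.
ROLES = {
    "Employee": ["EmployeeInfo"],
    "HR Manager": ["EmployeeInfo", "ManagerInfo"],
    "Payroll Clerk": ["PayrollAccess"],
}

def effective_access(user, obj, record=None):
    """Union of the access letters granted by every rule reachable from the user's roles."""
    granted = set()
    for role in user["roles"]:
        for cls in ROLES.get(role, []):
            rule = SECURITY_CLASSES[cls].get(obj)
            if rule is not None:
                granted |= set(rule(user, record))
    return "".join(c for c in "IACD" if c in granted)

def is_allowed(user, obj, action, record=None):
    return action in effective_access(user, obj, record)

# Constructed sample users and rows.
JOHN = {"employee_id": 101, "roles": ["Employee"], "attrs": {"Department": "IT"}}
JANE = {"employee_id": 102, "roles": ["Employee", "HR Manager"], "attrs": {"Department": "HR"}}
STEVE = {"employee_id": 103, "roles": ["Payroll Clerk"], "attrs": {}}
JOHNS_ROW = {"EMPLOYEE": 101}
JANES_ROW = {"EMPLOYEE": 102}

if __name__ == "__main__":
    for name, u in (("John", JOHN), ("Jane", JANE), ("Steve", STEVE)):
        print(name, "on John's row:", effective_access(u, "EMPLOYEE", JOHNS_ROW) or "(none)")
```

Because grants only accumulate in this model, a user's effective access is at least as broad as the broadest Role they hold, which is the thing to check when reviewing multi-Role assignments.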
Lawson Security Securable Objects
Deny Access to a Form Field
Security “Off” – All Form Transfers are Available
Secured: Form Transfers are Hidden
Upgrade Considerations
Lawson Security: 8.1 release
• Provides security for all Lawson Portal based products
– LAUA security – not required
– Security extensions (Ex. HR security) – not required
• Lawson Security and LAUA security can operate concurrently
– Lawson Security – Lawson Portal Users ONLY
– LAUA security – Lawson Portal Users and LID users
– Each end user must be secured by only one security mechanism, not both
Transitioning to 8.1 Lawson Security
• Security mechanism assignment per end user
• Enables phased migration from LAUA security to Lawson Security
• Migration from LAUA to Lawson Security by:
– End user
– Role
– Group
– Structure
– Etc.
• Not a “Big Bang” approach
Lawson 8.1 Technology Release
• 8.1 Technology = Environment, Internet Object Services (IOS) and Lawson Portal
• 8.1 Technology will support:
– 8.1 Applications
– 8.0.X Applications
• Existing or upgrading 8.0.X Applications customers are not “cut off” from implementing 8.1 Technology
• 8.0.X Applications customers can utilize 8.1 Technology features without needing to upgrade to 8.1 Applications
8.1 Lawson Security: Summary
• Flexibility and power to create security policies based on how your organization does business
• Major components:
– Resource Management and LDAP (roles, structures)
– Authorization (rules engine)
– Authentication and Single sign-on (SSO)
8.1 Technology Project Update
The scheduled release of Lawson 8.1 Technology has been moved to Lawson’s Q1FY06 (June – August 2005) after a recent review of the project’s milestones and metrics.
This release is being measured against the quality standards and milestones of Lawson’s CMMI methodology and whole company readiness metrics.
The review indicated that an adjustment to the proposed schedule would not only deliver much improved performance, usability and security, but also a quicker time to benefit for Lawson clients.
Questions?