DSP Security Enhancements

BOAUnited

NOTE: Original Request 16887 was created on March 15, 2012

Here is a list of DSP Security Enhancements that have been requested over the years, mostly the same features that already exist in the custom CranSoft Role Security WebApp that was incorporated into the DSP 6.0 framework, and now the revised DSP Role Security WebApp that is still in use at Target Corporation.  This DSP Role Security WebApp is now installed on the ORT POC environment, and Product Management can view the functionality there, as well as use it for a testing ground if needed.

 

  1. Visibility of Pages attached to out-of-the-box DSP WebApp groups, so if we want to add a WebApp group to a Role, we know what we are giving them access to.
  2. Visibility of Security Definitions attached to Pages:
    1. Go to "Security Definitions" page
    2. See the "Pages" column that displays the number of Pages attached to the Security Definition
    3. Click on "Pages" to display those Security Definitions
  3. For new WebApp groups created, need the ability to copy Pages from any existing WebApp group.
    1. Standard DSP does not allow display of all WebApps via Admin > WebApps, and thus we cannot see the standard WebApp Groups, nor the Pages attached to those WebApp Groups
  4. For new Roles, ability to copy all security from existing Role.
    1. Copy WebApp Groups and Security Definitions from and existing Role
  5. Eliminate User-specific security in framework (no business need, all security should be granted via a Role)
    1. Eliminate "Admin > Security > WebApp Security > Groups > Users" option
    2. Eliminate "Admin > Security > Security Definitions > User Specific Security Definitions"
  6. Support detailed security auditing/reporting/workflow for everything related to security
    1. Who has access to what, and how (Role, WebApp group, Transform report security, DCS zSource, etc.)
      1. Go to "Role Definitions" page, which summarizes all Security Definitions for all Roles, and allows activating/deactivating all Security Definitions for a given Role
      2. Go to "Role Definition Key Values" page to see all possible Key Values and which ones are active and not active for each Role.  This page also allows you to specify that any "future" key values created in the future be automatically added to a Role.
    2. Negative auditing (verify that Roles do not have access to sensitive pages/data)
      1. The Role Definition Key Value page allows you to see what Key Values a specific Role does not have access to
    3. Compare Page access between two Roles
      1. Go to "DSP Security Roles" page, then the vertical view of a specific Role
      2. Edit the "Compare To Role" field, and click on "Compare Role Pages" which displays all pages in DSP, and which Pages each of the Roles has access to
    4. Warn if sensitive fields are not encrypted (password fields)
      1. Workflow service page that sends email warning to DSP Administrators if a field in the CranSoft table "DatasourceTableColumnEncryption" is not encrypted, or if any "password" field in the framework is not encrypted.
    5. All Pages a Role has access to
      1. From the "DSP Role Security" page, click on Pages button
  7. Support reading of Active Directory group membership in the case where an Active Directory group controls DSP access:
    1. Auto creation of users
      1. Add the AD group that controls DSP access on the "AD Groups" page, and check the "Authenticates Users" button.  Stored procedure will auto-create all DSP users in that AD group, and populate the UserID, Name, WindowsUserName, and EmailAddress fields pulled from Active Directory
    2. Auto expiration and deletion of users
      1. If a DSP User is no longer in the AD Group that authenticates users, populate the "Expiration Date" in the User table with yesterday's date.
      2. After the "Delete Expired Users Window" specified in Parameters has passed, delete the user from DSP.
    3. Attribute mapping of members
      1. Go to the "AD Attribute Mappings" page.  Maintain the Active Directory attribute to DSP mapping (table ztADAttributeMapping)
  8. Support reading of Local Server group membership
    1. On the "AD Groups" page, add the Server and associated Local Group, and check the "Local Group" button
    2. PowerShell script will populate members of Local group
  9. SQL Server database security controlled by DSP Roles to:

          a. Prevent viewing and copying of DSP framework and WebApp designs by third parties

          b. Prevent viewing of sensitive fields that may not be encrypted, such as logins/passwords

          c. Prevent modification of core framework and WebApps

           d. On the "Database Types" page, create the desire Database types, and specify if security for the database type will be managed via a NT User or a NT Group (AD Group)

           e. On the Databases page, change a database to the desired Database Type

  • Guest
  • Jan 31 2017
  • Shipped
  • May 22, 2017

    Admin response

    Enhancements to the Security of the DSP, including User Management, has been in the queue for some time. This Idea has many requirements in them and not every one will be implemented, especially with the exact detail here.  But an overhaul and general enhancement to the Security has many planned features in the backlog in a 7.x release.

    If you want to see exactly which features are in and which are out then the ideas will need to be split up into feature level components and not just one catch all.  Breaking these into separate Ideas will allow us to better  track, promote, review properly.  It may turn out that these requirements get released over the course of a few different releases. 

    Changing this to status of Planned.


  • Attach files
  • Jake Cohen commented
    22 May, 2017 05:27pm

    We need the security revamped, it's a pain point for all clients, all new installs, and there are security concerns that customers have as well.

  • Guest commented
    13 May, 2017 12:16pm

    We cannot break these up, since that will lead to an even more fragmented security model than we already have. It must all be integrated, just like it is in the existing DSP Role Security web app. Security is in need of a major redesign, and we need to devote the resources to design it right. Please include me on any design discussions to make sure requirements are communicated and understood. Thanks! 

    Kurt

  • +3