Saturday, December 28, 2013

Security Implementation in Carson and Cherry-point Refinery data


In Resume

Project: Security Implementation in Carson and Cherry-point Refinery data
Customer: BP International
Period: June-2010 to Aug-2010
Description: Two refineries, Carson and Cherry-point, have a MAXIMO 4 setup. More than 1200 BO reports run on the MAXIMO repository there with no security. BP needed to identify and separate the users so that they do not see each other's reports, or even data. Security will be at application level, object level and location level. TCS's responsibility was helping the BP functional expert to understand and propose the possible security model, and implementing it as a whole.
Role: Top-to-bottom work as a single resource.
Solution Environment: Windows 2003 server, XP SP3, Oracle 10g Database
Tools: Business Objects XIR3 (SP3)

Highlights
Involved in the below activities:

  1. Creating a security model and proposing it to the client.
  2. Validating the three-layered security architecture (location, object, application level).
  3. Editing the Universe to apply class-level filters and managed object restrictions.
  4. Mapping AD groups to BO groups (AD authentication).
  5. Creating a user group template.
  6. Adding restrictions on Folders, Users and Universe from CMC.

While I was busy with the NIKE project, another project had already started: a Maximo upgrade project for three refineries in the USA - Carson, California; Cherry-Point, Washington; and Toledo, Ohio. These three refineries have different types of complexity regarding functionality and implementation purpose. TCS had started implementing Maximo 7 at those three locations.

While designing the reporting structure on Maximo tools, the analytics team came to understand that the reporting tool available in Maximo does not fit the type of reporting they want or have. It demanded a robust and excellent reporting system that serves their complex ad-hoc reporting purpose.

When our analytics team dug into the existing Business Objects application, it discovered that there was no security enabled in the reporting environment and everyone could see everyone's data. That was ridiculous, and the reporting implementation would come after the Maximo upgrade. This meant they needed to fix the big issue in the existing environment. They had to implement the security before the requirement analysis started for reporting.

That was an immediate requirement, and I was pulled out of my running project and tagged with an SME to implement the security.

When I dug into the existing systems, I came to know that Carson and Cherry-point have identical systems with BOXIR3 as the reporting tool, while Toledo has BO 6.5. Toledo was not interested in implementing security, as the structure was different there and very few employees have direct access to reports. They wanted to implement the security on Carson and Cherry-point and replicate it in Toledo when it is upgraded to BOXIR3 after the Maximo implementation.

The security requirement was very complex, and by the end of the project I had implemented the entire security pattern present in the BO environment to meet the goal. Let me first explain the problem in short, and then I will give a summarized detail of the implementation:

Problem Description:
Two refineries have Active Directory user authentication. All users have their NT ID and the security will be based on that. Users will be of four types by their access level – analyst, general, HR and special access. Analysts have the majority of access points and can see a large number of universe objects. Generals are common users who will not be able to see all the objects but only a part of the object list, and will be given access based on their user id.

There will be a super user who will be given access to all the administrative roles, like user authentication jobs or report movement from folder to folder, but will not have access to Universe Designer. A super user can see multiple sites' data and can create reports using multiple sites' data.

Managers for each site will see their own site's data and can also see what the common users can see. Managers will have administrative access on the groups to add or remove users. They cannot see other sites' data.

Special access users will have access to a set of objects coming from a different application. Those objects will not be visible to any other employee (sometimes including managers). There are also some special cases that require seeing a set of objects with a predefined filter value which is not filtered out for other users.

No users except the super user and administrator can edit or publish corporate document reports. Also, the SQL button will be removed from their view.


Taking the above scenario (plus some additional secret rules), I built a security matrix and implemented the project. A short summary is below:

Solution Process
  1. Created AD groups (not distribution lists) and arranged authentication
  2. Assigned the users to the groups
  3. Created Business Objects groups in CMC
  4. Created the report group
  5. Assigned the reports to the group
  6. Assigned the report groups to the user groups
  7. Created the restrictions (object names per restriction)
  8. Assigned the restrictions to the user groups
  9. Created duplicate classes where class-level security is needed
  10. Added filters on the classes
  11. Created geography-level classification in Manage Access Restrictions and captured the user id to make the filter
  12. Restricted the SQL button for all users using CMS access control.
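
To illustrate how the object-level restrictions (steps 7 and 8) and the location-level filter keyed on the captured user id (step 11) combine, here is an added example; it is not the project's universe or CMC configuration. All table, column, user and group names and the sample rows are hypothetical, and the userid parameter stands in for the logged-in user id that the reporting tool supplies.

```python
import sqlite3

# Constructed sample data; every table, column, user and group name is hypothetical.
ROWS = [("WO-1", "CARSON", 1200.0), ("WO-2", "CARSON", 300.0),
        ("WO-3", "CHERRYPOINT", 950.0)]
USER_SITES = [("jdoe", "CARSON"), ("asmith", "CHERRYPOINT"),
              ("super1", "CARSON"), ("super1", "CHERRYPOINT")]
USER_GROUP = {"jdoe": "general", "asmith": "analyst", "super1": "superuser"}
# Object level: the universe objects (columns here) each group may select.
GROUP_OBJECTS = {
    "general": {"wonum", "siteid"},
    "analyst": {"wonum", "siteid", "cost"},
    "superuser": {"wonum", "siteid", "cost"},
}

def build_db():
    """Create an in-memory database holding the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE workorder (wonum TEXT, siteid TEXT, cost REAL)")
    db.execute("CREATE TABLE user_site (userid TEXT, siteid TEXT)")
    db.executemany("INSERT INTO workorder VALUES (?, ?, ?)", ROWS)
    db.executemany("INSERT INTO user_site VALUES (?, ?)", USER_SITES)
    return db

def run_report(db, userid, objects):
    """Return rows for the requested objects, enforcing both layers."""
    allowed = GROUP_OBJECTS.get(USER_GROUP.get(userid), set())
    denied = [o for o in objects if o not in allowed]
    if not objects or denied:
        # Deny by default: unknown users and unlisted objects are refused.
        raise PermissionError(f"{userid} may not select: {', '.join(denied)}")
    # Column names are interpolated only after passing the allowlist above.
    # Location level: the site filter is appended to every query, so a user
    # only receives rows for sites mapped to their id.
    sql = (f"SELECT {', '.join(objects)} FROM workorder "
           "WHERE siteid IN (SELECT siteid FROM user_site WHERE userid = ?) "
           "ORDER BY wonum")
    return db.execute(sql, (userid,)).fetchall()
```

Both checks fail closed: a user with no group gets no objects, and a user with no site mapping gets no rows.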


There are several other things which I am planning to put in a PPT and post on my blog. The whole structure of the security was so complicated that I cannot recollect it all. I received several client appreciations for implementing this, as in future the same structure will be followed while combining all three universes.
