7. Security Configuration At Install
• Determines the initial configuration settings for Caché Services and Security
• Levels: Minimal, Normal, Locked Down
• Changes:
– System-wide settings
– User accounts
– Service properties
19. OS Authentication
• User identified to Caché by OS user identity
• User authenticates to the OS using the native mechanism
• Only available for server-side processes
– Terminal
20. LDAP
• Already in use at many sites.
• Allows centralized user storage.
21. Delegated
• User-defined authentication mechanism
• Re-use existing custom/legacy authentication code for new,
modern applications.
• Code is in the ZAUTHENTICATE routine.
• The authentication code can be any user-defined:
– Caché ObjectScript
– Embedded SQL
– Class Method(s)
– $ZF callout code
22. Kerberos
• Most secure authentication type.
• Used by Windows.
• Requires a Kerberos Domain Controller
– e.g., Windows Domain Controller
26. Exercise 3: Authentication Types
• Change the authentication types allowed in the Inventory
application so that users must provide a username and
password to log in.
29. Terminology
• Asset: something that is protected:
– A Caché database
– Caché SQL connection
– Ability to perform a backup
30. Terminology
• Resource: something which protects an asset:
– Database Resource (e.g. %DB_Samples)
– Administrative Resource (e.g. %Admin_Manage)
– Development Resource (e.g. %Development)
– Service Resource (e.g. %Service_CSP)
– User Defined
31. Terminology
• Permission: allows you to perform an action
– Read (R): View (but not change) the contents of a resource
– Write (W): View or change the contents of a resource
– Use (U): Use a resource, such as an Application or Service
32. Terminology
• Privilege: grants permission to do something with a resource
protecting one or more assets
– A privilege is written as a resource name followed by a permission
separated by a colon:
Example: %DB_SAMPLES:Read
33. More about Privileges…
• Privileges can be made Public.
• Effectively, this is equivalent to all users holding that privilege
– Example: if the %Service_CacheDirect:Use privilege is Public, then
any user can connect to Caché using the Caché Direct technology
• Caché provides a function to check on privileges held by the
current process:
– $SYSTEM.Security.Check(Resource,Permission)
34. Exercise 4: Public Resource
• We've decided that all authenticated users of our system
should be allowed to run this application. We will make the
database which holds the code publicly readable so that
everyone can run it.
35. Roles
• Role: a named collection of privileges
– Multiple users typically need the same set of privileges.
– Sets of privileges can be defined once and shared.
– Privileges are only assigned to roles.
– Privileges are not assigned directly to users.
– A user can have more than one role.
36. Exercise 5: Roles and Resources
• We will add code to our Inventory application to individually
control access to the functions in the application, and create
roles and resources to allow users to access them.
37. Three ways to get Roles...
• At user login
• Granted by an application
• Code stored in CACHESYS can set $Roles
39. Exercise 6: Application Roles
• Instead of having database access in the roles, we will have
the application give this to users. The application will
control access to the database.
40. Matching Roles
• Only the users who have the first role get the second role.
41. Exercise 7: Matching Roles
• We may not want all users to be able to access all the data
on entering the application. Demonstrate how matching
roles can be assigned to selected users.
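The terms from the Terminology, Privileges, Roles and Matching Roles slides, tied together in an added Python model (not Caché code and not part of the original presentation). The resource, role and user names (%DB_INVCODE, %DB_INVDATA, InvReceive, InvClerk, InvData, alice, bob) are constructed, and comparing resource names case-insensitively is a simplification of this model.

```python
# Toy model of the slides' terms; not Caché code. All names are constructed.
LETTER = {"READ": "R", "WRITE": "W", "USE": "U", "R": "R", "W": "W", "U": "U"}
# Per the slides, Write covers viewing as well as changing, so W also gives R.
GIVES = {"R": {"R"}, "W": {"R", "W"}, "U": {"U"}}

def parse_privilege(text):
    """Split 'Resource:Permission' (e.g. '%DB_SAMPLES:Read') into a pair."""
    resource, sep, perm = text.rpartition(":")
    if not sep or not resource or perm.upper() not in LETTER:
        raise ValueError(f"not a Resource:Permission privilege: {text!r}")
    return resource.upper(), LETTER[perm.upper()]

class Security:
    def __init__(self):
        self.roles = {}        # role name -> set of (resource, permission)
        self.public = set()    # privileges every user effectively holds
        self.user_roles = {}   # user -> roles received at login

    def grant(self, role, *privileges):
        """Privileges are assigned to roles, never directly to users."""
        self.roles.setdefault(role, set()).update(map(parse_privilege, privileges))

    def enter_application(self, login_roles, app_roles=(), matching=None):
        """Roles held inside an application: app_roles go to every user,
        matching[first] goes only to users who already hold role `first`."""
        result = set(login_roles) | set(app_roles)
        for first, second in (matching or {}).items():
            if first in login_roles:
                result |= set(second)
        return result

    def check(self, held_roles, resource, permission):
        """True if the public privileges plus those of held_roles cover the request."""
        want_res, want_perm = parse_privilege(f"{resource}:{permission}")
        held = set(self.public)
        for role in held_roles:
            held |= self.roles.get(role, set())
        return any(r == want_res and want_perm in GIVES[p] for r, p in held)

def build_sample():
    sec = Security()
    sec.public.add(parse_privilege("%DB_INVCODE:Read"))   # code DB is public
    sec.grant("InvData", "%DB_INVDATA:Write")             # data DB access
    sec.grant("InvClerk", "InvReceive:Use")               # one app function
    sec.user_roles = {"alice": {"InvClerk"}, "bob": set()}
    return sec
```

With this sample, bob can read the public code database with no roles at all, while the data database becomes reachable only through roles added on entering the application.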
46. Why Audit?
• Allows monitoring of system
• Deterrent
47. What events are audited?
• System defined events
• User defined events
48. Where is it kept?
• Audit data is stored in a database called CACHEAUDIT.
• Protected by the %DB_CACHEAUDIT resource.
– No user should have access to this resource directly.
• View via SMP, terminal utilities, SQL, APIs, etc.
49. Exercise 9: Viewing the Audit Log
• We demonstrate using the audit log to see what has
happened on the system.
51. Join the Global Summit Community
We’ve established an online community where you can:
• talk about the Global Summit
• get helpful product information
• share your thoughts about sessions
• ask questions of presenters
• assemble a group to meet for dinner or social events,
etc.
community.intersystems.com