Post on 17-Oct-2020
PLM World ‘06
Teamcenter Enterprise
Fulfilled the Company security demands
Nissim CohenH.A.A.K Technologies Ltd.(Subcontractor of McKit System Ltd. – The exclusive distributor in Israel of UGS PLM Ltd.)
haak@inter.net.il+972-4-8769243
• Motivations and Goals
• Company concern
• Organization and Project
• User and roles
• Partners
• Security & Protection
• Evaluation
• Related Work
• Conclusion
Outline
Motivations
• Why fulfill the Company security demands?– Expand business opportunities without stripping
secured data by:- Outsourcing
Reduce manufacturing cost- Share information with partners.
Extendability of the business volume
• What is challenging?– Openness– Sharing– Mutual isolation, security and protection
Goals
• To build a value-added secure application service, based on a shared infrastructure, achieving:– On-demand creation and provisioning– Privacy– Isolation– Protection– Reports– Accountability
Company concern
Partner1
Company
Partner2
Partner3
Partner2
Local Producer 2
Local Producer 1
Commercial Company
Defense Company
•Partners, Contractors- All over the place.
•Third Party Services- potentially exploitable
•Employees- short term job history
- Loss of the ‘job for life’ mentality
drive into, low loyalty.
*
*
*
Company Security Demands
· Single Signon(SSO)· Access restriction· Access authorization· Application disable/hide features· Organizations/Projects Isolation· Compartment
··
LDAPDirectory
Engi
neer
ing
Ente
rpris
e
Com
mun
ity
Proj
ect
Req
urm
ts Single SignonService
Single SignonClient Library
UserWorkstation
Servers
User
Generates TC SSO credential & interfaces with identity server
Single Signon(SSO)
• Organization– A company– A company division – An external partner or producer.
• Project– A framework for a business undertaking with
fixed goals to achieve with given resource:A product A product Major assembly
(Secured organizations)
Organizations and Projects
User is restricted to access only the
information that necessary to do his job,
with that access defined by the role the
user plays in the company.–
User and roles
• External producer– He is provided with the needed information to
to produce the Work Ordered by the company.
• A contract Partner.– He is provided with the needed information to
to manufacture a product assembly, basedon the commercial contract agreement.
Partners
Security & Protection
Teamcenter Enterprise
. Provides Administration Objects asconditions, message accesses rules ,role assignment, users and groups, to build the security infrastructure.
. The system restricts users to access filesattached to Business Items using the Active Control List (ACL).
Teamcenter Enterprise Objects
· Admin objects· Process objects· Configuration objects,· Business items objects· Data items objects· Dynamic dialogs objects.
· .
Typical Objects Relation
Assembly
Folder
SpcDoc
DesDoc
Dir
DesDoc
AttachAttach
Translat
Describe
Contains
Attach
Result CmChNtIt
Result
Result
Depend
Attach
Dir
Contains
AttachAttachAttach
AttachAttach
Is For ItemAdded Item to Doc
Folder MasterFolder
Rev BFolder
Rev A
Package-SRR
Rev A
DesDoc1
MasterDesDoc1
Master
SpcDoc1
Master
Config_1
RevEffRevEff RevEff
RfpRelated SpcDoc1
Rev B
DesDoc1
Rev B
SpcDoc1
Rev A
ChangeOrder
Program
PartDoc
Assembly
Rev A
Typical Structure Document Objects Relation
Project A02Project A01 Project B01
Organization A01 Organization B01
Typical Security demand
Teamcenter Enterprise Rules
· Default system access is: Not Allowed.
· Rules , accessing to user,group or role, to a defined activity, defined by a message or a group of messages, with :Message Access (MsgAcc), based on a condition
. Actions (e.g. ChekIn, Submit etc.) are defined by the role the user plays in the company.(i.g. Configuration managers, Reviewers)
. Allow Query Access to Business Items.
. Restricted users from performing Actionsto BusItems, based on Organization, Project and Security
.
. Restricted users accessing to DataItems, based onProject and Security level (i.g. secrete and up ..)
. Restrict users to limited projects on all security levels.
Evaluation
. Security is built with MsgAcc rules and Conditions.
. Actions defined by the role and Access to Business Items, is ok as long we keep the amount of MsgAcc rules and Conditions to a reasonable number.
. Rules are not fully indexed. Raising the number ofMsgAcc rules and Conditions, may affect system performance.
. Difficult to maintain an analyze problems.
Solving security with provided tools
· The solution should not affect the performance, orthe Integrity of the system
· The customization security solution is in addition to the Teamcenter Enterprise Rules. .
· ACL is the carrier using ValidateACLForUsr message
· Compartment of user access permission is done, by single indexed search of user, Organization and project
· Bypass query permission check, based on project and security
· Accessing level is based on Dialog action
customize security solution
Typical customer security demand
Security Action Table
Delete 70 70 70Delete
Action
AccessLvl
BusItemFile Relation
Create
Query
CheckIn
CheckOut
00 00 00
10 10 10
20 20
30
Submit
Revise 50
40
30
Delete 70 70 70
Di Rl Bi
V
Delete 70 70 70Delete
Typical customer security demand
Configuration
Manager.
Create
Query
CheckIn
CheckOut
Submit
Revise
Delete
Designer Reviewer Viewer
Di BiRl Di Di DiRl Rl RlBi Bi Bi
v v v
v v v
Action
v v v v v v v v v
v v
v
v
v
v v
v v v40
50
New
Legend
Exists-Vanila
Site.cfg
Switch
Exists – Cust.
BusItem:ValidateACLForUsr
rulesAllowed = 1
Override Vanila messages
File:ValidateACLForUsr
rulesAllowed = 1
ACLAllowed = 0
ACLAllowed = 1 or 0
Relation:ValidateACLForUsr
Related Work
20
30
50
Secrete
UnClasify
Security Level Table
Level Security
TopSecrete
Clasify40
Project TableUsr TableEditText
Expand Create Query
EditText HPGL
Dialogs Action
Message Access Rule
UserProjectOrgNmAccessLvl
Access permition Table
usr1prj1orgNm1orgNm2 prj1 usr1
000000707070
Security
Min.Security
Delete 70 70 70Delete
Security Action Table
Action
AccessLvl
BusItemFile Relation
CreateQuery
CheckInCheckOut
xx yy zz
00 00 0010 10 1020 2030
SubmitRevise 50
4030
Delete 70 70 70
Site.cfg
Switch
Share data with partners
Partner
Company
Producer
Send Compartment
Data to an external
Recipient, based on
contract agreement.
Partner Compartment
Partner
Dir
Company
Partner
Dir
TeamCenter EnterpriseERP
Request for Data
Budget account
Send Template
Send Delivery
Send Log
Send DialogSend Dialog
Send data to external recipient
Partner
TeamCenter Enterprise
Submit Send Delivery to Life cycle
Submitter Reviewer 1 Reviewer 2 Reviewer 3
Life cycle
Reject
ReleasedPassPassPass
SND0000111
D ATA
SND0000222 SND0000333 SND0000444
Assembly_2 Assembl_2
Folder_1 Folder_2Folder_2
SpcDoc DesDocTechDoc
Description RejectsRecipients
EC TC
Acvdsf.pdf Gjfgfghj.igs Gjfgfghj.hpg;;lkjkjkj.txt
D ATA
SND0000222
Assembly_2 Assembl_2
Folder_1 Folder_2Folder_2
SpcDoc DesDocTechDoc
Description RejectsRecipients
EC TC
Acvdsf.pdf Gjfgfghj.igs;;lkjkjkj.txt
D ATA
SND0000222
Assembly_2 Assembl_2
Folder_1 Folder_2Folder_2
SpcDoc DesDocTechDoc
Description RejectsRecipients
EC TC
Acvdsf.pdf Gjfgfghj.igs Gjfgfghj.hpg;;lkjkjkj.txt
D ATA
SND0000222
Assembly_2 Assembl_2
Folder_1 Folder_2Folder_2
SpcDoc DesDocTechDoc
Description RejectsRecipients
EC TC
Acvdsf.pdf Gjfgfghj.igs;;lkjkjkj.txt
Snd2ExtWl
Send Data Work Location
Send Data Work Location
Snd2ExtWL
SND0000111
D ATA
SND0000222 SND0000444
Folder_1
TechDoc
Description RejectsRecipients
EC TC
Acvdsf.pdf
D ATA
SND0000222
Folder_1
TechDoc
Description RejectsRecipients
EC TC
Acvdsf.pdf
D ATA
SND0000222
Folder_1
TechDoc
Description RejectsRecipients
EC TC
Acvdsf.pdf
D ATA
SND0000222
Assembl_2
Folder_1
TechDoc
Description RejectsRecipients
EC TC
Acvdsf.pdf
Send Data Dialog
Send Data Template (Getinfo)
Send Data Template (Create)
Send Data Delivery
Send Data Delivery
Send Data Db Log
Send Data Db Log
Send Data Status
Security Access Selection
Security Access Selection
Conclusion
•Fulfilling the Company security demands, is becoming increasingly important in the world of software.
•License enforcement, encryption, and authentication,are important, but not enough to Fulfilled the security demands.
•Don’t assume products you use are secure,the application security infrastructure, gives the frame.
•The need for On-demand creation and fast provisioning,
while keeping the product protected and isolated,
is becoming a complicated issue in the competitive world.•Make time for security. Add it to the project plan.
Questions?
For more information:
haak@inter.net.il
Thank you.