New Teamcenter Enterprise - Fermilab · 2006. 4. 30. · CheckIn CheckOut 00 00 00 10 10 10 20 20...

PLM World ‘06 Teamcenter Enterprise Fulfilled the Company security demands Nissim Cohen H.A.A.K Technologies Ltd. (Subcontractor of McKit System Ltd. – The exclusive distributor in Israel of UGS PLM Ltd.) [email protected] +972-4-8769243

PLM World ‘06

Teamcenter Enterprise

Fulfilled the Company security demands

Nissim Cohen

H.A.A.K Technologies Ltd. (Subcontractor of McKit System Ltd. – The exclusive distributor in Israel of UGS PLM Ltd.)

[email protected] +972-4-8769243

Outline

• Motivations and Goals
• Company concern
• Organization and Project
• User and roles
• Partners
• Security & Protection
• Evaluation
• Related Work
• Conclusion

Motivations

• Why fulfill the Company security demands?
  – Expand business opportunities without stripping secured data by:
    - Outsourcing
      Reduce manufacturing cost
    - Share information with partners.
      Extendability of the business volume

• What is challenging?
  – Openness
  – Sharing
  – Mutual isolation, security and protection

Goals

• To build a value-added secure application service, based on a shared infrastructure, achieving:
  – On-demand creation and provisioning
  – Privacy
  – Isolation
  – Protection
  – Reports
  – Accountability

Company concern

[Diagram: the Company and the parties around it: Partner1, Partner2, Partner3, Local Producer 1, Local Producer 2, Commercial Company, Defense Company]

• Partners, Contractors
  - All over the place.
• Third Party Services
  - Potentially exploitable
• Employees
  - Short term job history
  - Loss of the ‘job for life’ mentality drives low loyalty.

Company Security Demands

· Single Signon (SSO)
· Access restriction
· Access authorization
· Application disable/hide features
· Organizations/Projects Isolation
· Compartment

Single Signon (SSO)

[Diagram: User; User Workstation with the Single Signon Client Library; Servers (Engineering, Enterprise, Community, Project, Requrmts); Single Signon Service; LDAP Directory. Callout: Generates TC SSO credential & interfaces with identity server]

Organizations and Projects

(Secured organizations)

• Organization
  – A company
  – A company division
  – An external partner or producer.

• Project
  – A framework for a business undertaking with fixed goals to achieve with given resource:
    A product
    A product Major assembly

User and roles

A user is restricted to accessing only the information that is necessary to do his job, with that access defined by the role the user plays in the company.

Partners

• External producer
  – He is provided with the information needed to produce the Work Ordered by the company.

• A contract Partner.
  – He is provided with the information needed to manufacture a product assembly, based on the commercial contract agreement.

Security & Protection

Teamcenter Enterprise

· Provides Administration Objects such as conditions, message access rules, role assignments, users and groups, to build the security infrastructure.

· The system restricts users' access to files attached to Business Items using the Active Control List (ACL).

Teamcenter Enterprise Objects

· Admin objects
· Process objects
· Configuration objects
· Business items objects
· Data items objects
· Dynamic dialogs objects

Typical Objects Relation

[Diagram: objects Assembly, Folder, SpcDoc, DesDoc, Dir, PDF and CmChNtIt, connected by the relations Attach, Translat, Describe, Contains, Result and Depend]

Typical Structure Document Objects Relation

[Diagram: objects Program, ChangeOrder, PartDoc, Assembly Rev A, Package-SRR Rev A, Config_1, Folder Master, Folder Rev A, Folder Rev B, DesDoc1 Master, DesDoc1 Rev B, SpcDoc1 Master, SpcDoc1 Rev A, SpcDoc1 Rev B, Dir and PDF, connected by the relations Contains, Attach, Is For Item, Added Item to Doc, RevEff and RfpRelated]

Typical Security demand

[Diagram: Project A01, Project A02, Project B01; Organization A01, Organization B01]

Teamcenter Enterprise Rules

· Default system access is: Not Allowed.

· Rules grant access to a user, group or role for a defined activity, defined by a message or a group of messages, with: Message Access (MsgAcc), based on a condition.

Evaluation

· Actions (e.g. CheckIn, Submit etc.) are defined by the role the user plays in the company (e.g. Configuration managers, Reviewers).

· Allow Query Access to Business Items.

· Restrict users from performing Actions on BusItems, based on Organization, Project and Security.

· Restrict users' access to DataItems, based on Project and Security level (e.g. secret and up).

· Restrict users to limited projects on all security levels.

Solving security with provided tools

· Security is built with MsgAcc rules and Conditions.

· Actions defined by the role, and access to Business Items, are OK as long as we keep the number of MsgAcc rules and Conditions reasonable.

· Rules are not fully indexed. Raising the number of MsgAcc rules and Conditions may affect system performance.

· Difficult to maintain and to analyze problems.

Customized security solution

· The solution should not affect the performance or the integrity of the system.

· The customized security solution is in addition to the Teamcenter Enterprise Rules.

· ACL is the carrier, using the ValidateACLForUsr message.

· Compartmenting of user access permission is done by a single indexed search of user, Organization and project.

· Bypass query permission check, based on project and security.

· Access level is based on Dialog action.
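
The compartment check described on this slide, as an added Python illustration that is not code from the presentation or from Teamcenter Enterprise. The table rows, the `max_security` column and the rule that a grant's AccessLvl must be at least the action's level are assumptions; only the table names, the usr1/prj1/orgNm1/orgNm2 labels and the Delete level of 70 come from the slides.

```python
# Added illustration; not Teamcenter code. Table contents are constructed.
from typing import NamedTuple


class Grant(NamedTuple):
    access_lvl: int    # highest action level the user may perform (assumed meaning)
    max_security: int  # highest item security level visible (assumed column)


# Security Action Table: required AccessLvl per (action, object kind).
# Only "Delete 70 70 70" is legible on the slide; the other rows are assumed.
ACTION_LEVEL = {
    ("Query", "BusItem"): 0, ("Query", "File"): 0, ("Query", "Relation"): 0,
    ("Create", "BusItem"): 10, ("Create", "File"): 10, ("Create", "Relation"): 10,
    ("CheckOut", "BusItem"): 20, ("CheckOut", "File"): 20,
    ("Revise", "BusItem"): 50,
    ("Delete", "BusItem"): 70, ("Delete", "File"): 70, ("Delete", "Relation"): 70,
}

# Access permission table keyed on (user, organization, project): one hash
# lookup per check, standing in for the slide's single indexed search.
PERMISSIONS = {
    ("usr1", "orgNm1", "prj1"): Grant(access_lvl=70, max_security=50),
    ("usr1", "orgNm2", "prj1"): Grant(access_lvl=0, max_security=20),
}


def is_allowed(user, org, project, action, kind, item_security):
    """Return True only when every table explicitly permits the request."""
    grant = PERMISSIONS.get((user, org, project))
    if grant is None:                       # no compartment row: default deny
        return False
    required = ACTION_LEVEL.get((action, kind))
    if required is None:                    # unknown action or kind: default deny
        return False
    if item_security > grant.max_security:  # item classified above the grant
        return False
    return grant.access_lvl >= required
```

Because the lookup key is the full (user, organization, project) triple, the same user gets a different answer in each compartment, and any triple without a row falls through to the "Not Allowed" default.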

Typical customer security demand

[Table: Security Action Table. Columns: Action; AccessLvl for BusItem, File and Relation. Actions: Create, Query, CheckIn, CheckOut, Submit, Revise, Delete. The alignment of access levels to rows was lost in extraction, except Revise 50 and Delete 70 70 70.]

[Table: Actions (Create, Query, CheckIn, CheckOut, Submit, Revise, Delete) permitted per role (Configuration Manager, Designer, Reviewer, Viewer), with Di, Rl and Bi columns under each role. The positions of the check marks were lost in extraction.]

Related Work

[Diagram: flow of the customized access check. Legend: New; Exists-Vanila; Exists – Cust.; Site.cfg Switch. Elements shown: the messages BusItem:ValidateACLForUsr, File:ValidateACLForUsr and Relation:ValidateACLForUsr ("Override Vanila messages"), with the values rulesAllowed = 1, ACLAllowed = 0 and ACLAllowed = 1 or 0; Message Access Rule; Dialogs Action (EditText, Expand, Create, Query, HPGL); Project Table; Usr Table; Access permition Table (columns User, Project, OrgNm, AccessLvl); Security Level Table (columns Level, Security; levels 20, 30, 40, 50; UnClasify, Clasify, Secrete, TopSecrete); Security and Min.Security; Security Action Table (columns Action; AccessLvl for BusItem, File, Relation); Site.cfg Switch]

Share data with partners

[Diagram: Company, Partner, Producer]

Send Compartment Data to an external Recipient, based on contract agreement.

Partner Compartment

[Diagram: Company, Partner, Dir, PDF]

Send data to external recipient

[Diagram: Partner, Dir, TeamCenter Enterprise and ERP, with the elements Request for Data, Budget account, Send Dialog, Send Template, Send Delivery and Send Log]

Submit Send Delivery to Life cycle

[Diagram: TeamCenter Enterprise life cycle from Submitter through Reviewer 1, Reviewer 2 and Reviewer 3, with Pass and Reject transitions, ending in Released and delivery to the Partner]

Send Data Work Location

[Screenshot: the Snd2ExtWl work location listing send items SND0000111, SND0000222, SND0000333 and SND0000444. Each item shows Data (assemblies, folders, SpcDoc, DesDoc and TechDoc documents with attached files), Description, Recipients, Rejects, EC and TC.]

Send Data Work Location

[Screenshot: the Snd2ExtWL work location listing send items SND0000111, SND0000222 and SND0000444. Each item shows Data (Folder_1 with a TechDoc and an attached PDF file), Description, Recipients, Rejects, EC and TC.]

Send Data Dialog

Send Data Template (Getinfo)

Send Data Template (Create)

Send Data Delivery

Send Data Delivery

Send Data Db Log

Send Data Db Log

Send Data Status

Security Access Selection

Security Access Selection


Conclusion

• Fulfilling the Company security demands is becoming increasingly important in the world of software.

• License enforcement, encryption, and authentication are important, but not enough to fulfill the security demands.

• Don’t assume products you use are secure; the application security infrastructure gives the frame.

• The need for on-demand creation and fast provisioning, while keeping the product protected and isolated, is becoming a complicated issue in the competitive world.

• Make time for security. Add it to the project plan.

Questions?

For more information:

[email protected]

Thank you.