Fine-grained Security Policies within a Portal Lab
"Securing Microsoft SharePoint Libraries Using Cisco Enterprise Policy Manager (Cisco EPM)
and Microsoft Forefront Identity Manager (FIM) 2010"
Published: April 2010


Abstract
Administrators are often asked to provide groups of users a central repository for team or
project documents. Since multiple users have access to these repositories, documents that are of
a sensitive nature may require additional security. In this lab, three tools are used to create
and then add properties to the existing authorization process and to add the flexibility needed
to assign different permissions to individual files within a document repository. The tools used
are Microsoft Forefront Identity Manager (FIM) 2010 for property creation and user provisioning
and management, Cisco Enterprise Policy Manager (Cisco EPM) for the creation and
enforcement of rules that add security to a document repository, and Microsoft SharePoint as
the portal.




Table of Contents
Introduction
Lab Scenario
   Business scenario
   Solution architecture and workflow
Lab Products and Solutions
   Microsoft Forefront Identity Manager (FIM) 2010
   Cisco Enterprise Policy Manager
Lab Execution
Lab Walkthrough
   Add and then bind new user property and create new user in FIM 2010
   Synchronize changes to Active Directory
   Define rules in Cisco EPM
   Replicate and then enforce rules
Conclusion
Appendix: The Interop Vendor Alliance
Table of Figures




Introduction

Administrators are often asked to provide groups of users a central repository for team or
project documents. Since multiple users have access to these repositories, documents that are of
a sensitive nature may require additional security. In this lab, three tools are used to create and
then add properties to the existing authorization process and to add the flexibility needed to
assign different permissions to individual files within a document repository. The tools used are
Microsoft Forefront Identity Manager (FIM) 2010 for property creation and user provisioning
and management, Cisco Enterprise Policy Manager (Cisco EPM) for the creation and
enforcement of rules that add security to a document repository and Microsoft SharePoint
Server 2007 as the portal.

In this lab, SharePoint is the collaboration portal designed to give groups of users a central
repository for team or project documents. SharePoint provides a security model that is based on
permission levels, such as Contribute and Read. This model works in most common scenarios,
but in some cases more flexibility is needed for controlling access to documents in SharePoint.
These cases can include environments that have higher auditing requirements and documents
that contain highly sensitive information. Microsoft Forefront Identity Manager (FIM) 2010 and
Cisco Enterprise Policy Manager (Cisco EPM) are used to add flexibility and more fine-grained
control to the SharePoint security model. FIM 2010 is used to manage users, groups, and
properties in an existing identity management system, such as Active Directory Domain Services
(AD DS), formerly known as Active Directory Directory Services. Cisco EPM is used to define rules
that use properties of the user object in AD DS and the metadata of a SharePoint site to
provide fine-grained access control over documents published on a SharePoint site.




Lab Scenario

Business scenario
The Finance department of an organization needs to produce periodic filings for the U.S.
Securities and Exchange Commission (SEC). The department wants to create a SharePoint site
called Financial Reports for the documents that are needed. However, some documents for the
SEC filings are of such a sensitive nature that access needs to be limited to one or just a few
financial analysts. SharePoint's security model does require authorization when a user attempts
to gain access to individual sites and document libraries, but the department would like
additional requirements to be a part of the security check that is performed. For example, only
users that are at a US location and that have full time employee status should be granted access.
Also, Finance department employees are assigned a clearance level. This clearance level must be
included as part of the security check.




Figure 1: Effective permissions



To add additional properties to the authorization process and to add the flexibility needed to
assign different permissions to individual files within the Financial Reports document library, two
tools are used: FIM 2010 for user management and provisioning and Cisco EPM for the creation
and enforcement of rules.




Solution architecture and workflow
Administrators can use FIM to manage user accounts and other resources that are in a directory
service. They can also manage the directory services schema, create new properties, and create
bindings between the properties and properties in a directory services application. In this lab,
FIM 2010 is used to add a new property named ClearanceLevel to the user object in Active
Directory Domain Services (AD DS). We will then use ClearanceLevel and other existing
attributes to configure additional user requirements that must be met before a user can gain
access to a document.

To gain read access to a document in the Financial Reports document library a user must:

• Have membership in the Finance group in Active Directory (Department=Finance)

• Attempt to access the document from a U.S. location (Location=US)

• Have membership in the Full time employee group in Active Directory
  (EmployeeType=Full Time Employee)

• Be assigned a clearance level that is greater than the clearance level defined in a
  document's metadata. Users with a clearance level of 10, the highest clearance level
  available, can access all documents in the Financial Reports document library even if that
  user is not a member of the Finance department or is not at a US location.




Figure 2: Tasks performed by each application or service

In the second part of the lab, Cisco EPM is used to create rules that control access to
documents within the Financial Reports document library. These rules enforce additional access
requirements on documents that are in a SharePoint document library. To do this Cisco EPM
needs data about the objects and properties that reside in AD DS and needs data from
SharePoint about the site structure and security configuration settings. Cisco EPM can connect
directly to AD DS to obtain data on the directory objects and properties. To obtain the
information needed from SharePoint, a Cisco EPM agent needs to be installed on the SharePoint
server. The agent passes SharePoint configuration and security information to Cisco EPM and
also enforces the rules that are defined in Cisco EPM.

The rules defined in Cisco EPM can be fine-grained to the level of a single document and can be
applied to individual document actions such as open, modify, and change. These rules can be
configured to control access based not only on the identity of the user, but also on other
properties such as location of the user, whether the user is on a corporate-managed computer,
and the time of day that the user attempts to gain access.




Lab Products and Solutions

Microsoft Forefront Identity Manager (FIM) 2010
FIM 2010 is an identity management system that is designed to set policy and monitor security
and workflow from a centralized location. It enables organizations to leverage existing identity
infrastructure investments including directory services, databases, line of business applications,
and strong authentication systems such as third-party certificate authorities and one-time
password devices. It increases security and compliance through policy management and enables
administrators to enforce deployment and management of strong credentials.

FIM 2010 enables the integration of a broad range of network operating systems, e-mail
applications, databases, and flat-files by supporting connectors for Active Directory, Novell, Sun,
IBM, Lotus Notes, Microsoft Exchange Server, Oracle databases, Microsoft SQL Server™
databases, SAP and others. Using FIM 2010, organizations can connect and synchronize
disparate sources of identity information in their company, cutting down the need to install
software on target systems.

A key goal of FIM 2010 is to decrease the amount of time IT professionals spend on simple tasks
by enabling end users to perform self-service tasks such as password reset, group management,
and distribution list management. To help users perform these tasks, FIM 2010 includes self-help
tools that are built into the SharePoint and Microsoft Office Outlook interfaces. Self service for
users enables IT professionals to concentrate their time on long term initiatives rather than on
simple everyday tasks.


Cisco Enterprise Policy Manager
Cisco EPM enables IT professionals to administer, enforce, and audit authorization for a variety
of platforms, operating systems, and applications. Historically, authorization has been handled
by each individual application. Using Cisco EPM, organizations can remove the authorization
process from the logic of individual applications and services and handle it instead through a
centralized interface.

Using Cisco EPM, administrators can create and configure rules that are based on attributes that
exist in external data sources. This removes the need to replicate all user and resource
information into directory services applications and the need to maintain synchronization
between multiple stores. Cisco EPM uses granular access policies that are administered
independently at multiple levels. For example, corporate-wide policies can be applied
consistently to all, while line-of-business or departmental policies can be independently
managed and enforced.

Cisco EPM simplifies the administration of SharePoint sites because it removes the process of
creating access policies and permissions from SharePoint. SharePoint designers or site owners
can focus on compiling content for the site while administrators establish the security for the
site. Cisco EPM integrates with SharePoint using agent software that works like an add-on and
executes natively within the SharePoint server. The Cisco EPM agent intercepts all requests to
the SharePoint server and evaluates the request against policies that are configured using the
Cisco EPM administration interface. Site administrators can utilize existing policy templates to
create rules for SharePoint sites. These rules can then be reused when new sites are deployed.




Lab Execution
The scenario implemented in this lab is composed of the following basic steps.



• Add and then bind new user property and create new user in FIM 2010

     o   An administrator uses FIM 2010 to add a new property and then binds that
         property to the user object in AD DS. The administrator can then create a new
         user and set the value for that property.

• Synchronize changes to Active Directory and create new users

     o   After the changes have been approved, the FIM 2010 repository can be
         synchronized with AD DS.

• Gather needed data

     o   The rules that add additional security to documents in a SharePoint site are
         created in Cisco EPM. Cisco EPM connects to AD DS and reads the properties that
         are defined there. These properties are needed when defining rules in Cisco
         EPM. Additionally, a Cisco EPM agent that is installed on the SharePoint server
         replicates metadata, such as site information, document libraries, user
         permissions, and document properties, from SharePoint to the Cisco EPM server,
         so that this metadata can also be used when creating the new access rules.

• Define rules in Cisco EPM

     o   Rules that control access to SharePoint assets are created using the Cisco EPM
         administrative console.

• Replicate and then enforce rules

     o   The new rules are then replicated to the SharePoint site. After the rules are
         replicated to SharePoint, the Cisco EPM agent is able to enforce the rules by
         intercepting requests for access to the SharePoint site.


Lab Walkthrough


Add and then bind new user property and create new user in
FIM 2010
The first part of this lab uses the FIM 2010 administrative console to create a property that we
will later map to a resource in Active Directory. On the Create Resource Type page in FIM 2010,
we named this new property PermissionLevel and we specified the data type, localization value,
allowed values and default value for it.




Figure 3 FIM – Create Resource Type page



We then create a new binding to associate the new PermissionLevel property to the User
object.




Figure 4 FIM - Create Binding page



Figure 5 FIM - All Bindings page



If a workflow is defined that handles changes to the properties of the User object, the next step
would be for the designated approver(s) to approve the binding of the new PermissionLevel
property to the User object. The new property cannot be used until this step is completed.




After the new PermissionLevel property is approved for User objects, the next step is to use this
new property in a specific user account. In this case, we create an example account for 'John'.
John is added to the AD security group Finance, which will be a required attribute in the access
rules that are configured in Cisco EPM later in this lab.




Figure 6 FIM – Create User page – General tab



The user account for John is assigned the Full Time Employee value in the Employee Type
field, which is another required attribute for the Cisco EPM access rule that we will configure
later in this lab.




Figure 7 FIM – Create User page – Work Info tab



On the Extended Attributes tab, John is given a Clearance Level of 10, which is the maximum
clearance allowed. This will allow him access to all documents in the Financial Reports document
library.




Figure 8 FIM – User – Extended Attributes tab

Synchronize changes to Active Directory
FIM 2010 manages its own database, so schemas need to be synchronized and the appropriate
mapping defined between FIM 2010 and a directory service, in this case Active Directory. We
need to define a mapping between the new property created in FIM 2010 and an equivalent
attribute in Active Directory. This can be done using the FIM 2010 Synchronization console.

In this lab, we create a mapping between the PermissionLevel property defined earlier in FIM
2010 and the ClearanceLevel property in Active Directory. In this way when changes to users
are replicated from or to Active Directory, the PermissionLevel property is automatically
mapped to the ClearanceLevel property.




Figure 9 FIM - Properties page



Gather needed data

After the mapping between properties is defined, the changes made in FIM 2010 must be
replicated to Active Directory. Using the Synchronization Service Management console we can
force synchronization or allow synchronization to happen automatically based on the frequency
defined for the Synch service.




Figure 10 FIM – Run Management Agent page



After synchronization is complete, the Synchronization Service Management console reports the
number of changes that were applied. The synchronization for this lab is FIM 2010 synchronizing
with Active Directory and includes the new user we created and the new property mapping
between PermissionLevel and ClearanceLevel.




Figure 11 FIM – Profile Name: Export User Name page




Figure 12 FIM – Profile Name: Full Synchronization User Name page



In the SharePoint site, we created a document library that we named Financial Reports.
Documents in this library will now have the ClearanceLevel property as part of the SharePoint
metadata. This property will be used by Cisco EPM to check if the user has the appropriate
permission needed to view or edit a document. Additionally, Cisco EPM and the Cisco EPM
agent can enforce rules that are based on other properties of the User object. For example, later in
this lab we will configure Cisco EPM to require the user to be a member of the Finance
department and also a full time employee.




Figure 13 SharePoint – Financial Reports document library




Define rules in Cisco EPM
The next part of this lab uses the Cisco EPM console. The first step is to create some application
attributes based on properties that are in Active Directory.




Figure 14 Cisco EPM – Manage Entities – Application Attributes



On the Application Attributes page, we select ADAttributes to use attributes that are defined in
Active Directory.




Figure 15 Cisco EPM – Application Name and Application Type fields



We create a new attribute based on the Department attribute defined in the User object. The
Attribute Type field specifies the Active Directory attributes to use. The Search Base field is for
the location of the attribute within the LDAP structure. In this case, we specify the entire domain
tree of Cisco-IVA.COM by typing DC=Cisco-IVA and DC=COM. We set the Attribute Filter field
to sAMAccountName=? to specify the name of the property to use.




Figure 16 Cisco EPM – Manage Entities – Application Attributes – Search Base



We also create attributes for EmployeeType, Country, and ClearanceLevel, so that we can use
these properties later when creating access rules in Cisco EPM.

The next step is to create access rules in Cisco EPM for the Finance department SharePoint site.
Before creating access rules a SharePoint site must first be registered with Cisco EPM.




Figure 17 Cisco EPM – Global Resources




Figure 18 Cisco EPM – Global Roles



We define a new rule that will apply to the Contribute permission level in SharePoint. By editing
this permission level it is possible to see all the users in the SharePoint site that are assigned the
Contribute permission level.




Figure 19 Cisco EPM – Global Roles




Figure 20 Cisco EPM – Manage Entities – Users




We want the rules to apply to all users in the Contribute permission level. To do this we move all
users from the Users list to the Assigned Users list.




Figure 21 Cisco EPM – Manage Entities – Assigned Users



After we define all the users to whom the rule will apply, we can then define the settings of the
rule.



We set the Role Name to IVADynamicFinanceRole and then set the Role Status to Dynamic.




Figure 22 Cisco EPM – Manage Entities – Update Role



After naming the new rule, click Advanced and then click Simple Rules.

To read a document in the Financial Reports document library, a user account must meet the
following criteria:

• Have membership in the Finance group in Active Directory (Department=Finance)

• Attempt to access the document from a U.S. location (Location=US)

• Have membership in the Full time employee group in Active Directory
  (EmployeeType=Full Time Employee)

• Have a clearance level greater than the clearance level defined in the document
  metadata. (This setting overrides all other requirements in that a user with a clearance
  level of 10 can access the documents even if that user is not a member of the Finance
  department or is not at a US location.)




Figure 23 Cisco EPM – Manage Entities – Update Role – Simple Rule



The ClearanceLevel rule is defined in Cisco EPM. The attribute from Active Directory,
ADAttributes:ClearanceLevel, must be greater than or equal to the ClearanceLevel value defined
in the document metadata.
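The rule set above, as an added reference model that is not Cisco EPM or FIM code: it encodes the four read conditions and the clearance-10 override over a constructed in-memory user store so the decision logic can be run offline, and the escaping applied when an account name is substituted into the sAMAccountName=? attribute filter is an assumed detail, not something the lab shows.

```python
"""Reference model of the Financial Reports read rule described in this lab.

Added example, not Cisco EPM or FIM code. It encodes the dynamic role's
conditions (Department=Finance, Location=US, EmployeeType=Full Time Employee,
ADAttributes:ClearanceLevel >= the document's ClearanceLevel, with clearance 10
overriding the other requirements) over a constructed in-memory directory, so
it runs offline and shows exactly which condition a request fails on.
"""
from dataclasses import dataclass
from typing import Optional

MAX_CLEARANCE = 10  # the highest clearance level available in the lab

# Constructed stand-in for the AD DS user objects that Cisco EPM reads via its
# ADAttributes application (search base DC=Cisco-IVA,DC=COM in the lab).
# Keys are sAMAccountName values; the accounts and values are sample data.
DIRECTORY = {
    "john":  {"department": "Finance", "employeeType": "Full Time Employee",
              "country": "US", "clearanceLevel": 10},
    "alice": {"department": "Finance", "employeeType": "Full Time Employee",
              "country": "US", "clearanceLevel": 5},
    "bob":   {"department": "Finance", "employeeType": "Contractor",
              "country": "US", "clearanceLevel": 9},
    "carol": {"department": "Legal", "employeeType": "Full Time Employee",
              "country": "DE", "clearanceLevel": 10},
}


def ldap_filter_escape(value: str) -> str:
    """Escape a value that is substituted into an LDAP filter (RFC 4515, sec. 3)."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_filter(sam_account_name: str) -> str:
    """Filter in the form of the lab's 'sAMAccountName=?' attribute filter, with
    '?' replaced by the escaped account name (assumed to be how the placeholder
    is filled; the lab does not show the generated filter)."""
    return "(sAMAccountName=%s)" % ldap_filter_escape(sam_account_name)


def lookup_user(sam_account_name: str) -> Optional[dict]:
    """Resolve the application attributes for one user from the constructed store."""
    return DIRECTORY.get(sam_account_name.lower())


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def evaluate_read(user: Optional[dict], doc_clearance: int) -> Decision:
    """Apply the lab's rule set to a read of one Financial Reports document.

    The lab words the clearance test both as 'greater than' and as 'greater or
    equal'; the ClearanceLevelRule as configured is '>=', which is used here.
    """
    if user is None:
        return Decision(False, "user not found in directory")
    level = int(user.get("clearanceLevel", 0))
    if level < doc_clearance:
        # The clearance comparison is never bypassed.
        return Decision(False, "clearance %d below document level %d"
                        % (level, doc_clearance))
    if level >= MAX_CLEARANCE:
        # Per the lab, clearance 10 overrides all other requirements.
        return Decision(True, "maximum clearance overrides other requirements")
    if user.get("department") != "Finance":
        return Decision(False, "not in the Finance department")
    if user.get("country") != "US":  # the lab's Location=US condition
        return Decision(False, "not at a US location")
    if user.get("employeeType") != "Full Time Employee":
        return Decision(False, "not a full time employee")
    return Decision(True, "all rule conditions satisfied")


def check_access(sam_account_name: str, doc_clearance: int) -> Decision:
    """End to end: look the user up by sAMAccountName and evaluate the rule."""
    return evaluate_read(lookup_user(sam_account_name), doc_clearance)


if __name__ == "__main__":
    for name, level in [("john", 8), ("alice", 3), ("alice", 7),
                        ("bob", 3), ("carol", 6), ("mallory", 1)]:
        d = check_access(name, level)
        print("%-8s doc=%2d  %s  (%s)" % (name, level,
                                          "ALLOW" if d.allowed else "DENY", d.reason))
```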




Figure 24 Cisco EPM – Manage Entities – ClearanceLevelRule – LHS




Replicate and then enforce rules
Synchronization between Cisco EPM and the SharePoint site is handled by the Cisco EPM agent
that is installed and run on the SharePoint server. After the rule has been defined, it needs to be
associated to a SharePoint site so it can be enforced by the Cisco EPM agent.



To do this we drag the new dynamic rule and drop it into the Finance department SharePoint
site.




Figure 25 Cisco EPM – Manage Entities – By Resources




Figure 26 Cisco EPM – Manage Entitlements – By Resources



After the rule is associated to the SharePoint site, only users that satisfy the conditions of the
rule are allowed access to the site.




Conclusion
SharePoint is a collaboration tool that can provide a centralized location for users to share and
protect team and project documents. If the documents are of a sensitive nature, security can be
added to the default SharePoint security infrastructure. Using FIM, an administrator can create
and then map properties to a directory service such as AD DS. Adding Cisco EPM and a Cisco
EPM agent enables administrators to create and then enforce rules that work within SharePoint.
These rules can apply to document libraries or even to individual documents within a document
library.




Links for more information:



Cisco EPM:

     http://www.cisco.com/go/policy



Forefront Identity Manager 2010:

     http://www.microsoft.com/ForeFront



SharePoint:

     http://sharepoint.microsoft.com




Appendix: The Interop Vendor Alliance
The Interop Vendor Alliance is an industry group working to identify and share opportunities to
better connect people, data, and diverse systems through better interoperability with Microsoft
systems and to jointly market the interoperability solutions of its members.

The organization serves as a collaborative forum for developing and sharing common
technology models, facilitating scenario-based testing of multivendor solutions, and
communicating additional best practices to customers and partners.

Since its formation in 2006, alliance membership has more than doubled as the IVA has
developed multiple interoperability labs, including System Management, Centralized Directory,
Federated Identity, Content Management, and Open XML.

You can learn more by visiting http://interopvendoralliance.com/.




Table of Figures
Figure 1: Effective permissions
Figure 2: Tasks performed by each application or service
Figure 3 FIM – Create Resource Type page
Figure 4 FIM – Create Binding page
Figure 5 FIM – All Bindings page
Figure 6 FIM – Create User page – General tab
Figure 7 FIM – Create User page – Work Info tab
Figure 8 FIM – User – Extended Attributes tab
Figure 9 FIM – Properties page
Figure 10 FIM – Run Management Agent page
Figure 11 FIM – Profile Name: Export User Name page
Figure 12 FIM – Profile Name: Full Synchronization User Name page
Figure 13 SharePoint – Financial Reports document library
Figure 14 Cisco EPM – Manage Entities – Application Attributes
Figure 15 Cisco EPM – Application Name and Application Type fields
Figure 16 Cisco EPM – Manage Entities – Application Attributes – Search Base
Figure 17 Cisco EPM – Global Resources
Figure 18 Cisco EPM – Global Roles
Figure 19 Cisco EPM – Global Roles
Figure 20 Cisco EPM – Manage Entities – Users
Figure 21 Cisco EPM – Manage Entities – Assigned Users
Figure 22 Cisco EPM – Manage Entities – Update Role
Figure 23 Cisco EPM – Manage Entities – Update Role – Simple Rule
Figure 24 Cisco EPM – Manage Entities – ClearanceLevelRule – LHS
Figure 25 Cisco EPM – Manage Entities – By Resources
Figure 26 Cisco EPM – Manage Entitlements – By Resources




This document is provided “as-is.” Information and views expressed in this document, including
URL and other Internet Web site references, may change without notice. This document does
not provide you with any legal rights to any intellectual property in any Microsoft product. You
may copy and use this document for your internal, reference purposes. You may modify this
document for your internal, reference purposes.

Distributed under Creative Commons Attribution-Noncommercial-No Derivative Works 3.0



