Directory Services and Your Enterprise RtPM
Presented by: John Matranga, CTO, Omicron Consulting
Omicron Consulting, 1500 Market Street, Philadelphia, PA 19102
John [email protected]
OSIsoft UC 2004
Abstract
Your company is rolling out Active Directory (AD), Novell Directory Services (NDS), SunOne Directory Service or IBM SecureWay Directory. What are directory services? What are AD and NDS? How do directory services fit with your PI Server and Portal infrastructure? These are the types of questions John will cover as he outlines directory services and the role they play in moving your PI Server to an enterprise-level RtPM infrastructure.

DISCLAIMER: This talk is designed to be a primer. It contains some OSIsoft specifics describing what exists today, and some forward-looking ideas, not endorsed by OSIsoft, used as examples.
Agenda
Directory Services
  - General overview
  - Uses
  - Examples
LDAP
  - History
  - Use
PI and Security - a few notes
RtPortal and Directory Services
  - SPS overview
  - RtPortal issues
Q/A & Resources
Directories
Non-electronic directories: phone book, healthcare providers, parts catalog
Electronic directories: users, web sites (the Yahoo list), printer resources
Directory Service Attributes
- Special-purpose database for resource lookup: not a normal database, but one optimized for its use
- Written a few times, read many times
- Often contains certain types of data: servers, printers, file systems, applications, users, profiles, etc.
- Not designed for complex queries
- Hierarchically organized, standard namespace
- Remote access via LDAP
Drivers for a Directory
- Single unified security: THE security service (the "C/S" subsystem); a single source of users; a single source of role-based profiles; authorization (what) and authentication (who)
- Dynamic indirection: list-based management (e.g. mail lists); role-based solutions
- Costs: avoids maintaining multiple create/update/delete lists; no need for application-specific security DBAs
- Integration
Domain Name System (DNS)

(Figure: the DNS hierarchy for widgets.org, with the subdomain name in each box.)

widgets.org
  na.widgets.org
    hq.na.widgets.org (headquarters)
    we.na.widgets.org (west)
    ce.na.widgets.org (central)
    ea.na.widgets.org (east)
  euro.widgets.org
    uk.euro.widgets.org (UK)
    ge.euro.widgets.org (Germany)
    fr.euro.widgets.org (France)
  asia.widgets.org
    jp.asia.widgets.org (Japan)
    oz.asia.widgets.org (Australia)
    nz.asia.widgets.org (New Zealand)
Directory Architecture
Directory objects have attributes. Objects and their attributes are protected by ACLs.

(Figure: the directory tree and one user object.)

Root
  Users
    Marketing
    Personnel
  Machines
  Applications
  Devices

Sample user object:
  Name: Bob Jones
  Email: [email protected]
  Phone: 555-1234
  SSN: 456-78-9101

An attribute such as the SSN is why ACLs apply per attribute and not only per object: the phone number can be readable by everyone while the SSN is restricted to the few who need it.
Shared Folder Objects
A shared folder directory object abstracts a shared folder or Dfs volume. A UNC path in the object points to the resource.

(Figure: the shared folder object placed in an OU within the domain.)
Printer Objects
A printer directory object abstracts a shared printer. The printer object's attributes include the printer's UNC path and the printer model and capabilities.

(Figure: the printer object placed in an OU within the domain.)
Object Access
Access to directory objects is controlled via Access Control Lists (ACLs). Why is this important?

(Figure: Directory Object -> ACL: Sales Managers, read access.)
ACLs: Access Control Lists
- Access - what can be done? Control - who can do it? Lists - one to many.
- Role based or user based, with any number of groups
- Groups of what? Roles, users, points, etc.
- Central, standard management. So? It gets OSIsoft "out of the business" of building and maintaining its own user and permission store.
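The access check the two ACL slides describe, worked through in code. This is an added example and not code from the slides or from OSIsoft; the rights, group names, nested memberships and the sample ACL are constructed for illustration. It models the outcome Windows produces for a flat list of explicit ACEs in canonical order (explicit deny entries ahead of allow entries): a deny that overlaps the request wins, rights granted by no entry are implicitly denied, and "who" is resolved through nested group membership, which is the "dynamic indirection" the earlier slide refers to.

```python
"""Added example (not from the original slides): a simplified model of an
ACL access check.  Access = the rights bitmask, Control = the principals
(users or groups) named in each entry, List = the one-to-many entries
tying them together.  Names, rights and the ACL are constructed."""

from dataclasses import dataclass

READ, WRITE, DELETE = 1, 2, 4          # one bit per right (hypothetical set)


@dataclass(frozen=True)
class ACE:
    principal: str   # a user or a group name
    rights: int      # bitmask of rights this entry grants or denies
    allow: bool      # False = explicit deny


# Constructed group membership, possibly nested: a principal's effective
# identity is itself plus every group reachable through "member of" links.
GROUPS = {
    "bjones": {"Sales Managers"},
    "Sales Managers": {"Sales"},
    "Sales": {"Domain Users"},
    "tsmith": {"Sales"},
    "contractor1": {"Domain Users", "Contractors"},
}


def effective_principals(user: str) -> set:
    """Expand nested group membership into the full set of principals."""
    seen, todo = set(), [user]
    while todo:
        p = todo.pop()
        if p in seen:
            continue
        seen.add(p)
        todo.extend(GROUPS.get(p, ()))
    return seen


def access_check(acl, user: str, requested: int) -> bool:
    """True if every requested right is granted and none is explicitly denied.

    Deny entries are evaluated first (canonical order); a deny overlapping
    the request wins regardless of any allow.  Rights no allow entry
    mentions are implicitly denied.
    """
    me = effective_principals(user)
    relevant = [ace for ace in acl if ace.principal in me]
    for ace in relevant:
        if not ace.allow and (ace.rights & requested):
            return False
    granted = 0
    for ace in relevant:
        if ace.allow:
            granted |= ace.rights
    return (requested & ~granted) == 0


# Constructed ACL for one directory object, as on the "Object Access" slide:
# Sales Managers may read, Sales may read and write, Contractors are denied.
OBJECT_ACL = [
    ACE("Contractors", READ | WRITE | DELETE, allow=False),
    ACE("Sales Managers", READ, allow=True),
    ACE("Sales", READ | WRITE, allow=True),
]


if __name__ == "__main__":
    for who, wants in (("bjones", READ), ("bjones", DELETE), ("contractor1", READ)):
        print(who, wants, access_check(OBJECT_ACL, who, wants))
```

Note that bjones ends up with WRITE even though no entry names bjones or Sales Managers for it: Sales Managers is a member of Sales, and the indirection is what makes central, list-based management work, and also what makes an over-broad group grant hard to spot by reading a single ACL.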
Example Object Classes
- User: Given-Name, Address, Picture ...
- Print-Queue: Print-Language, Print-Status ...
- Computer: Operating-System ...
- Organizational-Unit: Organizational-Unit-Name ...
- Forward looking (OSIsoft, not endorsed): Points, Point Classes, Digital States, Calculations, etc.
What is Active Directory?
Microsoft's network resource platform. Active Directory is an integral part of Windows 2000 Server that delivers essential network operating system services:
- Focal point for management of network elements (users, applications, devices, etc.)
- Trusted repository of security data for authentication and authorization
- Open platform for application development and integration with other systems
Windows 2000 Active Directory

(Figure: Active Directory at the centre, a focal point for manageability, security and interoperability, surrounded by what it holds for each kind of client.)

- Windows users: account info, privileges, profiles, policy
- Windows clients: management profile, network info, policy
- Windows servers: management profile, network info, services, printers, file shares, policy
- Applications: server config, single sign-on, app-specific directory info, policy
- Network devices: configuration, QoS policy, security policy
- Firewall services (Internet): configuration, security policy, VPN policy
- Other directories: white pages, e-commerce
- Other NOS: user registry, security, policy
- E-mail servers: mailbox info, address book

Active Directory provides a focal point for management, security and interoperability.
So Now We Have A Directory
Now what?

(Figure: a directory of nested OUs.)
Directory Access - LDAP
Lightweight Directory Access Protocol: an open standard, originally a de facto standard set by the major network vendors.
Came from X.500 (1990, CCITT; ISO 9594, Data Communications Network Directory, Recommendations X.500-X.521): take the X.500 Directory Access Protocol (DAP) and add the "L" for lightweight.

(Figure: LDAP Client <-- TCP/IP --> LDAP Server <--> Directory.)
LDAP 'Models'
- Information: describes the structure of information stored in an LDAP directory.
- Naming: describes how information in an LDAP directory is organized and identified.
- Functional: describes what operations can be performed on the information stored in an LDAP directory.
- Security: describes how the information in an LDAP directory can be protected from unauthorized access. Note that a simple bind sends the password in the clear, so it belongs inside TLS (LDAPS or StartTLS).
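The naming and functional models, and the link between the DNS tree on the widgets.org slide and directory names, shown in working code. This is an added example, not code from the slides or from any vendor; the attribute names, the sample DNs and the sample account names are assumptions made for the example. split_dn() walks an RFC 4514 distinguished name into its RDNs (naming model), domain_to_dn() maps a DNS domain onto the DC= components Active Directory names it with, and build_user_filter() constructs an RFC 4515 search filter (functional model: search) with the one value that came from a user escaped, so it can only ever match literally.

```python
"""Added example (not from the original slides): the LDAP naming and
functional models in code.  Attribute names and sample values are
assumptions made for the example."""

# RFC 4515 section 3: characters that must be escaped inside a filter
# assertion value; left raw, they change the structure of the filter.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value so a search filter matches it literally."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(sam_account: str) -> str:
    """Functional model (search): filter for exactly one user object.

    Without escaping, a value such as '*)(uid=*' would widen the search
    to every user; with it the asterisks and parentheses are literals.
    """
    return "(&(objectClass=user)(sAMAccountName=%s))" % escape_filter_value(sam_account)


def split_dn(dn: str) -> list:
    """Naming model: split an RFC 4514 DN into its RDNs, most specific first.

    A backslash escapes the following character, so an escaped comma
    inside a value (CN=Jones\\, Bob) does not terminate the RDN.
    """
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])   # keep the escape pair intact
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current).strip())
    return [rdn for rdn in rdns if rdn]


def domain_to_dn(domain: str) -> str:
    """Active Directory names a domain by its DNS name: one DC= component
    per DNS label, e.g. na.widgets.org -> DC=na,DC=widgets,DC=org."""
    return ",".join("DC=%s" % label for label in domain.strip(".").split("."))


if __name__ == "__main__":
    base = "OU=Marketing,OU=Users," + domain_to_dn("na.widgets.org")
    print(base)
    print(split_dn("CN=Bob Jones," + base))
    print(build_user_filter("bjones"))
    print(build_user_filter("*)(sAMAccountName=*"))
```

The escaping is the check a practitioner wants before any portal or web part passes a user-typed name into a directory search: the filter grammar uses the same characters as the data, and only the escaped form keeps them apart.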
PI Security Document
1. Overview
2. Computer System Security
   2.1 Physical Security
   2.2 File System
   2.3 Auditing
   2.4 User Database
3. PI Server Security
   3.1 Concepts
   3.2 Firewall Table
   3.3 Trust Table
   3.4 Users and Groups
   3.5 Backing Up the PI Server
4. Procedures
   4.1 Enabling Auditing
   4.2 Configuring the Windows Event Log
   4.3 Establishing Minimum Audit Settings
   4.4 Secure Boot Settings
   4.5 Password Management
   4.6 Requiring Login for Piconfig at the Console
   4.7 Disabling the PI Default User
   4.8 Users and Groups
http://support.osisoft.com/PIServer/WhitePapers/PI Security Best Practices.doc
Overview
RtWebParts is built upon: Windows SharePoint Services, Windows Server 2003, IIS
RtWebParts fits in: Office SharePoint Portal Server 2003, Windows Server 2003, IIS

- Windows Server 2003: file access; user authorization for files and resources
- IIS: Basic Authentication over HTTPS; Windows Authentication (internal). Basic Authentication only base64-encodes the credential and resends it on every request, so it is acceptable only inside HTTPS.
- AD: for roles etc.
- SPS details: AD tree import and synchronization; rules for targeting
SPS Overview
User or role based. Today:
- File directories and files
- Portal sites/areas and pages
- Rights to change a page: Design, Modify, Public View, Personal View
SPS Site Settings
Users and ACL rights: the same as for files.
New Site
Security On The Security
As one would expect: the settings that control access are themselves under access control.
Excel Integration
- Embed actual Excel spreadsheets into the portal
- Have Excel drive other items on the page (the trend below)
- Allows direct, secure editing of the spreadsheet (with rights)
- Can be used for what-if analysis
Sample Portal Page
Personalized; page access; resource access; PI data access
KPI Example
Parts can be driven from PI, relational or web services data sources. The part can keep the user's "ID" or share one.
Application Integration Example
Data access in the user's context; custom WebParts can be driven from the portal.
Applications Page
- Integrated security to THE network directory
- Plant applications menu: see what you get
- Role-based application access
- ADAM (Active Directory Application Mode)
- No need for extra administration
Questions and Information
John Matranga, CTO, Omicron Consulting
[email protected]

Other References
- PI Security Whitepaper: http://support.osisoft.com/PIServer/WhitePapers/PI Security Best Practices.doc
- Microsoft Active Directory: http://www.microsoft.com/AD
- LDAP (open standard; the IBM Redbook is a good overview): http://www.redbooks.ibm.com/redbooks/SG244986.html
- SharePoint: SharePoint Portal Server Administrator's Guide (online)