{"id":1437,"date":"2016-04-19T15:45:19","date_gmt":"2016-04-19T21:45:19","guid":{"rendered":"http:\/\/www.designandexecute.com\/designs\/?p=1437"},"modified":"2024-08-31T10:34:37","modified_gmt":"2024-08-31T16:34:37","slug":"security-patterns","status":"publish","type":"post","link":"https:\/\/www.designandexecute.com\/designs\/security-patterns\/","title":{"rendered":"Security Design Patterns in Data Warehousing"},"content":{"rendered":"<p><span data-preserver-spaces=\"true\">Security is the top priority in the digital economy. We are plagued with issues if we build siloed systems because we cannot make relationships in the data. If we create connected systems, we need to create logical boundaries and restrict how this valuable insight is accessed and shared. The approach is to give the right information at the right level to the people who need it at the right time. In simple language, you get information on a need-to-know basis. Segmented security means we must stratify security levels into key categories, or segment them as needed.
The standard security design issues fall into the following categories.<\/span><\/p>\n<ol>\n<li><span data-preserver-spaces=\"true\">The user\u00a0<\/span><strong><span data-preserver-spaces=\"true\">does not have access<\/span><\/strong><span data-preserver-spaces=\"true\">\u00a0to the information they need (usually a binary approach: you either have access or you do not)<\/span><\/li>\n<li><strong><span data-preserver-spaces=\"true\">Cross Silo Analysis<\/span><\/strong><span data-preserver-spaces=\"true\">\u00a0is difficult, and in some cases impossible (the usual case of security spread over multiple applications)<\/span><\/li>\n<li><strong><span data-preserver-spaces=\"true\">Multi-Hierarchy views<\/span><\/strong><span data-preserver-spaces=\"true\">\u00a0of the same data make reporting and security hard to align (if the security is tied to a hierarchy, what happens when different lines of business use multiple hierarchies?)<\/span><\/li>\n<li><strong><span data-preserver-spaces=\"true\">Special Case processing<\/span><\/strong><span data-preserver-spaces=\"true\">\u00a0is hard to segment and can create a disconnect.<\/span><\/li>\n<li><strong><span data-preserver-spaces=\"true\">Administration and Re-Certification<\/span><\/strong><span data-preserver-spaces=\"true\">, keeping pace with attrition, mergers, and transfers. Inter-organization restructuring must be easily accounted for.<\/span><\/li>\n<li><strong><span data-preserver-spaces=\"true\">Transactional and Analytic security sync<\/span><\/strong><span data-preserver-spaces=\"true\">. Analytic applications of the future need to consume data and deliver embedded knowledge in the reports or aggregated data back to the user. The security of data capture in transactional systems and of reporting in analytic systems will need to synchronize if they use different data models.
They are usually kept separate for the performance of both functions.<\/span><\/li>\n<\/ol>\n<h2><strong><span data-preserver-spaces=\"true\">Benefits of Good Security and Data Democracy Design Pattern<\/span><\/strong><\/h2>\n<ul>\n<li><strong><span data-preserver-spaces=\"true\">Reduce the cost of delivering data<\/span><\/strong><span data-preserver-spaces=\"true\">\u00a0by making the user more self-sufficient, which also reduces the time to get the data, that is, the turnaround time between the request and the data being given to the user<\/span>\n<ul>\n<li class=\"ql-indent-1\"><span data-preserver-spaces=\"true\">Leverage the same security model for both the transaction and the reporting systems, reducing delivery costs, training costs, and the complexity of maintaining and syncing both.<\/span><\/li>\n<li class=\"ql-indent-1\"><span data-preserver-spaces=\"true\">It also costs less to administer the security over the long haul.<\/span><\/li>\n<\/ul>\n<\/li>\n<li><strong><span data-preserver-spaces=\"true\">Good data democracy means high access and high frequency of use.\u00a0\u00a0<\/span><\/strong><span data-preserver-spaces=\"true\">Giving more visibility to the data gives the end user more value from the application, as they will come to trust the data and use it more. The more data is used, the more the data and the processes will change.
It is the insight gained that will drive the change.<\/span><\/li>\n<\/ul>\n<p><span data-preserver-spaces=\"true\"><strong><a href=\"http:\/\/www.designandexecute.com\/designs\/wp-content\/uploads\/2016\/04\/hierarchy.jpg\" rel=\"attachment wp-att-2280\"><img loading=\"lazy\" decoding=\"async\" class=\"alignleft size-medium wp-image-2280\" src=\"http:\/\/www.designandexecute.com\/designs\/wp-content\/uploads\/2016\/04\/hierarchy-300x278.jpg\" alt=\"hierarchy\" width=\"300\" height=\"278\" srcset=\"https:\/\/www.designandexecute.com\/designs\/wp-content\/uploads\/2016\/04\/hierarchy-300x278.jpg 300w, https:\/\/www.designandexecute.com\/designs\/wp-content\/uploads\/2016\/04\/hierarchy-100x93.jpg 100w, https:\/\/www.designandexecute.com\/designs\/wp-content\/uploads\/2016\/04\/hierarchy-150x139.jpg 150w, https:\/\/www.designandexecute.com\/designs\/wp-content\/uploads\/2016\/04\/hierarchy-200x186.jpg 200w, https:\/\/www.designandexecute.com\/designs\/wp-content\/uploads\/2016\/04\/hierarchy-450x418.jpg 450w, https:\/\/www.designandexecute.com\/designs\/wp-content\/uploads\/2016\/04\/hierarchy.jpg 459w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/strong>Most enterprise designs have between 10-20 levels of hierarchy. This level of granularity tends to satisfy the most demanding requests but is still flexible for a large enterprise. 
A starting point for thinking about how to segment the levels into\u00a0<\/span><strong><span data-preserver-spaces=\"true\">security archetypes<\/span><\/strong><span data-preserver-spaces=\"true\">\u00a0can be as follows:<\/span><\/p>\n<ol>\n<li><strong><span data-preserver-spaces=\"true\">The single-user<\/span><\/strong><span data-preserver-spaces=\"true\">\u00a0profile<\/span><\/li>\n<li><strong><span data-preserver-spaces=\"true\">The line manager<\/span><\/strong><span data-preserver-spaces=\"true\">\u00a0who manages a few users to a few dozen users<\/span><\/li>\n<li><strong><span data-preserver-spaces=\"true\">The functional manager<\/span><\/strong><span data-preserver-spaces=\"true\">, who manages a few line managers to a few dozen line managers, typically needs to see the data of any or everybody in their direct or indirect command.<\/span><\/li>\n<li><strong><span data-preserver-spaces=\"true\">The executive<\/span><\/strong><span data-preserver-spaces=\"true\">\u00a0who manages more than one functional manager or the entire organization<\/span><\/li>\n<li><strong><span data-preserver-spaces=\"true\">Peer visibility:<\/span><\/strong><span data-preserver-spaces=\"true\">\u00a0for security levels 2-5 (line manager, functional manager, and executive), there should be security for seeing peers and for not seeing peers&#8217; subgroups. This requirement depends on the company culture.<\/span><\/li>\n<li><strong><span data-preserver-spaces=\"true\">Exclusions by Exceptions:<\/span><\/strong><span data-preserver-spaces=\"true\">\u00a0the design must account for exceptions that the business will want to shield from general viewing, for whatever reason, at that level.<\/span><\/li>\n<li><strong><span data-preserver-spaces=\"true\">Cross LOB and Geographic:\u00a0<\/span><\/strong><span data-preserver-spaces=\"true\">the design must account both for who you can see in the LOB and for the European restrictions under which countries are not able to see each other&#8217;s data.
The General Data Protection Regulation (GDPR) means that even within the LOB, geographic limits must be nested into the underlying LOB security.<\/span><\/li>\n<\/ol>\n<p><span data-preserver-spaces=\"true\">A general design principle is to create groups for each level and assign all the rights to these groups as needed. This way, you can add people and remove them from the groups with little regard to the security rights of the group. Group-level security will allow inheritance and make the model more flexible if group nesting is supported.<\/span><\/p>\n<p><span data-preserver-spaces=\"true\">One thing to consider is how you want to manage the edge case where a user becomes associated with more than one group. There are a few approaches. The first is to apply the most restrictive of the two groups, thereby &#8220;AND&#8221;ing the rights down to the lowest common denominator of rights. The second way is to &#8220;OR&#8221; the rights and give the user the most rights across the two groups. This is to be decided as you go about the design.<\/span><\/p>\n<p><span data-preserver-spaces=\"true\">I hope these design patterns help to mold your next build.
I always appreciate some feedback, so feel free to share your thoughts.<\/span><\/p>\n<p><span data-preserver-spaces=\"true\">If you are interested in seeing many design patterns to consider in the Data Warehousing build process, then consider reading\u00a0<\/span><a class=\"editor-rtfLink\" href=\"https:\/\/www.designandexecute.com\/designs\/data-warehouse-design-patterns\/\" target=\"_blank\" rel=\"noopener noreferrer\"><span data-preserver-spaces=\"true\">Design Patterns in Data Warehousing<\/span><\/a><\/p>\n<p>Stephen Choo Quan<\/p>\n<p><strong>Thanks for reading \u2764<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Security is the top priority in the digital economy. We are plagued with issues if we build systems that are silo because we cannot make relationships in the data. If we create connected systems, we need to create logical boundaries and constrict how this valuable insight is accessed and shared. The approach is to give [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":2280,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[31,7],"tags":[45],"class_list":["post-1437","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-bi-data-warehouse","category-faq","tag-security"],"jetpack_featured_media_url":"https:\/\/www.designandexecute.com\/designs\/wp-content\/uploads\/2016\/04\/hierarchy.jpg","_links":{"self":[{"href":"https:\/\/www.designandexecute.com\/designs\/wp-json\/wp\/v2\/posts\/1437","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.designandexecute.com\/designs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.designandexecute.com\/designs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.designandexecute.com\/designs\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.designandexecute.com\/designs\/wp-json\/wp\/v2\/comments?post=1437"}],"version-history":[{"count":6,"href":"https:\/\/www.designandexecute.com\/designs\/wp-json\/wp\/v2\/posts\/1437\/revisions"}],"predecessor-version":[{"id":20755,"href":"https:\/\/www.designandexecute.com\/designs\/wp-json\/wp\/v2\/posts\/1437\/revisions\/207
55"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.designandexecute.com\/designs\/wp-json\/wp\/v2\/media\/2280"}],"wp:attachment":[{"href":"https:\/\/www.designandexecute.com\/designs\/wp-json\/wp\/v2\/media?parent=1437"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.designandexecute.com\/designs\/wp-json\/wp\/v2\/categories?post=1437"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.designandexecute.com\/designs\/wp-json\/wp\/v2\/tags?post=1437"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}