The Tsecurity system provides authentication and authorization services to custom applications running on the Windows platform. It extends the native authentication services provided by Windows to allow these custom applications to authenticate users defined either on the local machine or in the Active Directory (AD). In addition, it manages lists of users to be provided privileges to these applications and exposes methods for access to these lists.
...
Expand | ||
---|---|---|
| ||
Following is a flow chart of the sequence of events during authentication: Further information about the various timeout periods described in the above flow chart can be found in the Tsecurity Service Configuration [LINK]section of this manual. |
Expand | ||||||||
---|---|---|---|---|---|---|---|---|
| ||||||||
Simply put, a Tsecurity Application is merely the definition of the associations between various domain members and the special subset of privileges that they are given. The term application in this sense does not necessarily refer to a single executable program; although it may be the case that the Tsecurity Application only governs a single executable program, it is better to think of a Tsecurity Application more generally as a set of rules used by a piece of software to control access to itself. As an example, consider a group of custom-built screens for a rolling mill control system. The system owner would want his mill operators to be able to control the schedule through the Preset screen. Maintenance personnel would also be able to adjust the schedule, but should additionally be able to run various tests from the Diagnostics screen. And above all, engineers should be given rights to both the Preset and Diagnostic screens, as well as being able to adjust any system tuning parameters from the Tuning screen.
Following are definitions of some key terms used within a Tsecurity Application:
Continuing the rolling mill example from above: In order to manage security for the rolling mill applications, the system owner would define a Tsecurity Application named RollingMillScreens. Within this application there would be three privilege classes defined: Operators, Maintenance, and Engineers. In addition, there would be three privileges defined: ModifyPreset, RunDiagnostics, and TuneSystem. Privileges would be assigned to application privilege classes as follows:
Once the privilege classes and associated privileges have been defined, the system owner would need to add domain members to each of the appropriate privilege classes. For instance, Joe the Operator would be added to the list of members of the Operators group, Jane the Maintenance Tech would be added to the list of members of the Maintenance group, and Bob the Engineer would be added to the list of members of the Engineers group. Alternatively, if there is an Active Directory group already defined that contains of all engineers for the rolling mill, this AD group could be added to the Engineers application privilege class in the RollingMillScreens Tsecurity application and any domain user contained in that group in the Active Directory would be given all three of the above rights specified for the Engineers application privilege class.
This complete set of information, including the privileges, application privilege classes, domain members, and each of their interrelationships, comprises a Tsecurity Application. The definition for each Tsecurity Application is stored on the host in a separate XML file called an Application Security Configuration File (ASCF). These are described in detail in Application Security Configuration Files [LINK]. |
Expand | ||
---|---|---|
| ||
It is important to point out that under the Tsecurity framework the Tsecurity system itself is not responsible for preventing unwanted access to resources; rather it is a tool that allows other custom software to quickly, easily, and reliably determine if a given user should be provided access to some resource within that custom software. Given that a Tsecurity Application is merely a definition of user access rules within a set of software, it is important to realize that the software itself is ultimately responsible for managing its own the security. Generally speaking, a custom Tsecurity client would use Tsecurity in the following fashion:
|
...
Expand | ||
---|---|---|
| ||
The Tsecurity system comes in two different installation packages. First, Tsecurity is included as an integrated piece of a full TSENTRY installation. Alternatively, Tsecurity can be installed as a standalone package. However, both the standalone version of Tsecurity and the integrated version installed with TSENTRY cannot both be installed on the same system at the same time. If a host must be converted from a TSENTRY system to a plain Tsecurity host, or vice versa, the original software should first be uninstalled before installing the new version. In either case, the latest installation files can be obtained from the support section of the TSENTRY web site: http://www.tsentry.com. Once Tsecurity has been installed (either as part of a TSENTRY installation or as a standalone package) there are two additional steps that must be completed before the system will be fully operational:
|
...
Expand | ||
---|---|---|
| ||
The installation process registers the Tsecurity service on the local host. This service is configured to automatically start with Windows and executes under the Tsentry account, which is a local account on the Tsecurity host also created by the installation process. This service is described in more detail in the Tsecurity Service [LINK] section. |
Expand | ||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||||
The following registry changes are made by the installation process:
|
...
Expand | ||
---|---|---|
| ||
The Tsecurity service is fully configurable via a configuration file named Tsecurity.exe.config located in the same directory as the Tsecurity service binary executable. This is an XML file consistent with the application config file format specified by Microsoft .NET applications. For detailed information about the configuration of the Tsecurity service, refer to the TsecurityCfg [LINK] section of this manual. |
Expand | ||
---|---|---|
| ||
Following is a sample Tsecurity.config file:
|
...
Expand | ||
---|---|---|
| ||
The Tsecurity Administrators page is used to define the list of Tsecurity Administrators for the Tsecurity host. As described in the Managing Security Applications [LINK] section, a Tsecurity Administrator has full control of the Tsecurity system. Only a Tsecurity Administrator has the ability to create and destroy Tsecurity Applications and is responsible for specifying the owners of individual Tsecurity Applications. The name of each Tsecurity Administrator is listed as an owner of the special Tsecurity Tsecurity Application, which is stored in the Tsecurity.xml file in the ASCF folder specified on the System Parameters page. |
...
Expand | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||
The ASCF Editor screen displays all Tsecurity Applications owned by the currently logged in user (or all Tsecurity Applications configured on the host, in the case of the Tsecurity Administrator). The display uses a tree format to present all of the configuration parameters for each of the Tsecurity Applications. This format both provides the user with a complete view of all of the Tsecurity Applications as well as allowing him to drill down to any configuration parameter he wishes to view. Effectively this is simply a visual front end for displaying and modifying data and parameters contained in Application Security Configuration Files (ASCF); for more information about these parameters refer to the Application Security Configuration Files section. Each of the root nodes in the tree corresponds to an individual Tsecurity Application (and corresponding ASCF) owned by the current user. Beneath each root ASCF node are three subnodes:
In addition, the tree indicates all cross-links between objects in the Tsecurity Application configuration. For instance, if a user is associated with a particular application privilege class, that user will be listed under the Domain Members for the application privilege class, and also the application privilege class will be listed under the Application Privilege Class Memberships for the domain member. |
Info |
---|
“A-” as |
Expand | ||||||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Modifying a Tsecurity Application ConfigurationMost simple changes to a configuration, such as changing the Explicit SAK associated with a given application privilege class, can be made simply by left-clicking on a parameter value. The parameter value itself will become an editable field, which the user can modify appropriately. More complicated configuration changes, such as configuring a user for a Tsecurity Application, as well as many more options, are available by right-clicking at various locations within the display. Depending on where the user right-clicks, a context-dependent menu is presented with a variety of options. Each of the available menu options is described in the following table.
Find and Select User or Group FormThe Find and Select User or Group form is used to help locate directory objects for adding user accounts and user groups to Tsecurity Applications. This form is analogous to the native tools provided by Windows for managing users and groups within its own security infrastructure. The very top portion of the form provides an entry box for the ID and full name of the desired directory object and a set of options to define how this object should be treated, i.e. as a directory user or as a user group defined on the directory. Once the appropriate choices have been specified, the Accept button can be pressed to make the changes to the application configuration and close the form. Alternatively, the Cancel button can be pressed to cancel any choices and leave the configuration unchanged.
In order to help eliminate typing mistakes, the middle section of this form provides a set of controls for searching for existing users and user groups either on the local Tsecurity host or in the Active Directory. This tool is used as follows:
Below the search configuration section is a list box to display the results of the search. Once the search has completed the results will be displayed here. Single clicking on an entry in the results list will display the selection at the top of the form, including the name of the user account or user group and the selection as to whether this object should be treated as a user account or a user group. The user can then click on the Accept button to make the selection official and close the form. Alternatively, simply double clicking on an entry in the results list will automatically accept the selection and similarly close the form. Note that if the Find and Select User or Group form was invoked to choose an owner for a Tsecurity Application, only user accounts will be displayed in the search results and the option to identify the selected object as a user group will be disabled. This is because Tsecurity Application owners must be individual user accounts; they cannot be user groups. Adding Privileges to Application Privilege Classes and Vice VersaOnce an application security group has been created in a Tsecurity Application, and a privilege has been added to the same Tsecurity Application, an association can be made between the two. Right-clicking on an application privilege class presents the Select Privileges for Privilege Class option in the displayed context-dependent menu. Choosing this option invokes the Select Membership form, which allows the user to make the desired selections simply by checking and unchecking memberships as desired. Pressing the Accept button makes any changes to the memberships official, while pressing the Cancel button cancels any changes made within this form. Alternatively, a privilege can be associated with an application privilege class simply by dragging and dropping one object over the other within the tree view of the Tsecurity Application: left-click-and-hold on the privilege name and move the mouse up over the desired application privilege class. Releasing the left mouse button will drop the privilege into the application privilege class so that it is now listed as one of the Privileges for that application privilege class. Adding Domain Members to Application Privilege Classes and Vice VersaOnce an application security group has been created in a Tsecurity Application, and a user has been added to the same Tsecurity Application, an association can be made between the two in several different ways. First, right-clicking on an application privilege class or on an application user presents the Select Domain Members for Privilege Class and Select Privilege Classes for Domain Member options, respectively, in the displayed context-dependent menu. Choosing either of these options invokes the Select Membership form, which allows the user to make the desired selections simply by checking and unchecking memberships as desired. Pressing the Accept button makes any changes to the memberships official, while pressing the Cancel button cancels any changes made within this form. Alternatively, a domain member can be associated with an application privilege class simply by dragging and dropping one object over the other within the tree view of the Tsecurity Application. To add a domain member to an application privilege class left-click-and-hold on the domain member name and move the mouse up over the desired application privilege class. Releasing the left mouse button will drop the domain member into the application privilege class so that he is now listed as one of the Domain Members for that application privilege class. At the same time, the application privilege class will be automatically added to the list of Application Privilege Class Memberships for the user object. By the same token, to add an application privilege class membership to a given domain member, left-click-and-hold on the application privilege class name and move the mouse down over the desired domain member. Releasing the left mouse button will drop the application privilege class into the domain member so that it is now added to the list of Application Privilege Class Memberships for the domain member. At the same time the domain member will be automatically added to the list of Domain Members for the privilege class. Retrieving Security Access Keys and the Authenticate User FormOnce a domain member and an application privilege class have been associated with one another, the association can be tested by right-clicking on the user name and choosing the Get Security Access Key menu item. If the user object corresponds to a real user account (Object Type is specified as User), and that user is configured to use explicit membership specified in the ASCF only when calculating his SAK (the Use Explicit Membership Only flag is set to True), the SAK can be calculated directly. If the selected user object corresponds to a real user account, but rather than only using explicit membership in the ASCF, it is configured to use implicit membership in domain groups when calculating his SAK (i.e., the Use Explicit Membership Only flag is set to False), then the Authenticate User form will be displayed to query how the SAK should be calculated. In this case, the password for this user must be supplied to access the group membership in the directory. This is because the Tsecurity host does not necessarily have the credentials necessary to browse the directory for this information. Alternatively, if the Do Not Supply Password box is checked, the Tsecurity host will be instructed to check Active Directory group membership using the any available domain browse accounts that it has been configured to use. Refer to the[LINK] Tsecurity Service Configuration section for more information about configuring the Tsecurity host to use domain browse accounts. In all other circumstances choosing the Get Security Access Key menu item allows the SAK to be retrieved for any arbitrary user. In this situation the Authenticate User form is displayed to retrieve the user name, password, and domain. The above will be the case when the selected user object corresponds to a user group (Object Type is specified as User). In this case a specific user for whom the SAK should be calculated has not been specified, and so the Authenticate User form must be displayed to retrieve this information. Saving a Tsecurity Application ConfigurationAny time a Tsecurity Application has been modified, it must be saved back to the host before the changes will be made official. If a Tsecurity Application has been modified but not yet saved, its name is displayed followed by an asterisk (*). A Tsecurity Application can be saved to the host by right-clicking on the Tsecurity Application name and selecting the Save Application menu item. |
...