Interesting things about ECM

2010/05/20

Oracle UCM – Security model, ACLs and performance

Filed under: Oracle UCM, Security, Stellent — Anthony Fast @ 6:26 am

Source: http://bexhuff.com/2009/09/the-deep-dark-secret-origin-of-oracle-ucms-security-model#comment-4629

Maybe somebody should revise the Oracle® Universal Content Management guide, “Managing Security and User Access,” where it says on page 7-4: “If you enable accounts and use them, you cannot disable them without losing data. DO NOT enable accounts unless you are certain that you want to use them.” Either the documentation is wrong, or you lose data. It says nothing about the “appearance” of having lost data.

Page 3-3 of the same piece of documentation says: “The number of security groups should be kept at a minimum to provide optimum search performance and user administration performance. If your security model requires more than 50 security classifications, you should enable accounts and use them to control user permissions.” I take this to mean that the performance degrades noticeably (or can degrade noticeably) after you scale beyond 50 security classifications. Later, the documentation cites an example where changing a single permission can take 10 seconds. Not to be a pain in the ass, Bex, but how does this support your statement “This model scales very well”?? (I take it back. I am being a pain in the ass.)

One last carp. You say that “ACLs are horribly slow and impossible to administer.” For this particular CMS application, that may be true, I don’t know. All I know is that ACLs are the de facto industry standard way of doing this sort of thing. When you choose Door No. 3 and invent a nonstandard approach to solving a problem for which the wheel has already been invented, you only end up needlessly confusing and scaring analysts — and making customers read documentation, something they hate doing.

At any rate, I did learn a lot from your excellent writeup. Thanks for doing it. I feel better now. 😉

Answer by bex: http://bexhuff.com/2009/09/the-deep-dark-secret-origin-of-oracle-ucms-security-model#comment-4630

Don’t know why that’s there… the content you checked in is still in the repository, and the metadata is still safe and sound in the database. Users will lose access to these documents, until you either update all your users, or update all of the values for “account” in the database to blank. You can do batch metadata changes with the Archiver tool… which should be done prior to turning off accounts anyway.

“I take this to mean that the performance degrades noticeably (or can degrade noticeably) after you scale beyond 50 security classifications.”

In general, performance degradation is due to the complexity of the security model, and not the number of groups or accounts. For example, if you have 100 classifications, but most users can only access one or two classifications, you won’t see many problems. The “security clause” I mentioned above would be pretty small… However, if every user gets access to 50 classifications in different ways, then you’re likely to see performance degrade a bit because of the increased complexity of the SQL in the security clauses. This can be fixed with some database tuning, however. Some of the admin applets — like User Admin — load more slowly depending on the number of security groups, but that’s rarely a big deal.

“All I know is that ACLs are the de facto industry standard way of doing this sort of thing.”

Slow searches are also the de facto industry standard 😉

ACLs are easy, which is why everybody does it that way. We took a look at how everybody else did it, and knew that they were doing it in a way that would require a ton of hardware in order to function, a ton of maintenance, and a ton of risk. We didn’t want to go that route… and what we came up with was pretty close to how LDAP does things. Seems to me like a good gamble that paid off…

I cannot name names, but I encourage you to talk with enterprise architects in industries with serious security concerns — like financial and government — to ask them what they think of ACLs in general. As I said, you still can do ACLs with Oracle UCM, but you’ll need beefier hardware.


2010/03/05

Should Oracle be on your Web CMS shortlist?

Filed under: Oracle UCM, Performance, Security, Stellent, WCM — Anthony Fast @ 1:58 pm

Source: http://www.jboye.com/blogpost/should-oracle-be-on-your-web-cms-shortlist/
August 31st, 2009 by Janus Boye

Oracle is among the largest global enterprise software vendors and like IBM and Microsoft, Oracle entered the CMS marketplace via an acquisition (Stellent in 2007). Oracle Universal Content Management (UCM) is based on the original Stellent product now fully rebranded, much improved and leading the market according to IT analyst Gartner. Does this make Oracle an obvious and safe candidate on your Web CMS shortlist?

We find that Oracle UCM does not come up often in standalone Web CMS selections, which is why it did not appear on our 2009 CMS Shortlist. According to Oracle sales pitches, the product has experienced increased adoption in recent years. As the Oracle customer list is very long and Oracle is known for upselling to the install base and for including UCM in larger deals, this sounds plausible.

Depending on your specific requirements, there are several reasons which might make Oracle a meaningful inclusion on your shortlist.

  • Oracle has continued to invest engineering resources in the product and made several recent improvements to the WCM part of UCM including usability, personalisation and accessibility.
  • As a large software vendor, you may already have a strong existing relationship with Oracle. If this is the case, your stakeholders will probably appreciate getting a proposal from Oracle.
  • If you have a strong requirement to manage non-web content, e.g. documents, this will play well with the product’s strengths.

Before you go ahead and add Oracle UCM to the shortlist, here are a few bullets for your consideration:

  • License and implementation cost will require a serious budget. The starting price is either US $115k per-CPU or $2,300 per system user. Moreover, Oracle implementation partners are not known for attractive hourly rates.
  • Usability might have been improved, but still existing customers on the newest version of the product are so frustrated with poor usability that they publish commentaries like Oracle, can you improve your poor usability please? by Mark Morrell at BT.
  • You will need to learn the proprietary “Idoc Script” language for Site Studio until 11g release comes out.
  • UCM is a complex product and will be overkill for many scenarios.

Oracle is planning to release the much-anticipated 11g version of Oracle UCM later this year, which we look forward to studying closer. In the meantime, consider talking to Oracle on getting more information about what’s coming.

Comment on this article by Kas Thomas August 31st, 2009 21:49, Source: http://www.jboye.com/blogpost/should-oracle-be-on-your-web-cms-shortlist/

I would add another precautionary bullet point, having to do with the rights model. Study the UCM roles and rights model carefully and compare it against your requirements; that’s my advice. Maybe @bex or someone with deep UCM experience can educate me here, but I find the UCM rights model a tad unconventional. It defines a security group as a collection of files (not users). It maps rights to roles, then users to roles. Each security group is accessible to appropriately privileged roles.

If you create more than 50 security groups, system performance (initially at the admin level, but eventually at the user level) begins to take a hit, at which point Oracle suggests you turn on a feature called Accounts, which is a more granular, hierarchical permissions model. But if you choose to enable “Accounts,” you can’t go back to a non-accounts-enabled model without losing data (according to Oracle’s own documentation).

The whole thing seems a bit scary to me, but maybe that’s because I don’t understand it, which is not infrequently the case with things that scare me.

2009/10/15

A Letter to EMC About Federations

Filed under: Documentum, Performance, Security — Anthony Fast @ 10:23 pm

Source: http://wordofpie.com/2009/09/20/a-letter-to-emc-about-federations/

Dear EMC,

Hey there.  How are you doing? It was nice running into you at the AIIM Seminar last week.  I’ve been trying to tell people that CenterStage is not intended to take SharePoint out as we discussed.  People are listening, but only time will tell if it will matter.

I want to talk to you about an issue that I’ve been encountering.  I’ve talked to you about this before, but I’m not sure that you were paying attention.  I just wanted to mention it again to let you know that this is actually important.

I just spent 11 hours of my weekend creating a Federation in a production environment.  It wasn’t the only thing being done to the environment this weekend, but it was a big-old dependency for many other tasks.  We were creating a new repository and don’t want to manage our users (15K), or the corresponding ACLs, in multiple locations. Since a single repository was out of the question, we went the federated route.

Here is the creation process…I create a Federation in the global repository.  It then creates a Federation object in the member repositories and then exports the users, groups, and roles into a file.  That file is then ingested into the member repositories.  The issue is, problems are always encountered during the process.  You’ve told me that there is no recovery or “fix”.  The answer, according to your tech support, is to delete the Federation and repeat the process.  The deletion doesn’t always work and I have to confirm that the data in the database for all repositories reflect the deletion.  There are a few service restarts in there to make sure that caches are clear as well.

This is repeated until it works.  It isn’t helped that if a user is renamed in LDAP that the change doesn’t get reflected in the groups.  This causes the group to fail when it is moved to another repository because it can’t find the user.  Why the rename doesn’t work, or why you still use user names and not your unique object ids to do this linking, is for another day.

I finally got it all to work and my team is wrapping the deployment up, after many had to wait around for the Federation to complete.  Someone brought in Krispy Kreme, so we aren’t starving (though we probably all lost a few days from our life span).  I’m even coming to terms with missing the Tennessee-Florida game and the upset of Southern Cal by Washington yesterday.

Assuming that the process worked the first time, it should have been over and done in an hour or less.  My client is paying for the time. The problem is, I can’t get that 10 hours back with my wife or kids.  Half of my weekend is gone from this process and I want to know…

How are you going to help me make it up to my family?

See you soon.

-Pie

2009/10/05

ecmtechnicalsupport to Public Access to Records in Oracle UCM

Filed under: General, Hijacking, Oracle UCM, Security — Anthony Fast @ 10:32 pm

Source: http://ecmtechnicalsupport.wordpress.com/2009/06/19/public-access-to-records-in-oracle-ucm-can-make-web-sites-vulnerable/

Public Access to Records in Oracle UCM Can Make Web Sites Vulnerable

I was recently surprised to find a lot of companies running Oracle UCM systems that were exposed in a way that someone could hijack the website. We were looking for documents related to generic properties forms on the internet and quickly found 4 large government and corporate companies with systems left wide open with material relating to their websites. We logged on as a guest user and we could have deleted the web content or checked out the content and checked in new content giving us control of what is on their websites. I was able to get the emails of the contributors from the system and emailed them to let them know that they need to lock down their site. It was interesting that I never got a response from any of the people and that the web sites are still exposed. When mixing critical business content and public access you can’t take security and rights issues lightly. In this case, a simple checkbox can make the difference between fast access to important ECM records and becoming a victim of HTML theft.

2009/09/30

Bex Huff: The Deep, Dark, Secret Origin Of Oracle UCM's Security Model

Filed under: General, Oracle UCM, Performance, Security — Anthony Fast @ 11:15 pm

Source: http://bexhuff.com/2009/09/the-deep-dark-secret-origin-of-oracle-ucms-security-model

The Deep, Dark, Secret Origin Of Oracle UCM’s Security Model

September 4, 2009 – 9:54am — bex

On a recent blog post about Oracle UCM — Should Oracle Be On Your Web Content Management Short List? — CMS Watch analyst Kas Thomas commented that he thought Oracle’s security model was a bit spooky. He admitted that this may be because he didn’t know enough about it: his concern stemmed from an overly stern warning in Oracle’s documentation.

Alan Baer from Oracle soothed his fears and said that the documentation needed a bit of work… The documentation mentioned that changing the security model might cause data loss, which is in no way true. It should say that changing the security model might cause the perception of data loss, when in fact the repository is perfectly fine… the problem is that when you make some kinds of changes to the security model, you’ll need to update the security settings of all your users so they can access their content.

Nevertheless, I thought it might be a good idea to explain why Oracle UCM’s security model is how it is…

Back in the mid 1990s when UCM was first designed, it had a very basic security model. It was the first web-based content management system, so we were initially happy just to get stuff online! But immediately after that first milestone, the team had to make a tough decision on how to design the security model. We needed to get it right, because we would probably be stuck with it for a long time.

  1. Should it be a clone of other content management systems, which had access-control lists?
  2. Should it be a clone of the unix file permissions, with directory and file based ownership?
  3. Or, should it be something completely different?

As with many things, the dev team went with door number 3…

Unix file permissions were simply not flexible enough to manage documents that were “owned” by multiple people and teams. The directory model was compelling, but we needed something more.

Access Control Lists (ACLs) are certainly powerful and flexible, because you store who (Bob, Joe) gets what rights (read, delete) to which documents. The ACLs are set by the content contributors when they submit content. However, ACLs are horribly slow and impossible to administer. For example, I as an administrator have very little control over how you as a user set up your access control lists. Let’s say some kinds of content are so important that I want Bob to always have access, but Joe never gets access. If Bob gets to set the ACLs on check-in, then there’s a risk he gives Joe access. It’s tough to solve this problem in any real way without a bazillion rules and exceptions that are impossible to maintain or audit.

Instead, the team decided to design their security model with seven primary parts:

  • SECURITY GROUPS are like a classification of a piece of content. Think: restricted, classified, secret, top secret, etc. As Jay mentioned in the comments, these are groups of content items, and not groups of users.
  • ACCOUNTS are like the directory location of where a content item resides in a security hierarchy. Think: HR, R&D, London offices, London HR, etc. These are typically department-oriented, but it’s also easy to make cross-departmental task-specific accounts for special projects.
  • DOCUMENTS are required to have one and only one security group. Accounts are optional. This information is stored with the metadata of the document (title, author, creation date, etc.) in the database.
  • PERMISSIONS are rules about what kind of access is available to a document. You could have read-access-to-Top-Secret-documents, or delete-access-to-HR-documents. If the document is in an account, then the user’s access is the union of account and group permissions. For example, if you only had read access to the Top Secret group, and read access to HR, you’d be able to read Top-Secret-HR content. However, you would not see Top-Secret-R&D content.
  • ROLES are collections of security group permissions, so that they are easier to administer. For example, a contributor role would probably have read and write access to certain kinds of documents, whereas the admin role would have total control over all documents. Change the role, and you change the rights of all users with that role.
  • USERS are given roles, which grants them different kinds of access to different kinds of documents. They can also be granted account access.
  • SERVICES are defined with a hard-coded access level. So a “search” service would require “read” access to a document, otherwise it won’t be displayed to the user. A “contribution” service would require that the user have “write” access to the specific group and account, otherwise you will get an access denied error.

This kind of security model has many advantages… firstly, it is easy to maintain. Just give a user a collection of roles, and say what department they are in, and then they should have access to all the content needed to do their job. It works very well with how LDAP and Active Directory grant “permissions” to users. That’s why it is usually a minimal amount of effort to integrate Oracle UCM with existing identity management solutions.

Secondly, this model scales very well. It is very, very fast to determine if a user has rights to perform a specific action, even if you need to do a security check on thousands of content items. For example, when somebody searches for “documents with ‘foo’ in the title,” all the content server needs to do is append a security clause to the query. For a “guest” user, the query becomes “documents with ‘foo’ in the title AND in the security group ‘Public’.” Simple, scalable, and fast.

There are, of course, dozens of ways to enhance this model with add-on components… The optional “Collaboration Server” add-on includes ACLs, along with the obligatory documentation on how ACLs don’t scale as well as the standard security model… The optional “Need To Know” component opens up the security a bit to let people see some parts of a content item, but not all. For example, they could see the title and date of the “Hydrogen Bomb Blueprints” document, but they would not be able to download the document. The “Records Management” component adds a whole bunch of new permissions, such as “create record” and “freeze record.” I’ve written some even weirder customizations before… they aren’t much effort, and are very solid.

I asked Sam White if he could do it all over again, would he do it the same? For the most part, he said yes. Although he’d probably change the terminology a bit — “classification” instead of “role,” “directory” instead of “account.” In other words, he’d make it follow the LDAP terminology and conventions as closely as possible… so it would be even easier to administer.

I do think it is a testament to the skills of the UCM team that the security model so closely mirrors how LDAP security is organized… considering LDAP was designed over many years by an international team of highly experienced security nerds. I’m also happy when it gets the “thumbs-up” from very smart, very paranoid, federal government agencies…
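
An added example, not code from the post or from Oracle UCM: a sketch of the “security clause” described above, where a search is restricted by ANDing the user's permitted security groups and accounts onto the query. The table and column names, permission bits and sample roles, users and documents are constructed for illustration; accounts are matched exactly rather than hierarchically, and a document in an account requires the right on both its group and its account, as in the Top-Secret-HR example.

```python
import sqlite3

READ, WRITE, DELETE = 1, 2, 4  # permission bits (constructed for this example)

# Roles are collections of security-group permissions (constructed sample data).
ROLES = {
    "guest":       {"Public": READ},
    "contributor": {"Public": READ | WRITE, "TopSecret": READ},
}
# Users are given roles, plus optional per-account rights.
USERS = {
    "guest": {"roles": ["guest"], "accounts": {}},
    "bob":   {"roles": ["contributor"], "accounts": {"HR": READ}},
}

def allowed_groups(user, needed):
    """Security groups on which any of the user's roles grants `needed`."""
    merged = {}
    for role in USERS[user]["roles"]:
        for group, bits in ROLES[role].items():
            merged[group] = merged.get(group, 0) | bits
    return sorted(g for g, bits in merged.items() if bits & needed == needed)

def security_clause(user, needed=READ):
    """Return (sql, params) to AND onto a document query for this user."""
    groups = allowed_groups(user, needed)
    accounts = sorted(a for a, bits in USERS[user]["accounts"].items()
                      if bits & needed == needed)
    if not groups:
        return "0 = 1", []  # fail closed: no group access means no rows
    sql = "security_group IN (%s)" % ", ".join("?" * len(groups))
    # A document without an account is governed by its group alone; a document
    # in an account also requires the right on that account.
    acct = "account = ''"
    if accounts:
        acct += " OR account IN (%s)" % ", ".join("?" * len(accounts))
    return "%s AND (%s)" % (sql, acct), groups + accounts

def search(conn, user, title_word):
    """Title search with the user's security clause appended."""
    clause, params = security_clause(user)
    query = ("SELECT title FROM documents WHERE title LIKE ? AND "
             + clause + " ORDER BY title")
    return [r[0] for r in conn.execute(query, ["%" + title_word + "%"] + params)]

def sample_repository():
    """In-memory repository with four constructed documents."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE documents (title TEXT, security_group TEXT, account TEXT)")
    conn.executemany("INSERT INTO documents VALUES (?, ?, ?)", [
        ("foo press release", "Public", ""),
        ("foo salary bands", "TopSecret", "HR"),
        ("foo prototype specs", "TopSecret", "R&D"),
        ("foo handbook", "Public", "HR"),
    ])
    return conn

if __name__ == "__main__":
    conn = sample_repository()
    for user in ("guest", "bob"):
        print(user, security_clause(user), search(conn, user, "foo"))
```

The filter is a short, parameterized predicate evaluated by the database per query, so its size follows the number of groups and accounts a user holds rather than the number of documents.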
