Security Considerations with

MultiSite Collaboration
- Ayan B.
Agenda
• Multisite Basics

• Multisite Deployment

• Sharing Write Access to Shared Data

• Multisite Collaboration Accessors

• Object Protection & Ownership

• Multisite Security Considerations

• Best Practices

2012 by AyanB 2
Multisite Basics

• XYZ Corporation has offices at above global locations with separate DBs

• During product development, the engineering sites in Detroit & London occasionally share small amounts of
data with one another and with their suppliers in São Paulo and Tokyo

• After product development completes, engineering data is exported to the Detroit manufacturing site

2012 by AyanB 3
Multisite Basics …(cntd.)

2012 by AyanB 4
Multisite Basics …(cntd.)

2012 by AyanB 5
Multisite Basics …(cntd.)

• Data Replication

• Data Synchronization

• Publish/Unpublish to ODS

2012 by AyanB 6
Data Replication

2012 by AyanB 7
Multisite Deployment

2012 by AyanB 8
Sharing Write Access to Shared Data
• Transfer Ownership
• Remote site imports object with “Transfer of Site Ownership”
• When remote site gains the ownership of object, the object can be
modified
• When all modifications are made, site ownership is transferred back
original owning site
• Ownership access by remote users is controlled by owning site using site
preferences and AM rules

• Remote Checkin/Checkout
• When remote checkout is performed, replica object is checked-out at the
owning site
• Remote checkout status on the master object is turned ON
• When all modifications are done on replica, it is checked-in to the owning
site via remote checkin
• Remote checkout status on the master object is turned OFF
2012 by AyanB 9
Multisite Collaboration Accessors

• Site=site_id
This is used to specify a particular site by its unique site ID

• Remote Site
This is similar to world, it represents all other sites

2012 by AyanB 10
Object Protection & Ownership

• In collaborative environments (multisite), level of complexity is very

high in order to extend object protection across entire network
• Multisite collaboration uses concept of “owning-site” in addition to
“owning-user” & “owning-group”
• Access control on replica data
• If “owning-user” & “owning-group” of the master object are defined at the
importing site, then replica will be owned by same user and group
(ownership is fully preserved)
• If “owning-user” & “owning-group” of the master object are not defined at
the importing site, then the replica will be owned by the user performing
import and that user’s current group will be the owning group.
• If TC_retain_group_on_import (site preference) is TRUE, original
group will be preserved

2012 by AyanB 11
Multisite Security Considerations

• Multisite collaboration security mechanism only apply AM rules at the site

level
• The remote site’s privileges are checked against the owning site’s AM rule
tree
• Access to individual objects at the owning site are not validated against the
individual remote user’s privileges
• An individual remote user’s privileges are currently enforced by site
preferences
• Enhanced multisite security allows access to remote operations based on user
ID (based on boolean value of TC_check_remote_user_priv_from_sites
site level preference)
• Remote checkout

2012 by AyanB 12
Best Practices
• Before laying down the multisite security model, identify all security issues that
must be addressed and implemented. Document all.
• Publish high-level objects
• Specify at least one target site when exporting an object
• If possible, use rules-based object protection at all sites and define similar rules so
that access to shared objects is uniform across the entire Multi-Site Collaboration
network
• Define a consistent set of users for all sites whenever possible
• Remote checkin/checkout is used over import with transfer ownership whenever a
smaller/lower level replica data need to be modified

2012 by AyanB 13
 Q&A

Email
ayan_b23@yahoo.co.in

2012 by AyanB 14