Security

This is one of the topics that describes the architecture of the STEP solution. The full list is defined in the STEP Architecture topic here.

This section briefly covers the main aspects of security in relation to STEP.

Authentication

Authentication of users in STEP can be configured in the following ways:

  • Default user database maintained internally in the STEP database
  • LDAP
  • LDAP with Kerberos

The LDAP authentication methods allow STEP to be integrated with any existing user authentication infrastructure. The advantages are that users do not need to maintain an extra password for STEP and that the password policies of the central authentication mechanism are inherited by STEP.

Data Protection

Access to data in STEP is under fine-grained control by the application servers and is configured via the workbench client. User actions are set up and attached to user groups, and individual users receive permissions through membership of one or more of these groups. Granting of permissions is positive in the sense that the user actions specify what the users are allowed to do (not what they are not allowed to do). If a user is a member of two different user groups with overlapping sets of privileges, the resulting set of privileges will be the union of the two groups. For more information, refer to the Users and Groups section of the System Setup documentation here.
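
The union rule above, as an added example that is not STEP code or a STEP API: a small Python model of additive, allow-only group permissions. The group, user and action names are constructed for illustration. It shows default deny, the effective privilege set, and which groups must be changed to revoke an action.

```python
# Model of the additive (allow-only) permission scheme described above.
# All group, user and action names are constructed; none are STEP identifiers.
from typing import Dict, List, Set

GROUP_ACTIONS: Dict[str, Set[str]] = {
    "editors": {"view_product", "edit_product"},
    "approvers": {"view_product", "approve_product"},
    "readers": {"view_product"},
}
USER_GROUPS: Dict[str, Set[str]] = {
    "alice": {"editors", "approvers"},
    "bob": {"readers"},
}


def effective_actions(user: str) -> Set[str]:
    """Union of the actions granted by every group the user belongs to."""
    actions: Set[str] = set()
    for group in USER_GROUPS.get(user, set()):
        actions |= GROUP_ACTIONS.get(group, set())
    return actions


def is_allowed(user: str, action: str) -> bool:
    """Default deny: an action is allowed only if some group grants it."""
    return action in effective_actions(user)


def granting_groups(user: str, action: str) -> List[str]:
    """Groups through which the user holds an action.

    With no deny rules, revoking the action means changing every group listed.
    """
    return sorted(
        g for g in USER_GROUPS.get(user, set())
        if action in GROUP_ACTIONS.get(g, set())
    )


def accumulated_users() -> Dict[str, Set[str]]:
    """Users whose effective set exceeds every single group they are in.

    These are access-review candidates: their privileges exist only as a
    combination of memberships (for example edit plus approve).
    """
    found: Dict[str, Set[str]] = {}
    for user, groups in USER_GROUPS.items():
        eff = effective_actions(user)
        if groups and all(eff - GROUP_ACTIONS.get(g, set()) for g in groups):
            found[user] = eff
    return found
```
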

Network Security Considerations

The STEP cluster consists of the Oracle database server and the application servers, which must be on the same physical network with no firewalls between them. For more information, refer to the Network Consideration topic here.

Local OS Security

As with any secure system, only trusted users should be granted access to any of the servers in the cluster (Oracle database and the application servers). This protects against local privilege escalation attacks, which can be numerous and hard to guard against, and also limits the possibility of performance interference.