ABCs of Security in the Cloud Webinar
DESCRIPTION
Authentication, authorization, and data access controls are standard requirements for most data-centric apps. In a traditional client-server environment, these are often the most time-consuming features to implement, even for experts. In this session, you'll learn about Database.com's approach to user authentication with OAuth, user types, and a built-in, flexible data sharing model. Watch this webinar to learn about:
:: Common authentication patterns such as OAuth and SAML
:: How functional access controls provide simple administration of a user's permissions
:: How record-level access provides granularity of control at enterprise scale
:: How all three authorization and authentication patterns work together to do most of the work for you
Date: This webinar took place on Feb 23, 2012
More details: http://wiki.developerforce.com/page/Webinar:_Security
TRANSCRIPT
Security in the Cloud Webinar
Adam Torman Senior Product Manager
@atorman
Bud Vieira Senior Product Manager
@aavra
Chuck Mortimore Senior Director, Product Management
@cmort
Safe Harbor Safe harbor statement under the Private Securities Litigation Reform Act of 1995: This presentation may contain forward-looking statements that involve risks, uncertainties, and assumptions. If any such uncertainties materialize or if any of the assumptions proves incorrect, the results of salesforce.com, inc. could differ materially from the results expressed or implied by the forward-looking statements we make. All statements other than statements of historical fact could be deemed forward-looking, including any projections of product or service availability, subscriber growth, earnings, revenues, or other financial items and any statements regarding strategies or plans of management for future operations, statements of belief, any statements concerning new, planned, or upgraded services or technology developments and customer contracts or use of our services. The risks and uncertainties referred to above include – but are not limited to – risks associated with developing and delivering new functionality for our service, new products and services, our new business model, our past operating losses, possible fluctuations in our operating results and rate of growth, interruptions or delays in our Web hosting, breach of our security measures, the outcome of intellectual property and other litigation, risks associated with possible mergers and acquisitions, the immature market in which we operate, our relatively limited operating history, our ability to expand, retain, and motivate our employees and manage our growth, new releases of our service and successful customer deployment, our limited history reselling non-salesforce.com products, and utilization and selling to larger enterprise customers. Further information on potential factors that could affect the financial results of salesforce.com, inc. is included in our annual report on Form 10-Q for the most recent fiscal quarter ended July 31, 2011. 
These documents and others containing important disclosures are available on the SEC Filings section of the Investor Information section of our Web site. Any unreleased services or features referenced in this or other presentations, press releases or public statements are not currently available and may not be delivered on time or at all. Customers who purchase our services should make their purchase decisions based upon features that are currently available. Salesforce.com, inc. assumes no obligation and does not intend to update these forward-looking statements.
@forcedotcom / #forcewebinar Developer Force Group facebook.com/forcedotcom
http://bit.ly/sfcloudstock
Agenda
§ Force.com Overview
§ Authenticating Database.com Users
§ Provisioning Database.com Users
§ Controlling Access
§ Key Take Aways
§ Q&A
Enterprise Data Collaboration Platform
§ Trusted by the enterprise
§ Designed for social collaboration
§ Open for any language, platform, or device
§ Support for mobile applications
Chuck Mortimore Sr. Product Management Director
Core Security
Authentication and Database.com
§ Two primary mechanisms for authentication
§ Direct DB access with a privileged user
– One highly privileged user accesses all of the data
– Classic integration and database connection model; the application, not the database, has to enforce who may see what
§ Individual user accounts
– Each user has a named account
– Propagates identity all the way to the database tier
– Can simplify the development of authentication
– Allows granular authorization at the data tier
What is OAuth?
§ An open protocol that allows secure API access in a simple and standard way from desktop and web applications
§ Standardization of common, successful API patterns
§ Standards-track work in the IETF, with participation from Salesforce.com, Google, Microsoft, Facebook, Twitter, Yahoo, Oracle, etc.
Why Use OAuth
§ Simple
– Protocol is HTTP based
– Interfaces are already done; allows you to focus on your value add
§ Works great for mobile
– Salesforce mobile and desktop clients are switching
– No need for an API token
§ Stops the password anti-pattern
– Reduces the security and management issues with passwords
Direct DB Access with a Privileged User
§ Username/Password Flow
– Used for simple server-to-server integration use-cases
– The integration holds the credentials of one privileged user and sends them to the token endpoint, so reserve it for server-side code that can protect them; user-facing apps use the flows on the next slide

```http
POST /services/oauth2/token HTTP/1.1
Host: login.salesforce.com
Content-Type: application/x-www-form-urlencoded

grant_type=password&client_id={CLIENT_ID}&client_secret={CLIENT_SECRET}&redirect_uri={REDIRECT_URI}&username={USERNAME}&password={PASSWORD}

HTTP/1.1 200 OK
Content-Type: application/json

{"id":"https://login.salesforce.com/id/00D300000000mlxEAA/00530000000gKV8AAM","issued_at":"1313612089200","instance_url":"https://cmort-developer-edition.my.salesforce.com","signature":"NRbIb/EnYBfxKz9hApUI70Pl/Rog1S8ArsTHoxbj4eg=","access_token":"00D300000000mlx!AQoAQKtgvm50TODcRU3QboID1DctJIssSMRPWIdVmXcAF9vbqIppVOGIVGZ6MR2xzS2TjQix.bW3ZHH9OnColDSH.5fg_rM"}
```
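Added example (Python, not from the webinar slides): a client that builds the username-password grant body and verifies the `signature` field of the token response before trusting it. Salesforce documents `signature` as the Base64-encoded HMAC-SHA256 over `id` concatenated with `issued_at`, keyed with the client secret, so a server-side integration can confirm the identity URL belongs to the response it received; a user-agent client holds no secret and cannot make this check. The client secret, access token and identity values in the sample are constructed placeholders, not the credentials shown on the slide.

```python
"""Parse a Salesforce OAuth 2.0 token response and verify its `signature`.

Added example, not from the webinar slides. The signature check follows the
documented rule Base64(HMAC-SHA256(client_secret, id + issued_at)); every
secret and token value below is a constructed placeholder.
"""
import base64
import hashlib
import hmac
import json
from urllib.parse import urlencode

TOKEN_ENDPOINT = "https://login.salesforce.com/services/oauth2/token"


def password_grant_body(client_id, client_secret, username, password):
    """Form body for the username-password flow (server-to-server only).

    The user's password travels to the authorization server in this body,
    which is why the flow is reserved for an integration user whose
    credentials a server can protect.
    """
    return urlencode({
        "grant_type": "password",
        "client_id": client_id,
        "client_secret": client_secret,
        "username": username,
        "password": password,
    })


def sign_identity(client_secret, identity_url, issued_at):
    """Reproduce the server-side computation of the `signature` field."""
    mac = hmac.new(client_secret.encode(), (identity_url + issued_at).encode(),
                   hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def verify_token_response(raw_json, client_secret):
    """Parse the JSON token response and check `signature` in constant time.

    Returns the parsed fields on success, or None when a field is missing or
    the signature does not match; in that case the token must not be used.
    """
    resp = json.loads(raw_json)
    for key in ("id", "issued_at", "signature", "access_token", "instance_url"):
        if key not in resp:
            return None
    expected = sign_identity(client_secret, resp["id"], resp["issued_at"])
    if not hmac.compare_digest(expected.encode(), resp["signature"].encode()):
        return None
    return resp


# Constructed sample response; secret, IDs and token are placeholders.
SAMPLE_SECRET = "example-client-secret"
SAMPLE_ID = "https://login.salesforce.com/id/00D300000000mlxEAA/00530000000gKV8AAM"
SAMPLE_ISSUED_AT = "1313612089200"
SAMPLE_RESPONSE = json.dumps({
    "id": SAMPLE_ID,
    "issued_at": SAMPLE_ISSUED_AT,
    "instance_url": "https://na1.salesforce.com",
    "signature": sign_identity(SAMPLE_SECRET, SAMPLE_ID, SAMPLE_ISSUED_AT),
    "access_token": "00D300000000mlx!AQoAQKtgvm50TODc.placeholder",
})

if __name__ == "__main__":
    print(password_grant_body("MyClient", SAMPLE_SECRET, "integration@example.com", "pw"))
    verified = verify_token_response(SAMPLE_RESPONSE, SAMPLE_SECRET)
    print("verified" if verified else "REJECTED", verified and verified["instance_url"])
    print(verify_token_response(SAMPLE_RESPONSE, "wrong-secret"))  # None
```

`instance_url` from a verified response is the host for every subsequent API call; the `id` URL doubles as the identity endpoint covered a few slides later.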
Individual User Accounts
§ Web Server Flow
– For web servers, which can protect secrets. An authorization code is returned to the callback URL and exchanged for a token via a POST
§ User-Agent Flow
– For JavaScript, mobile, and desktop clients. The token is returned directly to the callback URL behind the # fragment
How Does It Work?
1) Device opens a browser with authorization URL
2) User is Authenticated
3) User Authorizes App
4) Tokens returned to device
What the User Sees: the Authentication (login) screen, then the Authorization (app approval) screen
Step 1: Open a URL

```
https://login.salesforce.com/services/oauth2/authorize
  ?response_type=token
  &client_id={YOUR_CLIENT_ID}
  &redirect_uri={YOUR_REDIRECT_URI}
```

Example:

```
https://login.salesforce.com/services/oauth2/authorize?response_type=token&client_id=MyClient&redirect_uri=myapp%3A%2F%2Fcallback
```
Step 2: Parse the Response

```
{YOUR_REDIRECT_URI}#access_token={SESSION}
  &refresh_token={LIKE_A_PASSWORD}
  &instance_url={USERS_INSTANCE}
  &id={IDENTITY_URL}
```

Example:

```
myapp://callback#access_token=czZCaGRSa3F0MzpnWDFmQm&refresh_token=5Aep8615VRsd_GrUz3LAcJl&redirect_uri=myapp%3A%2F%2Fcallback&instance_url=https%3A%2F%2Fna1.salesforce.com&id=https%3A%2F%2Flogin.salesforce.com%2Fid%2F00DD0000000FJCR%2F005D0000001B5bx
```
Step 3: Use your Token

```http
GET /some/resource HTTP/1.1
Host: na1.salesforce.com
Authorization: OAuth czZCaGRSa3F0MzpnWDFmQm
```
Using a Token
§ Token response: XML or JSON
– access_token: an API-only session ID (SID)
– refresh_token: a token you can use to get new access_tokens; protect it like a password
– instance_url: the user's instance
– id: a URL that is both a unique ID for the user and a getUserInfo-style profile endpoint
§ Using it with the API
– REST: HTTP header "Authorization: OAuth <access_token>"
– SOAP: place the access token in the SOAP header like a SID
Identity URL Service
§ Returns a central identity URL: https://login.salesforce.com/id/{orgid}/{userid}
§ Basic profile information similar to GetUserInfo
§ Discovery service for API endpoints
§ Chatter status and photos
§ Working to standardize this as "OpenID Connect"
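Added example (Python, not part of the slides): the client side of Steps 1 to 3 of the user-agent flow, plus the split of the identity URL into org and user IDs. It adds the standard OAuth `state` parameter, which the slides omit: the client generates it when building the authorize URL and rejects any callback whose fragment does not echo it, and it compares the redirect target against the registered URI exactly rather than by prefix, which is the check that stops a token from being delivered to a lookalike callback. The callback URL and token strings are constructed placeholders modelled on the slide's example.

```python
"""Client side of the OAuth 2.0 user-agent flow from Steps 1-3.

Added example, not from the webinar. The `state` parameter and the exact
redirect-URI comparison are standard OAuth client hygiene that the slides do
not show; the callback and token strings below are constructed samples.
"""
from urllib.parse import urlencode, urlsplit, parse_qs

AUTHORIZE_ENDPOINT = "https://login.salesforce.com/services/oauth2/authorize"
IDENTITY_PREFIX = "https://login.salesforce.com/id/"


def authorize_url(client_id, redirect_uri, state):
    """Step 1: the URL the device opens in a browser.

    `state` is an unguessable per-request value the client stores and later
    compares, so a callback the client did not initiate is rejected.
    """
    return AUTHORIZE_ENDPOINT + "?" + urlencode({
        "response_type": "token",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
    })


def parse_callback(callback_url, expected_redirect_uri, expected_state):
    """Step 2: pull the token out of the '#' fragment of the redirected URL.

    Returns the fragment fields as a dict, or None when the redirect landed
    anywhere other than the registered URI, the state does not match, or no
    access_token is present.
    """
    parts = urlsplit(callback_url)
    # Compare scheme://host/path exactly; prefix matching is how redirect
    # URI bypasses happen (e.g. myapp://callback.attacker.example).
    received = f"{parts.scheme}://{parts.netloc}{parts.path}"
    if received != expected_redirect_uri:
        return None
    fields = {k: v[0] for k, v in parse_qs(parts.fragment).items()}
    if fields.get("state") != expected_state or "access_token" not in fields:
        return None
    return fields


def identity_ids(identity_url):
    """Split https://login.salesforce.com/id/{orgid}/{userid} into its IDs."""
    if not identity_url.startswith(IDENTITY_PREFIX):
        raise ValueError("unexpected identity issuer: " + identity_url)
    org_id, user_id = identity_url[len(IDENTITY_PREFIX):].split("/")
    return org_id, user_id


def auth_header(access_token):
    """Step 3: the header sent with REST calls to the user's instance_url."""
    return {"Authorization": "OAuth " + access_token}


# Constructed callback shaped like the slide's example; values are placeholders.
SAMPLE_STATE = "c2f1d9b0"
SAMPLE_CALLBACK = (
    "myapp://callback#access_token=czZCaGRSa3F0MzpnWDFmQm"
    "&refresh_token=5Aep8615VRsd_GrUz3LAcJl"
    "&instance_url=https%3A%2F%2Fna1.salesforce.com"
    "&id=https%3A%2F%2Flogin.salesforce.com%2Fid%2F00DD0000000FJCR%2F005D0000001B5bx"
    "&state=" + SAMPLE_STATE
)

if __name__ == "__main__":
    print(authorize_url("MyClient", "myapp://callback", SAMPLE_STATE))
    tokens = parse_callback(SAMPLE_CALLBACK, "myapp://callback", SAMPLE_STATE)
    org, user = identity_ids(tokens["id"])
    print(org, user, tokens["instance_url"], auth_header(tokens["access_token"]))
```

Because the token arrives in the fragment, it never reaches the callback server's logs; it is only visible to the code running on the device, which is the reason this flow exists for clients that cannot hold a secret.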
Configuring a Client
Setup > Administration > Create > Remote Access
Demo Time!
Adam Torman and Bud Vieira Sr. Product Managers
Administration and Sharing
User Provisioning
§ Add multiple users quickly
§ Add single users with more detail
§ Use the sObject API for bulk
§ Use the REST API
§ Use SAML for upsert
User Provisioning with REST API

POST /services/data/v24.0/sobjects/User/ with a JSON body:

```json
{
  "Username" : "[email protected]",
  "LastName" : "Bordello",
  "FirstName" : "Gogol",
  "Email" : "[email protected]",
  "Alias" : "gUser",
  "CommunityNickname" : "gogolbordello1234",
  "IsActive" : false,
  "TimeZoneSidKey" : "America/Los_Angeles",
  "LocaleSidKey" : "en_US",
  "EmailEncodingKey" : "ISO-8859-1",
  "ProfileId" : "00e30000001btrSAAQ",
  "LanguageLocaleKey" : "en_US",
  "UserPermissionsMobileUser" : false,
  "UserPreferencesDisableAutoSubForFeeds" : false
}
```

GET /services/data/v24.0/sobjects/User/00530000004qkoH reads the created record back.

Try it in Workbench: https://workbench.developerforce.com/login.php
How do Profiles and Sharing Work Together
Keep the simple simple and make the complex possible
§ Profiles – what tables and columns can I access: Read/Create/Edit/Delete
§ Sharing – what rows can I access: Read/Write/Transfer/Full

Event Table, as the profile sees it: Read ✓ Create ✓ Edit ✓ Delete ✗

| Name | Description | Row-level sharing |
|---|---|---|
| Authentication: A Practical Guide | Practical Guide… | Read ✓ Write ✓ |
| Keynote 1 | Welcome to Dream… | Read ✗ Edit ✗ |
Demo: Access to the Dreamforce Event Object

Event Table

| Name | Description |
|---|---|
| Authentication: A Practical… | Practical Guide… |
| Keynote 1 | Welcome to Dream… |
| Developer Zone | Welcome Devs |
| Metallica! | Killer Show |
What’s a permission set?
§ Like profiles, a permission set is a collection of permissions and settings that allow users to do things in Salesforce.
§ What a user can do is determined by one profile plus permission sets
Demo: Least Privilege Permissions

Event Table

| Name | Description |
|---|---|
| Authentication: A Practical… | Practical Guide… |
| Keynote 1 | Welcome to Dream… |
| Developer Zone | Welcome Devs |

Db.com w/Events Profile: Read ✗ Edit ✗
Event Description Permission Set: Read ✓ Edit ✗

The permission set grants the read access the profile alone does not; the user ends up with exactly the profile plus the permission set, and nothing more.
Highlights of the Sharing Toolbox
§ Org Wide Defaults – default sharing model for all users
§ Role Hierarchy – management access to data
§ Sharing Rules – target access to specific groups
§ Programmatic Sharing – most granular, complete control
Demo: Opening up Sharing Access to Events

Event_Share Table

| User | Level | Reason |
|---|---|---|
| Demo User | Full | Owner |
| Event Owner | Full | Owner |
| Demo User | Read | Sharing Rule |
| Demo User | Read | Custom |
Key Takeaways
§ We have many ways to handle single sign-on – take your pick
§ There are privileged users, admin users, and everyone in between
§ Profiles and Sharing work together to keep the simple simple and make the complex scale
Resources
§ Security Wiki: http://wiki.developerforce.com/page/Security
§ Force.com Security Overview: http://wiki.developerforce.com/page/An_Overview_of_Force.com_Security
§ Security Implementation Guide: https://na1.salesforce.com/help/doc/en/salesforce_security_impl_guide.pdf
§ Security Cookbook Recipes: http://developer.force.com/cookbook/category/security/recent
§ I <3 Permission Sets (DF11 presentation): http://www.youtube.com/watch?v=arXxUgH9cD4
§ Using Apex Managed Sharing to Create Custom Record Sharing Logic: http://wiki.developerforce.com/page/Using_Apex_Managed_Sharing_to_Create_Custom_Record_Sharing_Logic
§ Digging Deeper into OAuth 2.0 on Force.com: http://wiki.developerforce.com/page/Digging_Deeper_into_OAuth_2.0_on_Force.com
Questions & Answers
Chuck Mortimore
Senior Director, Product Management
Bud Vieira
Senior Product Manager
Adam Torman
Senior Product Manager
http://bit.ly/securitywebinar
@atorman
@aavra
@cmort