home-DTAP    IAF    Mindset    Glossary    DTAP    Security    (Ir)responsible    Project
Infra life cycles     BU advance details    Soll-Ist Tmplt     Version tools       top  bottom

DTAP lcm scm - soll ist, templates


DTAP build SAAS prod

As middelware has his own requirements and own challenges.

It is hell of a job to get all misunderstandings caused by of business application and OS layer views out of it.

Some OS are more common than others, making it more easy to get a working situation. Unix (Linux) is the toughest to undertand well.
A worked out Unix (Linux) sample of middelware buisness and OS is at My Gathered Samples



Infrastructure components Life cycle

This is daily life. Using words and limited view of environments leading to much misundertanding


DTAP lifecycle

Middleware - tooling A,P

Statement:
The versions of the A and P environment (machines) of Middleware and OS level should be exact equal.
There is no other way the be able to find shortcoming in functionality at the business level.

Statement:
Newer versions of the A and P environment (machines) of Middleware and OS level should be tested with a well known production version of business logic with "regresion test". There is no other way the be able to find shortcoming in functionality at lower levels having impact at the business level.

Middleware - tooling LCM

The life cycle management of middelware.... To describe later




Failed dependicy Business logic

The life cycle management of business logic can not be managed by setting up machines.
Although you are naming machines D,T,A,P the business process does not match to machines. Trying to do this will fail.

The reason is: You are not sure the introduced difference in OS and Middleware will be the root-cause of a erroneous deployment to production.

Operating System - Hardware - Locations

The life cycle management of middleware.... To describe later

There is many hardware with a list of available operating systems.
Think of it by



Infra life cycles     BU advance details    Soll-Ist Tmplt     Version tools       top  bottom

Business advanced details

This is daily life. Using words and limited view of environments leading to much misundertanding


DTAP Business logic

Business Logic

promote ship/deploy

The business logic can be maintained within a DTAP approach.

The get an exact identical copy from out of the softwarelibrary, it is sensible to clean up the target destination first.

With SAS the meta data servers in use DTAP segregation can be indicated as Lev4=D Lev3=T Lev2=A Lev1=P


DTAP business logic parallel

parallel development

The business logic can be maintained parallel, tested in parallel. In the Picture 5 parallel options are given: x (emergency-fix), standard, parallel-1 (u), parallel-1 (v), parallel-1 (w)
The letters x,u,v,w are used because they have no other meanings with DTAP.



Business data

DTAP business data

primary process, bu

believe You need also business data. This is a part to segregate very well within DTAP. The best way the do it is by a well defined security approach.
Sometimes it is tried failing security to solve by hardware isolation. This can work well with the classic business logic development.

Analytics - Mining

like hell Analytics - Mining ha an other goal. It is about to find information not known yet. As there is no process defined yet to find that information the only option is to develop the analytics on production-data.
This can be allowed as long the business data is not updated (just read-only) or isolated from the primary process location (data warehouse, data marts).
When there is an isolation defined on the level technology (networking) this is an impossible situation to get working.



DTAP accept data

Acceptance of production data

believe The resulting report of an analytics process done by dtap approach or directly on production data must be approved before published.

The approvement of the report can use words as acceptance quality etc. This process is total different to life cycle management of software or segregation of test-data. Altough the same words are used a diferent action and the approval is a different way are executed.

It is production business software and production business data that must be used. Just the report / result must be reviewed. The picture helps hopefully to understand. Needing a duplication of production data.




Infra life cycles     BU advance details    Soll-Ist Tmplt     Version tools       top  bottom

Soll Ist Templates

Legend explanation used codes

The information in my tables looks as very much information. The attempt is to define a template to be used by all middleware and all business applications.
As they can be overwhelming in Rbac projects in big organizations, it is very little I have left over of such a administration.

If this design template is accepted, the authorization process can set up highly automated. The same solution rolling out over and over again. Avoiding re-architecturing and all discussions.

Middleware Installation

Description needed Accounts
The technical owner (see OS security) can not be a personal account (key) therefore Non Personal Accounts must be used
The NPA´s classified why and when needed are:

Accounts group connections - Accounts directories files
-
m
i
-
m
c
-
m
l
inst<NPA> *
conf<NPA> **
beh<NPA> ***
adm<NPA> ***
spwn<NPA> ***
exec<NPA> ***
root
-
m
i
-
m
c
-
m
l
  -
m
i
-
m
c
-
m
l
-
.
r
inst<NPA> r-x r-x
conf<NPA> rst r-x
beh<NPA> rst r-x
adm<NPA> r-x
spwn<NPA> rst r-x
exec<NPA> rst r-x
root u-x


As runtime data does not be to be created by the technical owner, other accounts are able to become the owner of a file.
Even personal accounts are possible to be in place. Analysts and end-user-computing are causing this. In temporary data like " Unix \tmp " this a common situation.

To get the middelware to the business the installation group and configuration group, are to be connected to the business account (indication by column -m.)

As all accounts are NPA´s the limitation of em. is always included. Solved by nosshd(unix) or equal measures.
Middleware supporting Business
_
s
d
_
s
t
_
s
a
_
s
p
_
b
d
_
b
t
_
b
a
_
b
p
_
m
.
e
m
.
h
m
.
x
s
d
x
s
t
x
s
a
x
s
p
x
b
d
x
b
t
x
b
a
x
b
p
x
m
b
x
m
i
x
m
m
  x
m
b
x
m
i
x
m
m
Midw admin bu spoc(1) * * * * * * * * * *
Infra admin os spoc(1) * * * * * * * * * *
Infra maintenance (1) *
(several different middleware)
Midw admin bu spoc(2) *
Infra admin os spoc(2) *
Infra maintenance (2) *


The implementation of the business environment is requiring that level of technical skills it is better to let it be implemented by specialists (infrastructure).
It most have controlled (auditable) access tot these business NPA´s. For that the change user (x..) rights are required.


The be able to test the whole line of business it is very sensible to have a business-like environment to do that. Call it a verification or education environment. It can be used for daily operations as logging and reporting.
There is nog business data involved no business logic. It will be a complete by security segregated environment.



Business environment segregations

Description needed Accounts
The technical owner (see OS security) can not be a personal account (key) therefore Non Personal Accounts must be used

The NPA´s classified why and when needed are:

The naming of the related groups and directories is kept the same or almost the same. This is assuming that reading all these tables, the technical difference between a groups, an account and a directory is kept in mind.
Accounts group connections
_
s
d
_
s
t
_
s
a
_
s
p
_
b
d
_
b
t
_
b
a
_
b
p
_
m
.
e
m
.
h
m
.
x
s
d
x
s
t
x
s
a
x
s
p
x
b
d
x
b
t
x
b
a
x
b
p
applid_sd * * * *
applid_st * * * * *
applid_sa * * * * *
applid_sp * * * *
applid_bd * * * * * * * *
applid_bt * * * * * * *
applid_ba * * * * * *
applid_bp * * * * *


In these group connections every NPA is connected to a combination of groups it can be used to do privileged task. No direct login is permitted em.
The technical owners of the business logic (applid_s<dtap>) have switch user rights to be able to using with promoting
The technical owners of the business data (applid_b<dtap>) have several additional group right. On Unix these can be file-transfer Cron or other operational services hm.

Business directory and file access
Bu Logic -
.
d
-
.
t
-
.
a
-
.
p
  -
.
d
-
.
t
-
.
a
-
.
p
_sd directory - Files rwxr-xr-xr-x rwxr-xr-xr-x
_st directory - Files r-xr-xr-x r-xr-xr-x
_sa directory - Files r-xr-x r-xr-x
_sp directory - Files r-x r-x


The access to directories, first four-dtap columns, is identical to those of files, second four-dtap columns.
As business logic is promoted and deployed/shipped with strict processes using the technical owners this is guaranteed.

Bu Data -
.
d
-
.
t
-
.
a
-
.
p
  -
.
d
-
.
t
-
.
a
-
.
p
_bd directory - files (1) rwx rw*
_bt directory - files (1) r-x r-*
_bt directory - files (2) rsx rw*
_bt directory - files (3) rst r?*
_ba directory - files (1) r-x r-*
_ba directory - files (2) rsx rw*
_ba directory - files (3) rst r?*
_bp directory - files (1) r-x r-*
_bp directory - files (2) rsx rw*
_bp directory - files (3) rst r?*


The access to directories, first four-dtap columns, can be different to those of files, second four-dtap columns.
As business data does not be to be created by the technical owner other accounts are able to become the owner of a file.
Even personal accounts are possible to be in place. Analysts and end-user-computing are causing this.


Business normal users
_
s
d
_
s
t
_
s
a
_
s
p
_
b
d
_
b
t
_
b
a
_
b
p
_
m
.
e
m
.
h
m
.
x
s
d
x
s
t
x
s
a
x
s
p
x
b
d
x
b
t
x
b
a
x
b
p
BU Developer * * * * * * * *
BU Tester * * * * * *
BU Acpt tester * * * *
BU User Standard * * *
BU User Analyst * * *


Granting the access to business users is the most simple off all. Granting the needed groups to their role.
The list of all middleware groups is combined it the -m. column.

The support staff at business side is a combination of other groups.

Some combinations of groups are not allowed underpinned by "segregation of duties" conforming the business policies and risk impact analyses.
Business support
_
s
d
_
s
t
_
s
a
_
s
p
_
b
d
_
b
t
_
b
a
_
b
p
_
m
.
e
m
.
h
m
.
x
s
d
x
s
t
x
s
a
x
s
p
x
b
d
x
b
t
x
b
a
x
b
p
BU Test Data manager *
BU Acpt Data manager *
BU Prod Data manager *


_
s
d
_
s
t
_
s
a
_
s
p
_
b
d
_
b
t
_
b
a
_
b
p
_
m
.
e
m
.
h
m
.
x
s
d
x
s
t
x
s
a
x
s
p
x
b
d
x
b
t
x
b
a
x
b
p
BU Software manager(D)T * * * *
BU Software manager(T)A * * * * *
BU Software manager(A)P * * * * *
Auditor * * * *





Legend of used indications
Group types
These are found at the rows
Acces rights from accounts (personal/nonpersonal) or logical roles(person) are granted by grouping them. The technical implementation can also be by groups. The only indication is member of the group or not by &qut*".

Three indications for types of groups in columns are used:
  1. Type of access
    • - = normal access
    • x = access by switch user. Logging auditing to be done
    • e = limited access. Not able to login directly. switching users required
    • h = additional other middleware tools to be added. Needed in favor of operational processing, not granted to other users. A standard list for every type "stack" build is to be made.
  2. Type of object/component
    • s = Business Logic
    • b = Business Data
    • m = Middleware
    • . = (not applicable)
  3. Segregation goal
    • d,t,a,p = Business segregation (groups/dir-files)
    • b = Business support role
    • m = Middleware maint role
    • i = Infra business spoc
    • i,c,l,r = Middleware segregation (dir-files)
    • . = (not applicable)


files directories
The group level access to files and directories is given. Directories and files behave different. See relevant os-security background or used middleware tool.

The tree letters of access to file/directory:
  1. r = read access
    - = (not applicable)
    u = (special attention/exception) only to files low level OS access -Setuid-
  2. w = write access
    - = (not applicable)
    s = file inherit group of directory(write)
    ? = creator of file decides, file gets his owner registered
  3. x = execute access
    - = (not applicable)
    t = Sticky-bit only owner of file or directory may delete files in directory (write)
    * = normally not applicable sometimes required


The columns are classified by the type of rights in connecting it to the grouping.

Middleware is different to segregation compared to business. The segregation in DTAP of the business is not needed.
To be able to do acceptance testing of infra components there should be no difference in infra with DTAP of the business.

The installation of infra components can not be owned by persons. Non Personalized Accounts (NPA-s) must be used. In some special cases even the root-key is involved. The files directories can be classified in



Infra life cycles     BU advance details    Soll-Ist Tmplt     Version tools       top  bottom

Version tools

papers
SVN Apache
Subversion exists to be universally recognized and adopted as an open-source, centralized version control system characterized by its reliability as a safe haven for valuable data; the simplicity of its model and usage; and its ability to support the needs of a wide variety of users and projects, from individuals to large-scale enterprise operations.

papers
CVS
CVS (wiki)
CVS CVS is a version control system, an important component of Source Configuration Management (SCM). Using it, you can record the history of sources files, and documents. It fills a similar role to the free software RCS, PRCS, and Aegis packages.

papers
Endevor
endevor (wiki)
CA Endevor Software Change Manager automates your entire development process, adapting to specific business requirements while ensuring consistency and complete control, protecting your software assets and maintaining application integrity. Integration with IBM Rational Developer for System z improves productivity, accelerates time-to-delivery, and ensures the auditability of all programmer activities.

papers
SCLM
SCLM (wiki)
Rational looks to be the new promoted line or name.



Infra life cycles     BU advance details    Soll-Ist Tmplt     Version tools       top  bottom
home-DTAP    IAF    Mindset    Glossary    DTAP    Security    (Ir)responsible    Project

© 2012 J.A.Karman (18 apr 2012)