Security benchmarks for google cloud - security

Do we have any open source security benchmarks for Google Cloud apart from the CIS benchmarks?
Generally, how is pen-testing done for cloud infrastructure?

I don't know of any other open source benchmark, but according to the security compliance doc the certifications and compliance standards for GCP are ISO/IEC 27001, HIPAA, FedRAMP, SOC 1.
About the pen testing, according to this other doc, to do a pen test you are not required to contact Google to begin testing. But you need to stick to the Acceptable Use Policy and the Terms of Service and only affect your own projects.
In case it's useful, there is also a white paper with more info.

Related

Hybris production support activities

I am pretty new to Hybris. I am a bit curious about the activities that are taken care of by the production support team in Hybris. Please share information about what activities a production support person generally takes care of.
Maybe this can give you some idea:
Study guide for SAP Certified Support Specialist - SAP Commerce 1811: https://cxwiki.sap.com/display/education/Study+guide+for+SAP+Certified+Support+Specialist+-+SAP+Commerce+1811
I think the scope can be quite big, and it will depend on your contract / agreement. It could cover things like:
Handling day-to-day operations (e.g. backups)
Managing releases or patches
Managing users (e.g. Creating/Updating accounts manually)
Operating Backoffice (e.g. Reloading the widgets, etc) or PCM
Monitoring the system (e.g. Using DynaTrace)
Fixing performance issues
Fixing synchronization issues
Setting up the infrastructure (e.g. clustering, caching, logging, etc)
Being familiar with integration with other services (e.g. Data Hub)
Knowing how to identify and fix issues / problems in general
etc.

Learn Azure practical skills without paying or providing my card info

Is it possible to learn Azure practical skills without paying or providing my card info?
I found out about the https://portal.azure.com/. And about the modular tutorials https://learn.microsoft.com/en-us/learn/browse/?products=azure. But I am not sure whether or not it will be feasible for me to cover all the topics important for commercial development with just the free resources above.
Maybe there are other ways to learn Azure profoundly without paying or providing my card info? It is an important question for me, because I really want to learn Azure a lot, but if there is no free plan to learn it, then I will have to pick something else (e.g. AWS or Heroku).
Here learning Azure implies being able to access a theoretical knowledge base and documentation (both of which I am sure are present) and also being able to use a fully free (and without any card info) sandbox environment. And the question is whether such a free sandbox environment exists.
The Microsoft Learn resource is very good and free. I use it all the time. However, not every learning module is free. Some require an account. This might be around 5% that require your own Azure account.
Can you learn Azure for free with Microsoft Learn? Absolutely YES. There are almost 1,000 modules on the site to choose from. I recommend this site even for very experienced Azure developers. For example, the VPN Gateway modules are free to practice with.
After a while I was able to come across the Azure sandboxes. And that is what I was looking for in the question. E.g. this article explains how to use them.

Azure Information Protection scanner

Has anyone used the Azure Information Protection scanner for scanning files on internal networks? We are looking to use this for identifying all Personally Identifiable Information (PII) to meet the General Data Protection Regulation that goes into effect May 25, 2018.
I am looking for feedback on anyone's experience with this.
Thanks,
Roger
The EMS (Enterprise Mobility+Security) team recently announced GA (general availability) of the AIP Scanner.
They are also introducing an AIP SDK that you can use to apply labels, classification and protection in custom developed software. (AIP SDK is currently in private preview). I also wrote a small blog post about this.
I have not used AIP Scanner in production-scale environments yet, but the labs and proof-of-concepts I have worked with show great potential in this product.
Note that only the following data stores are supported:
Network shares that use CIFS (SMB) and are exposed as UNC paths
Local folders on the server (must be a Windows Server 2012R2/2016) that runs Azure Information Protection Scanner
Libraries and sites on SharePoint 2016/13
I have used the AIP Scanner (embedded in legacy 1.x client) for identifying PII data across CIFS based shares and SharePoint on-premise environments.
One more advantage of the scanner is that you can run it in Discovery mode, wherein you can pull up a report on matches instead of actually labeling the files.
Note:
The label setting in the AIP Console should be set to "automatic" to allow the AIP scanner to actually apply the label.
AIP Scanner is not yet GA in the new Unified Labeling Client (2.x) - where it talks to Security & Compliance Center
Current AIP Scanner cannot be extended w.r.t custom rules like in SCC where custom sensitive information types can be created.

How to know the security or penetration test coverage

Does anyone know how to understand the security or penetration test coverage?
I found that the traditional method for functional test coverage measurement is not quite useful for security testing, because for security testing you don't actually need to cover every logic branch. If you cover all the URLs and parameters, basically, you cover everything.
Any idea?
Thanks.
One possible metric for coverage of a web application security assessment is the range of issues tested for. At a bare minimum, the OWASP Top 10 issues should be tested for, but a high quality assessment will properly assess business logic and application specific issues. Also, the tester should have an understanding of any specific technologies used by the web application (e.g. Adobe Flash, Google Gears).
Penetration testing is a specialist activity, so get a trustworthy and respected company to perform the testing. In the UK, the CHECK scheme is highly respected; a list of certified companies can be found here: http://www.crest-approved.org/member_companies.php
Full disclosure: I work for Verizon Business who offer penetration testing services.
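The URL-and-parameter coverage metric proposed in the question can be computed mechanically. The following is an added example, not code from the original thread: it compares a constructed endpoint inventory against constructed proxy-log lines from the assessment and reports which (method, path, parameter) triples were never exercised. The inventory, log format and `coverage` function are all assumptions for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed application inventory: (method, path) -> parameters it accepts.
# In practice this would be derived from route definitions, an OpenAPI spec
# or a crawl of the application (assumption for this example).
INVENTORY = {
    ("GET", "/search"): {"q", "page"},
    ("POST", "/login"): {"username", "password"},
    ("GET", "/account"): {"id"},
    ("POST", "/account/update"): {"id", "email", "phone"},
}

# Constructed proxy log of requests sent during the test (one request per line).
PROXY_LOG = """\
GET /search?q=test&page=1
POST /login username=admin&password=x
GET /search?q=%27
GET /account?id=42
POST /account/update id=42&email=a%40b.test
"""

LINE_RE = re.compile(r"^(GET|POST) (\S+)(?: (\S+))?$")


def parse_log(text):
    """Yield (method, path, {param names}) per log line; skip malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        method, target, body = m.groups()
        parts = urlsplit(target)
        params = set(parse_qs(parts.query, keep_blank_values=True))
        if body:  # form-encoded body parameters count as well
            params |= set(parse_qs(body, keep_blank_values=True))
        yield method, parts.path, params


def coverage(inventory, log_text):
    """Return (covered, missing, ratio) over (method, path, parameter) triples."""
    expected = {(m, p, prm) for (m, p), prms in inventory.items() for prm in prms}
    seen = set()
    for method, path, params in parse_log(log_text):
        seen |= {(method, path, prm) for prm in params if (method, path, prm) in expected}
    missing = expected - seen
    return seen, missing, (len(seen) / len(expected) if expected else 0.0)


if __name__ == "__main__":
    covered, missing, ratio = coverage(INVENTORY, PROXY_LOG)
    print(f"parameter coverage: {ratio:.0%}; untested: {sorted(missing)}")
```

The untested list is the actionable output: each entry is an input the assessment never sent anything to, regardless of how many payloads the tested inputs received.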

Who uses XACML?

Has anyone written XACML Implementations other than the Sun XACML Implementation and XEngine?
Who uses them in their products?
Which vendors provide a PDP? I read something about a WebLogic XACML Provider. What other products support XACML?
This has been answered on the XACML TC list already: http://markmail.org/message/w7msffsbi6qzgfoj
XACML is used in a wide variety of industries today. Trying to summarize what's been said:
There are 2 types of implementations today:
open-source implementations
They are either backed by commercial organizations, foundations, or universities.
These include:
(Sun-backed) SunXACML (http://sunxacml.sourceforge.net/) - very much dead on its own but used in other products such as WSO2's offering (see below)
(R&D-backed) SICSACML (http://www.sics.se/node/2465) backed by SICS, the Swedish Institute for Computer Science, and now taken up by Axiomatics (www.axiomatics.com)
(University-backed) Heras AF (http://www.herasaf.org/heras-af-xacml.html): Orange is using their product. Orange is one of the leading telecommunications providers in Europe.
WSO2 is a company that was born from the Apache Synapse project and expanded into different areas successfully, including XACML, by using the initial SunXACML implementation (http://wso2.org/library/identity-server/user-management/xacml). I am not sure they have customers using XACML today.
Enterprise XACML (http://code.google.com/p/enterprise-java-xacml/) but no updates in nearly a year
Brad Cox also has a neat approach to implementing XACML as described in his blog and paper at http://bradjcox.blogspot.com/
Commercial products
Oracle OES provides a SunXACML-based XACML 2.0 implementation. It is hard to know whether OES customers are using XACML features.
IBM Tivoli Security Policy Manager
Axiomatics Policy Server took SICSACML and marketed it in 2006 - their product fully implements XACML 3.0. Their customers include "one of the world's largest bank", Paypal, Bell Helicopter, Swedish National Healthcare service, SOS Alarm, and DATEV eG as listed at www.axiomatics.com/customers.html
There are other vendors such as Jericho Systems and Nextlabs that offer XACML. Also Securent (later bought by CISCO) had an XACML offering.
Lastly I recommend you visit the XACML TC (http://www.oasis-open.org/committees/xacml/) where you can see its contributing members. Those include Oracle, Axiomatics, Boeing, Veterans Administration, EMC who are regular contributors.
I'm a member of the team at IBM that builds a security policy management solution, including XACML for authorization policy; and I used to be the team lead for the XACML runtime component itself. The product is called Tivoli Security Policy Manager, and is definitely under active development.
WebLogic used to be built by BEA, before they were acquired by Oracle. I'm not sure if Oracle still sells it or not.
Axiomatics also has a XACML solution, as does Jericho Systems.
WSO2 Identity Server (http://wso2.org/) is an open source entitlement engine which is based on sunxacml. WSO2 Identity Server contains a nice XACML UI policy editor which can be easily used to create complex XACML policies. There is a PIP layer to plug any attribute finder module into it. Therefore you are able to find your attributes from any database, LDAP user store, web service and many more. Also there is decision caching, policy caching and PIP-level attribute caching to improve performance. You can refer to the implementation source code here [1].
[1] https://svn.wso2.org/repos/wso2/branches/carbon/3.2.0/components/identity/org.wso2.carbon.identity.entitlement/
DATEV (a German IT service provider with 5800 employees) announced in 2010 that they will use XACML. Swedish software company Axiomatics will develop a DATEV version of its identity management solution.
XACML implementations (Sun, XEngine, and EnterpriseXACML) are currently interpreters, which makes it hard to debug how a decision was reached since debuggers show the interpreter's internal code, not the policy itself.
I've written a compiler for DOD/DISA that transforms XACML directly to Java code. The goal was making policies easier to understand, not speed, but it is gratifying that compiled policies run in about a tenth the space and time as Sun's interpreter.
The compiler has now been verified by using the same Oasis compliance tests that Sun's interpreter uses. Out of ~400 tests, it passes all but 8. Current problem areas are cases the standard isn't clear on; Subject Categories and PolicySet IdReferences to name two.
I'm wiring it up as a SAML-P service this weekend. Release plans aren't final yet but we'll probably release it as open source on forge.mil as soon as the SOA version stabilizes.
Note added: There's a link to an AFCEA paper about it at http://bradjcox.blogspot.com/2011/03/compiling-xacml-to-java-source.html
BiTKOO (http://bitkoo.com) has XACML 3.0 integrated into its Keystone family of authorization management products. I'm the architect of BiTKOO's XACML core technologies (PDP, PAP, PEP).
A wide variety of organizations are now using XACML based solutions for authorization management. Most are large organizations - government agencies (foreign, domestic, military, and state), universities, media companies, industrial companies, etc.
I'm aware that this question was posted a few years ago but it can be relevant right now to people looking for open source XACML implementations.
The AuthZForce project provides an open-source XACML 3.0 implementation with a multi-tenant REST API along with a Java-based API. It also provides an XACML SDK.
AuthZForce is available on GitHub and on the OW2 repository, and a Docker container as well as a Debian package are available:
http://github.com/authzforce
https://tuleap.ow2.org/projects/AuthzForce/
I'm one of the core developers of the project, so feel free to reach me if you have any questions.
This may not be helpful as it's not a COTS product, but it may be of interest to you or others.
There is an open-source XACML implementation at http://code.google.com/p/enterprise-java-xacml/ which I've used recently. It covers the entire specification and has pretty decent policy evaluation performance considering it's not optimised.
You can have a look at http://www.herasaf.org/ . It is a highly developed open source project (although I don't know which license they are under). It looks really promising, but there is still a lot of work to do.
If you are looking for an alternative to Sun XACML you should really have a look at HERAS-AF (www.herasaf.org). It's a very active project and their support is very good and fast responding (e.g. forum.herasaf.org). The code is of good quality and it provides many extension points. The API is clear and very easy to use. Have a look at the getting started guide. It is developed and published under the Apache 2 license.
OpenAM, an open source access management and web Single Sign On solution, previously known as OpenSSO, provides a PDP and has support for XACML 3.0 for importing and exporting policies.
More information at openam.forgerock.org.
PicketBoxXACML, formerly JBossXacml, also wraps SunXacml's implementation and provides an updated PDP. There's not a lot of documentation out there on it, but it's open source.
Hi, you might also want to have a look at ViewDS Identity Solutions (see http://www.viewds.com). ViewDS have two XACML solutions. Access Sentinel provides externalised authorisation services with a PDP/PIP and two PAPs (DotNet & Java) and a variety of PIPs. Their product also supports delegation, roles management & obligations. ViewDS Identity Solutions also have an LDAP Directory with its own integrated searching and matching engine and have XACML-enabled the Directory. That is, they use XACML to provide the policy-based authorisation system for accessing Directory information over the Web.
Here's an interesting discussion at Forrester blog http://blogs.forrester.com/andras_cser/13-05-07-xacml_is_dead that actually updates the state of XACML as of 2013. Be sure to read the comments as well.