Group Audit Department: Project ICARUS
Information Collecting And Risk Uncovering System
A SAS Datawarehouse on OpenVMS (AXP)
UBS, Giampaolo Trenta, June 98

• The Group internal Audit department (GADE) of the Union Bank of Switzerland (UBS)
• GADE is a control instrument reporting directly to the president of the board of directors.
• ICARUS was the project to implement a data warehouse
• The data warehouse is intended to support the work of the business auditor
• A new approach for auditing: macro analysis rather than micro analysis
• Data on the warehouse are available for a longer period of time than on the production system
• Trend analyses and cross comparisons between periods are possible
• We want to use the data analysis capabilities of SAS
• We already discovered interesting properties of rate deviations in FX

Data Delivery

[Diagram labels: Swiss data; trading data (international); London, Zurich, New York, Geneva, Lugano, Tokyo, Hong Kong, Singapore; TCP/IP; DECnet (national); Swiss banking system ABACUS; SAS data warehouse on OpenVMS.]

• We collect UBS trading data (Foreign Exchange) from around the globe
• We collect data from our Swiss banking system (ABACUS)
• Due to the sensitivity of the data we need strong security while also requiring flexibility
• Legacy aspects with a GADE application called IDA+ required DECnet support
• TCP/IP support is also required
• The system should not require intensive support
• The system must run as automatically as possible (management by exceptions)
• The system must deliver the best possible price/performance ratio
• All these aspects spoke for OpenVMS on Alpha
• AlphaServer 4100/300 with 512MB RAM and 2x2GB and 8x4GB disks
• Control level based on RAID capabilities (level 2 sysdisk, level 5 data disks)

File Processing

[Diagram: process flow and data flow across the areas of external and internal influence. Elements: transmit data, notify, mailbox, detached OpenVMS process (get notification, read file ID, move file, enqueue loader), data loader running the SAS program (process data, move file), directories RCV, ARCH and DATA.]

• Data is delivered in the form of ASCII files
• File transfer applications support the POSTPROCESSING
• Supported network protocols are TCP/IP and DECnet
• Whatever protocol is used, the file processing schema is always the same
• The range of influence of the process delivering the data is kept as small as possible
• Only trusted processes and users are allowed to access the database
• The use of a mailbox eliminates the need for polling
• The post processing process performs an asynchronous write on the mailbox
• A detached process performs a synchronous read on the mailbox
• The same process submits the process running SAS and the data loader program
• This introduces a convenient point to control execution, namely a queue
• The queue is also used to serialize data loading jobs and avoid concurrent access
• Moving files (rename) can be considered an atomic operation

Data Loader

Objective: Data load is correct and complete, or the target dataset has not been changed
Problem: No transaction processing support and therefore no rollback in SAS
Strategy: Load data into a WORK dataset; if no errors occurred, append the WORK dataset to the target dataset

[Diagram labels: ASCII, work dataset, target dataset.]

• Executed in batch mode
• The integrity of the database has the highest priority
• The loader has to deal with possible error conditions during parsing of the delivered files
• An administrative SAS database with statistics on loaded data is also updated
• Database updates are conservative

Business Model

[Matrix for product FOREX: locations ZHR, GEN, LUG, LON, NY, TOK, SIN and HK marked with X against regions (Switzerland, Europe, Americas, Asia Pacific) and divisions (Private Banking, Consumer & Corporate, Investment Banking, Asset Management).]

• The business model has to be taken into consideration when organizing data
• The implementation model has to reflect the business model
• We have auditors assigned to regions or divisions
• Regional view and/or product view
• Both views must coexist and be supported

Technical Implementation

[Diagram: directory tree on OpenVMS and SAS with the labels prg, adm, data, warehouse, ZHR and PB, and the FX datasets CH FX, EU FX, USA FX, AS FX, IB FX, AM FX and CC FX.]

Hard link:
    set file/enter=.....

ACL:
    identifier=MGR, access=R+W+E+D
    identifier=IB_USR, access=R
    identifier=CH_USR, access=R
    identifier=*, access=none

• Every auditor is assigned to a fixed home directory
• All objects accessible to him are directly accessible inside his subtree
• In order to avoid duplication of datasets we define hard links
• OpenVMS identifiers, based on access control lists, allow role-based access control
• SAS/SHARE and SAS/CONNECT strictly observe user-based OpenVMS access control
• Role-based access control rules on data don't need to be continuously maintained
• Granting and revoking identifiers is the only necessary administrative task

SAS/CONNECT

[Diagram: each client SAS session connects over TCP/IP as a VT connection to its own VMS session running SAS on the server. VT = virtual terminal.]

• There are many possibilities to access the data stored on the server
• Behind SAS/CONNECT on TCP/IP there is in fact a terminal-based connection
• SAS on the client acts like a virtual terminal, driven by the events generated by the GUI
• This requires an OpenVMS interactive license for every concurrent client
• However, data on the server can be processed strictly on the server (remote execution functions)
• The authentication is performed directly by the OpenVMS login and passwords are sent in clear text
• SAS release 7.0 will also have a spawner for OpenVMS (already available for UNIX and NT)
• Thus the client will connect via the 'spawner' rather than the OpenVMS login
• Note that every client requires a dedicated server process

SAS/SHARE

[Diagram: SAS clients use TCP/IP socket communication to reach ICARUS_SVR, a detached VMS process executing ICARUS_SVR.SAS on the server.]

• A SAS/SHARE process can serve many clients concurrently
• Authentication is performed directly by the share process based on OpenVMS username/password
• There is no OpenVMS login (interactive/noninteractive) for users using SAS/SHARE
• However, the OpenVMS context of the users is fully respected for access control
• Network access could be an issue since SAS/SHARE makes libraries available over the network
• In practice, good performance has been observed, especially using SQL

SAS/SHARE Server Startup

icarus_svr_startup.com:
    submit/user=icarus
    :
    :
    $run/detach/process=icarus_srv -
        /uic=icarus/.. -
        /priv=(nosame,netmbx,..) -
        /error=icarus_srv_err.log -
        /output=icarus_srv.log -
        /input=icarus_srv.com -
        sys$system:loginout.exe
    :

icarus_svr.com:
    :
    :
    $SAS /LS=80 /LOG=ICARUS_SRV_SAS.LOG /FULLSTIMER ICARUS_SRV.SAS
    :

icarus_svr.sas:
    :
    %let TCPSEC=_SECURE_;
    %let AUTHENCR=REQUIRED;
    options comamid=TCP;
    proc server uavalid=yes oavalid=yes id=icarus;
    run;
    :

Required privileges for ICARUS: NETMBX, TMPMBX, SYSNAM, AUDIT

• The SAS/SHARE process must be up and running to allow user connections
• Unlike SAS/CONNECT, where dedicated user processes are created on the fly
• The SAS/SHARE process is implemented as a detached OpenVMS process running the SAS image and a SAS program
• Encrypted authentication is required

SAS/SHARE vs SAS/CONNECT

SAS/SHARE
+ authentication based on OpenVMS auth. database
+ encryption of username/password
+ no OpenVMS user processes (no OpenVMS licenses)
+ full OpenVMS access control
- restricted security and audit on OpenVMS (e.g. disuser)
- OpenVMS password change?
- no remote processing functions
- network traffic could be an issue

SAS/CONNECT
+ data on server processed strictly locally (remote processing)
+ users can be locked on OpenVMS level
+ full OpenVMS audit on users
+ users can change their password
- hidden terminal-based connection
- scripting to build terminal session
- no 'spawner' in the current SAS 6.12 for OpenVMS
- OpenVMS login with plaintext username/password
- every client session requires an OpenVMS license
- user could get DCL prompt
- user can execute DCL command

• Both products strictly observe OpenVMS and fully implement access control
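
The File Processing and Data Loader slides, as a runnable Python model (an added example, not the ICARUS SAS or DCL code): a delivered file is parsed completely into a work list and appended to the target only if no record failed, then renamed from RCV to ARCH. The record layout, the file names and the choice to leave a rejected file in RCV are assumptions.

```python
import os
import tempfile

# Constructed sample deliveries (record layout date;pair;rate;amount is assumed).
GOOD = "1998-06-02;USD/CHF;1.4821;1000000\n1998-06-02;GBP/CHF;2.4170;250000\n"
BAD = "1998-06-02;USD/CHF;1.4821;1000000\n1998-06-02;GBP/CHF;n/a;250000\n"


def parse_record(line):
    """Parse one record; raise ValueError on any defect."""
    parts = line.rstrip("\n").split(";")
    if len(parts) != 4:
        raise ValueError("expected 4 fields, got %d" % len(parts))
    date, pair, rate, amount = parts
    return (date, pair, float(rate), float(amount))


def load_file(name, rcv_dir, arch_dir, target):
    """All-or-nothing load; returns error strings, empty list means committed."""
    src = os.path.join(rcv_dir, name)
    work, errors = [], []  # 'work' plays the role of the WORK dataset
    try:
        with open(src, encoding="ascii") as fh:
            for lineno, line in enumerate(fh, 1):
                try:
                    work.append(parse_record(line))
                except ValueError as exc:
                    errors.append("%s:%d: %s" % (name, lineno, exc))
    except UnicodeDecodeError as exc:
        errors.append("%s: not ASCII (%s)" % (name, exc))
    if errors:
        return errors  # target untouched, file stays in RCV for inspection
    target.extend(work)  # commit only after the whole file parsed cleanly
    # Rename is atomic only when RCV and ARCH are on the same volume.
    os.replace(src, os.path.join(arch_dir, name))
    return []


def demo():
    base = tempfile.mkdtemp()
    rcv, arch = os.path.join(base, "RCV"), os.path.join(base, "ARCH")
    os.mkdir(rcv)
    os.mkdir(arch)
    for name, text in (("good.txt", GOOD), ("bad.txt", BAD)):
        with open(os.path.join(rcv, name), "w", encoding="ascii") as fh:
            fh.write(text)
    target = []
    ok = load_file("good.txt", rcv, arch, target)
    bad = load_file("bad.txt", rcv, arch, target)
    return ok, bad, len(target), sorted(os.listdir(rcv)), sorted(os.listdir(arch))
```

Serializing calls to `load_file` through one worker corresponds to the queue on the slide; the model itself does no locking.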
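
A Python model of the identifier-based ACL on the Technical Implementation slide (an added example, not OpenVMS or project code): access comes from the first ACE whose identifier the user holds, so granting or revoking an identifier changes access without editing the ACL. The user names are hypothetical, and the model ignores the UIC protection code and privileges that OpenVMS also evaluates.

```python
# ACL from the "Technical Implementation" slide, in evaluation order.
ACL = [
    ("MGR", frozenset("RWED")),
    ("IB_USR", frozenset("R")),
    ("CH_USR", frozenset("R")),
    ("*", frozenset()),
]


class RightsList:
    """Toy stand-in for the rights database: user -> held identifiers."""

    def __init__(self):
        self.held = {}

    def grant(self, user, ident):
        self.held.setdefault(user, set()).add(ident)

    def revoke(self, user, ident):
        self.held.get(user, set()).discard(ident)

    def access(self, user, acl=ACL):
        """Access from the first ACE whose identifier the user holds."""
        for ident, rights in acl:
            if ident == "*" or ident in self.held.get(user, ()):
                return rights
        return frozenset()  # model choice: no matching ACE, no access


def shadowed(acl):
    """ACEs that can never match because a wildcard ACE precedes them."""
    for pos, (ident, _) in enumerate(acl):
        if ident == "*":
            return [name for name, _ in acl[pos + 1:]]
    return []


def demo():
    db = RightsList()
    db.grant("auditor1", "CH_USR")   # hypothetical user names
    before = sorted(db.access("auditor1"))
    db.revoke("auditor1", "CH_USR")  # role removed; the ACL is not edited
    after = sorted(db.access("auditor1"))
    db.grant("admin1", "IB_USR")
    db.grant("admin1", "MGR")        # two roles held: first matching ACE wins
    admin = sorted(db.access("admin1"))
    misordered = [ACL[3]] + ACL[:3]  # wildcard deny moved to the top
    return before, after, admin, shadowed(ACL), shadowed(misordered)
```

`shadowed` is a review check for the ordering mistake that first-match evaluation makes possible: an `identifier=*, access=none` entry placed above the role entries denies everyone.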