New MR Repository & Security Universal Object Access
Brian A Suter
VP WebFOCUS Product Development
April 20, 2023
Copyright 2009, Information Builders. Slide 1
76x Security Structure - Review
WebFOCUS Managed Reporting Security - Release 76x and Earlier
Internal (default) repository stored as HTM files on Application Server (basedir)
Authentication – Internal or External
Authorization – Internal or External (RDBMS, Active Directory, LDAP) using Realm Driver
[Architecture diagram. Labels: Browser Machine; Java Client; Application Server/Web Server; WF Servlet & MR (Internal) Repository; WebFOCUS Server; DB2, Oracle, Sybase, Informix, Teradata, …; MR (External) Authorization (SQL RDBMS, Active Directory, LDAP); External Authentication]
WebFOCUS 76x Managed Reporting Security User Authorization
[Diagram. Labels: Groups; Users; Role(*); Domains; Reports; Launch Pages; Documents]
Role is assigned directly to user.
A user has only ONE role.
77x Repository and Security
77 Repository
File System model:
  Domains are top level folders
  N-depth folder/file tree
  No special purpose folders
Implemented in RDBMS tables
  Derby shipped and installed
  Any RDBMS supported
  Audit, backup, clustering
Special rules eliminated
Groups & Users
Groups
  Groups can have sub-groups, sub-sub-groups, etc.
  Users are assigned to Groups (or sub-groups)
  Users can belong to multiple groups
  All users are in the EVERYONE group
User Authorizations
  Group membership usually determines authorization
  Matches standard LDAP/AD models
  User “flags” eliminated
User Management
Security Rules
All rules have 3 parts:
  A subject (Groups or Users) – the WHO
  Has permitted operations – the WHAT
  On some Folder (a resource) – the WHERE
Examples:
  Group RepDev has Developer on folder /Sales
  Group EVERYONE has RunReports on folder /Sales
WHO – WHAT – WHERE
Security Rules (continued)
Permissions are inherited down the tree
  RepDev inherits Developer permissions on folder /Sales/Forcasts
Single User can have specific rules on every object
  Folder or file
  Recommended only as the exception!
Different roles on different folders
Permission Sets - WHAT
Named list of permissions on very granular operations
  WF ships with a set of defined permission sets
  Customers can create their own
  Reusable for multiple rules
Usually declare what a subject can DO (permit)
  Can declare what can not be done (deny)
Abilities are never implied
  If an individual operation is not permitted or denied – it is an effective deny
WHO – WHAT - WHERE
Creating and controlling Rules
“Access Rules” context menu choice
  Specifies the WHERE of the rules to be created
Users need to be permitted to change rules on a resource
Group to sub-group inheritance
  A rule for a group is inherited by sub-groups
WHO - WHAT – WHERE
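Added example (not part of the original slides and not WebFOCUS code): a small Python evaluator for the WHO – WHAT – WHERE rules described above, covering inheritance down the folder tree, group to sub-group inheritance and the effective deny. The permission-set contents, the Forecasters sub-group, the NoSchedule deny rule and the choice that an explicit deny beats a permit are assumptions made for illustration.

```python
# Added illustration, not WebFOCUS code. Permission-set contents, the
# Forecasters sub-group, the deny rule and deny-wins are assumptions.
from dataclasses import dataclass

# WHAT: permission-set name -> granular operations (contents constructed)
PSETS = {
    "Developer": {"Create file", "Write file", "Run report", "Schedule a report"},
    "RunReports": {"Run report"},
    "NoSchedule": {"Schedule a report"},
}
GROUP_PARENT = {"Forecasters": "RepDev"}  # hypothetical sub-group -> parent

@dataclass(frozen=True)
class Rule:
    who: str            # group or user (the WHO)
    what: str           # permission-set name (the WHAT)
    where: str          # folder or file path (the WHERE)
    deny: bool = False  # True: the set lists what can not be done

RULES = [
    Rule("RepDev", "Developer", "/Sales"),     # example from the slides
    Rule("EVERYONE", "RunReports", "/Sales"),  # example from the slides
    Rule("RepDev", "NoSchedule", "/Sales/Forcasts", deny=True),  # constructed
]

def subjects(user, groups):
    """User, EVERYONE, the user's groups and all their ancestor groups."""
    found = {user, "EVERYONE"}
    for group in groups:
        while group:
            found.add(group)
            group = GROUP_PARENT.get(group)
    return found

def covers(where, path):
    """A rule on a folder applies to it and to everything below it."""
    return path == where or path.startswith(where.rstrip("/") + "/")

def is_allowed(user, groups, operation, path, rules=RULES):
    who = subjects(user, groups)
    hits = [r for r in rules if r.who in who and covers(r.where, path)
            and operation in PSETS[r.what]]
    if any(r.deny for r in hits):  # assumption: explicit deny beats permit
        return False
    return bool(hits)  # nothing permits the operation: effective deny
```

The path check compares whole folder segments, so a rule on /Sales does not leak onto a sibling folder whose name merely starts with "Sales".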
Example of setting Access Rules
Permission Sets – List of Operations
Everything is an operation:
  Create file, Create folder, Run report, Run deferred, Schedule a report, Manage schedules, Create access lists, Create distribution lists, Update properties, Update Execution properties, Read file, Write file, Delete, Change Ownership, Share, ...
  Launch InfoAssist, Launch Editor, Launch security central, Launch RC admin, Launch Developer Studio tools, ...
  Create groups, Assign users to groups, Make rules for the Group (group as subject), Share with Group, ...
  Create User, Update user status/password, ...
  Create PSET, Update PSET, Delete PSET, ...
Private Files & Folders (aka MyReports)
Private files can exist anywhere you allow them
  Private folders recommended
Private files can be owned by users or by Groups
  “In development”
Private files can be shared
  With specific groups/users
Two special Permission-Sets:
  Owners have PrivateFilePermissions on PrivateFiles
  Sharees have SharedFilePermissions on SharedFiles
WHO – WHAT - WHERE
Example of setting Shares
User and Group Administration
Users are permitted operations to act on groups
  Create sub-groups
  Assign users to groups
  Assign users from groups
  Manage users in groups
    Names, passwords
User management
  GlobalUserAdmin has ManageUsers on /EVERYONE
Everything is a Resource – a WHERE
/WFC
  /Repository
    Sales Domain, etc.
  /UserInfo – preference files, deferred receipts
/SSYS
  /GROUPS
  /USERS
  /PSETS
/WEB - APPROOT application directories
In the works
/VIEWS/viewname/tabname
Thank you!