Security in iHub · 2016-07-11


OpenText™ Information Hub (iHub) is an enterprise-grade deployment server for secure interactive analytic applications, and is the foundation for standalone and embedded applications in the OpenText Analytics Product Suite. iHub supports various options to safely deploy and distribute analytics content. This white paper describes its multi-layered security approach, which includes security at different points through the content generation, access and manipulation processes. The application of security within these layers is flexible and you can choose the best security approach for your environment.

Security in iHub

A comprehensive set of APIs enables central configuration and management of all security features.


Table of Contents

A. Access to Reports and Files

B. Restricting Access to Data

C. Controlling Layout Elements within Each Document

D. Controlling User Operations within Content

E. Secure Communications

F. Malicious Code Safeguards


ENTERPRISE INFORMATION MANAGEMENT

SECURITY IN IHUB
WHITE PAPER

OpenText Information Hub (iHub) was designed to support security as an integral part of any application and most of its features can be individually configured to your specific needs.

iHub supports various options to safely deploy and distribute analytics content. It is most easily understood when characterized and described as a multi-layered security approach. This layered approach includes security at different points through the content generation, access and manipulation processes. The application of security within these layers is flexible and you can choose the best security approach for your environment.

Many of these layers overlap, and you can often secure your iHub content in a variety of different ways that have the same result for the end-user. By integrating and embedding into hundreds of thousands of applications, iHub has become the analytics and reporting backbone for organizations.

The layers can be loosely grouped into seven categories:

A. Access to reports and files

B. Restricting access to data

C. Controlling layout elements within each BIRT design

D. Controlling user operations within BIRT content

E. Secure communications

F. Malicious code safeguards

A. Access to Reports and Files

This category controls users’ access to the iHub environment, its designs and associated files through the Information Console, iHub’s APIs, and the iHub Encyclopedia.

Layer 1

Login Security on the Information Console itself allows the user entry into the iHub environment.

This can be:

• Managed within a standalone Information Console workgroup deployment.

• Managed within an iHub deployment using the built-in user and role security features in the Information Console.

• Transparently integrated with an external security system like LDAP, Active Directory or a single sign-on system. When external systems are used, the iHub internal system is bypassed, so you don’t need to create or synchronize to a duplicate rights management system.

OpenText Information Hub (iHub) is an enterprise-grade deployment server for secure interactive analytic applications, and is the foundation for standalone and embedded applications in the OpenText Analytics product suite.

The fully featured deployment platform reduces the burden on IT leaders and their teams to manually build infrastructure components, shortening time to value for their embedded analytics applications.


Layer 2

iHub Encyclopedia Security manages users’ access to project volumes in the encyclopedia and their rights to partitions, volumes, folders, files, and report designs within each volume.

This means that:

• iHub can manage multiple instances, projects or applications and properly manage security and user rights to each encyclopedia volume using centralized administration tools. And, through the use of different URLs, each project can have its own environment, file system location, or even metadata database.

• Users can be subscribed to different groups, folders and files. Files can be dashboard configurations, pre-generated iHub Data Objects or documents (yesterday’s output, design or other documents stored in the encyclopedia), reports to be executed (on-demand transient designs or data objects), or pre-generated batch content that awaits their review.

• This permission structure is available to every system object and can be accessed through APIs from external applications through the Report Server Security Extensions (RSSE), or JavaScript API content, two of the documented sets of APIs to iHub that allow it to be manipulated programmatically.

B. Restricting Access to Data

Layer 3

You can use iHub Encyclopedia Security to configure access to all content at the volume, folder and/or file level based on roles and privileges. In other words, users must also have rights to the content that is underlying a report, not only the report itself. With this level of security, each user has access to files and folders on a need-to-know basis. If the user does not have permissions to all or some of the data, the result set will be limited to what the user is authorized to access.

Layer 4

Pass-Through Security. At this layer, iHub gives you the option of passing user credentials down to underlying data sources. This lets you use the security of the data source to specify the access rights.

Layer 5

Data Object Security. This security layer controls user access to a particular set of data provided by an iHub Data Object; that is, it allows you to filter the data returned by a query based on specific user rights that are specified within a Data Object.

For example, you can design an iHub Data Object that returns one set of data rows for one group of dashboard or report users, and a different set for another group of users. You can limit access to the following items in a data object:

• A data set, its rows and columns

• A cube, its measures, dimensions, dimension levels, and dimension members

Layer 6

Data Security Rules provide more granular control over who has access to the data. The rules can be assigned to categories, columns, or a combination of the two in data models, and applied both to data sources that access live data, and to data stores that access cached data.

Data Security Rules are reusable, declarative, efficient, and flexible. A user must meet all of the requirements of every Data Security Rule applied to the data in order to access the data. If a Data Security Rule combines security IDs and data values, the user must meet both requirements. It is possible to create and assign a Data Security Rule that uses multiple security IDs.


Layer 7

Page Level Security (PLS) controls user access to report pages and allows you to design a single report that meets the needs of a range of users. It is not only a security feature, but also supports and enables iHub’s renowned scalability, as this is the only IT-friendly way to scale a report for thousands or millions of users.

PLS uses an indexed, very large, master content object, which is the instance of a multi-user iHub document, generated and stored on the deployment server. When a user requests the content, the View Service in iHub retrieves only the pages containing the data that the user is authorized to receive. PLS automatically assembles, paginates and presents that user’s document. To the user, PLS simply delivers a personalized report containing the user’s data. The user does not know that there is a larger report in the background.

[Figure: the report as seen by Betty, who is country manager for France]

[Figure: the same report as seen by Larry, who is country manager for Canada]

For example, in a report that provides worldwide sales data by region and country, you can restrict user access to the content as follows:

• Each country sales manager can view only the pages that display sales data for their country.

• Each regional sales manager can view all the pages that display sales data for the countries in their region.

• The vice-president of sales can view the entire report.

Without page-level security, you would need to create multiple reports—one report for each user—and the administrator would have to define different security rules for each report, and manage multiple reports. In the sales report example, which presents data for three regions and eight countries, you would have to create 12 reports. For large companies, which typically have more hierarchical levels and more users, the number of reports increases exponentially.
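The page-level filtering described above, modelled as an added JavaScript example (it is not OpenText code and not part of the white paper). Betty/France and Larry/Canada come from the text; the region names, the other countries, the security ID format and all function names are constructed for illustration.

```javascript
// Toy model of page-level security; added illustration, not iHub code.
// Region names, country lists, the ID format and function names are constructed.
const REGIONS = {
  EMEA: ["France", "Germany", "UK"],
  Americas: ["Canada", "USA", "Brazil"],
  APAC: ["Japan", "Australia"],
};

// Generate the master document once: one page per country, each page tagged
// with the security IDs allowed to read it (country, region and VP).
function buildMaster() {
  const pages = [];
  for (const [region, countries] of Object.entries(REGIONS)) {
    for (const country of countries) {
      const acl = new Set([`country:${country}`, `region:${region}`, "role:vp-sales"]);
      pages.push({ title: `Sales: ${country}`, acl });
    }
  }
  return pages;
}

// View step: keep only pages whose ACL contains one of the caller's IDs, then
// renumber so page gaps do not reveal that hidden pages exist. A caller with
// no matching ID gets an empty document (deny by default).
function viewFor(master, securityIds) {
  return master
    .filter((page) => securityIds.some((id) => page.acl.has(id)))
    .map((page, i) => ({ pageNo: i + 1, title: page.title }));
}

// Distinct audiences the single master serves: 8 countries + 3 regions + 1 VP.
function audienceCount(master) {
  const ids = new Set();
  for (const page of master) for (const id of page.acl) ids.add(id);
  return ids.size;
}

const master = buildMaster();
const betty = viewFor(master, ["country:France"]);
const larry = viewFor(master, ["country:Canada"]);
const emea = viewFor(master, ["region:EMEA"]);
const vp = viewFor(master, ["role:vp-sales"]);
const outsider = viewFor(master, ["country:Atlantis"]);

console.log(betty, larry, emea.length, vp.length, outsider.length, audienceCount(master));
```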

Page Level Security is an important API for displaying analytics content generated by iHub.


www.opentext.com/contact
Copyright © 2016 Open Text SA or Open Text ULC (in Canada). All rights reserved. Trademarks owned by Open Text SA or Open Text ULC (in Canada). (06/2016) 05158EN

C. Controlling Layout Elements within Each Document

Layer 8

This layer consists of Page Level Security applied to single components of a design. A user’s ID or role determines which parts or sections of the design are rendered.

• This is determined by specific pages the users can receive in PLS.

• This is controlled by the dashboard definition stored for the user within the encyclopedia of iHub.

D. Controlling User Operations within Content

Layer 9

All iHub product options support the ability to control what different end users can do with the same generated content.

• OpenText™ Analytics Studio templates can include mandatory and optional components on any ad-hoc content.

• OpenText™ Interactive Viewer can offer and restrict what operations a user can perform on delivered report content.

• OpenText™ Dashboards can control the gadgets users are allowed to receive, create or share within their dashboards.

E. Secure Communications

Layer 10

iHub has enhanced communications security to protect data in transit. This prevents unauthorized third parties from making use of sensitive information being passed within iHub. The functionality includes the use of:

• HTTPS for all communications between the two consoles (Information Console, System Console) and iHub.

• Secure Sockets Layer for all communications between the iHub server processes and the encyclopedia metadata database.

F. Malicious Code Safeguards

Layer 11

This layer secures the execution of code contained in iHub Designs. iHub Designs uses Java security capabilities to prevent unauthorized access to system resources by embedded Java or JavaScript. These security features provide an extra level of confidence that code from one instance cannot access resources on the operating systems for which it is not authorized.