WebFOCUS Client Repository and Security Authorization 8.0 Beta DN4500988.0611

Upload: greenviosn

Post on 08-Mar-2015


Cactus, EDA, EDA/SQL, FIDEL, FOCUS, Information Builders, the Information Builders logo, iWay, iWay Software, Parlay, PC/FOCUS, RStat, TableTalk, Web390, and WebFOCUS are registered trademarks, and DataMigrator and Magnify are trademarks of Information Builders, Inc.

Adobe, the Adobe logo, Acrobat, Adobe Reader, Flash, Adobe Flash Builder, Flex, and PostScript are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States and/or other countries.

Due to the nature of this material, this document refers to numerous hardware and software products by their trademarks. In most, if not all cases, these designations are claimed as trademarks or registered trademarks by their respective companies. It is not this publisher’s intent to use any of these names generically. The reader is therefore cautioned to investigate all claimed trademark rights before using any of these names other than to refer to the product described.

Copyright © 2011, by Information Builders, Inc. and iWay Software. All rights reserved. Patent Pending. This manual, or parts thereof, may not be reproduced in any form without the written permission of Information Builders, Inc.

Contents

Preface
    Documentation Conventions
    Related Publications
    Customer Support
    Information You Should Have
    User Feedback
    Information Builders Consulting and Training

1. Introducing WebFOCUS Client Repository and Authorization Security
    Creating a Security Model

2. Security Basics
    Groups
    Users
    Operation sets
    Folders
    Rules
        Rules Overview
        Creating Rules for Folder Resources
        Creating Rules for Groups
        Creating Rules for Operation Sets

3. Creating Users With Predefined Groups
    Default Groups, Operation Sets, and Rules
    Creating a Managed Folder for Users to Access

4. Sharing and Ownership
    Sharing How, Who, or Permissions
    Ownership Permissions

5. Managing User Content
    Managing Private User Content

6. Effective Policy
    Order of Precedence
    Viewing Your Own User Effective Policy
    Viewing Effective Policy for Other Users
    Viewing Folder or Item Properties

7. Operation Sets
    Default Operation Sets
    Legacy Operation Sets

8. Individual Operations
    Configuring Operations

9. Default System Rules
    System Rules Information

10. Use Case Scenarios
    Service Provider Architecture
    Creating HelpDesk Administrator (Reset Password Only)
    Sharing
    Ownership

A. Glossary
    Key Concepts

Reader Comments

Preface

This documentation provides an introduction to the new WebFOCUS Client Repository and Authorization Security model. It is intended for developers who are responsible for developing security for WebFOCUS applications.

How This Manual Is Organized

This manual includes the following chapters:

Chapter/Appendix: Contents

1. Introducing WebFOCUS Client Repository and Authorization Security: Describes the purpose and basic functionality of WebFOCUS client security. It also includes important questions whose answers will help you structure an appropriate security model.

2. Security Basics: This chapter introduces the basic concepts of the new WebFOCUS Client Repository security model, including how to create groups, subgroups, users, OpSets, and folders.

3. Creating Users With Predefined Groups: Explains how to create users with groups that have already been created. It also expands on some of the basic concepts introduced earlier.

4. Sharing and Ownership: Introduces the concepts of sharing and ownership and describes the operations on which sharing relies.

5. Managing User Content: Describes how to manage user content.

6. Effective Policy: Describes how to determine or manage the effective policy for a user.

7. Operation Sets: Lists and explains the default and legacy operation sets.

8. Individual Operations: Lists and describes the individual operations.

9. Default System Rules: Lists and describes the Default Rules and System Rules.

10. Use Case Scenarios: Illustrates use cases to help understand and configure certain types of functionality within the new MR Repository and Security Authorization model.

A. Glossary: Glossary of key concepts in this manual.

Documentation Conventions

The following table lists and describes the conventions that apply in this manual.

Convention: Description

THIS TYPEFACE or this typeface: Denotes syntax that you must enter exactly as shown.

this typeface: Represents a placeholder (or variable) in syntax for a value that you or the system must supply.

underscore: Indicates a default setting.

this typeface: Represents a placeholder (or variable), a cross-reference, or an important term. It may also indicate a button, menu item, or dialog box option you can click or select.

this typeface: Highlights a file name or command.

Key + Key: Indicates keys that you must press simultaneously.

{ }: Indicates two or three choices; type one of them, not the braces.

[ ]: Indicates a group of optional parameters. None are required, but you may select one of them. Type only the parameter in the brackets, not the brackets.

|: Separates mutually exclusive choices in syntax. Type one of them, not the symbol.

...: Indicates that you can enter a parameter multiple times. Type only the parameter, not the ellipsis points (...).

. . . (stacked vertically): Indicates that there are (or could be) intervening or additional commands.

Related Publications

To view a current listing of our publications and to place an order, visit our Technical Documentation Library, http://documentation.informationbuilders.com. You can also contact the Publications Order Department at (800) 969-4636.

Customer Support

Do you have any questions about this product?

Join the Focal Point community. Focal Point is our online developer center and more than a message board. It is an interactive network of more than 3,000 developers from almost every profession and industry, collaborating on solutions and sharing tips and techniques, http://forums.informationbuilders.com/eve/forums.

You can also access support services electronically, 24 hours a day, with InfoResponse Online. InfoResponse Online is accessible through our World Wide Web site, http://www.informationbuilders.com. It connects you to the tracking system and known-problem database at the Information Builders support center. Registered users can open, update, and view the status of cases in the tracking system and read descriptions of reported software issues. New users can register immediately for this service. The technical support section of www.informationbuilders.com also provides usage techniques, diagnostic tips, and answers to frequently asked questions.

Call Information Builders Customer Support Service (CSS) at (800) 736-6130 or (212) 736-6130. Customer Support Consultants are available Monday through Friday between 8:00 a.m. and 8:00 p.m. EST to address all your questions. Information Builders consultants can also give you general guidance regarding product capabilities and documentation. Please be ready to provide your six-digit site code number (xxxx.xx) when you call.

To learn about the full range of available support services, ask your Information Builders representative about InfoResponse Online, or call (800) 969-INFO.


Information You Should Have

To help our consultants answer your questions effectively, be prepared to provide the following information when you call:

Your six-digit site code (xxxx.xx).

Your WebFOCUS configuration:

    The front-end you are using, including vendor and release.

    The communications protocol (for example, TCP/IP or HLLAPI), including vendor and release.

    The software release.

    Your server version and release. You can find this information using the Version option in the Web Console.

The stored procedure (preferably with line numbers) or SQL statements being used in server access.

The Master File and Access File.

The exact nature of the problem:

    Are the results or the format incorrect? Are the text or calculations missing or misplaced?

    The error message and return code, if applicable.

    Is this related to any other problem?

Has the procedure or query ever worked in its present form? Has it been changed recently? How often does the problem occur?

What release of the operating system are you using? Has it, your security system, communications protocol, or front-end software changed?

Is this problem reproducible? If so, how?

Have you tried to reproduce your problem in the simplest form possible? For example, if you are having problems joining two data sources, have you tried executing a query containing just the code to access the data source?

Do you have a trace file?

How is the problem affecting your business? Is it halting development or production? Do you just have questions about functionality or documentation?


User Feedback

In an effort to produce effective documentation, the Documentation Services staff welcomes your opinions regarding this manual. Please use the Reader Comments form at the end of this manual to communicate suggestions for improving this publication or to alert us to corrections. You can also use the Documentation Feedback form on our Web site, http://documentation.informationbuilders.com/feedback.asp.

Thank you, in advance, for your comments.

Information Builders Consulting and Training

Interested in training? Information Builders Education Department offers a wide variety of training courses for this and other Information Builders products.

For information on course descriptions, locations, and dates, or to register for classes, visit our World Wide Web site (http://www.informationbuilders.com) or call (800) 969-INFO to speak to an Education Representative.


1. Introducing WebFOCUS Client Repository and Authorization Security

To plan the security implementation in your WebFOCUS application, it is critical to consider several fundamental questions whose answers will help you structure your security model:

What information will be stored in the WebFOCUS repository?

Who will need access to this information?

What kind of access will each user need?

Topics:

Creating a Security Model

Creating a Security Model

The new WebFOCUS Client Repository and Authorization Security model expands and generalizes the access to Managed Reporting (MR) and Business Intelligence assets. Highlights of the model include:

Relational database storage for all content.

Improved integration with ReportCaster.

Component integration (single sign-on).

Blended user capabilities (which do not require the creation of new roles).

Improved integration with software service vendors using granular authorization and the delegation of administrative functions.

The system uses the Universal Object Access (UOA) layer, an implementation of Role-Based Access Control (RBAC), to enforce security across all objects in the repository. The flexibility of the UOA model enables an administrator to implement security at a granular level for every object in the WebFOCUS repository, if needed. User actions can be permitted or not permitted for individual combinations of users and objects. Access can be granted or specifically denied on a group or individual level, and it can be inherited down from a root folder that contains several types of objects. The administrator can create a comprehensive security model by using the following concepts provided by the UOA model:

Every object is a resource that can be controlled. Access to and management of all objects is controlled by the UOA.

Different object types have different controlled operations. While all object types have a delete operation, other operations are restricted to particular object types. Report request objects cannot be made members of a group and user objects cannot be run or scheduled.

Group membership determines two types of operations:

Which users can modify group or user definitions.

The actions a group or user can perform on objects.

Security rules control what users can do to objects in the repository:

Users belong to groups. As a best practice, for ease of administration, security rules should apply to these groups, although it is possible to create a security rule that applies to users.

User privileges are defined in operation sets. Operation sets are groupings of permitted or denied operations. An object is any group, user, operation set, item, or folder stored in the repository.

An object is any object or folder stored in the repository.

For example, the following statements can become rules:

Users in the group SalesMgmt can run reports in the folder SalesForecast. This can be implemented as the rule:

SalesMgmt PERMIT RunReport on Folder SalesForecast

Users in the group SalesAdmin can assign user IDs to the group SalesMgmt. This can be implemented as the rule:

SalesAdmin PERMIT AssignUsers on Group SalesMgmt

Security rules are inherited. Rules established on a folder apply to all its children and subfolders. Rules established on a group apply to all its children and subgroups. If you wish to change this behavior for a specific object, you can clear an inherited rule or define a more specific rule for a subfolder or subgroup. This change then applies to the descendants of the subfolder or subgroup.

Users can belong to multiple groups.

All the security rules that affect a specific user are merged to create the effective security policy for the user on each object. Since users can belong to multiple groups, the rules that affect all of the groups to which a user belongs are merged to determine what the single user is allowed to do. There is an order of precedence for user operations. If a user is within two different groups and is permitted an operation in one group but not granted that operation in another (implicit deny), the user is allowed that operation. However, if a user is permitted an operation in one group but denied that operation (explicit deny) in another, the user is denied that operation.

All operations need to be explicitly permitted. Operations that are not permitted are not available (effectively denied).

All objects in the WebFOCUS repository are either private entities or managed entities. Once created, private objects have a standard and consistent set of permitted operations that are granted to the owner of the object, which can be an individual user or a group. Managed objects, also known as system-owned objects, are managed by the set of security rules defined by security administrators. The ability to create new private objects inside a managed folder is also a controlled operation.

The ownership of a private object can be passed to another user or even to a group. When passed to a group, all members of that group have the same standard set of permitted operations, specified by the OpSet SystemPrivateResourcePermits. For example, group ownership may be useful when a development team is working on a project of interconnected reports. Anyone on the team may need to update a report. You could add new security rules for each user and then change the rules when the project is complete, but it is simpler to keep the report objects private and owned by the group while in development. Once the project is completed and the reports are ready to be released to a wider audience, you can change the status of the report objects to managed so that the security rules you have already determined for your system will apply.

In most circumstances, a new object is created as a private object. The status of the created object can then be changed to managed. Changing ownership and changing status from private to managed are themselves controlled operations.

By default, the owner of a private object can:

Run a report.

Run a deferred report.

Create a Private Item.

Create a Private Folder.

Open, delete, update, list, and view objects.

View and update the properties of an object.

The type of control that a user has on a private object can be modified for the entire site by updating the SystemPrivateResourcePermits operation set. All other operations must be explicitly granted to users through groups or roles. For example, by default, an owner of private objects cannot change the server execution properties of a report procedure, unless the operation to update reporting server properties has been enabled for the user.

Generally, non-owners cannot modify private objects. The sole exception is for administrative users permitted the operation of opManagePrivateResources on a group and granted the opManagePrivateTool operation. This allows the administrative users to clean up the objects of users who have left the organization. The explicit list of operations allowed on these private objects is determined by the operation sets of:

SystemManagePrivateFolders

SystemManagePrivateOutput

SystemManagePrivateNonOutput

For more information, see Operation Sets on page 57.

2. Security Basics

The new WebFOCUS Client Repository Authorization model allows administrators of the system to create granular controls for all users. This new architecture provides granularity, flexibility, and separation of duties, as well as auditing capabilities. The individual building blocks of groups, users, operation sets, and folders are used to create rules. Rules are then used as the basis of determining what a user is allowed or not allowed to do within the WebFOCUS Client Repository and Authorization model.

Topics:

Groups

Users

Operation sets

Folders

Rules


Groups

How to:

Create a Group and Subgroup

In the UOA model, a group is a container of users or subgroups that have similar capabilities and access. To enable this access, a rule will need to be created for a particular group or subgroup. As a best practice, rules should be created for groups and not users, as creating rules for individual users complicates administration.

How to Create a Group and Subgroup

Procedure:

1. Sign in with an administrative user ID that is permitted ALL on /.

By default, this user ID is admin with a password of admin.

2. Select Security Management from the Administration pane, or right-click Repository in the Resources pane and select Security, then User Administration.

3. Select the New Group button.

4. Create a group named AmericaBankMainGroup, with the description of America Bank Main Group.

5. Create a group named AmericaBankAnalyticalGroup, with the description of America Bank Analytical Group.

Users

How to:

Create a User

In the UOA model, a user is identified by a unique ID and additional properties, such as a description, e-mail address, password, and groups that the user belongs to. By default, all users are a member of the EVERYONE Group, which is the set of all named users on the system. In addition, an ID status such as active or inactive can be set for the individual users. When a user is a member of multiple groups, the rules on those groups are reconciled to give the user their effective policy.

Note: The user ID is case-sensitive.

How to Create a User

Procedure:

1. Sign in with an administrative user ID that is permitted ALL on /.

By default, this user ID is admin with a password of admin.

2. Select Security Management from the Administration pane, or right-click Repository in the Resources pane and select Security, then User Administration.

3. Select the New User button.

4. Create the user and place that user in AmericaBankMain/AnalyticalUsers, as shown in the following image.

Operation sets

How to:

Create an OpSet

Operation sets (OpSets), also known as permission sets (PSETs), are groups of permitted or denied operations. Administrators can allow or deny the use of operations for Groups and Users by applying operation sets. Operation sets are the building blocks, but nothing is applied until a rule is created. For more information on individual operation sets and operations, see Legacy Operation Sets on page 67 and Configuring Operations on page 76.

How to Create an OpSet

Procedure:

1. Sign in with an administrative user ID that is permitted ALL on /.

By default, this user ID is admin with a password of admin.

2. Select Security Management from the Administration pane, or right-click Repository in the Resources pane and select Security, then User Administration.

3. Select the Permission Sets tab.

4. Click New Permission Set.

5. Name the new operation set ListAndRun and enter the description List and Run operation set, as shown in the following image.

6. Move List, Run, RunDeferred, and View Folder/Item Properties from Available Operations to Selected Operations by double-clicking each operation or by selecting each operation and clicking on the Move button.

7. Click OK to save the new operation set.

Folders

How to:

Create a Folder

Make a Folder Managed

Folders contain all MR Repository content. In the UOA architecture, there is no limitation to folder depth, as there was in the 77 release and below. Whenever a user creates a folder, it will always be created as a private folder. It can remain private, if that is desired, or it can be changed to a system managed folder as long as the user has the proper permissions to do so (Make Managed - opMakeManaged). A managed item is not owned by an individual or group, but it is accessible to all users that have the proper rules in place to access it.

How to Create a Folder

Procedure:

1. Sign in with an administrative user ID that is permitted ALL on /.

By default, this user ID is admin with a password of admin.

2. Right-click Repository and select New Folder, as shown in the following image.

The Create Folder dialog box appears, as shown in the following image.

3. Populate the fields with the following and then select OK:

Description: America Bank

Summary: America Bank's Folder

Note: The Name field will automatically be filled in, derived from the description with only alpha and underscore characters allowed. If desired, the Name can be modified at this point. The Description is non-unique, but the Name must be unique within the folder and cannot contain any special characters. The summary is an extensive explanation of the folder and is accessible through the Info button located under the MR tree.

4. Right-click on America Bank and select New, then Folder. Name the folder Sales.

How to Make a Folder Managed

Procedure:

1. Right-click on America Bank and select Security, then Owner, as shown in the following image.

2. Select the Managed radio button, then OK, as shown in the following image.

Note: When you change a main folder to Managed, all subfolders are also changed to Managed.

Rules

In this section:

Rules Overview

Creating Rules for Folder Resources

Creating Rules for Groups

Creating Rules for Operation Sets

Rules Overview

Rules are combined at each level, then down the resource tree, to determine the effective policy on a resource. At each resource level, the effective policy can only be evaluated to NOT_SET, DENY, or PERMIT. This is then combined with rules at each lower level, to determine the Effective Policy on a resource for a particular user.
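
The merging described in this overview and under Creating a Security Model, as an added example in Python (not code from the manual or from WebFOCUS). The rule text follows the form of the SalesMgmt example; the folder paths, the NoDeferred operation set and the use of the same DENY over PERMIT over NOT_SET order when levels are combined are assumptions of this example, and the OVERPERMIT and CLEARINHERITANCE verbs are not modelled.

```python
"""Simplified model of effective-policy merging (illustration, not WebFOCUS code)."""
from typing import NamedTuple

# Constructed operation sets. ListAndRun holds the operations selected in the
# OpSet procedure earlier in this chapter; NoDeferred is hypothetical and only
# exists here to demonstrate an explicit DENY.
OPSETS = {
    "ListAndRun": {"List", "Run", "RunDeferred", "View Folder/Item Properties"},
    "NoDeferred": {"RunDeferred"},
}


class Rule(NamedTuple):
    who: str    # group (rarely a user) the rule applies to
    verb: str   # PERMIT or DENY; the absence of a rule is NOT_SET
    what: str   # operation set name
    where: str  # folder path (paths are this example's way of naming folders)


def parse_rule(text: str) -> Rule:
    """Parse '<who> <VERB> <opset> on Folder <path>' (form of the SalesMgmt example)."""
    fields = text.split()
    if len(fields) != 6 or fields[3:5] != ["on", "Folder"]:
        raise ValueError(f"unsupported rule text: {text!r}")
    who, verb, what, _, _, where = fields
    if verb not in ("PERMIT", "DENY") or what not in OPSETS:
        raise ValueError(f"unknown verb or operation set in: {text!r}")
    return Rule(who, verb, what, "/" + where.strip("/"))


def levels(path: str) -> list:
    """Return the folder and its ancestors, root first: '/a/b' -> ['/', '/a', '/a/b']."""
    parts = [p for p in path.split("/") if p]
    return ["/"] + ["/" + "/".join(parts[:i]) for i in range(1, len(parts) + 1)]


def combine(decisions) -> str:
    """Explicit DENY beats PERMIT; PERMIT beats NOT_SET (implicit deny)."""
    decisions = set(decisions)
    if "DENY" in decisions:
        return "DENY"
    return "PERMIT" if "PERMIT" in decisions else "NOT_SET"


def effective_policy(groups, operation, resource, rules):
    """Merge the rules of all the user's groups at each level, then down the tree.

    Returns (final decision, [(level, decision at that level), ...]).
    Assumption: levels are combined with the same DENY > PERMIT > NOT_SET order.
    """
    trace = []
    for level in levels(resource):
        hits = [r.verb for r in rules
                if r.where == level and r.who in groups and operation in OPSETS[r.what]]
        trace.append((level, combine(hits)))
    return combine(d for _, d in trace), trace


def is_allowed(groups, operation, resource, rules) -> bool:
    """Only an effective PERMIT allows the operation; NOT_SET is effectively denied."""
    return effective_policy(groups, operation, resource, rules)[0] == "PERMIT"


# Constructed rule set using the group names from this chapter.
RULES = [parse_rule(line) for line in (
    "AmericaBankMainGroup PERMIT ListAndRun on Folder /America_Bank",
    "AmericaBankAnalyticalGroup DENY NoDeferred on Folder /America_Bank/Sales",
)]

MAIN_ONLY = {"EVERYONE", "AmericaBankMainGroup"}
MAIN_AND_ANALYTICAL = MAIN_ONLY | {"AmericaBankAnalyticalGroup"}

if __name__ == "__main__":
    for groups, op, folder in (
        (MAIN_ONLY, "RunDeferred", "/America_Bank/Sales"),            # inherited PERMIT
        (MAIN_AND_ANALYTICAL, "RunDeferred", "/America_Bank/Sales"),  # explicit DENY wins
        (MAIN_AND_ANALYTICAL, "Run", "/America_Bank/Sales"),          # PERMIT + not set
        ({"EVERYONE"}, "List", "/America_Bank"),                      # nothing permitted
    ):
        decision, trace = effective_policy(groups, op, folder, RULES)
        print(f"{op:12} {folder:22} {decision:8} {trace}")
```

The per-level trace returned by effective_policy shows where a decision came from, which is the first thing to check when a user reports an unexpected denial.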

Creating Rules for Folder Resources

How to:

Create a Rule Allowing the America Bank Main Group ListAndRead on the America Bank Folder

You must define the following components to create a rule:

Who is the Group (usually) or the User (rarely).

Verb is NOT_SET, PERMIT, OVERPERMIT, or CLEARINHERITANCE.

What is the OpSet.

Where is the resource. In the case of a folder resource, it is the folder, or an item. A resource could also be a group, OpSet, or user.

When creating any rule on a folder resource, the resource is always selected first. Then any number of operation sets can be applied to any number of groups or users as an exception.

In the following example, we will create a rule giving the America Bank Main group the ListAndRead operation set on the America Bank folder.

How to Create a Rule Allowing the America Bank Main Group ListAndRead on the America Bank Folder

Procedure:

1. Sign in with an administrative user ID that is permitted ALL on /.

By default, this user ID is admin with a password of admin.

2. Right-click the America Bank folder in the Resources pane and select Security, then Access Rules.

The Security Rules dialog box appears.

3. In the Groups field, select AmericaBankMainGroup, as shown in the following image.

Note: If you do not see any Groups listed, uncheck Only show Groups with Rules.

4. Select the ListAndRead OpSet and set the Verb to PERMIT, as shown in the following image.

5. Click Apply if you wish to make further changes after this, or click OK to apply the changes and exit the dialog box.

Creating Rules for Groups

How to:

Create a Rule Allowing the America Bank Analytical Subgroup ShareWith Capability With the America Bank Main Group

The following procedure uses the previous examples in this chapter.

How to Create a Rule Allowing the America Bank Analytical Subgroup ShareWith Capability With the America Bank Main Group

Procedure:

1. Sign in with an administrative user ID that is permitted ALL on /.

By default, this user ID is admin with a password of admin.

2. Right-click the Repository folder in the Resources pane and select Security, then User Administration.

The Security Center appears, as shown in the following image.

Page 31: WF 80 Beta Manual

3. Right-click AmericaBankMainGroup in the Groups field and select Security, then Access Rules, as shown in the following image.

The Security Rules dialog box appears.

4. In the Groups field, select AmericaBankAnalyticalGroup.

Note: If you do not see any Groups listed, uncheck Only show Groups with Rules.

Page 32: WF 80 Beta Manual

5. In the Rules for Group field set ShareWith to PERMIT, as shown in the following image.

6. Click OK, then click Close.

Page 33: WF 80 Beta Manual

Creating Rules for Operation Sets

How to:

Create a Rule That Disables Deletion of the ListAndRun OpSet

How to Create a Rule That Disables Deletion of the ListAndRun OpSet

Procedure:

1. Sign in with an administrative user ID that is permitted ALL on /.

By default, this user ID is admin with a password of admin.

2. Select Security Center in the Administrative pane, or right-click inside the Resources pane and select Security, then Access Rules.

3. In Security Center, select the Permission Sets tab.

4. Right-click ListAndRun and select Security, then Access Rules.

5. Select the operation set of ProtectSystemResources on the left side of the window, and the EVERYONE group on the right side, and apply the Permission Set by either dragging and dropping or using the arrow button to apply.

Page 34: WF 80 Beta Manual

Page 35: WF 80 Beta Manual

3. Creating Users With Predefined Groups

WebFOCUS includes default groups, operation sets, and rules to make it easier for you to administer your implementation.

Topics:

Default Groups, Operation Sets, and Rules

Creating a Managed Folder for Users to Access

Page 36: WF 80 Beta Manual

Default Groups, Operation Sets, and Rules

The WebFOCUS Client Repository has been preloaded with a set of default groups, operation sets, and rules applying to them. Among these are the WF_Legacy group and its subgroups corresponding to the legacy 7.6 and prior user roles. Note that these groups are not an exact match of what was in 7.7 and below, since these user types have access to the latest tools. If needed, you can clone these operation sets, and make them an exact match and give them access to the legacy tools as well. These predefined groups, and the operation sets that are used with them, include LibraryOnlyUsers, RunOnlyUsers, AnalyticalUsers, PowerUsers, Developers, ContentManagers, and MRAdministrators.

Default rules have been set from the root of the repository (Repository level) for these groups. A first time administrator only needs to create the users and place them in one of the predefined groups, under the WF_Legacy main group. A first time administrator does not need to create rules at this time. The users that are created in the WF_Legacy subgroups will have all the available permissions for the entire repository because of the default rules. If that is not the desired behavior, the default rules can be deleted or modified so that these users only have access to specific folders.

Creating a Managed Folder for Users to Access

How to:

Create a Managed Folder Accessible to Predefined Users

Create a User Using One of the Predefined Legacy WebFOCUS Groups

The following procedures show how to create a folder and place a user in the WF_Legacy/AnalyticalUsers Group. This user will have AnalyticalUser access to the folder.

First, the administrator should create a managed folder under the root of the repository. A managed folder is a folder that is accessible to all authorized users. It is not private to any one individual or group, but can be considered system wide.

How to Create a Managed Folder Accessible to Predefined Users

Procedure:

1. Sign in with an administrative user ID that is permitted ALL on /.

By default, this user ID is admin with a password of admin.

Page 37: WF 80 Beta Manual

2. Right-click Repository and select New Folder, as shown in the following image.

The Create Folder dialog box appears, as shown in the following image.

3. Populate the fields with the following and then select OK:

Description: America Bank

Summary: America Bank's Folder

Page 38: WF 80 Beta Manual

Note: The Name field will automatically be filled in, derived from the description with only alpha and underscore characters allowed. Description is non-unique but Name must be unique within the folder and cannot contain any special characters. The summary is an extensive explanation of the folder and is accessible through the Info button located under the MR tree.

4. Right-click on America Bank and select New, then Folder. Name the folder Sales.

5. Right-click on America Bank and select Security, then Owners, as shown in the following image.

Page 39: WF 80 Beta Manual

6. Select the Managed radio button, then OK, as shown in the following image.

How to Create a User Using One of the Predefined Legacy WebFOCUS Groups

Procedure:

1. Sign in with an administrative user ID that is permitted ALL on /.

By default, this user ID is admin with a password of admin.

2. Select Security Management from the Administration pane, or right-click Repository in the Resources pane and select Security, then User Administration.

The Security Center displays, as shown in the following image.

You can use the Security Center to create users and assign them to groups.

Page 40: WF 80 Beta Manual

3. Select the New User button.

The New User dialog box appears, as shown in the following image.

4. Populate the fields with the following and then select OK:

ID: abanalytic1

Description: America Bank Analytical User 1

E-mail Address: [email protected]

Password: abanalytic1

Create in group: WF_Legacy/AnalyticalUsers

Status: Active

5. Log in as abanalytic1. You can now create content.

Page 41: WF 80 Beta Manual

4. Sharing and Ownership

When a user wants to share an item, they can share that item with a particular group or user. The ability to share an item or a folder relies on four operations: Share Folder/Item (OpShareItem), Share with Group or User (opShareWith), List (opList), and List Users (opListUsers).

Topics:

Sharing How, Who, or Permissions

Ownership Permissions

Page 42: WF 80 Beta Manual

Sharing How, Who, or Permissions

The ability to share a private item or a folder relies on four operations. Share Item or Folder (OpShareItem) applies to the folder or item resource. This operation indicates that this user has the ability to share a folder or item. Who that user can share the item with is specified with the operations of Share with Group or User (opShareWith), List (opList), and List Users (opListUsers). These operations apply to the group resources. When you want to share an item with another group or user, the following needs to be considered:

The item to be shared must be within My Folder.

If the item the user wants to share is within a private folder, the private folder needs to be shared.

The private item within that folder needs to be shared.

The user or group that the item is being shared with needs the List (opList) operation on managed folders leading to this user's private folder, so they can navigate to this user's shared item.

Since the item is shared, there is a special operation set of SystemShareResourcePermits that is applied to the shared item, for all users that it is being shared with. That operation set contains the following operations:

View Folder/Item Properties

Schedule

Run

Run Deferred

Open

List

Page 43: WF 80 Beta Manual

Share How, Who, or Permissions

Example:

The following image shows an example of a private folder abpower1folder for the user of abpower1 that is under a managed folder of Sales. The abpower1folder itself is shared and the ProfitReport item is shared.

The following image shows the view when logged in as the wfpower1 user, who this item was shared with. Since this user had List (opList) capability from the repository level, they were able to see two main subfolders of America Bank and Bombay Bank. They were able to see and navigate to the Sales Folder which contains the private folder abpower1folder. This also shows that the original owner of the folder and item are abpower1.

For more information on Sharing Permissions, see Sharing on page 101.

Ownership Permissions

The ability to change the ownership of a private folder/item relies on six operations. Make Managed (opMakeManaged) and Make Private (opMakePrivate) apply to the folder/item resource. These operations indicate that a user has the ability to change the ownership of a folder/item or to make the folder/item a managed entity. Who the user can change the ownership to is specified with the operations of Set Group as Owner (opSetGroupOwner), Set User as Owner (opSetUserOwner), List (opList) and List Users (opListUsers).

For more information on Ownership, see Ownership on page 107.

Page 44: WF 80 Beta Manual

Page 45: WF 80 Beta Manual

5. Managing User Content

To help administer the new MR Repository and Authorization model, an administrator may delegate responsibilities to other users to allow them to manage the private content which they do not own.

Topics:

Managing Private User Content

Page 46: WF 80 Beta Manual

Managing Private User Content

A default administrative user has ALL over the entire repository. However, this user can delegate responsibilities to users who do not necessarily have ALL with the operations opManagePrivateResources and opManagePrivateTool. OpManagePrivateResources allows users the ability to manage private resources they do not own, and opManagePrivateTool grants the use of the tool which manages these private resources. With this delegation, three system operation sets are applied to user content.

SystemManagePrivateFolders - Administrative rights over private folders owned by other users

SystemManagePrivateOutput - Administrative rights over private non-output files owned by other users

SystemManagePrivateNonOutput - Administrative rights over private output owned by other users

There are three different operation sets so that a user with administrative capability over another user may still be restricted from viewing the user output.

Page 47: WF 80 Beta Manual

6. Effective Policy

The effective policy for a user is the derivation of all applicable rules applied to the user. The Effective Policy dialog box indicates why a user has or does not have a certain capability. Users with the Manage Rules on a Resource operation (opManageRulesOn) and the View Effective Policy on a Resource operation (opViewRulesOn) may also view the effective policies for other users belonging to that resource.

Topics:

Order of Precedence

Viewing Your Own User Effective Policy

Viewing Effective Policy for Other Users

Viewing Folder or Item Properties

Page 48: WF 80 Beta Manual

Order of Precedence

The following order of precedence is used to determine the effective policy on a resource at a particular level:

1. OverPermit

2. Deny

3. Permit

4. Not Set

On any particular level, these will be evaluated to DENY, PERMIT or NOT_SET.

This means that an OverPermit will win over a Deny. A Deny will win over a Permit. A Permit will win over a Not Set (Implied Deny). ClearInheritance clears all inherited rules on an operation on the level where ClearInheritance is placed, resetting the operation to a Not Set state for that level and its children.

No group takes precedence over another group and user rules do not take precedence over group rules. A policy is calculated at each level of a resource and combines with the policies of each child level to determine the effective policy for each user.

If an operation is Not Set, then it is Implicitly Denied.

If an operation is Permitted, it is allowed.

If an operation is Explicitly Denied, then it is not allowed. This takes precedence over a Permit. For example, if a user belongs to multiple GROUPs and is permitted an operation in one Group but denied the same operation in another Group, the user is denied the operation.

ClearInheritance removes all inherited rules on a resource.

Going down a resource tree, an effective policy at a particular resource level can only be DENY, PERMIT and UNSET, with precedence in that order. This is important to note when figuring out Inherited abilities.

Page 49: WF 80 Beta Manual

Viewing Your Own User Effective Policy

The View Effective Policy on a Resource operation (opViewRulesOn) is necessary for users to view their own effective policies. With this permission, you will be able to right-click a report and select Security, then Effective Policy.

Without this operation, these options do not display.

If you have opViewRulesOn and also opViewProperties or opUpdateProperties, you will also be able to view your effective policy from the Properties dialog box, which is shown in the following image.

Page 50: WF 80 Beta Manual

If you are not already at the Properties dialog box, right-click on a resource and select Properties. On the Properties dialog box, select Security and then Effective Policy. The Effective Policy dialog box appears.

Page 51: WF 80 Beta Manual

Each individual operation is listed by the Operations pane, which is shown in the following image.

Select an operation to review its effective policy in the Calculated Policy pane, as shown in the following illustration.

Page 52: WF 80 Beta Manual

The Calculated Policy pane shows the following elements:

Path Element. The location where a rule potentially may be applied.

Effective Policy. The combination of rules on that path element and any inherited rules.

Who. The groups or users to which the rule is applied. (Only displays the groups this user belongs to.) Groups are denoted by the Group icon.

PSET. The operation set applied.

Verb. The verb that applies to the listed path element.

In the previous images, the operation of Run (opRun) has been selected in the Operations pane. The Calculated Policy pane indicates which rules apply at different folder levels.

No rules have been applied at / or at WFC, which means that the operation is implicitly denied at those levels, per the global settings.

No rules have been applied at America_Bank, Sales, or Profit_Report.fex, which means that the operation is permitted at those levels, per the global settings.

A rule has been applied at the Repository level. The operations set used in that rule is WF_PowerUser, which specifies that Run (opRun) is PERMIT.

A rule has been applied at the abpower1 folder level. The operations set used in that Rule is SYSTEM, which specifies that Run (opRun) is OVERPERMIT.

Note: Not every operation applies to a particular resource type. For example, Run (opRun)applies to a folder or item resource, but Create a new Group (opCreateGroup) does not.

Viewing Effective Policy for Other Users

To view the effective policy of other users, you must have the following operations:

Page 53: WF 80 Beta Manual

Manage Rules on a Resource, which allows you to make use of the Rules and Access Rules context menus.

View Effective Policy on a Resource, which allows you to make use of the Rules and Effective Policy menus.

The combination of these two operations allows you to create rules and display the effective policy for yourself and other users. To display the users on the Effective Policy dialog box, you must also have Operation List (opList) or List Users (opListUsers) on the group or groups to which the other users belong.

The Effective Policy dialog box, with the operation Run (opRun) selected for user ab1, is shown below.

The dialog indicates the following:

No rules apply for ab1 on /, WFC, and Repository.

A rule applies for ab1 at the America_Bank folder level. Its OpSet is ListAndRead. ListAndRead does not use the operation of Run (opRun) since the Rule is NOT_SET.

A rule applies at the Sales folder level. Its OpSet is WF_Developer, in which the operation of Run (opRun) is PERMIT for the user of ab1.

Therefore, the effective policy for ab1 is that this user has the Run (opRun) capability on items within the Sales folder.
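
The order of precedence and the per-level calculation that the Effective Policy dialog box displays can be sketched as follows. This is an added example, not WebFOCUS code: it assumes a child level weighs its own rules against the parent's result under the same precedence, and the repository path, the GroupA and GroupB names, the operation-set contents and every rule shown are constructed.

```python
from dataclasses import dataclass
from enum import IntEnum


class Verb(IntEnum):
    """Verbs in the manual's order of precedence, so max() picks the winner."""
    NOT_SET = 0      # implied deny
    PERMIT = 1
    DENY = 2
    OVERPERMIT = 3


# Constructed subsets of operation sets named in this manual (not full definitions).
OPSETS = {
    "ListAndRead": {"opList", "opOpen", "opViewProps"},
    "WF_PowerUser": {"opList", "opOpen", "opRun", "opRunDef", "opViewProps"},
    "WF_Developer": {"opList", "opOpen", "opRun", "opRunDef", "opViewProps"},
    "SYSTEM": {"opList", "opOpen", "opRun", "opRunDef"},
}


@dataclass(frozen=True)
class Rule:
    resource: str               # path element the rule is placed on
    subject: str                # group or user the rule applies to
    opset: str                  # key into OPSETS
    verb: Verb = Verb.NOT_SET
    clear: bool = False         # True models ClearInheritance on the opset's operations


def levels(resource):
    """'/WFC/Repository' -> ['/', '/WFC', '/WFC/Repository']"""
    parts = [p for p in resource.split("/") if p]
    return ["/"] + ["/" + "/".join(parts[:i]) for i in range(1, len(parts) + 1)]


def effective_policy(resource, subjects, operation, rules):
    """Return [(path element, Verb)] from the root down to `resource`.

    `subjects` is the user ID plus every group the user belongs to; user rules
    and group rules are weighed equally, as the manual states.
    """
    inherited = Verb.NOT_SET
    trail = []
    for level in levels(resource):
        here = [r for r in rules
                if r.resource == level and r.subject in subjects
                and operation in OPSETS[r.opset]]
        if any(r.clear for r in here):
            inherited = Verb.NOT_SET      # drop whatever came from the parents
        # Assumption: the parent's result competes with this level's rules
        # under the same precedence.
        winner = max([inherited] + [r.verb for r in here if not r.clear])
        # A level only reports DENY, PERMIT or NOT_SET, so OVERPERMIT becomes PERMIT.
        inherited = Verb.PERMIT if winner == Verb.OVERPERMIT else winner
        trail.append((level, inherited))
    return trail


def is_allowed(resource, subjects, operation, rules):
    """NOT_SET is an implied deny, so only a final PERMIT allows the operation."""
    return effective_policy(resource, subjects, operation, rules)[-1][1] == Verb.PERMIT


# --- constructed sample data -------------------------------------------------
BANK = "/WFC/Repository/America_Bank"
SALES = BANK + "/Sales"

# The ab1 walkthrough: ListAndRead on America_Bank, WF_Developer on Sales.
AB1 = {"ab1", "AmericaBankMainGroup"}
AB1_RULES = [
    Rule(BANK, "AmericaBankMainGroup", "ListAndRead", Verb.PERMIT),
    Rule(SALES, "ab1", "WF_Developer", Verb.PERMIT),
]

# Two groups disagree at the Repository level; the owner's folder is OVERPERMIT.
ABPOWER1 = {"abpower1", "GroupA", "GroupB"}
CONFLICT_RULES = [
    Rule("/WFC/Repository", "GroupA", "WF_PowerUser", Verb.PERMIT),
    Rule("/WFC/Repository", "GroupB", "WF_PowerUser", Verb.DENY),
    Rule(SALES + "/abpower1folder", "abpower1", "SYSTEM", Verb.OVERPERMIT),
]

# ClearInheritance on Sales wipes the PERMIT inherited from the Repository level.
CLEAR_RULES = [
    Rule("/WFC/Repository", "GroupA", "WF_PowerUser", Verb.PERMIT),
    Rule(SALES, "GroupA", "WF_PowerUser", clear=True),
]

if __name__ == "__main__":
    for level, verb in effective_policy(SALES, AB1, "opRun", AB1_RULES):
        print(f"{level:45} {verb.name}")
```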

Viewing Folder or Item Properties

The Properties context menu displays the attribute information of a folder or an item within the resource tree.

The following operations allow you to view and make use of the Properties context menu:

opViewProps (View Folder or Item Properties) displays the context menu

Page 54: WF 80 Beta Manual

opUpdProps (Update Folder or Item Properties) updates properties

opRepSrvProps (View and Update Reporting Server Properties), if given, displays the Reporting Server Properties

To view the Effective Policy from the Security button on the Properties dialog box, you need the additional operation of opViewRulesOn (View Effective Policy on a Resource) or opManageRulesOn (Manage Rules on a Resource).

The following image shows the properties for an item (a report) on the resource tree.

Information Included in the Properties Dialog Box for an Element

Reference:

| Dialog Box Item | Description |
| --- | --- |
| Folder | Displays the full repository path of the containing folder. |
| Created On | Displays the creation date and time. |

Page 55: WF 80 Beta Manual

| Dialog Box Item | Description |
| --- | --- |
| Created By | Displays the user ID that created this folder. |
| Last Modified On | Displays the date and time this item was last changed. |
| Last Accessed On | Displays the date and time this item was accessed through Properties, Run, RunDeferred, or using any of the tools to edit. |
| Last Accessed By | Displays the user that last accessed this item. |
| Size | Size in bytes of the contents of the item. |
| Run | Immediate or Deferred. |
| Status | Managed or Private. |

Page 56: WF 80 Beta Manual

Page 57: WF 80 Beta Manual

7. Operation Sets

An operation set (OpSet) is a collection of individual operations and their associated settings. An operation set usually contains operations applicable to a specific type of resource. For example, if the resource is a GROUP resource, then the operation set contains operations, such as Create a New Group (opCreateGroup).

Topics:

Default Operation Sets

Legacy Operation Sets

Page 58: WF 80 Beta Manual

Default Operation Sets

The following table lists the default operation sets provided with WebFOCUS. Unless otherwise noted, the listed operations are set to PERMIT.

| Name | Function | Operations |
| --- | --- | --- |
| ALL | Allows all operations. | All operations |
| BIPFullControl | Allows all operations in Business Intelligence Portal. | Create Business Intelligence Portal, View Business Intelligence Portal, List, Delete, Validate Business Intelligence Portal, Save Positions, Add Personal Content, Manage Rules, Rename, Edit Navigation, Edit Banners, Edit Menu Bars, Edit Theme, Update Properties, Insert Page, Edit Page Layout, Edit Content |

Page 59: WF 80 Beta Manual

| Name | Function | Operations |
| --- | --- | --- |
| BIPPersonalize | Save positions and add content in Business Intelligence Portal. | Add Personal Content, List, Save Positions, View Business Intelligence Portal |
| BIPViewOnly | View Business Intelligence Portal. | List, View Business Intelligence Portal |
| CreatePrivateFolder | Creates private folders. | Create a Private Folder |
| List | List files and folders. | List |
| ListAndRead | Grants access to files. | List, Open, View Report/Folder Properties |
| ListAndRun | Lists and executes files. | List, Run, Run Deferred, View Report/Folder Properties |

Page 60: WF 80 Beta Manual

| Name | Function | Operations |
| --- | --- | --- |
| ManageGroups | Manages Groups. | Assign Rules for a Group, Assign Rules for a User, Assign Users from a Group, Assign Users to a Group, Create a new Group, Delete a Group, List, List Users, Manage Rules on a Resource, Set Group as an Owner, Set User as an Owner, Update Group Definition, View Group, View Effective Policy on a Resource |
| ManageOperationSets | Manages operation sets. | Create a new operation set, Delete operation set, List, Update operation set, Use operation set in Rules, View operation set |

Page 61: WF 80 Beta Manual

| Name | Function | Operations |
| --- | --- | --- |
| ManageOwner | Manage ownership of files or folders. | List, List Users, Set User as Owner, Set Group as Owner |
| ManagePrivateResources | System-granted operations on private resources that belong to other users via Groups. | The following operations are set to OVERPERMIT: List, Delete, Update Properties, Update Reporting Server Properties, View File or Folder Properties |
| ManageRules | Manages rules on resources. | Manage Rules on a Resource, View Effective Policy on a Resource |
| ManageUsers | Manages Users. | Create a New User, Delete a User, List Users, Set User Password, Update User Definition |

Page 62: WF 80 Beta Manual

| Name | Function | Operations |
| --- | --- | --- |
| ProtectSystemResources | Protects system resources. | Assign Users to Group, Create a New Group, Delete a Group, Delete Operation Set, Update Operation Set |
| ReportCaster Tools | Displays ReportCaster tools on toolbar and tabs. | Displays ReportCaster tools |
| SecurityCenter | Displays the Security Center. | Launch Security Center |
| ShareWith | Shares items. | List, List Users, Share with Group or User |

Page 63: WF 80 Beta Manual

| Name | Function | Operations |
| --- | --- | --- |
| SystemManagePrivateFolders | System-granted operations over private folders owned by other users, when user has opManagePrivateFolders. | The following operations are set to OVERPERMIT: Change Owner, Delete, List, Manage Rules, Open, Rename, Share with Group or User, Update Report/Folder Properties, Update Reporting Server Properties, View Report/Folder Properties, View Rules |

Page 64: WF 80 Beta Manual

| Name | Function | Operations |
| --- | --- | --- |
| SystemManagePrivateNonOutput | System-granted operations over private non-output files owned by other users, when user has opManagePrivateNonOutput. | The following operations are set to OVERPERMIT: Copy, Delete, Edit, List, Open, Rename, Update Report/Folder Properties, Update Reporting Server Properties, View Report/Folder Properties |

Page 65: WF 80 Beta Manual

| Name | Function | Operations |
| --- | --- | --- |
| SystemManagePrivateResources | System-granted operations over private output owned by other users, when user has opManagePrivateResources. | The following operations are set to OVERPERMIT: Delete, List, List Users, Manage Rules, Set Owner, Share with Group or User, Update Report/Folder Properties, Update Reporting Server Properties, View Report/Folder Properties, View Rules |

Page 66: WF 80 Beta Manual

| Name | Function | Operations |
| --- | --- | --- |
| SystemPrivateResourcePermits | System-granted operations to owners of private resources. | The following operations are set to OVERPERMIT: Create Private Repository File, Delete, List, Open, Run, Run Deferred, Update Report/Folder Properties, View Report/Folder Properties, Write/Replace Report/File. The following operation is denied: Create Private Folder |

Page 67: WF 80 Beta Manual

| Name | Function | Operations |
| --- | --- | --- |
| SystemShareResourcePermits | System-granted operations for shared private resources. | List, Open, Run, Run Deferred, Schedule, View a static document, View Report/Folder Properties, Create Private Folder, Create Private Repository File, Delete, Make Managed, Share Item or Folder, Update Ownership, Update Report/Folder Properties, Write/Replace Report/File |
| UseOperationSetsInRules | Uses Operation Sets when making access rules. | List, Use operation set in Rules, View operation set |

Legacy Operation Sets

The following operation sets replicate the different user roles and privileges provided with earlier releases of Managed Reporting. This allows administrators to easily map these user types and their privileges to the current UOA model.

Page 68: WF 80 Beta Manual

| Name | Function | Operations |
| --- | --- | --- |
| WF_AnalyticalUser | Defines the privileges for a Legacy Managed Reporting Analytical user. The Analytical user can do everything a Run Only user can do. In addition, the user can create private Folders and Private content, using the Assistant tools. The user can also save deferred output from the Deferred Status interface. | Create Private Folder, Create Private Repository File, Launch Advanced Graph Assistant, Launch InfoAssist, List, Open, Run, Run Deferred, Update Reporting Server Properties, View a static document, View Report/Folder Properties, Write/Replace Report/File |

Page 69: WF 80 Beta Manual

| Name | Function | Operations |
| --- | --- | --- |
| WF_ContentManager | Defines the privileges for a Managed Reporting Content Manager. The Content Manager is based on the Developer and adds the Data Server, Advanced, and Share My Report privileges. | Create Private Folder, Create Private Repository File, Launch Advanced Graph Assistant, Launch Editor, Launch InfoAssist, List, Make Managed, Make Private, Open, Run, Run Deferred, Share Item or Folder, Update Ownership, Update Reporting Server Properties, View a static document, View Report/Folder Properties, Write/Replace Report/File |

Page 70: WF 80 Beta Manual

| Name | Function | Operations |
| --- | --- | --- |
| WF_Developer | Defines the privileges for a Managed Reporting Developer. The Developer role can do everything an Analytical User can do. In addition, they can create content, and make it managed (Legacy Standard Report). They also have the ability to create Reporting Objects. | Create Private Folder, Create Private Repository File, Launch Advanced Graph Assistant, Launch InfoAssist, List, Make Managed, Make Private, Open, Run, Run Deferred, Update Ownership, Update Reporting Server Properties, View a static document, View Report/Folder Properties, Write/Replace Report/File |

Page 71: WF 80 Beta Manual

| Name | Function | Operations |
| --- | --- | --- |
| WF_LibraryOnlyUser | Defines the privileges for a Managed Reporting Library Only User. The Library Only User role provides the ability to create Dashboard users who can only access content stored in the Report Library. This content can be viewed in the Report Library and in a Dashboard page when displayed as a list, launch, output block, or watch list. Library Only Users cannot run reports, view the Repository Tree, view the Role Tree, access other WebFOCUS environments, and have limited access to Dashboard components. | List, Report Library |

Page 72: WF 80 Beta Manual

| Name | Function | Operations |
| --- | --- | --- |
| WF_PowerUser | Defines the privileges for a Managed Reporting Power User. The Power User is based on the Analytical User. It adds to the Analytical User by allowing the ability to create reports using the Editor and allows Sharing of Private Content. | Create Private Folder, Create Private Repository File, Launch Advanced Graph Assistant, Launch Editor, Launch InfoAssist, List, Open, Run, Run Deferred, Share Item or Folder, Update Reporting Server Properties, View a static document, View Report/Folder Properties, Write/Replace Report/File |
| WF_RunOnlyUser | Defines the privileges for a Managed Reporting Run Only User. A Run Only User can run Standard Reports, has access to reports shared by other users, can utilize the Assistant tools to create a report, but cannot save it. | Launch Advanced Graph Assistant, Launch InfoAssist, List, Run, Run deferred, View Report/Folder Properties |

Page 73: WF 80 Beta Manual

| Name | Function | Operations |
| --- | --- | --- |
| WF_User | Defines the privileges for a Managed Reporting User. Users can run Standard Reports (in immediate and deferred mode) and access shared Private Reports by other users. | List, Run, Run deferred, View Report/Folder Properties |

Page 74: WF 80 Beta Manual

Page 75: WF 80 Beta Manual

8. Individual Operations

The following chapter describes each of the individual atomic operations that are available within the new MR Repository and Security Authorization model.

Topics:

Configuring Operations

Page 76: WF 80 Beta Manual

Configuring Operations

Reference:

Tool Launch Management Operations

ReportCaster Tool Launch Management Operations

General Object Management

Folder and Item Management

Group Management

Developer Studio Launch Tool Management

User Management

Operation Set Management

Tool Launch Management Operations

Reference:

Controls access to report development tools.

| Operation | Description | Operation ID |
| --- | --- | --- |
| Launch Report Assist | User can launch HTML Report Assist. | opHTMLRA |
| Launch InfoAssist | User can launch InfoAssist. | opInfoAssist |
| Launch Graph Assist | User can launch HTML Graph Assist. | opHTMLGA |
| Launch Power Painter | User can launch Power Painter. | opPowerPainter |
| Launch Editor | User can open report in text editor. | opEditor |
| Launch View Builder | User can launch the Business Intelligence View Builder. | opViewBuilder |
| Launch Report Object Tool | User can launch the Report Object Tool. | opReportingObject |
| Launch Security Center | User can Launch Security Center (global). | opManageSecurity |
| Launch URL Tool | User can open URL tool. | opURL |

Page 77: WF 80 Beta Manual

| Operation | Description | Operation ID |
| --- | --- | --- |
| Launch Advanced Graph Assistant | User can launch Advanced Graph Assistant. | opAGA |
| Launch Manage Private Resources Tool | User can manage the Private Resources of another user (global). | opManagePrivateTool |

ReportCaster Tool Launch Management Operations

Reference:

Controls access to the ReportCaster scheduling tools.

| Operation | Description | Operation ID |
| --- | --- | --- |
| Schedule | User can Launch ReportCaster Scheduler | opSchedule |
| Launch Access List Tool | User can Launch Access List Tool. | opSchedAccessList |
| Launch Distribution List Tool | User can Launch Distribution List Tool. | opSchedDistributionList |
| ReportCaster Administration | Run the ReportCaster Administration Console. | rcadmin |
| ReportCaster | Display Tools item on banner (global). | robot |
| Report Library | Display Library within Tools Item on banner or tab (global). | library |

General Object Management

Reference:

Controls basic operations on objects.

| Operation | Description | Operation ID |
| --- | --- | --- |
| List | User can see contents of a resource. | opList |
| Delete | User can delete an object. | opDelete |

Page 78: WF 80 Beta Manual

| Operation | Description | Operation ID |
| --- | --- | --- |
| Manage Rules on a Resource | User can create and remove rules on a resource. | opManageRulesOn |
| View Effective Policy on a Resource | User can view the rules of a resource. | opViewRulesOn |
| Share with Group or User | User can share with this group or user. | opShareWith |
| Export | User can export a resource. | opExport |
| Create metadata | User can create metadata on the Reporting Server. | opMetadata |
| Access Favorites | User can access Favorites | opFavorites |
| Access Mobile Favorites | User can access Mobile Favorites. | opMobileFavorites |
| Launch Repository Search | User can launch Repository Search tool. | opRepositorySearch |

Folder and Item Management

Reference:

The following operations control the execution and viewing of report objects.

| Operation | Description | Operation ID |
| --- | --- | --- |
| Run | User can run a report procedure. | opRun |
| Open | User can view the contents of an item within a tool. Also requires the operation for the tool used to create the item. | opOpen |
| Write/Replace Item | User can update contents of an item. | opWrite |
| Create Private Folder | User can create a private folder. | opCreateFL |
| Create Private Repository Item | User can create a new private item. | opCreateItem |


Page 79: WF 80 Beta Manual

Operation ID | Description | Operation
opCopy | User can copy a folder or item. | Copy a Folder or Item
opRename | User can change the name of a folder or item. | Rename a Folder or Item
opViewProps | User can view folder or item properties. | View Folder or Item Properties
opUpdProps | User can update folder or item properties. | Update Folder or Item Properties
opRunDef | User can run a deferred report request. | Run Deferred
opSaveDef | User can save deferred report output. | Save Deferred Output
opRepSrvProps | User can update server execution properties: Server, Application Path. | Update Reporting Server Properties
opUpdateOwnership | User can change ownership of a private object to another subject (group/user). | Update Ownership
opMakeManaged | User can change a private folder or item into a managed folder or item. | MakeManaged
opMakePrivate | User can change a managed folder or item into a private folder or item. | MakePrivate
opShareItem | User can share a folder or item with other groups or users. | Share Folder/Item
opToggleTree | Toggle view Full/Repository view (global). | Toggle Repository View
parmrpt | Enable the Save Parameters button. | Allow Saved Parameter Reports


Page 80: WF 80 Beta Manual

Operation ID | Description | Operation
opUploadDataFile | User can upload a data file to the reporting server. | Upload a Data File
opUploadDocument | User can upload a document to the Repository. | Upload a Document
opUploadImage | User can upload an image to the Repository | Upload an Image
opCreateMyFolder | User can create a My Reports Folder | Create My Reports folder
opOlap | User can run a procedure with OLAP capabilities | Run with OLAP
opCut | User can cut a folder or item | Cut Folder or Item
opPaste | User can paste a folder or item | Paste a Folder or Item

Reference: Group Management

The following group of operations controls the tasks that can be performed on a group folder.

Operation ID | Description | Operation
opViewGroup | User can see contents of the group definition. | View Group
opCreateGroup | User can create a new folder as a subgroup or as a parent folder. | Create a new Group
opDeleteGroup | User can delete the group folder. | Delete a Group
opSetGroupOwner | User can set this group as an owner of private resources. | Set Group as Owner
opAssignUsersTo | User can assign users to this group. | Assign Users to Group
opUpdateGroup | User can update a group definition. | Update Group Definition


Page 81: WF 80 Beta Manual

Operation ID | Description | Operation
opUseGroupInRules | User can create or remove a rule with Group as the subject. | Assign Rules for a Group
opManagePrivateResources | User can manage the private items of another user. | Manage Private Resources of Users
opAssignUsersFrom | User can assign Users from this Group. | Assign Users from Group
opShareWith | User can share with this Group or User. | Share with Group or User
opUseInRules | User can create or remove Rule with Group as Subject (Who). | Assign Rules for a Group

Reference: Developer Studio Launch Tool Management

The following group of operations controls access to Developer Studio report development tools.

Operation ID | Description | Operation
opImpactAnalysis | User can open the Impact Analysis tool. | Launch Developer Studio Impact Analysis
opReportPainter | User can open the Report Painter tool. | Launch Developer Studio Report Painter
opDSEditor | User can open the Editor tool. | Launch Developer Studio Editor
opGraphAssistant | User can open the Graph Assistant tool. | Launch Developer Studio Graph Assistant
opHTMLComposeLayout | User can open the HTML Compose Layout tool. | Launch HTML Compose Layout
opProcedureViewer | User can open the Procedure Viewer. | Launch Developer Studio Procedure Viewer


Page 82: WF 80 Beta Manual

Operation ID | Description | Operation
opSQLReportWizard | User can open the SQL Report Wizard. | Launch Developer Studio SQL Report Wizard
opAlertWizard | User can open the Alert Wizard. | Launch Developer Studio Alert Wizard
opSourceControl | User can open the Source Control tool. | Launch Developer Studio Source Control
opDocComposeLayout | User can launch the Document Compose Layout tool. | Launch Developer Studio Document Compose Layout
opWFAdminConsole | User can launch WebFOCUS Administration Console | Launch WebFOCUS Administration Console
opESRIAdminConsole | User can update ESRI Administration Console | Launch ESRI Administration Console

Reference: User Management

The following group of operations controls the tasks that can be performed on a user.

Operation ID | Description | Operation
opViewUser | User can view user properties. | View User
opCreateUser | User can create a new user. | Create a New User
opSetPassword | User can create passwords for users. | Set User Password
opListUser | User can view a list of users in the database. | List Users
opDeleteUser | User can delete a user from a group. | Delete a User
opUpdateUser | User can modify the user definition. | Update User Definition
opSetUserOwner | User can set this user as an owner of private resources. | Set User as an Owner


Page 83: WF 80 Beta Manual

Operation ID | Description | Operation
opUseUserInRules | User can create or remove rule with user as subject (Who). | Assign Rules for a User

Reference: Operation Set Management

The following operations are related to what values can be allowed when creating operation statements in operation sets. This is typically used when the security administrator wants to delegate the management of some operation sets to other users, but does not want those users to have the ability to reverse global rules by un-denying or over-permitting an operation.

Operation ID | Description | Operation
opDeletePermSet | User can delete an operation set. | Delete operation set
opViewPermSet | User can see the operations within an operation set. | View operation set
opUseOVERPERMIT | Allows the editor of an operation set to use the OVERPERMIT verb. | Use OVERPERMIT verb on an operation
opUsePERMIT | Allows the editor of an operation set to use the PERMIT verb. | Use PERMIT verb on an operation
opUpdatePermSet | User can modify the name or the operations defined in an operation set. | Update Permission Set
opUsePermSetInRules | The operation set is available when creating rules. | Use operation set in Rules
opUseDENY | Allows the editor of an operation set to deny an operation. | Use DENY verb on an operation
opCreatePermSet | User can create a new operation set. | Create a new operation set
opUseCLEAR | Allows the editor of an operation set to use the OVERPERMIT verb and remove the DENY verb. | Use CLEAR inheritance verb on an operation.


Page 84: WF 80 Beta Manual

Operation ID | Description | Operation
opUseUNPERMIT | Allows user to set the UNPERMIT verb within an operation set | Use UNPERMIT verb on an operation
 | Allows user to set the UNDENY verb within an operation set and reverse the DENY verb. | Use UNDENY verb on an operation

Reference: ReportCaster Management

The following group of operations allows a user to manage ReportCaster.

Operation ID | Description | Operation
opScheduleItem | User can launch ReportCaster Scheduler on an Item. | Schedule an item
opSetBlackoutDates | User can set Blackout Dates. | Set Blackout Dates
opRCGlobalUpdate | User can perform ReportCaster updates. | ReportCaster Global Updates
opLibraryManagement | User can perform Library Management. | Library Management
opRCServerManagement | User can manage Distribution servers. | ReportCaster Server Management
opRCConfiguration | User can configure ReportCaster. | ReportCaster Configuration
opRCJobStatus | User can view jobs status on distribution server. | ReportCaster Job Status

Reference: Portal Management

The following group of operations allows a user to manage the Business Intelligence Portal.

Operation ID | Description | Operation
OpCreatePortal | User can create a portal. | Create Portal


Page 85: WF 80 Beta Manual

Operation ID | Description | Operation
OpViewPortal | User can view the portal. | View Portal
OpSavePositions | User can save positions of portal panels. | Save Positions
opAddPersonalContent | User can add personal content to a portal. | Add Personal Content
opEditNavigation | User can edit a portal navigation. | Edit Navigation
opEditBanners | User can edit portal banners. | Edit Banners
opEditMenuBar | User can edit a portal menu bar. | Edit Menu Bar
opEditTheme | User can edit a portal theme. | Edit Theme
opValidatePortal | User can validate a portal to make sure the content can be seen by its intended audience. | Validate Portal
opInsertPage | User can insert new pages into a portal. | Insert Page
opEditPage Layout | User can edit the layout of a page. | Edit Page Layout
opEditContent | User can add and remove content from a portal. | Edit Content


Page 86: WF 80 Beta Manual


Page 87: WF 80 Beta Manual

9. Default System Rules

As shipped, UOA has a set of Default Rules (optional) and System Rules (required). The Default Rules are enabled for ease of use and administration, but can be modified or deleted as desired. System Rules are needed for the correct operation of UOA, and should not be removed.

Topics:

System Rules Information


Page 88: WF 80 Beta Manual

System Rules Information

Reference:

Default Rules

System Rules

For ease of use, the UOA repository has been loaded with a number of default rules. A number of these rules are system rules that protect and define system resources, and should not be deleted. However, the first set of rules is defined by default but fully optional.

Reference: Default Rules

These rules become effective only when users are defined within them.

Resource | OpSet Name | Verb | Group Name
GROUPS | ManageGroups | PERMIT | UserAdmins
/WFC/Repository | SecurityCenter | PERMIT | UserAdmins
USERS | ManageUsers | PERMIT | UserAdmins
/WFC/Repository | WF_ContentManager | PERMIT | ContentManagers
/WFC/Repository | WF_AnalyticalUser | PERMIT | AnalyticalUsers
/WFC/Repository | WF_PowerUser | PERMIT | PowerUsers
/WFC/Repository | WF_User | PERMIT | Users

Reference: System Rules

All of the following rules should be kept to protect system resources.

Resource | OpSet Name | Verb | Group Name
ProtectSystemResources | ProtectSystemResources | DENY | EVERYONE
ListAndRun | ProtectSystemResources | DENY | EVERYONE
WF_RunOnlyUser | ProtectSystemResources | DENY | EVERYONE


Page 89: WF 80 Beta Manual

Resource | OpSet Name | Verb | Group Name
ShareWith | ProtectSystemResources | DENY | EVERYONE
WF_ContentManager | ProtectSystemResources | DENY | EVERYONE
WF_MRAdministrator | ProtectSystemResources | DENY | EVERYONE
ManageUsers | ProtectSystemResources | DENY | EVERYONE
ManageOperationSets | ProtectSystemResources | DENY | EVERYONE
UserInfo | ProtectSystemResources | PERMIT | EVERYONE
Portals | ProtectSystemResources | PERMIT | EVERYONE
EDA | ProtectSystemResources | PERMIT | EVERYONE
ManageOwner | ProtectSystemResources | DENY | EVERYONE
UserInfo | ProtectSystemResources | PERMIT | EVERYONE
WF_Developer | ProtectSystemResources | DENY | EVERYONE
SystemPrivateResourcePermits | ProtectSystemResources | DENY | EVERYONE
WF_AnalyticalUser | ProtectSystemResources | DENY | EVERYONE
CreatePrivateFolder | ProtectSystemResources | DENY | EVERYONE
UseOperationSetsInRules | ProtectSystemResources | DENY | EVERYONE
ManagePrivateResources | ProtectSystemResources | DENY | EVERYONE
PSETS | ProtectSystemResources | PERMIT | EVERYONE
UsePSETsInRules | ProtectSystemResources | DENY | EVERYONE
WF_PowerUser | ProtectSystemResources | DENY | EVERYONE
SystemManagePrivateFolders | ProtectSystemResources | DENY | EVERYONE
BIPPersonalize | ProtectSystemResources | DENY | EVERYONE
BIPViewOnly | ProtectSystemResources | DENY | EVERYONE


Page 90: WF 80 Beta Manual

Resource | OpSet Name | Verb | Group Name
SystemShareResourcePermits | ProtectSystemResources | DENY | EVERYONE
ALL | ProtectSystemResources | DENY | EVERYONE
SystemManagePrivateOutput | ProtectSystemResources | DENY | EVERYONE
WF_LibraryOnlyUser | ProtectSystemResources | DENY | EVERYONE
BIPFullControl | ProtectSystemResources | DENY | EVERYONE
WF_User | ProtectSystemResources | DENY | EVERYONE
ManageGroups | ProtectSystemResources | DENY | EVERYONE
EVERYONE | ProtectSystemResources | DENY | EVERYONE
SystemManagePrivateNonOutput | ProtectSystemResources | DENY | EVERYONE
ListAndRead | ProtectSystemResources | DENY | EVERYONE
ManageRules | ProtectSystemResources | DENY | EVERYONE
List | ProtectSystemResources | DENY | EVERYONE
Repository | WF_Developer | PERMIT | Developers
ROOT | ALL | PERMIT | admins
Repository | WF_RunOnlyUser | PERMIT | RunOnlyUsers
Repository | WF_LibraryOnlyUser | PERMIT | LibraryOnlyUsers


Page 91: WF 80 Beta Manual

10. Use Case Scenarios

The following chapter illustrates use cases to help understand and configure certain types of functionality within the new MR Repository and Security Authorization model. These examples show how old functionality is implemented, as well as examples of creating new types of users, which was not possible before.

Topics:

Service Provider Architecture

Creating HelpDesk Administrator (Reset Password Only)

Sharing

Ownership


Page 92: WF 80 Beta Manual

Service Provider Architecture

How to:

Create Folders, Users, Groups, and Subgroups

Display the Security Center

Assign Rules to the User Administrator Subgroups

The following describes a Service Oriented Architecture, in which a provider would maintain a WebFOCUS infrastructure for their separate customers. Those customers share the same WebFOCUS install but do not and should not know about the user IDs or content of other customers.

Each of these customers has their own repository and main user group. There should also be subfolders and subgroups for each customer. This specific case was to create a user administrator for each of the separate customers. These user administrators can:

Create users, and assign them to their own group and subgroups.

Delete users only from their group and subgroups.

Create subgroups only within their main group.

Only see users within their group and subgroups.

Create rules for their group, or subgroups.

If desired, no access to repository content.

Note: These are specific requirements for this example. You could change this type of user ID so that it did have access to repository content.

Procedure: How to Create Folders, Users, Groups, and Subgroups

1. Sign in with an administrative user ID that is permitted ALL on /.

By default, this user ID is admin with a password of admin.


Page 93: WF 80 Beta Manual

2. Right-click Repository and select New Folder. The Create Folder dialog box appears.

3. Populate the fields with the following and then select OK:

Description: America Bank

Summary: America Bank Repository

Note: The Name field will automatically be filled in, derived from the description with only alpha and underscore characters allowed. Whereas Description is non-unique, Name must be unique within the folder and cannot contain any special characters.

4. Create another folder following steps 1 and 2. Set the name to Bombay Bank and select OK.

5. Right-click on America Bank and select New, then Folder. Name the folder Sales.

6. Right-click on Bombay Bank and select New, then Folder. Name the folder Sales.


Page 94: WF 80 Beta Manual

7. Right-click on America Bank and select Security, then Owner, as shown in the following image.

8. Select the Managed radio button, then OK.

9. Repeat steps 7 and 8 for the Bombay Bank folder.

You will have two folders with subfolders.


Page 95: WF 80 Beta Manual

10. Create a Main Group for each bank.

11. Create a User Administrator subgroup within each of these main groups.


Page 96: WF 80 Beta Manual

12. Create user administrators for each of the customers and assign them to their respective user admin groups.

Procedure: How to Display the Security Center

To be able to access the Security Center, you need to have the operation of Launch Security Center (opManageSecurity). Global operations like this are placed on /WFC/Repository. Since this is a global setting, it is not inherited.

1. From the repository tree root of the Repository, right-click Repository, then select Access Rules.

2. Select the America Bank User Admins Group, then PERMIT the OpSet of SecurityCenter. Select the Bombay Bank User Admins Group, then PERMIT the OpSet of SecurityCenter.


Page 97: WF 80 Beta Manual

Note: If the group you are adding the operation set to is not visible, you will need to deselect the Only show Groups with Rules option.

Procedure: How to Assign Rules to the User Administrator Subgroups

You need to give each user administrator subgroup a rule to allow them to administer their main group and subgroups. These operations are held in the operation sets of ManageGroups, ManageUsers.

1. Right-click the Repository User Administration, or Security Management link. Then, right-click the America Bank group.

2. Select Security, then Access Rules.


Page 98: WF 80 Beta Manual

3. Select the America Bank User Admins Group, then PERMIT the operation sets of ManageUsers and ManageGroups.

4. Repeat steps 1 through 3 for Bombay Bank.

Note: A default rule has been created for all users to allow them to use ALL operation sets in a rule. If that is not desired behavior, you could delete this default rule, and create a rule for each OpSet resource that you would allow the User Administrator to give to allowable groups.


Page 99: WF 80 Beta Manual

After completing the steps above you can check to make sure your new user admin logins work correctly and they are only allowed to:

Create users, and assign them to their own group and subgroups.

Delete users only from their group and subgroups.

Create subgroups only within their main group.

Only see users within their group and subgroups.

Create rules for their group or subgroups.

Have no access to repository content.
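
The post-setup check above can be reasoned about offline by modeling the rules this procedure creates. The following Python model is an added example, not code from this manual or from WebFOCUS: the operation-set contents, the constructed group and /GROUPS/... resource paths, and the precedence order OVERPERMIT over DENY over PERMIT are assumptions, and the CLEAR, UNPERMIT and UNDENY verbs are left out.

```python
"""Offline model of the rules built in the Service Provider procedure (added example)."""
from dataclasses import dataclass

# ASSUMED operation-set contents: the manual names these sets, but this section
# does not list their members. Operation IDs come from its reference tables.
OPSETS = {
    "SecurityCenter": {"opManageSecurity"},
    "ManageUsers": {"opViewUser", "opCreateUser", "opSetPassword",
                    "opListUser", "opDeleteUser", "opUpdateUser"},
    "ManageGroups": {"opViewGroup", "opCreateGroup", "opDeleteGroup",
                     "opAssignUsersTo", "opUpdateGroup", "opUseGroupInRules"},
}
# Operations marked "(global)" in the reference tables: they apply only on the
# resource where the rule is placed and are not inherited by child resources.
GLOBAL_OPS = {"opManageSecurity", "opManagePrivateTool", "opToggleTree",
              "robot", "library"}


@dataclass(frozen=True)
class Rule:
    who: str    # subject: a group path (constructed names)
    verb: str   # PERMIT, DENY or OVERPERMIT
    what: str   # operation set name
    where: str  # resource path the rule is placed on


def ancestors(path):
    """Return the path and every parent: /a/b -> ['/a/b', '/a', '/']."""
    parts = [p for p in path.split("/") if p]
    return ["/" + "/".join(parts[:i]) for i in range(len(parts), -1, -1)]


def allowed(rules, groups, op, resource):
    """Effective policy for one operation (assumed order: OVERPERMIT > DENY > PERMIT)."""
    scope = [resource] if op in GLOBAL_OPS else ancestors(resource)
    verbs = {r.verb for r in rules
             if r.who in groups and op in OPSETS[r.what] and r.where in scope}
    if "OVERPERMIT" in verbs:
        return True
    if "DENY" in verbs:
        return False
    return "PERMIT" in verbs  # no matching rule means no ability


def service_provider_rules():
    """Rules the procedure creates; group and resource paths are constructed."""
    rules = []
    for bank in ("AmericaBank", "BombayBank"):
        admins = f"{bank}/UserAdmins"
        rules += [
            Rule(admins, "PERMIT", "SecurityCenter", "/WFC/Repository"),
            Rule(admins, "PERMIT", "ManageUsers", f"/GROUPS/{bank}"),
            Rule(admins, "PERMIT", "ManageGroups", f"/GROUPS/{bank}"),
        ]
    return rules


def isolation_report(rules, own, other):
    """Answer the post-setup checks for one tenant's user administrator."""
    g = {f"{own}/UserAdmins"}
    return {
        "open_security_center": allowed(rules, g, "opManageSecurity", "/WFC/Repository"),
        "create_user_in_own_subgroup": allowed(rules, g, "opCreateUser", f"/GROUPS/{own}/Sales"),
        "create_subgroup_in_own_group": allowed(rules, g, "opCreateGroup", f"/GROUPS/{own}"),
        "list_users_of_other_tenant": allowed(rules, g, "opListUser", f"/GROUPS/{other}"),
        "delete_user_of_other_tenant": allowed(rules, g, "opDeleteUser", f"/GROUPS/{other}/Sales"),
        "create_top_level_group": allowed(rules, g, "opCreateGroup", "/GROUPS"),
        "run_repository_content": allowed(rules, g, "opRun", f"/WFC/Repository/{own}/Sales"),
    }


def precedence_demo():
    """A DENY on a subgroup beats the inherited PERMIT; OVERPERMIT beats the DENY."""
    admins, target = "AmericaBank/UserAdmins", "/GROUPS/AmericaBank/Sales"
    rules = service_provider_rules()
    rules.append(Rule(admins, "DENY", "ManageUsers", target))
    denied = allowed(rules, {admins}, "opDeleteUser", target)
    rules.append(Rule(admins, "OVERPERMIT", "ManageUsers", target))
    restored = allowed(rules, {admins}, "opDeleteUser", target)
    return denied, restored


if __name__ == "__main__":
    report = isolation_report(service_provider_rules(), "AmericaBank", "BombayBank")
    for check, result in report.items():
        print(f"{check:32} {result}")
    print("deny, then overpermit:", precedence_demo())
```

Any True result on the other tenant's groups, on the top-level group resource, or on repository content would mean a rule was placed too high in the tree or on the wrong subject.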

Creating HelpDesk Administrator (Reset Password Only)

How to:

Change Passwords for Users Belonging to Specific Groups

Display Security on the Banner for BID

The following describes a Help Desk Administrator group. These users will only be able to change passwords of users within the group that they are administering.

This specific case was to create helpdesk administrators for each of the separate customers created above.

Note: It is important that both procedures below are followed.

Procedure: How to Change Passwords for Users Belonging to Specific Groups

These are specific requirements for this example. You could change this type of user to have other types of access as well.

1. Sign in with an administrative user ID that is permitted ALL on /.

By default, this user ID is admin with a password of admin.

2. Create two main folders for the different customers.

3. Create a HelpDeskAdmin Group for each bank.

4. Right-click Repository Security, then User Administration or use the Security Management link.

5. Select the AmericaBankMain group, and create an AmericaBankHelpDeskAdmin subgroup.

6. Repeat step 5 for Bombay Bank Main Group.


Page 100: WF 80 Beta Manual

7. Select the Permission Sets tab and create an operation set named SetPassword, that has the following permissions:

List (opList)

List Users (opListUser)

Set User Password (opSetPassword)

8. Select America Bank Main Group, as this is the resource to be controlled, and select Security, then Access Rules.

9. Select the AmericaBankHelpDeskAdmins Group, and PERMIT the previously created operation set of SetPassword.

10. Assign the HelpDeskAdmin operation sets to the America Bank Help Desk Admins Group.

11. Repeat steps 8 to 12 for the Bombay Bank Group.

Procedure: How to Display Security on the Banner for BID

To display Security on the banner for BID, you need to have the operation of Manage User/Groups/PSets (opManageSecurity). Global operations are placed on the root of the repository tree, or /WFC/Repository. (Since this is a global setting, it is not inherited.)

1. From the repository tree root of the Repository, right-click Repository, then select Access Rules.

2. Select the America Bank User Admins Group, then PERMIT the OpSet of SecurityCenter. Select the Bombay Bank User Admins Group, then PERMIT the OpSet of SecurityCenter.


Page 101: WF 80 Beta Manual

Sharing

How to:

Create Folders and Make Them Managed

Create a Group and Subgroups

Create and Place Users

Create a Rule to Allow List

Create Rules to Allow Sharing of a Folder or Item

Create Rules to Allow Sharing to a Group

Test Sharing Ability

This specific use case is to show how users created within a group can share their items with users in the same group. If desired, this can be modified to share with a Group that the user is not in.

Note: To be able to share an item, the folder that it is located in must be shared. Whoever you are sharing with will need to be able to navigate to your shared directory.

Procedure: How to Create Folders and Make Them Managed

The following procedure can be used for both sharing and ownership.

1. Sign in with an administrative user ID that is permitted ALL on /.

By default, this user ID is admin with a password of admin.

2. Create a folder for America Bank.

3. Create a subfolder for Finance.

4. Create a subfolder for Sales.

5. Within the Finance folder, create a report procedure with InfoAssist called Account (this will be used to illustrate a managed item).

6. Make the Main America Bank Folder managed. All subfolders and items will now be Managed as well.


Page 102: WF 80 Beta Manual

Your tree should appear as follows.

Procedure: How to Create a Group and Subgroups

The following procedure can be used for both sharing and ownership.

1. Sign in with an administrative user ID that is permitted ALL on /.

By default, this user ID is admin with a password of admin.

2. Using Security Center, create an AmericaBankMain Group.

3. Create an AmericaBankDeveloper subgroup.

4. Create a subgroup under AmericaBankMain/AmericaBankDeveloper of Finance.

5. Create a subgroup under AmericaBankMain/AmericaBankDeveloper of Sales.

Procedure: How to Create and Place Users

The following procedure can be used for both sharing and ownership.

1. While using the Security Center, create users for the Finance and Sales Groups.


Page 103: WF 80 Beta Manual

2. Place the users in the following groups:

abdeveloperfinance1 - Finance Group

abdeveloperfinance2 - Finance Group

abdevelopersales1 - Sales Group

abdevelopersales2 - Sales Group

Procedure: How to Create a Rule to Allow List

This procedure allows all users within the AmericaBankMain Group and subgroups the List capability of the main America Bank Folder on the Repository tree. It is needed for any user within one of the groups or subgroups to navigate to the subfolders for which they are granted operations.

The following procedure can be used for both sharing and ownership.

1. Right-click the America Bank folder and select Security, then Access Rules.

2. In the Groups & Users section, select AmericaBankMain.

3. In the Available operation sets section, PERMIT the List OpSet.


Page 104: WF 80 Beta Manual

4. Select the Add operation sets to Selected Group or User button to apply the OpSet.

Procedure: How to Create Rules to Allow Sharing of a Folder or Item

1. Sign in with an administrative user ID that is permitted ALL on /.

By default, this user ID is admin with a password of admin.

2. From the Repository Tree, use the context menu and right-click the America Bank/Finance folder, select Rules, then select Access Rules.

3. Select the AmericaBankMain/AmericaBankAnalyticalUsers/Finance Group. Then PERMIT the WF_Developer and Share_Content OpSet. If the Share_Content operation set does not exist, you can create it with the operation of Share Folder/Item.

Procedure: How to Create Rules to Allow Sharing to a Group

The following procedure will allow anyone within the Finance Group to share with any other user in this Group.


Page 105: WF 80 Beta Manual

1. Within the Security Center, right-click Finance group, select Security, then Access Rules to create a rule for AmericaBankMain/AmericaBankDeveloper/Finance Group that will allow anyone within this group to share with any other user in this group.

2. In the Groups & Users section, select the AmericaBankMain/AmericaBankDeveloper/Finance Group.

3. In the Available operation sets section, PERMIT the ShareWith OpSet.

Note: This OpSet contains the operations of: List (opList), ListUsers (opListUser), and Share with Group or User (opShareWith).

4. Select the Add operation sets to Selected Group or User button to apply the OpSet.

The rule created allows the AmericaBankMain/AmericaBankDeveloper/Finance group ShareWith capabilities on AmericaBankMain/AmericaBankDeveloper/Finance group.

Note: If sharing to a different group is desired, then in step 1 above you would pick a different group, such as AmericaBankMain/AmericaBankDeveloper/Sales. This would allow anyone in the Finance group who is allowed to share an item to share it with the Sales group.


Page 106: WF 80 Beta Manual

Procedure: How to Test Sharing Ability

1. Log in as abdeveloperfinance1.

2. Create a private folder under America Bank/Finance.

3. Create a private procedure, named myfinance1.

4. Right-click the private folder, then select Share, and share it with the AmericaBankMain/AmericaBankDeveloper/Finance group.

5. Right-click the procedure, then select Share, and share it with the AmericaBankMain/AmericaBankDeveloper/Finance group.

The user ID of abdeveloperfinance1 will appear as follows.

6. Log in as abdeveloperfinance2.

The screen will appear as follows.


Page 107: WF 80 Beta Manual

Ownership

How to:

Change Ownership of a Folder/Item

Create a Rule to Allow Changing Ownership to a Group or User

Test Ownership Changes

This specific use case shows how a group can manage ownership of an item. Managing ownership implies the following type of abilities: changing the owner to either a group or user, or making a private folder/item managed, making a managed folder/item private. Each of these abilities is mutually exclusive. Just because a user has the ability to make a folder/item managed, does not mean they have the ability to change it back to a private folder/item. You can also restrict a user to only sharing with a group, sets of groups, or individual users.

The ability to change the ownership of a private folder/item, or change a private folder/item to managed or back again to private, relies on the following seven operations, which can be grouped as follows:

Folder/Item Level Operations

Make Managed (opMakeManaged) changes a privately owned folder/item to managed.

Make Private (opMakePrivate) changes a managed folder/item to privately owned.

Update Ownership (opUpdateOwnership) changes the ownership of a folder/item.

Note: Permitting any one of these operations can affect the display of the Owner context menu.

If you are permitted the Make Private (opMakePrivate) operation on a folder/item resource and/or the Update Ownership (opUpdateOwnership) ability on a folder/item resource, you have the ability to change the ownership, but you still do not have the ability to change it to any specific group or user. For that ability, you need the following operations permitted.

Group/User Level Operations

Set Group as Owner (opSetGroupOwner) allows changing the owner to specified group.

Set User as Owner (opSetUserOwner) allows changing the owner to a specified user.

List (opList) lists groups in this context.

List Users (opListUser) lists users within groups.


Page 108: WF 80 Beta Manual

Procedure: How to Change Ownership of a Folder/Item

These steps rely upon the prior steps in Sharing on page 101 being accomplished.

Create Folders and Make Them Managed

Create a Group and Subgroups

Create and Place Users

Create a Rule to Allow List

1. Sign in with an administrative user ID that is permitted ALL on /.

By default, this user ID is admin with a password of admin.

2. Using the Security Center, modify the previously created operation set of WF_AnalyticalUsersShare, and PERMIT the three operations of Make Managed (opMakeManaged), Make Private (opMakePrivate), and Update Ownership (opUpdateOwnership).

Note: We previously created a Rule with this operation set in Sharing on page 101.

Procedure: How to Create a Rule to Allow Changing Ownership to a Group or User

1. Using Security Center create a Rule that allows all users in the AmericaBankMain/AmericaBankDeveloper/Finance group ManageOwner capability on the same group.

2. Right-click the group of AmericaBankMain/AmericaBankDeveloper/Finance Group then select Access Rules.

3. Using the operation set of ManageOwner, apply it to the Group of AmericaBankMain/AmericaBankDeveloper/Finance.

Note: ManageOwner OpSet means that anyone within the Finance Group has the ability to change ownership and contains the operations of: Set Group as Owner (opSetGroupOwner), Set User as Owner (opSetUserOwner), List (opList), and List Users.

Procedure: How to Test Ownership Changes

1. Log in to Dashboard as user abdeveloperfinance1.

2. Select the Folder myfinance that was created in Sharing on page 101.

3. Note the context menu of Owner and the list of users abdeveloperfinance1 and abdeveloperfinance2, as well as the group of AmericaBankMain/AmericaBankDeveloper/Finance.


Page 109: WF 80 Beta Manual

A. Glossary

This is a glossary of key concepts in this manual.

Topics:

Key Concepts


Page 110: WF 80 Beta Manual

Key ConceptsUser

A named user within the Managed Reporting repository.

Group

A container to hold similar users. Without a rule created for the group, the group is notgiven any abilities. A group or user is always the subject of a rule.

OpSet

Grouping of permitted or denied operations. Also referred to as an operation set.

Operation

An atomic ability that can be permitted or denied for a user. For example, the operation opRun can be permitted or denied.

Item

Any type of repository content, such as a Folder, Focexec, Static Output, Schedule, Access List, and Distribution List.

Folder

A container for items.

Resource

Any object, such as an item, group, user, or OpSet. Any object that can be used to create a rule.

Rule

Combines a group OpSet or user OpSet and a resource to create the ability to do something. Comprises three parts:

Who is the group (usually) or the user (rarely).

What is the OpSet.

Where is some resource, such as an item, group, or OpSet.

Private

An item or folder in which the owner is either a user or a group. All private items have the system OpSet SystemPrivateResourcePermits associated with them.

Managed

A system-owned item; not private.


Shared

You can share a folder and its contents (items) with other users and groups. Shared items have the OpSet SharedResourcePermits associated with them.

Permit

Grants the ability to perform a particular operation.

Deny

Denies the ability to perform a particular operation.

OverPermit

Allows a particular operation like a Permit, but overrides a Deny.

ClearInheritance

Clears inherited rules from above a resource.

Effective Policy

The aggregation of all permitted and denied operations to give the user their resulting access.

UOA

Universal Object Access.
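The way Permit, Deny, OverPermit, and ClearInheritance combine into an Effective Policy can be shown with a small model. This is an added example, not WebFOCUS code: the folder paths, the AllUsers group, top-down inheritance along the folder path, and the assumption that a Deny beats a plain Permit are constructed for illustration.

```python
# Toy model of the glossary terms; an illustration, not WebFOCUS code.
from collections import namedtuple

# A rule has three parts: who (group), what (verb + operation), where (resource).
Rule = namedtuple("Rule", "who verb op where")

def ancestors(path):
    """'/a/b' -> ['/', '/a', '/a/b'], root first."""
    parts = [p for p in path.split("/") if p]
    return ["/"] + ["/" + "/".join(parts[:i + 1]) for i in range(len(parts))]

def effective_policy(rules, groups, resource):
    """Aggregate the rules that apply to a member of `groups` on `resource`."""
    verbs = {}  # operation -> verbs collected from the root down to the resource
    for node in ancestors(resource):
        here = [r for r in rules if r.where == node and r.who in groups]
        if any(r.verb == "CLEARINHERITANCE" for r in here):
            verbs = {}  # drop everything inherited from above this node
        for r in here:
            if r.verb != "CLEARINHERITANCE":
                verbs.setdefault(r.op, set()).add(r.verb)
    policy = {}
    for op, seen in verbs.items():
        if "OVERPERMIT" in seen:   # allows like a Permit, overrides a Deny
            policy[op] = True
        elif "DENY" in seen:       # assumption: a Deny beats a plain Permit
            policy[op] = False
        else:
            policy[op] = "PERMIT" in seen
    return policy  # an operation with no rule is absent: no ability granted

FINANCE = "AmericaBankMain/AmericaBankDeveloper/Finance"
EVERYONE = "AllUsers"  # constructed group name
RULES = [  # constructed sample rules and folder paths
    Rule(EVERYONE, "PERMIT", "opRun", "/"),
    Rule(EVERYONE, "DENY", "opMakePrivate", "/"),
    Rule(FINANCE, "PERMIT", "opMakePrivate", "/reports"),
    Rule(FINANCE, "OVERPERMIT", "opSetUserOwner", "/reports"),
    Rule(EVERYONE, "DENY", "opSetUserOwner", "/reports/myfinance"),
    Rule(FINANCE, "CLEARINHERITANCE", None, "/reports/sandbox"),
    Rule(FINANCE, "PERMIT", "opMakePrivate", "/reports/sandbox"),
]

if __name__ == "__main__":
    member = {EVERYONE, FINANCE}
    for where in ("/reports/myfinance", "/reports/sandbox"):
        print(where, effective_policy(RULES, member, where))
```

In this model a Finance member keeps opSetUserOwner on /reports/myfinance despite the Deny placed there, while ClearInheritance on /reports/sandbox removes both the inherited Deny on opMakePrivate and the inherited Permit on opRun.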


Reader Comments

In an ongoing effort to produce effective documentation, the Documentation Services staff at Information Builders welcomes any opinion you can offer regarding this manual.

Please use this form to relay suggestions for improving this publication or to alert us to corrections. Identify specific pages where applicable. You can contact us through the following methods:

Mail: Documentation Services - Customer Support, Information Builders, Inc., Two Penn Plaza, New York, NY 10121-2898

Fax: (212) 967-0460

Email: [email protected]

Web form: http://www.informationbuilders.com/bookstore/derf.html

Name:

Company:

Address:

Telephone: Date:

Email:

Comments:

Information Builders, Two Penn Plaza, New York, NY 10121-2898 (212) 736-4433

WebFOCUS Client Repository and Security Authorization 8.0 Beta, DN4500988.0611

Creating Reports With WebFOCUS Language

Version 7 Release 6


WebFOCUS Client Repository and Security Authorization 8.0 Beta