New MR Repository & Security Universal Object Access

Brian A SuterVP WebFOCUS Product

DevelopmentApril 20, 2023

Copyright 2009, Information Builders. Slide 1

76x Security Structure - Review

Copyright 2009, Information Builders. Slide 2

WebFOCUS Managed Reporting SecurityRelease 76x and Earlier WebFOCUS Managed Reporting SecurityRelease 76x and Earlier

Internal (default) repository stored as HTM files on Application Server (basedir)

Authentication – Internal or External Authorization - Internal or External (RDBMS, Active Directory, LDAP)

using Realm Driver

BrowserMachine

Application Server/Web Server

WebFOCUSServer

WF

Servlet

& M

R (In

ternal)

Rep

osito

ry

DB2OracleSybaseInformixTeradata…

MR (External) Authorization (SQL RDBMS, Active Directory, LDAP)

Java Client

External Authentication

WebFOCUS 76x Managed Reporting Security User Authorization WebFOCUS 76x Managed Reporting Security User Authorization

Groups

Users Domains Reports

Role(*) Launch Pages

Documents

Role is assigned directly to user.

A user has only ONE role.

77x Repository and Security

Copyright 2009, Information Builders. Slide 5

77 Repository

File System model: Domains are top level folders N-depth folder/file tree No special purpose folders

Implemented in RDMS tables Derby shipped and installed Any RDBMS supported Audit, backup, clustering

Special rules eliminated

Copyright 2009, Information Builders. Slide 6

Groups & Users

Groups Groups can have sub-groups, sub-sub-groups, etc. Users are assigned to Groups (or sub-groups) Users can belong to multiple groups All users are in the EVERYONE group

User Authorizations Group membership usually authorization Matches standard LDAP/AD models User “flags” eliminated

User Management

Copyright 2009, Information Builders. Slide 7

Security Rules

All rules have 3 parts: A subject (Groups or Users) – the WHO Has permitted operations – the WHAT On some Folder (a resource) – the WHERE

Examples: Group RepDev has Developer on folder /Sales Group EVERYONE has RunReports on folder /Sales

WHO – WHAT – WHERE

Copyright 2009, Information Builders. Slide 8

Security Rules (continued)

Permissions are inherited down the tree RepDev inherits Developer permissions on folder

/Sales/Forcasts

Single User can have specific rules on every object Folder or file Recommend only as the exception!

Copyright 2009, Information Builders. Slide 9

Different roles on different folders

Copyright 2009, Information Builders. Slide 10

Permissions Sets - WHAT

Named list of permissions on very granular operationsWF ships with a set of defined permission sets

Customers can create their own Reusable for multiple rules

Usually declare what a subject can DO (permit) Can declare what can not be done (deny)

Abilities are never implied if an individual operation is not permitted or denied – it is

an effective deny

WHO – WHAT - WHERE

Copyright 2009, Information Builders. Slide 11

Creating and controlling Rules

“Access Rules” context menu choice Specifies the WHERE of the rules to be created

Users need to be permitted to change rules on a resource

Group to sub-group inheritance A rule for a group is inherited by sub-groups

WHO - WHAT – WHERE

Copyright 2009, Information Builders. Slide 12

Example of setting Access Rules

Copyright 2009, Information Builders. Slide 13

Permission Sets – List of Operations

Everything is an operation: Create file, Create folder, Run report, Run differed,

Schedule a report, Manage schedules, Create access lists, Create distribution lists, Update properties, Update Execution properties, Read file, Write file, Delete, Change Ownership, Share, ...

Launch InfoAssist, Launch Editor, Launch security central, Launch RC admin, Launch developer Studio tools, ...

Create groups, Assign users to groups, Make rules for the Group (group as subject), Share with Group,...

Create User, Update user status/password, ... Create PSET, Update PSET, Delete PSET, ...

Copyright 2009, Information Builders. Slide 14

Private Files & Folders (aka MyReports)

Private files can exist anywhere you allow them Private folders recommended

Private files can be owned by users or by Groups “In development”

Private files can be shared With specific groups/users

Two special Permission-Sets: Owners have PrivateFilePermissions on PrivateFiles Sharees have SharedFilePermissions on SharedFiles

WHO – WHAT - WHERE

Copyright 2009, Information Builders. Slide 15

Example of setting Shares

Copyright 2009, Information Builders. Slide 16

User and Group Administration

Users are permitted operations to act on groups Create sub-groups Assign users to groups Assign users from groups Manage users in groups

Names, passwordsUser management

GlobalUserAdmin has ManageUsers on /EVERYONE

Copyright 2009, Information Builders. Slide 17

Everything is a Resource – a WHERE

/WFC /Repository

Sales Domain, etc. /UserInfo – preference files, deferred receipts

/SSYS /GROUPS /USERS /PSETS

/WEB - APPROOT application directories In the works

/VIEWS/viewname/tabname

Copyright 2009, Information Builders. Slide 18

Thank you!

Copyright 2009, Information Builders. Slide 19