WebFOCUS Client Repository and Security Authorization 8.0 Beta
DN4500988.0611
Cactus, EDA, EDA/SQL, FIDEL, FOCUS, Information Builders, the Information Builders logo, iWay, iWay Software, Parlay, PC/FOCUS, RStat, TableTalk, Web390, and WebFOCUS are registered trademarks, and DataMigrator and Magnify are trademarks of Information Builders, Inc.
Adobe, the Adobe logo, Acrobat, Adobe Reader, Flash, Adobe Flash Builder, Flex, and PostScript are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States and/or other countries.
Due to the nature of this material, this document refers to numerous hardware and software products by their trademarks. In most, if not all cases, these designations are claimed as trademarks or registered trademarks by their respective companies. It is not this publisher’s intent to use any of these names generically. The reader is therefore cautioned to investigate all claimed trademark rights before using any of these names other than to refer to the product described.
Copyright © 2011, by Information Builders, Inc. and iWay Software. All rights reserved. Patent Pending. This manual, or parts thereof, may not be reproduced in any form without the written permission of Information Builders, Inc.
Contents
Preface
  Documentation Conventions
  Related Publications
  Customer Support
  Information You Should Have
  User Feedback
  Information Builders Consulting and Training
1. Introducing WebFOCUS Client Repository and Authorization Security
  Creating a Security Model
2. Security Basics
  Groups
  Users
  Operation sets
  Folders
  Rules
    Rules Overview
    Creating Rules for Folder Resources
    Creating Rules for Groups
    Creating Rules for Operation Sets
3. Creating Users With Predefined Groups
  Default Groups, Operation Sets, and Rules
  Creating a Managed Folder for Users to Access
4. Sharing and Ownership
  Sharing How, Who, or Permissions
  Ownership Permissions
5. Managing User Content
  Managing Private User Content
6. Effective Policy
  Order of Precedence
  Viewing Your Own User Effective Policy
  Viewing Effective Policy for Other Users
  Viewing Folder or Item Properties
7. Operation Sets
  Default Operation Sets
  Legacy Operation Sets
8. Individual Operations
  Configuring Operations
9. Default System Rules
  System Rules Information
10. Use Case Scenarios
  Service Provider Architecture
  Creating HelpDesk Administrator (Reset Password Only)
  Sharing
  Ownership
A. Glossary
  Key Concepts
Reader Comments
Preface
This documentation provides an introduction to the new WebFOCUS Client Repository and Authorization Security model. It is intended for developers who are responsible for developing security for WebFOCUS applications.
How This Manual Is Organized
This manual includes the following chapters:
Chapter/Appendix: Contents
1. Introducing WebFOCUS Client Repository and Authorization Security: Describes the purpose and basic functionality of WebFOCUS client security. It also includes important questions whose answers will help you structure an appropriate security model.
2. Security Basics: This chapter introduces the basic concepts of the new WebFOCUS Client Repository security model, including how to create groups, subgroups, users, OpSets, and folders.
3. Creating Users With Predefined Groups: Explains how to create users with groups that have already been created. It also expands on some of the basic concepts introduced earlier.
4. Sharing and Ownership: Introduces the concepts of sharing and ownership and describes the operations on which sharing relies.
5. Managing User Content: Describes how to manage user content.
6. Effective Policy: Describes how to determine or manage the effective policy for a user.
7. Operation Sets: Lists and explains the default and legacy operation sets.
8. Individual Operations: Lists and describes the individual operations.
9. Default System Rules: Lists and describes the Default Rules and System Rules.
10. Use Case Scenarios: Illustrates use cases to help understand and configure certain types of functionality within the new MR Repository and Security Authorization model.
A. Glossary: Glossary of key concepts in this manual.
Documentation Conventions
The following table lists and describes the conventions that apply in this manual.
Convention
    Description
THIS TYPEFACE or this typeface
    Denotes syntax that you must enter exactly as shown.
this typeface
    Represents a placeholder (or variable) in syntax for a value that you or the system must supply.
underscore
    Indicates a default setting.
this typeface
    Represents a placeholder (or variable), a cross-reference, or an important term. It may also indicate a button, menu item, or dialog box option you can click or select.
this typeface
    Highlights a file name or command.
Key + Key
    Indicates keys that you must press simultaneously.
{ }
    Indicates two or three choices; type one of them, not the braces.
[ ]
    Indicates a group of optional parameters. None are required, but you may select one of them. Type only the parameter in the brackets, not the brackets.
|
    Separates mutually exclusive choices in syntax. Type one of them, not the symbol.
...
    Indicates that you can enter a parameter multiple times. Type only the parameter, not the ellipsis points (...).
.
.
.
    Indicates that there are (or could be) intervening or additional commands.
Related Publications
To view a current listing of our publications and to place an order, visit our Technical Documentation Library, http://documentation.informationbuilders.com. You can also contact the Publications Order Department at (800) 969-4636.
Customer Support
Do you have any questions about this product?
Join the Focal Point community. Focal Point is our online developer center and more than a message board. It is an interactive network of more than 3,000 developers from almost every profession and industry, collaborating on solutions and sharing tips and techniques, http://forums.informationbuilders.com/eve/forums.
You can also access support services electronically, 24 hours a day, with InfoResponse Online. InfoResponse Online is accessible through our World Wide Web site, http://www.informationbuilders.com. It connects you to the tracking system and known-problem database at the Information Builders support center. Registered users can open, update, and view the status of cases in the tracking system and read descriptions of reported software issues. New users can register immediately for this service. The technical support section of www.informationbuilders.com also provides usage techniques, diagnostic tips, and answers to frequently asked questions.
Call Information Builders Customer Support Service (CSS) at (800) 736-6130 or (212) 736-6130. Customer Support Consultants are available Monday through Friday between 8:00 a.m. and 8:00 p.m. EST to address all your questions. Information Builders consultants can also give you general guidance regarding product capabilities and documentation. Please be ready to provide your six-digit site code number (xxxx.xx) when you call.
To learn about the full range of available support services, ask your Information Builders representative about InfoResponse Online, or call (800) 969-INFO.
Information You Should Have
To help our consultants answer your questions effectively, be prepared to provide the following information when you call:
Your six-digit site code (xxxx.xx).
Your WebFOCUS configuration:
The front-end you are using, including vendor and release.
The communications protocol (for example, TCP/IP or HLLAPI), including vendor and release.
The software release.
Your server version and release. You can find this information using the Version option in the Web Console.
The stored procedure (preferably with line numbers) or SQL statements being used in server access.
The Master File and Access File.
The exact nature of the problem:
Are the results or the format incorrect? Are the text or calculations missing or misplaced?
The error message and return code, if applicable.
Is this related to any other problem?
Has the procedure or query ever worked in its present form? Has it been changed recently? How often does the problem occur?
What release of the operating system are you using? Has it, your security system, communications protocol, or front-end software changed?
Is this problem reproducible? If so, how?
Have you tried to reproduce your problem in the simplest form possible? For example, if you are having problems joining two data sources, have you tried executing a query containing just the code to access the data source?
Do you have a trace file?
How is the problem affecting your business? Is it halting development or production? Do you just have questions about functionality or documentation?
User Feedback
In an effort to produce effective documentation, the Documentation Services staff welcomes your opinions regarding this manual. Please use the Reader Comments form at the end of this manual to communicate suggestions for improving this publication or to alert us to corrections. You can also use the Documentation Feedback form on our Web site, http://documentation.informationbuilders.com/feedback.asp.
Thank you, in advance, for your comments.
Information Builders Consulting and Training
Interested in training? Information Builders Education Department offers a wide variety of training courses for this and other Information Builders products.
For information on course descriptions, locations, and dates, or to register for classes, visit our World Wide Web site (http://www.informationbuilders.com) or call (800) 969-INFO to speak to an Education Representative.
1. Introducing WebFOCUS Client Repository and Authorization Security
Topics:
Creating a Security Model
To plan the security implementation in your WebFOCUS application, it is critical to consider several fundamental questions whose answers will help you structure your security model:
What information will be stored in the WebFOCUS repository?
Who will need access to this information?
What kind of access will each user need?
Creating a Security Model
The new WebFOCUS Client Repository and Authorization Security model expands and generalizes the access to Managed Reporting (MR) and Business Intelligence assets. Highlights of the model include:
Relational database storage for all content.
Improved integration with ReportCaster.
Component integration (single sign-on).
Blended user capabilities (which do not require the creation of new roles).
Improved integration with software service vendors using granular authorization and the delegation of administrative functions.
The system uses the Universal Object Access (UOA) layer, an implementation of Role-Based Access Control (RBAC), to enforce security across all objects in the repository. The flexibility of the UOA model enables an administrator to implement security at a granular level for every object in the WebFOCUS repository, if needed. User actions can be permitted or not permitted for individual combinations of users and objects. Access can be granted or specifically denied on a group or individual level, and it can be inherited down from a root folder that contains several types of objects. The administrator can create a comprehensive security model by using the following concepts provided by the UOA model:
Every object is a resource that can be controlled. Access to and management of all objects is controlled by the UOA.
Different object types have different controlled operations. While all object types have a delete operation, other operations are restricted to particular object types. Report request objects cannot be made members of a group and user objects cannot be run or scheduled.
Group membership determines two types of operations:
Which users can modify group or user definitions.
The actions a group or user can perform on objects.
Security rules control what users can do to objects in the repository:
Users belong to groups. As a best practice, for ease of administration, security rules should apply to these groups, although it is possible to create a security rule that applies to users.
User privileges are defined in operation sets. Operation sets are groupings of permitted or denied operations. An object is any group, user, operation set, item, or folder stored in the repository.
An object is any object or folder stored in the repository.
For example, the following statements can become rules:
Users in the group SalesMgmt can run reports in the folder SalesForecast. This can be implemented as the rule:
SalesMgmt PERMIT RunReport on Folder SalesForecast
Users in the group SalesAdmin can assign user IDs to the group SalesMgmt. This can be implemented as the rule:
SalesAdmin PERMIT AssignUsers on Group SalesMgmt
Security rules are inherited. Rules established on a folder apply to all its children and subfolders. Rules established on a group apply to all its children and subgroups. If you wish to change this behavior for a specific object, you can clear an inherited rule or define a more specific rule for a subfolder or subgroup. This change then applies to the descendants of the subfolder or subgroup.
Users can belong to multiple groups.
All the security rules that affect a specific user are merged to create the effective security policy for the user on each object. Since users can belong to multiple groups, the rules that affect all of the groups to which a user belongs are merged to determine what the single user is allowed to do. There is an order of precedence for user operations. If a user is within two different groups and is permitted an operation in one group but not granted that operation in another (implicit deny), the user is allowed that operation. However, if a user is permitted an operation in one group but denied that operation (explicit deny) in another, the user is denied that operation.
All operations need to be explicitly permitted. Operations that are not permitted are not available (effectively denied).
All objects in the WebFOCUS repository are either private entities or managed entities. Once created, private objects have a standard and consistent set of permitted operations that are granted to the owner of the object, which can be an individual user or a group. Managed objects, also known as system-owned objects, are managed by the set of security rules defined by security administrators. The ability to create new private objects inside a managed folder is also a controlled operation.
The ownership of a private object can be passed to another user or even to a group. When passed to a group, all members of that group have the same standard set of permitted operations, specified by the OpSet SystemPrivateResourcePermits. For example, group ownership may be useful when a development team is working on a project of interconnected reports. Anyone on the team may need to update a report. You could add new security rules for each user and then change the rules when the project is complete, but it is simpler to keep the report objects private and owned by the group while in development. Once the project is completed and the reports are ready to be released to a wider audience, you can change the status of the report objects to managed so that the security rules you have already determined for your system will apply.
In most circumstances, a new object is created as a private object. The status of the created object can then be changed to managed. Changing ownership and changing status from private to managed are themselves controlled operations.
By default, the owner of a private object can:
Run a report.
Run a deferred report.
Create a Private Item.
Create a Private Folder.
Open, delete, update, list, and view objects.
View and update the properties of an object.
The type of control that a user has on a private object can be modified for the entire site by updating the SystemPrivateResourcePermits operation set. All other operations must be explicitly granted to users through groups or roles. For example, by default, an owner of private objects cannot change the server execution properties of a report procedure, unless the operation to update reporting server properties has been enabled for the user.
Generally, non-owners cannot modify private objects. The sole exception is for administrative users permitted the operation of opManagePrivateResources on a group and granted the opManagePrivateTool operation. This allows the administrative users to clean up the objects of users who have left the organization. The explicit list of operations allowed on these private objects is determined by the operation sets of:
SystemManagePrivateFolders
SystemManagePrivateOutput
SystemManagePrivateNonOutput
For more information, see Chapter 7, Operation Sets.
2. Security Basics
Topics:
Groups
Users
Operation sets
Folders
Rules
The new WebFOCUS Client Repository Authorization model allows administrators of the system to create granular controls for all users. This new architecture provides granularity, flexibility, and separation of duties, as well as auditing capabilities. The individual building blocks of groups, users, operation sets, and folders are used to create rules. Rules are then used as the basis of determining what a user is allowed or not allowed to do within the WebFOCUS Client Repository and Authorization model.
Groups
How to:
Create a Group and Subgroup
In the UOA model, a group is a container of users or subgroups that have similar capabilities and access. To enable this access, a rule will need to be created for a particular group or subgroup. As a best practice, rules should be created for groups and not users, as creating rules for individual users complicates administration.
How to Create a Group and Subgroup
Procedure:
1. Sign in with an administrative user ID that is permitted ALL on /.
By default, this user ID is admin with a password of admin.
2. Select Security Management from the Administration pane, or right-click Repository in the Resources pane and select Security, then User Administration.
3. Select the New Group button.
4. Create a group named AmericaBankMainGroup, with the description of America Bank Main Group.
5. Create a group named AmericaBankAnalyticalGroup, with the description of America Bank Analytical Group.
Users
How to:
Create a User
In the UOA model, a user is identified by a unique ID and additional properties, such as a description, e-mail address, password, and the groups that the user belongs to. By default, all users are a member of the EVERYONE Group, which is the set of all named users on the system. In addition, an ID status such as active or inactive can be set for the individual users. When a user is a member of multiple groups, the rules on those groups are reconciled to give the user their effective policy.
Note: The user ID is case-sensitive.
How to Create a User
Procedure:
1. Sign in with an administrative user ID that is permitted ALL on /.
By default, this user ID is admin with a password of admin.
2. Select Security Management from the Administration pane, or right-click Repository in the Resources pane and select Security, then User Administration.
3. Select the New User button.
4. Create the user and place that user in AmericaBankMain/AnalyticalUsers, as shown in the following image.
Operation sets
How to:
Create an OpSet
Operation sets (OpSets), also known as permission sets (PSETs), are groups of permitted or denied operations. Administrators can allow or deny the use of operations for Groups and Users by applying operation sets. Operation sets are the building blocks, but nothing is applied until a rule is created. For more information on individual operation sets and operations, see Legacy Operation Sets in Chapter 7 and Configuring Operations in Chapter 8.
How to Create an OpSet
Procedure:
1. Sign in with an administrative user ID that is permitted ALL on /.
By default, this user ID is admin with a password of admin.
2. Select Security Management from the Administration pane, or right-click Repository in the Resources pane and select Security, then User Administration.
3. Select the Permission Sets tab.
4. Click New Permission Set.
5. Name the new operation set ListAndRun and enter the description List and Run operation set, as shown in the following image.
6. Move List, Run, RunDeferred, and View Folder/Item Properties from Available Operations to Selected Operations by double-clicking each operation or by selecting each operation and clicking on the Move button.
7. Click OK to save the new operation set.
Folders
How to:
Create a Folder
Make a Folder Managed
Folders contain all MR Repository content. In the UOA architecture, there is no limitation to folder depth, as there was in the 7.7 release and below. Whenever a user creates a folder, it will always be created as a private folder. It can remain private, if that is desired, or it can be changed to a system managed folder as long as the user has the proper permissions to do so (Make Managed - opMakeManaged). A managed item is not owned by an individual or group, but it is accessible to all users that have the proper rules in place to access it.
How to Create a Folder
Procedure:
1. Sign in with an administrative user ID that is permitted ALL on /.
By default, this user ID is admin with a password of admin.
2. Right-click Repository and select New Folder, as shown in the following image.
The Create Folder dialog box appears, as shown in the following image.
3. Populate the fields with the following and then select OK:
Description: America Bank
Summary: America Bank's Folder
Note: The Name field will automatically be filled in, derived from the description with only alpha and underscore characters allowed. If desired, the Name can be modified at this point. The Description is non-unique but Name must be unique within the folder and cannot contain any special characters. The summary is an extensive explanation of the folder and is accessible through the Info button located under the MR tree.
4. Right-click on America Bank and select New, then Folder. Name the folder Sales.
How to Make a Folder Managed
Procedure:
1. Right-click on America Bank and select Security, then Owner, as shown in the following image.
2. Select the Managed radio button, then OK, as shown in the following image.
Note: When you change a main folder to Managed, all subfolders will also be changed to Managed.
Rules
In this section:
Rules Overview
Creating Rules for Folder Resources
Creating Rules for Groups
Creating Rules for Operation Sets
Rules Overview
Rules are combined at each level, then down the resource tree, to determine the effective policy on a resource. At each resource level, the effective policy can only be evaluated to NOT_SET, DENY, or PERMIT. This is then combined with rules at each lower level, to determine the Effective Policy on a resource for a particular user.
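The group merge described in Chapter 1 (an explicit DENY in any group beats PERMIT, a group with no rule does not block a PERMIT, and anything not permitted is unavailable) combined with inheritance down the folder tree, as an added example that is not part of the original manual or of WebFOCUS itself. It parses folder rules written in the manual's "Group VERB Operation on Folder path" form. The sample groups and folders, the per-group scope given to CLEARINHERITANCE, and carrying the deny-over-permit precedence down the tree are assumptions; OVERPERMIT is left out because this section does not define it.

```python
from dataclasses import dataclass

NOT_SET, PERMIT, DENY, CLEAR = "NOT_SET", "PERMIT", "DENY", "CLEARINHERITANCE"


@dataclass(frozen=True)
class Rule:
    group: str
    verb: str
    operation: str
    folder: str  # normalized path such as "/SalesForecast/Board"


def normalize(folder):
    """'SalesForecast/Board/' -> '/SalesForecast/Board'; '' or '/' -> '/'."""
    return "/" + "/".join(s for s in folder.split("/") if s)


def lineage(folder):
    """Root-to-leaf chain of folders: '/A/B' -> ['/', '/A', '/A/B']."""
    segments = [s for s in folder.split("/") if s]
    return ["/"] + ["/" + "/".join(segments[: i + 1]) for i in range(len(segments))]


def parse_rule(line):
    """Parse '<Group> <VERB> <Operation> on Folder <path>' (folder rules only)."""
    parts = line.split()
    if len(parts) != 6 or parts[3] != "on" or parts[4] != "Folder":
        raise ValueError(f"not a folder rule: {line!r}")
    group, verb, operation, _, _, folder = parts
    if verb not in (PERMIT, DENY, CLEAR):
        raise ValueError(f"unsupported verb {verb!r} in {line!r}")
    return Rule(group, verb, operation, normalize(folder))


def effective_policy(rules, user_groups, operation, folder):
    """Return PERMIT, DENY or NOT_SET for one user, operation and folder."""
    # Every user is a member of EVERYONE, so its rules always take part.
    groups = set(user_groups) | {"EVERYONE"}
    in_effect = {g: set() for g in groups}  # verbs currently inherited per group
    for level in lineage(normalize(folder)):
        local = [r for r in rules
                 if r.folder == level and r.operation == operation and r.group in groups]
        # Assumption: CLEARINHERITANCE drops what this group inherited from above.
        for rule in local:
            if rule.verb == CLEAR:
                in_effect[rule.group].clear()
        for rule in local:
            if rule.verb != CLEAR:
                in_effect[rule.group].add(rule.verb)
    merged = set().union(*in_effect.values())
    if DENY in merged:      # explicit deny in any group wins
        return DENY
    if PERMIT in merged:    # implicit deny elsewhere does not block a permit
        return PERMIT
    return NOT_SET          # never permitted, so effectively denied


def is_allowed(rules, user_groups, operation, folder):
    """Operations must be explicitly permitted; NOT_SET is not enough."""
    return effective_policy(rules, user_groups, operation, folder) == PERMIT


# Constructed sample rules; only the first line appears in the manual.
SAMPLE_RULES = [parse_rule(line) for line in (
    "SalesMgmt PERMIT RunReport on Folder SalesForecast",
    "EVERYONE PERMIT List on Folder SalesForecast",
    "Contractors DENY RunReport on Folder SalesForecast/Board",
    "Contractors CLEARINHERITANCE RunReport on Folder SalesForecast/Board/Archive",
)]

if __name__ == "__main__":
    user = {"SalesMgmt", "Contractors"}
    for path in ("SalesForecast", "SalesForecast/Board", "SalesForecast/Board/Archive"):
        print(path, effective_policy(SAMPLE_RULES, user, "RunReport", path))
```

Running the same evaluation for each group a user belongs to, one at a time, shows which group contributes a DENY when a user unexpectedly loses access.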
Creating Rules for Folder Resources
How to:
Create a Rule Allowing the America Bank Main Group ListAndRead on the America Bank Folder
You must define the following components to create a rule:
Who is the Group (usually) or the User (rarely).
Verb is NOT_SET, PERMIT, OVERPERMIT, or CLEARINHERITANCE.
What is the OpSet.
Where is the resource. In the case of a folder resource, it is the folder, or an item. A resource could also be a group, OpSet, or user.
When creating any rule on a folder resource, the resource is always selected first. Then any number of operation sets can be applied to any number of groups or users as an exception.
In the following example, we will create a rule giving the America Bank Main group the ListAndRead operation set on the America Bank folder.
How to Create a Rule Allowing the America Bank Main Group ListAndRead on the America Bank Folder
Procedure:
1. Sign in with an administrative user ID that is permitted ALL on /.
By default, this user ID is admin with a password of admin.
2. Right-click the America Bank folder in the Resources pane and select Security, then Access Rules.
The Security Rules dialog box appears.
3. In the Groups field, select AmericaBankMainGroup, as shown in the following image.
Note: If you do not see any Groups listed, uncheck Only show Groups with Rules.
4. Select the ListAndRead OpSet and set the Verb to PERMIT, as shown in the following image.
5. Click Apply if you wish to make further changes after this, or click OK to apply the changes and exit the dialog box.
Creating Rules for Groups
How to:
Create a Rule Allowing the America Bank Analytical Subgroup ShareWith Capability With the America Bank Main Group
The following procedure uses the previous examples in this chapter.
How to Create a Rule Allowing the America Bank Analytical Subgroup ShareWith Capability With the America Bank Main Group
Procedure:
1. Sign in with an administrative user ID that is permitted ALL on /.
By default, this user ID is admin with a password of admin.
2. Right-click the Repository folder in the Resources pane and select Security, then User Administration.
The Security Center appears, as shown in the following image.
3. Right-click AmericaBankMainGroup in the Groups field and select Security, then Access Rules, as shown in the following image.
The Security Rules dialog box appears.
4. In the Groups field, select AmericaBankAnalyticalGroup.
Note: If you do not see any Groups listed, uncheck Only show Groups with Rules.
5. In the Rules for Group field set ShareWith to PERMIT, as shown in the following image.
6. Click OK, then click Close.
Creating Rules for Operation Sets
How to:
Create a Rule That Disables Deletion of the ListAndRun OpSet
How to Create a Rule That Disables Deletion of the ListAndRun OpSet
Procedure:
1. Sign in with an administrative user ID that is permitted ALL on /.
By default, this user ID is admin with a password of admin.
2. Select Security Center in the Administrative pane, or right-click inside the Resources pane and select Security, then Access Rules.
3. In Security Center, select the Permission Sets tab.
4. Right-click ListAndRun and select Security, then Access Rules.
5. Select the operation set of ProtectSystemResources on the left side of the window, and the EVERYONE group on the right side, and apply the Permission Set by either dragging and dropping or using the arrow button.
3. Creating Users With Predefined Groups
WebFOCUS includes default groups, operation sets, and rules to make it easier for you to administer your implementation.
Topics:
Default Groups, Operation Sets, and Rules
Creating a Managed Folder for Users to Access
Default Groups, Operation Sets, and Rules
The WebFOCUS Client Repository has been preloaded with a set of default groups, operation sets, and rules applying to them. Among these are the WF_Legacy group and its subgroups corresponding to the legacy 7.6 and prior user roles. Note that these groups are not an exact match of what was in 7.7 and below, since these user types have access to the latest tools. If needed, you can clone these operation sets, and make them an exact match and give them access to the legacy tools as well. These predefined groups, and the operation sets that are used with them, include LibraryOnlyUsers, RunOnlyUsers, AnalyticalUsers, PowerUsers, Developers, ContentManagers, and MRAdministrators.
Default rules have been set from the root of the repository (Repository level) for these groups. A first time administrator only needs to create the users and place them in one of the predefined groups, under the WF_Legacy main group. A first time administrator does not need to create rules at this time. The users that are created in the WF_Legacy subgroups will have all the available permissions for the entire repository because of the default rules. If that is not the desired behavior, the default rules can be deleted or modified so that these users only have access to specific folders.
Creating a Managed Folder for Users to Access
How to:
Create a Managed Folder Accessible to Predefined Users
Create a User Using One of the Predefined Legacy WebFOCUS Groups
The following procedures show how to create a folder and place a user in the WF_Legacy/AnalyticalUsers Group. This user will have AnalyticalUser access to the folder.
First, the administrator should create a managed folder under the root of the repository. A managed folder is a folder that is accessible to all authorized users. It is not private to any one individual or group, but can be considered system wide.
How to Create a Managed Folder Accessible to Predefined Users
Procedure:
1. Sign in with an administrative user ID that is permitted ALL on /.
By default, this user ID is admin with a password of admin.
2. Right-click Repository and select New Folder, as shown in the following image.
The Create Folder dialog box appears, as shown in the following image.
3. Populate the fields with the following and then select OK:
Description: America Bank
Summary: America Bank's Folder
Note: The Name field will automatically be filled in, derived from the description with only alpha and underscore characters allowed. Description is non-unique but Name must be unique within the folder and cannot contain any special characters. The summary is an extensive explanation of the folder and is accessible through the Info button located under the MR tree.
4. Right-click on America Bank and select New, then Folder. Name the folder Sales.
5. Right-click on America Bank and select Security, then Owners, as shown in the following image.
6. Select the Managed radio button, then OK, as shown in the following image.
How to Create a User Using One of the Predefined Legacy WebFOCUS Groups
Procedure:
1. Sign in with an administrative user ID that is permitted ALL on /.
By default, this user ID is admin with a password of admin.
2. Select Security Management from the Administration pane, or right-click Repository in the Resources pane and select Security, then User Administration.
The Security Center displays, as shown in the following image.
You can use the Security Center to create users and assign them to groups.
3. Select the New User button.
The New User dialog box appears, as shown in the following image.
4. Populate the fields with the following and then select OK:
ID: abanalytic1
Description: America Bank Analytical User 1
E-mail Address: [email protected]
Password: abanalytic1
Create in group: WF_Legacy/AnalyticalUsers
Status: Active
5. Log in as abanalytic1. You can now create content.
4. Sharing and Ownership
When a user wants to share an item, they can share that item with a particular group or user. The ability to share an item or a folder relies on four operations: Share Folder/Item (OpShareItem), Share with Group or User (opShareWith), List (opList), and List Users (opListUsers).
Topics:
Sharing How, Who, or Permissions
Ownership Permissions
Sharing How, Who, or Permissions
The ability to share a private item or a folder relies on four operations. Share Item or Folder (OpShareItem) applies to the folder or item resource. This operation indicates that this user has the ability to share a folder or item. Who that user can share the item with is specified with the operations of Share with Group or User (opShareWith), List (opList), and List Users (opListUsers). These operations apply to the group resources. When you want to share an item with another group or user, the following needs to be considered:
The item to be shared must be within My Folder.
If the item the user wants to share is within a private folder, the private folder needs to be shared.
The private item within that folder needs to be shared.
The user or group that the item is being shared with needs the List (opList) operation on managed folders leading to this user's private folder, so they can navigate to this user's shared item.
Since the item is shared, there is a special operation set of SystemShareResourcePermits that is applied to the shared item, for all users that it is being shared with. That operation set contains the following operations:
View Folder/Item Properties
Schedule
Run
Run Deferred
Open
List
Share How, Who, or Permissions
Example:
The following image shows an example of a private folder abpower1folder for the user of abpower1 that is under a managed folder of Sales. The abpower1folder itself is shared and the ProfitReport item is shared.
The following image shows the view when logged in as the wfpower1 user, who this item was shared with. Since this user had List (opList) capability from the repository level, they were able to see two main subfolders of America Bank and Bombay Bank. They were able to see and navigate to the Sales Folder which contains the private folder abpower1folder. This also shows that the original owner of the folder and item are abpower1.
For more information on Sharing Permissions, see Sharing on page 101.
Ownership Permissions
The ability to change the ownership of a private folder/item relies on six operations. Make Managed (opMakeManaged) and Make Private (opMakePrivate) apply to the folder/item resource. These operations indicate that a user has the ability to change the ownership of a folder/item or to make the folder/item a managed entity. Who the user can change the ownership to is specified with the operations of Set Group as Owner (opSetGroupOwner), Set User as Owner (opSetUserOwner), List (opList) and List Users (opListUser).
For more information on Ownership, see Ownership on page 107.
5. Managing User Content
To help administer the new MR Repository and Authorization model, an administrator may delegate responsibilities to other users to allow them to manage the private content which they do not own.
Topics:
Managing Private User Content
Managing Private User Content
A default administrative user has ALL over the entire repository. However, this user can delegate responsibilities to users who do not necessarily have ALL with the operations opManagePrivateResources and opManagePrivateTool. OpManagePrivateResources gives users the ability to manage private resources they do not own, and opManagePrivateTool grants the use of the tool which manages these private resources. With this delegation, three system operation sets are applied to user content.
SystemManagePrivateFolders - Administrative rights over private folders owned by other users
SystemManagePrivateOutput - Administrative rights over private non-output files owned by other users
SystemManagePrivateNonOutput - Administrative rights over private output owned by other users
There are three different operation sets so that a user with administrative capability over another user may still be restricted from viewing the user output.
6. Effective Policy
The effective policy for a user is the derivation of all applicable rules applied to the user. The Effective Policy dialog box indicates why a user has or does not have a certain capability. Users with the Manage Rules on a Resource operation (opManageRulesOn) and the View Effective Policy on a Resource operation (opViewRulesOn) may also view the effective policies for other users belonging to that resource.
Topics:
Order of Precedence
Viewing Your Own User Effective Policy
Viewing Effective Policy for Other Users
Viewing Folder or Item Properties
Order of Precedence
The following order of precedence is used to determine the effective policy on a resource at a particular level:
1. OverPermit
2. Deny
3. Permit
4. Not Set
On any particular level, these will be evaluated to DENY, PERMIT or NOT_SET.
This means that an OverPermit will win over a Deny. A Deny will win over a Permit. A Permit will win over a Not Set (Implied Deny). ClearInheritance clears all inherited rules on an operation on the level where ClearInheritance is placed, resetting the operation to a Not Set state for that level and its children.
No group takes precedence over another group and user rules do not take precedence over group rules. A policy is calculated at each level of a resource and combines with the policies of each child level to determine the effective policy for each user.
If an operation is Not Set, then it is Implicitly Denied.
If an operation is Permitted, it is allowed.
If an operation is Explicitly Denied, then it is not allowed. This takes precedence over a Permit. For example, if a user belongs to multiple Groups and is permitted an operation in one Group but denied the same operation in another Group, the user is denied the operation.
ClearInheritance removes all inherited rules on a resource.
Going down a resource tree, an effective policy at a particular resource level can only be DENY, PERMIT and UNSET, with precedence in that order. This is important to note when figuring out Inherited abilities.
Viewing Your Own User Effective Policy
The View Effective Policy on a Resource operation (opViewRulesOn) is necessary for users to view their own effective policies. With this permission, you will be able to right-click a report and select Security, then Effective Policy.
Without this operation, these options do not display.
If you have opViewRulesOn and also opViewProperties or opUpdateProperties, you will also be able to view your effective policy from the Properties dialog box, which is shown in the following image.
If you are not already at the Properties dialog box, right-click on a resource and select Properties. On the Properties dialog box, select Security and then Effective Policy. The Effective Policy dialog box appears.
Each individual operation is listed in the Operations pane, which is shown in the following image.
Select an operation to review its effective policy in the Calculated Policy pane, as shown in the following illustration.
The Calculated Policy pane shows the following elements:
Path Element. The location where a rule potentially may be applied.
Effective Policy. The combination of rules on that path element and any inherited rules.
Who. The groups or users to which the rule is applied. (Only displays the groups this user belongs to.) Groups are denoted by the Group icon.
PSET. The operation set applied.
Verb. The verb that applies to the listed path element.
In the previous images, the operation of Run (opRun) has been selected in the Operations pane. The Calculated Policy pane indicates which rules apply at different folder levels.
No rules have been applied at / or at WFC, which means that the operation is implicitly denied at those levels, per the global settings.
No rules have been applied at America_Bank, Sales, or Profit_Report.fex, which means that the operation is permitted at those levels, per the global settings.
A rule has been applied at the Repository level. The operations set used in that rule is WF_PowerUser, which specifies that Run (opRun) is PERMIT.
A rule has been applied at the abpower1 folder level. The operations set used in that Rule is SYSTEM, which specifies that Run (opRun) is OVERPERMIT.
Note: Not every operation applies to a particular resource type. For example, Run (opRun) applies to a folder or item resource, but Create a new Group (opCreateGroup) does not.
Viewing Effective Policy for Other Users
To view the effective policy of other users, you must have the following operations:
Manage Rules on a Resource, which allows you to make use of the Rules and Access Rules context menus.
View Effective Policy on a Resource, which allows you to make use of the Rules and Effective Policy menus.
The combination of these two operations allows you to create rules and display the effective policy for yourself and other users. To display the users on the Effective Policy dialog box, you must also have Operation List (opList) or List Users (opListUsers) on the group or groups to which the other users belong.
The Effective Policy dialog box, with the operation Run (opRun) selected for user ab1, is shown below.
The dialog indicates the following:
No rules apply for ab1 on /, WFC, and Repository.
A rule applies for ab1 at the America_Bank folder level. Its OpSet is ListAndRead. ListAndRead does not include the Run (opRun) operation, so Run is NOT_SET at this level.
A rule applies at the Sales folder level. Its OpSet is WF_Developer, in which the operation of Run (opRun) is PERMIT for the user of ab1.
Therefore, the effective policy for ab1 is that this user has the Run (opRun) capability on items within the Sales folder.
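The order of precedence and the ab1 walk-through above, worked as an added Python example (not WebFOCUS code and not part of the original manual). The Rule tuple, the abbreviated operation sets, the contents of SYSTEM, the group memberships, and the way an inherited state combines with the verbs found at each level are assumptions made for illustration.

```python
"""Effective-policy walk for one operation, modelled on the manual's rules.

Added illustration, not WebFOCUS code. Verb names and precedence come from
the manual; the Rule tuple and the way levels combine are assumptions.
"""
from typing import NamedTuple

# Operation sets, abbreviated to the operation IDs this example needs.
OPSETS = {
    "ListAndRead": {"opList", "opOpen", "opViewProps"},
    "WF_Developer": {"opList", "opOpen", "opRun", "opRunDef"},
    "WF_PowerUser": {"opList", "opOpen", "opRun", "opRunDef", "opShareItem"},
    "SYSTEM": {"opList", "opOpen", "opRun"},  # contents assumed for the demo
}


class Rule(NamedTuple):
    path: str     # resource level the rule is placed on
    subject: str  # user ID or group name (the "Who" column)
    opset: str    # key into OPSETS (the "PSET" column)
    verb: str     # PERMIT, DENY, OVERPERMIT or CLEARINHERITANCE


def levels(path):
    """Expand '/WFC/Repository' into ['/', '/WFC', '/WFC/Repository']."""
    out, current = ["/"], ""
    for part in path.strip("/").split("/"):
        if part:
            current += "/" + part
            out.append(current)
    return out


def evaluate_level(inherited, verbs):
    """Fold the verbs found at one level into DENY, PERMIT or NOT_SET."""
    if "CLEARINHERITANCE" in verbs:
        inherited = "NOT_SET"      # forget what the parent levels decided
    if "OVERPERMIT" in verbs:
        return "PERMIT"            # OverPermit wins over any Deny
    if "DENY" in verbs or inherited == "DENY":
        return "DENY"              # Deny wins over Permit, whichever group set it
    if "PERMIT" in verbs or inherited == "PERMIT":
        return "PERMIT"
    return "NOT_SET"               # implicitly denied


def effective_policy(rules, user, groups, operation, path):
    """Return [(level, state), ...] from / down to path."""
    subjects = {user, *groups}     # user rules and group rules rank equally
    state, trace = "NOT_SET", []
    for level in levels(path):
        verbs = {
            r.verb for r in rules
            if r.path == level and r.subject in subjects
            and operation in OPSETS[r.opset]
        }
        state = evaluate_level(state, verbs)
        trace.append((level, state))
    return trace


def is_allowed(rules, user, groups, operation, path):
    """Only PERMIT at the target level grants the operation."""
    return effective_policy(rules, user, groups, operation, path)[-1][1] == "PERMIT"


SALES = "/WFC/Repository/America_Bank/Sales"

# Constructed rules mirroring the ab1 walk-through in the text.
AB1_RULES = [
    Rule("/WFC/Repository/America_Bank", "ab1", "ListAndRead", "PERMIT"),
    Rule(SALES, "ab1", "WF_Developer", "PERMIT"),
]

# Constructed conflict: two groups disagree at Repository level, then an
# OVERPERMIT is placed on the user's private folder.
CONFLICT_RULES = [
    Rule("/WFC/Repository", "AmericaBankMainGroup", "WF_PowerUser", "PERMIT"),
    Rule("/WFC/Repository", "AmericaBankAnalyticalGroup", "WF_PowerUser", "DENY"),
    Rule(SALES + "/abpower1folder", "abpower1", "SYSTEM", "OVERPERMIT"),
]
ABPOWER1_GROUPS = ["AmericaBankMainGroup", "AmericaBankAnalyticalGroup"]

if __name__ == "__main__":
    for level, state in effective_policy(AB1_RULES, "ab1", [], "opRun", SALES):
        print(f"{state:8} {level}")
    for level, state in effective_policy(
            CONFLICT_RULES, "abpower1", ABPOWER1_GROUPS, "opRun",
            SALES + "/abpower1folder"):
        print(f"{state:8} {level}")
```

The per-level trace has the same shape as the Calculated Policy pane, which makes it useful for checking a planned rule change against the precedence order before applying it in the Security Center.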
Viewing Folder or Item Properties
The Properties context menu displays the attribute information of a folder or an item withinthe resource tree.
The following operations allow you to view and make use of the Properties context menu:
opViewProps (View Folder or Item Properties) displays the context menu
opUpdProps (Update Folder or Item Properties) updates properties
opRepSrvProps (View and Update Reporting Server Properties), if given, displays the Reporting Server Properties
To view the Effective Policy from the Security button on the Properties dialog box, you need the additional operation of opViewRulesOn (View Effective Policy on a Resource) or opManageRulesOn (Manage Rules on a Resource).
The following image shows the properties for an item (a report) on the resource tree.
Information Included in the Properties Dialog Box for an Element
Reference:
Dialog Box Item | Description
Folder | Displays the full repository path of the containing folder.
Created On | Displays the creation date and time.
Created By | Displays the user ID that created this folder.
Last Modified On | Displays the date and time this item was last changed.
Last Accessed On | Displays the date and time this item was accessed through Properties, Run, RunDeferred, or using any of the tools to edit.
Last Accessed By | Displays the user that last accessed this item.
Size | Size in bytes of the contents of the item.
Run | Immediate or Deferred.
Status | Managed or Private.
7. Operation Sets
An operation set (OpSet) is a collection of individual operations and their associated settings. An operation set usually contains operations applicable to a specific type of resource. For example, if the resource is a GROUP resource, then the operation set contains operations, such as Create a New Group (opCreateGroup).
Topics:
Default Operation Sets
Legacy Operation Sets
Default Operation Sets
The following table lists the default operation sets provided with WebFOCUS. Unless otherwise noted, the listed operations are set to PERMIT.
Name: ALL
  Function: Allows all operations.
  Operations: All operations
Name: BIPFullControl
  Function: Allows all operations in Business Intelligence Portal.
  Operations: Create Business Intelligence Portal, View Business Intelligence Portal, List, Delete, Validate Business Intelligence Portal, Save Positions, Add Personal Content, Manage Rules, Rename, Edit Navigation, Edit Banners, Edit Menu Bars, Edit Theme, Update Properties, Insert Page, Edit Page Layout, Edit Content
Name: BIPPersonalize
  Function: Save positions and add content in Business Intelligence Portal.
  Operations: Add Personal Content, List, Save Positions, View Business Intelligence Portal
Name: BIPViewOnly
  Function: View Business Intelligence Portal.
  Operations: List, View Business Intelligence Portal
Name: CreatePrivateFolder
  Function: Creates private folders.
  Operations: Create a Private Folder
Name: List
  Function: List files and folders.
  Operations: List
Name: ListAndRead
  Function: Grants access to files.
  Operations: List, Open, View Report/Folder Properties
Name: ListAndRun
  Function: Lists and executes files.
  Operations: List, Run, Run Deferred, View Report/Folder Properties
Name: ManageGroups
  Function: Manages Groups.
  Operations: Assign Rules for a Group, Assign Rules for a User, Assign Users from a Group, Assign Users to a Group, Create a new Group, Delete a Group, List, List Users, Manage Rules on a Resource, Set Group as an Owner, Set User as an Owner, Update Group Definition, View Group, View Effective Policy on a Resource
Name: ManageOperationSets
  Function: Manages operation sets.
  Operations: Create a new operation set, Delete operation set, List, Update operation set, Use operation set in Rules, View operation set
Name: ManageOwner
  Function: Manage ownership of files or folders.
  Operations: List, List Users, Set User as Owner, Set Group as Owner
Name: ManagePrivateResources
  Function: System-granted operations on private resources that belong to other users via Groups.
  Operations (set to OVERPERMIT): List, Delete, Update Properties, Update Reporting Server Properties, View File or Folder Properties
Name: ManageRules
  Function: Manages rules on resources.
  Operations: Manage Rules on a Resource, View Effective Policy on a Resource
Name: ManageUsers
  Function: Manages Users.
  Operations: Create a New User, Delete a User, List Users, Set User Password, Update User Definition
Name: ProtectSystemResources
  Function: Protects system resources.
  Operations: Assign Users to Group, Create a New Group, Delete a Group, Delete Operation Set, Update Operation Set
Name: ReportCaster Tools
  Function: Displays ReportCaster tools on toolbar and tabs.
  Operations: Displays ReportCaster tools
Name: SecurityCenter
  Function: Displays the Security Center.
  Operations: Launch Security Center
Name: ShareWith
  Function: Shares items.
  Operations: List, List Users, Share with Group or User
Name: SystemManagePrivateFolders
  Function: System-granted operations over private folders owned by other users, when user has opManagePrivateFolders.
  Operations (set to OVERPERMIT): Change Owner, Delete, List, Manage Rules, Open, Rename, Share with Group or User, Update Report/Folder Properties, Update Reporting Server Properties, View Report/Folder Properties, View Rules
Name: SystemManagePrivateNonOutput
  Function: System-granted operations over private non-output files owned by other users, when user has opManagePrivateNonOutput.
  Operations (set to OVERPERMIT): Copy, Delete, Edit, List, Open, Rename, Update Report/Folder Properties, Update Reporting Server Properties, View Report/Folder Properties
Name: SystemManagePrivateResources
  Function: System-granted operations over private output owned by other users, when user has opManagePrivateResources.
  Operations (set to OVERPERMIT): Delete, List, List Users, Manage Rules, Set Owner, Share with Group or User, Update Report/Folder Properties, Update Reporting Server Properties, View Report/Folder Properties, View Rules
Name: SystemPrivateResourcePermits
  Function: System-granted operations to owners of private resources.
  Operations (set to OVERPERMIT): Create Private Repository File, Delete, List, Open, Run, Run Deferred, Update Report/Folder Properties, View Report/Folder Properties, Write/Replace Report/File
  Operations (denied): Create Private Folder
Name: SystemShareResourcePermits
  Function: System-granted operations for shared private resources.
  Operations: List, Open, Run, Run Deferred, Schedule, View a static document, View Report/Folder Properties, Create Private Folder, Create Private Repository File, Delete, Make Managed, Share Item or Folder, Update Ownership, Update Report/Folder Properties, Write/Replace Report/File
Name: UseOperationSetsInRules
  Function: Uses Operation Sets when making access rules.
  Operations: List, Use operation set in Rules, View operation set
Legacy Operation Sets
The following operation sets replicate the different user roles and privileges provided with earlier releases of Managed Reporting. This allows administrators to easily map these user types and their privileges to the current UOA model.
Name: WF_AnalyticalUser
  Function: Defines the privileges for a Legacy Managed Reporting Analytical user. The Analytical user can do everything a Run Only user can do. In addition, the user can create private Folders and Private content, using the Assistant tools. The user can also save deferred output from the Deferred Status interface.
  Operations: Create Private Folder, Create Private Repository File, Launch Advanced Graph Assistant, Launch InfoAssist, List, Open, Run, Run Deferred, Update Reporting Server Properties, View a static document, View Report/Folder Properties, Write/Replace Report/File
Name: WF_ContentManager
  Function: Defines the privileges for a Managed Reporting Content Manager. The Content Manager is based on the Developer and adds the Data Server, Advanced, and Share My Report privileges.
  Operations: Create Private Folder, Create Private Repository File, Launch Advanced Graph Assistant, Launch Editor, Launch InfoAssist, List, Make Managed, Make Private, Open, Run, Run Deferred, Share Item or Folder, Update Ownership, Update Reporting Server Properties, View a static document, View Report/Folder Properties, Write/Replace Report/File
Name: WF_Developer
  Function: Defines the privileges for a Managed Reporting Developer. The Developer role can do everything an Analytical User can do. In addition, they can create content, and make it managed (Legacy Standard Report). They also have the ability to create Reporting Objects.
  Operations: Create Private Folder, Create Private Repository File, Launch Advanced Graph Assistant, Launch InfoAssist, List, Make Managed, Make Private, Open, Run, Run Deferred, Update Ownership, Update Reporting Server Properties, View a static document, View Report/Folder Properties, Write/Replace Report/File
Name: WF_LibraryOnlyUser
  Function: Defines the privileges for a Managed Reporting Library Only User. The Library Only User role provides the ability to create Dashboard users who can only access content stored in the Report Library. This content can be viewed in the Report Library and in a Dashboard page when displayed as a list, launch, output block, or watch list. Library Only Users cannot run reports, view the Repository Tree, view the Role Tree, access other WebFOCUS environments, and have limited access to Dashboard components.
  Operations: List, Report Library
Name: WF_PowerUser
  Function: Defines the privileges for a Managed Reporting Power User. The Power User is based on the Analytical User. It adds to the Analytical User by allowing the ability to create reports using the Editor and allows Sharing of Private Content.
  Operations: Create Private Folder, Create Private Repository File, Launch Advanced Graph Assistant, Launch Editor, Launch InfoAssist, List, Open, Run, Run Deferred, Share Item or Folder, Update Reporting Server Properties, View a static document, View Report/Folder Properties, Write/Replace Report/File
Name: WF_RunOnlyUser
  Function: Defines the privileges for a Managed Reporting Run Only User. A Run Only User can run Standard Reports, has access to reports shared by other users, can utilize the Assistant tools to create a report, but cannot save it.
  Operations: Launch Advanced Graph Assistant, Launch InfoAssist, List, Run, Run deferred, View Report/Folder Properties
Name: WF_User
  Function: Defines the privileges for a Managed Reporting User. Users can run Standard Reports (in immediate and deferred mode) and access shared Private Reports by other users.
  Operations: List, Run, Run deferred, View Report/Folder Properties
8. Individual Operations
The following chapter describes each of the individual atomic operations that are available within the new MR Repository and Security Authorization model.
Topics:
Configuring Operations
Configuring Operations
Reference:
Tool Launch Management Operations
ReportCaster Tool Launch Management Operations
General Object Management
Folder and Item Management
Group Management
Developer Studio Launch Tool Management
User Management
Operation Set Management
Tool Launch Management Operations
Reference:
Controls access to report development tools.
Operation | Description | Operation ID
Launch Report Assist | User can launch HTML Report Assist. | opHTMLRA
Launch InfoAssist | User can launch InfoAssist. | opInfoAssist
Launch Graph Assist | User can launch HTML Graph Assist. | opHTMLGA
Launch Power Painter | User can launch Power Painter. | opPowerPainter
Launch Editor | User can open report in text editor. | opEditor
Launch View Builder | User can launch the Business Intelligence View Builder. | opViewBuilder
Launch Report Object Tool | User can launch the Report Object Tool. | opReportingObject
Launch Security Center | User can Launch Security Center (global). | opManageSecurity
Launch URL Tool | User can open URL tool. | opURL
Launch Advanced Graph Assistant | User can launch Advanced Graph Assistant. | opAGA
Launch Manage Private Resources Tool | User can manage the Private Resources of another user (global). | opManagePrivateTool
ReportCaster Tool Launch Management Operations
Reference:
Controls access to the ReportCaster scheduling tools.
Operation | Description | Operation ID
Schedule | User can Launch ReportCaster Scheduler | opSchedule
Launch Access List Tool | User can Launch Access List Tool. | opSchedAccessList
Launch Distribution List Tool | User can Launch Distribution List Tool. | opSchedDistributionList
ReportCaster Administration | Run the ReportCaster Administration Console. | rcadmin
ReportCaster | Display Tools item on banner (global). | robot
Report Library | Display Library within Tools Item on banner or tab (global). | library
General Object Management
Reference:
Controls basic operations on objects.
Operation | Description | Operation ID
List | User can see contents of a resource. | opList
Delete | User can delete an object. | opDelete
Manage Rules on a Resource | User can create and remove rules on a resource. | opManageRulesOn
View Effective Policy on a Resource | User can view the rules of a resource. | opViewRulesOn
Share with Group or User | User can share with this group or user. | opShareWith
Export | User can export a resource. | opExport
Create metadata | User can create metadata on the Reporting Server. | opMetadata
Access Favorites | User can access Favorites | opFavorites
Access Mobile Favorites | User can access Mobile Favorites. | opMobileFavorites
Launch Repository Search | User can launch Repository Search tool. | opRepositorySearch
Folder and Item Management
Reference:
The following operations control the execution and viewing of report objects.
Operation | Description | Operation ID
Run | User can run a report procedure. | opRun
Open | User can view the contents of an item within a tool. Also requires the operation for the tool used to create the item. | opOpen
Write/Replace Item | User can update contents of an item. | opWrite
Create Private Folder | User can create a private folder. | opCreateFL
Create Private Repository Item | User can create a new private item. | opCreateItem
Copy a Folder or Item | User can copy a folder or item. | opCopy
Rename a Folder or Item | User can change the name of a folder or item. | opRename
View Folder or Item Properties | User can view folder or item properties. | opViewProps
Update Folder or Item Properties | User can update folder or item properties. | opUpdProps
Run Deferred | User can run a deferred report request. | opRunDef
Save Deferred Output | User can save deferred report output. | opSaveDef
Update Reporting Server Properties | User can update server execution properties: Server, Application Path. | opRepSrvProps
Update Ownership | User can change ownership of a private object to another subject (group/user). | opUpdateOwnership
MakeManaged | User can change a private folder or item into a managed folder or Item. | opMakeManaged
MakePrivate | User can change a managed folder or item into a private folder or item. | opMakePrivate
Share Folder/Item | User can share a folder or item with other groups or users. | opShareItem
Toggle Repository View | Toggle view Full/Repository view (global). | opToggleTree
Allow Saved Parameter Reports | Enable the Save Parameters button. | parmrpt
Upload a Data File | User can upload a data file to the reporting server. | opUploadDataFile
Upload a Document | User can upload a document to the Repository. | opUploadDocument
Upload an Image | User can upload an image to the Repository | opUploadImage
Create My Reports folder | User can create a My Reports Folder | opCreateMyFolder
Run with OLAP | User can run a procedure with OLAP capabilities | opOlap
Cut Folder or Item | User can cut a folder or item | opCut
Paste a Folder or Item | User can paste a folder or item | opPaste
Group Management
Reference:
The following group of operations controls the tasks that can be performed on a group folder.
Operation | Description | Operation ID
View Group | User can see contents of the group definition. | opViewGroup
Create a new Group | User can create a new folder as a subgroup or as a parent folder. | opCreateGroup
Delete a Group | User can delete the group folder. | opDeleteGroup
Set Group as Owner | User can set this group as an owner of private resources. | opSetGroupOwner
Assign Users to Group | User can assign users to this group. | opAssignUsersTo
Update Group Definition | User can update a group definition. | opUpdateGroup
Assign Rules for a Group | User can create or remove a rule with Group as the subject. | opUseGroupInRules
Manage Private Resources of Users | User can manage the private items of another user. | opManagePrivateResources
Assign Users from Group | User can assign Users from this Group. | opAssignUsersFrom
Share with Group or User | User can share with this Group or User. | opShareWith
Assign Rules for a Group | User can create or remove Rule with Group as Subject (Who). | opUseInRules
Reference: Developer Studio Launch Tool Management
The following group of operations controls access to Developer Studio report development tools.
| Operation ID | Description | Operation |
|---|---|---|
| opImpactAnalysis | User can open the Impact Analysis tool. | Launch Developer Studio Impact Analysis |
| opReportPainter | User can open the Report Painter tool. | Launch Developer Studio Report Painter |
| opDSEditor | User can open the Editor tool. | Launch Developer Studio Editor |
| opGraphAssistant | User can open the Graph Assistant tool. | Launch Developer Studio Graph Assistant |
| opHTMLComposeLayout | User can open the HTML Compose Layout tool. | Launch HTML Compose Layout |
| opProcedureViewer | User can open the Procedure Viewer. | Launch Developer Studio Procedure Viewer |
| opSQLReportWizard | User can open the SQL Report Wizard. | Launch Developer Studio SQL Report Wizard |
| opAlertWizard | User can open the Alert Wizard. | Launch Developer Studio Alert Wizard |
| opSourceControl | User can open the Source Control tool. | Launch Developer Studio Source Control |
| opDocComposeLayout | User can launch the Document Compose Layout tool. | Launch Developer Studio Document Compose Layout |
| opWFAdminConsole | User can launch WebFOCUS Administration Console | Launch WebFOCUS Administration Console |
| opESRIAdminConsole | User can update ESRI Administration Console | Launch ESRI Administration Console |
Reference: User Management
The following group of operations controls the tasks that can be performed on a user.
| Operation ID | Description | Operation |
|---|---|---|
| opViewUser | User can view users properties. | View User |
| opCreateUser | User can create a new user. | Create a New User |
| opSetPassword | User can create passwords for users. | Set User Password |
| opListUser | User can view a list of users in the database. | List Users |
| opDeleteUser | User can delete a user from a group. | Delete a User |
| opUpdateUser | User can modify the user definition. | Update User Definition |
| opSetUserOwner | User can set this user as an owner of private resources. | Set User as an Owner |
| opUseUserInRules | User can create or remove rule with user as subject (Who). | Assign Rules for a User |
Reference: Operation Set Management
The following operations are related to what values can be allowed when creating operation statements in operation sets. This is typically used when the security administrator wants to delegate the management of some operation sets to other users, but does not want those users to have the ability to reverse global rules by un-denying or over-permitting an operation.
| Operation ID | Description | Operation |
|---|---|---|
| opDeletePermSet | User can delete an operation set. | Delete operation set |
| opViewPermSet | User can see the operations within an operation set. | View operation set |
| opUseOVERPERMIT | Allows the editor of an operation set to use the OVERPERMIT verb. | Use OVERPERMIT verb on an operation |
| opUsePERMIT | Allows the editor of an operation set to use the PERMIT verb. | Use PERMIT verb on an operation |
| opUpdatePermSet | User can modify the name or the operations defined in an operation set. | Update Permission Set |
| opUsePermSetInRules | The operation set is available when creating rules. | Use operation set in Rules |
| opUseDENY | Allows the editor of an operation set to deny an operation. | Use DENY verb on an operation |
| opCreatePermSet | User can create a new operation set. | Create a new operation set |
| opUseCLEAR | Allows the editor of an operation set to use the OVERPERMIT verb and remove the DENY verb. | Use CLEAR inheritance verb on an operation. |
| opUseUNPERMIT | Allows user to set the UNPERMIT verb within an operation set | Use UNPERMIT verb on an operation |
| | Allows user to set the UNDENY verb within an operation set and reverse the DENY verb. | Use UNDENY verb on an operation |
Reference: ReportCaster Management
The following group of operations allows a user to manage ReportCaster.
| Operation ID | Description | Operation |
|---|---|---|
| opScheduleItem | User can launch ReportCaster Scheduler on an Item. | Schedule an item |
| opSetBlackoutDates | User can set Blackout Dates. | Set Blackout Dates |
| opRCGlobalUpdate | User can perform ReportCaster updates. | ReportCaster Global Updates |
| opLibraryManagement | User can perform Library Management. | Library Management |
| opRCServerManagement | User can manage Distribution servers. | ReportCaster Server Management |
| opRCConfiguration | User can configure ReportCaster. | ReportCaster Configuration |
| opRCJobStatus | User can view jobs status on distribution server. | ReportCaster Job Status |
Reference: Portal Management
The following group of operations allows a user to manage the Business Intelligence Portal.
| Operation ID | Description | Operation |
|---|---|---|
| OpCreatePortal | User can create a portal. | Create Portal |
| OpViewPortal | User can view the portal. | View Portal |
| OpSavePositions | User can save positions of portal panels. | Save Positions |
| opAddPersonalContent | User can add personal content to a portal. | Add Personal Content |
| opEditNavigation | User can edit a portal navigation. | Edit Navigation |
| opEditBanners | User can edit a portal banners. | Edit Banners |
| opEditMenuBar | User can edit a portal menu bar. | Edit Menu Bar |
| opEditTheme | User can edit a portal theme. | Edit Theme |
| opValidatePortal | User can validate a portal to make sure the content can be seen by its intended audience. | Validate Portal |
| opInsertPage | User can insert new pages into a portal. | Insert Page |
| opEditPage Layout | User can edit the layout of a page. | Edit Page Layout |
| opEditContent | User can add and remove content from a portal. | Edit Content |
9. Default System Rules
As shipped, UOA has a set of Default Rules (optional) and System Rules (required). The Default Rules are enabled for ease of use and administration, but can be modified or deleted as desired. System Rules are needed for the correct operation of UOA, and should not be removed.
Topics:
System Rules Information
System Rules Information
Reference:
Default Rules
System Rules
For ease of use, the UOA repository has been loaded with a number of default rules. A number of these rules are system rules that protect and define system resources, and should not be deleted. However, the first set of rules is defined by default but fully optional.
Reference: Default Rules
These rules become effective only when users are defined within them.
| Resource | OpSet Name | Verb | Group Name |
|---|---|---|---|
| GROUPS | ManageGroups | PERMIT | UserAdmins |
| /WFC/Repository | SecurityCenter | PERMIT | UserAdmins |
| USERS | ManageUsers | PERMIT | UserAdmins |
| /WFC/Repository | WF_ContentManager | PERMIT | ContentManagers |
| /WFC/Repository | WF_AnalyticalUser | PERMIT | AnalyticalUsers |
| /WFC/Repository | WF_PowerUser | PERMIT | PowerUsers |
| /WFC/Repository | WF_User | PERMIT | Users |
Reference: System Rules
All of the following rules should be kept to protect system resources.
| Resource | OpSet Name | Verb | Group Name |
|---|---|---|---|
| ProtectSystemResources | ProtectSystemResources | DENY | EVERYONE |
| ListAndRun | ProtectSystemResources | DENY | EVERYONE |
| WF_RunOnlyUser | ProtectSystemResources | DENY | EVERYONE |
| ShareWith | ProtectSystemResources | DENY | EVERYONE |
| WF_ContentManager | ProtectSystemResources | DENY | EVERYONE |
| WF_MRAdministrator | ProtectSystemResources | DENY | EVERYONE |
| ManageUsers | ProtectSystemResources | DENY | EVERYONE |
| ManageOperationSets | ProtectSystemResources | DENY | EVERYONE |
| UserInfo | ProtectSystemResources | PERMIT | EVERYONE |
| Portals | ProtectSystemResources | PERMIT | EVERYONE |
| EDA | ProtectSystemResources | PERMIT | EVERYONE |
| ManageOwner | ProtectSystemResources | DENY | EVERYONE |
| UserInfo | ProtectSystemResources | PERMIT | EVERYONE |
| WF_Developer | ProtectSystemResources | DENY | EVERYONE |
| SystemPrivateResourcePermits | ProtectSystemResources | DENY | EVERYONE |
| WF_AnalyticalUser | ProtectSystemResources | DENY | EVERYONE |
| CreatePrivateFolder | ProtectSystemResources | DENY | EVERYONE |
| UseOperationSetsInRules | ProtectSystemResources | DENY | EVERYONE |
| ManagePrivateResources | ProtectSystemResources | DENY | EVERYONE |
| PSETS | ProtectSystemResources | PERMIT | EVERYONE |
| UsePSETsInRules | ProtectSystemResources | DENY | EVERYONE |
| WF_PowerUser | ProtectSystemResources | DENY | EVERYONE |
| SystemManagePrivateFolders | ProtectSystemResources | DENY | EVERYONE |
| BIPPersonalize | ProtectSystemResources | DENY | EVERYONE |
| BIPViewOnly | ProtectSystemResources | DENY | EVERYONE |
| SystemShareResourcePermits | ProtectSystemResources | DENY | EVERYONE |
| ALL | ProtectSystemResources | DENY | EVERYONE |
| SystemManagePrivateOutput | ProtectSystemResources | DENY | EVERYONE |
| WF_LibraryOnlyUser | ProtectSystemResources | DENY | EVERYONE |
| BIPFullControl | ProtectSystemResources | DENY | EVERYONE |
| WF_User | ProtectSystemResources | DENY | EVERYONE |
| ManageGroups | ProtectSystemResources | DENY | EVERYONE |
| EVERYONE | ProtectSystemResources | DENY | EVERYONE |
| SystemManagePrivateNonOutput | ProtectSystemResources | DENY | EVERYONE |
| ListAndRead | ProtectSystemResources | DENY | EVERYONE |
| ManageRules | ProtectSystemResources | DENY | EVERYONE |
| List | ProtectSystemResources | DENY | EVERYONE |
| Repository | WF_Developer | PERMIT | Developers |
| ROOT | ALL | PERMIT | admins |
| Repository | WF_RunOnlyUser | PERMIT | RunOnlyUsers |
| Repository | WF_LibraryOnlyUser | PERMIT | LibraryOnlyUsers |
10. Use Case Scenarios
The following chapter illustrates use cases to help understand and configure certain types of functionality within the new MR Repository and Security Authorization model. These examples show how old functionality is implemented, as well as examples of creating new types of users, which was not possible before.
Topics:
Service Provider Architecture
Creating HelpDesk Administrator (Reset Password Only)
Sharing
Ownership
Service Provider Architecture
How to:
Create Folders, Users, Groups, and Subgroups
Display the Security Center
Assign Rules to the User Administrator Subgroups
The following describes a Service Oriented Architecture, in which a provider would maintain a WebFOCUS infrastructure for their separate customers. Those customers share the same WebFOCUS install but do not and should not know about the user IDs or content of other customers.
Each of these customers has their own repository and main user group. There should also be subfolders and subgroups for each customer. This specific case was to create a user administrator for each of the separate customers. These user administrators can:
Create users, and assign them to their own group and subgroups.
Delete users only from their group and subgroups.
Create subgroups only within their main group.
Only see users within their group and subgroups.
Create rules for their group, or subgroups.
If desired, no access to repository content.
Note: These are specific requirements for this example. You could change this type of user ID so that it did have access to repository content.
Procedure: How to Create Folders, Users, Groups, and Subgroups
1. Sign in with an administrative user ID that is permitted ALL on /.
By default, this user ID is admin with a password of admin.
2. Right-click Repository and select New Folder. The Create Folder dialog box appears.
3. Populate the fields with the following and then select OK:
Description: America Bank
Summary: America Bank Repository
Note: The Name field will automatically be filled in, derived from the description with only alpha and underscore characters allowed. Whereas Description is non-unique, Name must be unique within the folder and cannot contain any special characters.
4. Create another folder following steps 1 and 2. Set the name to Bombay Bank and select OK.
5. Right-click on America Bank and select New, then Folder. Name the folder Sales.
6. Right-click on Bombay Bank and select New, then Folder. Name the folder Sales.
7. Right-click on America Bank and select Security, then Owner, as shown in the following image.
8. Select the Managed radio button, then OK.
9. Repeat steps 7 and 8 for the Bombay Bank folder.
You will have two folders with subfolders.
10. Create a Main Group for each bank.
11. Create a User Administrator subgroup within each of these main groups.
12. Create user administrators for each of the customers and assign them to their respective user admin groups.
Procedure: How to Display the Security Center
To be able to access the Security Center, you need to have the operation of Launch Security Center (opManageSecurity). Global operations like this are placed on /WFC/Repository. Since this is a global setting, it is not inherited.
1. From the repository tree root of the Repository, right-click Repository, then select Access Rules.
2. Select the America Bank User Admins Group, then PERMIT the OpSet of SecurityCenter. Select the Bombay Bank User Admins Group, then PERMIT the OpSet of SecurityCenter.
Note: If the group you are adding the operation set to is not visible, you will need to deselect the Only show Groups with Rules option.
Procedure: How to Assign Rules to the User Administrator Subgroups
You need to give each user administrator subgroup a rule to allow them to administer their main group and subgroups. These operations are held in the operation sets of ManageGroups, ManageUsers.
1. Right-click the Repository User Administration, or Security Management link. Then, right-click the America Bank group.
2. Select Security, then Access Rules.
3. Select the America Bank User Admins Group, then PERMIT the operation sets of ManageUsers and ManageGroups.
4. Repeat steps 1 through 3 for Bombay Bank.
Note: A default rule has been created for all users to allow them to use ALL operation sets in a rule. If that is not desired behavior, you could delete this default rule, and create a rule for each OpSet resource that you would allow the User Administrator to give to allowable groups.
After completing the steps above you can check to make sure your new user admin logins work correctly and they are only allowed to:
Create users, and assign them to their own group and subgroups.
Delete users only from their group and subgroups.
Create subgroups only within their main group.
Only see users within their group and subgroups.
Create rules for their group or subgroups.
Have no access to repository content.
Creating HelpDesk Administrator (Reset Password Only)
How to:
Change Passwords for Users Belonging to Specific Groups
Display Security on the Banner for BID
The following describes a Help Desk Administrator group. These users will only be able to change passwords of users within the group that they are administering.
This specific case was to create helpdesk administrators for each of the separate customers created above.
Note: It is important that both procedures below are followed.
Procedure: How to Change Passwords for Users Belonging to Specific Groups
These are specific requirements for this example. You could change this type of user to have other types of access as well.
1. Sign in with an administrative user ID that is permitted ALL on /.
By default, this user ID is admin with a password of admin.
2. Create two main folders for the different customers.
3. Create a HelpDeskAdmin Group for each bank.
4. Right-click Repository Security, then User Administration or use the Security Management link.
5. Select the AmericaBankMain group, and create an AmericaBankHelpDeskAdmin subgroup.
6. Repeat step 5 for Bombay Bank Main Group.
7. Select the Permission Sets tab and create an operation set named SetPassword, that has the following permissions:
List (opList)
List Users (opListUsers)
Set User Password (opSetPassword)
8. Select America Bank Main Group, as this is the resource to be controlled, and select Security, then Access Rules.
9. Select the AmericaBankHelpDeskAdmins Group, and PERMIT the previously created operation set of SetPassword.
10. Assign the HelpDeskAdmin operation sets to the America Bank Help Desk Admins Group.
11. Repeat steps 8 to 12 for the Bombay Bank Group.
Procedure: How to Display Security on the Banner for BID
To display Security on the banner for BID, you need to have the operation of Manage User/Groups/PSets (opManageSecurity). Global operations are placed on the root of the repository tree, or /WFC/Repository. (Since this is a global setting, it is not inherited.)
1. From the repository tree root of the Repository, right-click Repository, then select Access Rules.
2. Select the America Bank User Admins Group, then PERMIT the OpSet of SecurityCenter. Select the Bombay Bank User Admins Group, then PERMIT the OpSet of SecurityCenter.
Sharing
How to:
Create Folders and Make Them Managed
Create a Group and Subgroups
Create and Place Users
Create a Rule to Allow List
Create Rules to Allow Sharing of a Folder or Item
Create Rules to Allow Sharing to a Group
Test Sharing Ability
This specific use case is to show how users created within a group can share their items with users in the same group. If desired, this can be modified to share with a Group that the user is not in.
Note: To be able to share an item, the folder that it is located in must be shared. Whomever you are sharing with will need to be able to navigate to your shared directory.
Procedure: How to Create Folders and Make Them Managed
The following procedure can be used for both sharing and ownership.
1. Sign in with an administrative user ID that is permitted ALL on /.
By default, this user ID is admin with a password of admin.
2. Create a folder for America Bank.
3. Create a subfolder for Finance.
4. Create a subfolder for Sales.
5. Within the Finance folder, create a report procedure with InfoAssist called Account (this will be used to illustrate a managed item).
6. Make the Main America Bank Folder managed. All subfolders and items will now be Managed as well.
Your tree should appear as follows.
Procedure: How to Create a Group and Subgroups
The following procedure can be used for both sharing and ownership.
1. Sign in with an administrative user ID that is permitted ALL on /.
By default, this user ID is admin with a password of admin.
2. Using Security Center, create an AmericaBankMain Group.
3. Create an AmericaBankDeveloper subgroup.
4. Create a subgroup under AmericaBankMain/AmericaBankDeveloper of Finance.
5. Create a subgroup under AmericaBankMain/AmericaBankDeveloper of Sales.
Procedure: How to Create and Place Users
The following procedure can be used for both sharing and ownership.
1. While using the Security Center, create users for the Finance and Sales Groups.
2. Place the users in the following groups:
abdeveloperfinance1 - Finance Group
abdeveloperfinance2 - Finance Group
abdevelopersales1 - Sales Group
abdevelopersales2 - Sales Group
Procedure: How to Create a Rule to Allow List
This procedure allows all users within the AmericaBankMain Group and subgroups the List capability of the main America Bank Folder on the Repository tree. It is needed for any user within one of the groups or subgroups to navigate to the subfolders for which they are granted operations.
The following procedure can be used for both sharing and ownership.
1. Right-click the America Bank folder and select Security, then Access Rules.
2. In the Groups & Users section, select AmericaBankMain.
3. In the Available operation sets section, PERMIT the List OpSet.
4. Select the Add operation sets to Selected Group or User button to apply the OpSet.
Procedure: How to Create Rules to Allow Sharing of a Folder or Item
1. Sign in with an administrative user ID that is permitted ALL on /.
By default, this user ID is admin with a password of admin.
2. From the Repository Tree, use the context menu and right-click the America Bank/Finance folder, select Rules, then select Access Rules.
3. Select the AmericaBankMain/AmericaBankAnalyticalUsers/Finance Group. Then PERMIT the WF_Developer and Share_Content OpSet. If the Share_Content operation set does not exist, you can create it with the operation of Share Folder/Item.
Procedure: How to Create Rules to Allow Sharing to a Group
The following procedure will allow anyone within the Finance Group to share with any other user in this Group.
1. Within the Security Center, right-click Finance group, select Security, then Access Rules to create a rule for AmericaBankMain/AmericaBankDeveloper/Finance Group that will allow anyone within this group to share with any other user in this group.
2. In the Groups & Users section, select the AmericaBankMain/AmericaBankDeveloper/Finance Group.
3. In the Available operation sets section, PERMIT the ShareWith OpSet.
Note: This OpSet contains the operations of: List (opList), ListUsers (opListUser), and Share with Group or User (opShareWith).
4. Select the Add operation sets to Selected Group or User button to apply the OpSet.
The rule created allows the AmericaBankMain/AmericaBankDeveloper/Finance group ShareWith capabilities on AmericaBankMain/AmericaBankDeveloper/Finance group.
Note: If sharing to a different group is desired, then in step 1 above you would pick a different group such as AmericaBankMain/AmericaBankDeveloper/Sales. This would allow anyone in the Finance group who is allowed to share an item to share it with the Sales group.
Procedure: How to Test Sharing Ability
1. Log in as abdeveloperfinance1.
2. Create a private folder under America Bank/Finance.
3. Create a private procedure, named myfinance1.
4. Right-click the private folder, then select Share, and share it with the AmericaBankMain/AmericaBankDeveloper/Finance group.
5. Right-click the procedure, then select Share, and share it with the AmericaBankMain/AmericaBankDeveloper/Finance group.
The user ID of abdeveloperfinance1 will appear as follows.
6. Log in as abdeveloperfinance2.
The screen will appear as follows.
Ownership
How to:
Change Ownership of a Folder/Item
Create a Rule to Allow Changing Ownership to a Group or User
Test Ownership Changes
This specific use case shows how a group can manage ownership of an item. Managing ownership implies the following type of abilities: changing the owner to either a group or user, or making a private folder/item managed, making a managed folder/item private. Each of these abilities is mutually exclusive. Just because a user has the ability to make a folder/item managed, does not mean they have the ability to change it back to a private folder/item. You can also restrict a user to only sharing with a group, sets of groups, or individual users.
The ability to change the ownership of a private folder/item, or change a private folder/item to managed or back again to private, relies on the following seven operations, which can be grouped as follows:
Folder/Item Level Operations
Make Managed (opMakeManaged) changes a privately owned folder/item to managed.
Make Private (opMakePrivate) changes a managed folder/item to privately owned.
Update Ownership (opUpdateOwnership) changes the ownership of a folder/item.
Note: Permitting any one of these operations can affect the display of the Owner context menu.
If you are permitted the Make Private (opMakePrivate) operation on a folder/item resource and/or the Update Ownership (opUpdateOwnership) ability on a folder/item resource, you have the ability to change the ownership, but you still do not have the ability to change it to any specific group or user. For that ability, you need the following operations permitted.
Group/User Level Operations
Set Group as Owner (opSetGroupOwner) allows changing the owner to specified group.
Set User as Owner (opSetUserOwner) allows changing the owner to a specified user.
List (opList) lists groups in this context.
List Users (opListUser) lists users within groups.
Procedure: How to Change Ownership of a Folder/Item
These steps rely upon the prior steps in Sharing on page 101 being accomplished.
Create Folders and Make Them Managed
Create a Group and Subgroups
Create and Place Users
Create a Rule to Allow List
1. Sign in with an administrative user ID that is permitted ALL on /.
By default, this user ID is admin with a password of admin.
2. Using the Security Center, modify the previously created operation set of WF_AnalyticalUsersShare, and PERMIT the three operations of Make Managed (opMakeManaged), Make Private (opMakePrivate), and Update Ownership (opUpdateOwnership).
Note: We previously created a Rule with this operation set in Sharing on page 101.
Procedure: How to Create a Rule to Allow Changing Ownership to a Group or User
1. Using Security Center create a Rule that allows all users in the AmericaBankMain/AmericaBankDeveloper/Finance group ManageOwner capability on the same group.
2. Right-click the group of AmericaBankMain/AmericaBankDeveloper/Finance Group then select Access Rules.
3. Using the operation set of ManageOwner, apply it to the Group of AmericaBankMain/AmericaBankDeveloper/Finance.
Note: ManageOwner OpSet means that anyone within the Finance Group has the ability to change ownership and contains the operations of: Set Group as Owner (opSetGroupOwner), Set User as Owner (opSetUserOwner), List (opList), and List Users.
Procedure: How to Test Ownership Changes
1. Log in to Dashboard as user abdeveloperfinance1.
2. Select the Folder myfinance that was created in Sharing on page 101.
3. Note the context menu of Owner and the list of users abdeveloperfinance1 and abdeveloperfinance2, as well as the group of AmericaBankMain/AmericaBankDeveloper/Finance.
A. Glossary
This is a glossary of key concepts in this manual.
Topics:
Key Concepts
Key Concepts
User
A named user within the Managed Reporting repository.
Group
A container to hold similar users. Without a rule created for the group, the group is not given any abilities. A group or user is always the subject of a rule.
OpSet
Grouping of permitted or denied operations. Also referred to as an operation set.
Operation
An atomic ability of a user to be permitted or denied the ability to do something. For example, the operation of opRun can be permitted or denied.
Item
Any type of repository content, such as a Folder, Focexec, Static Output, Schedule,Access List, and Distribution List.
Folder
A container for items.
Resource
Any object, such as an item, group, user, or OpSet. Any object that can be used to create a rule.
Rule
Combines a group OpSet or user OpSet and a resource to create the ability to do something. Comprises three parts:
Who is the group (usually) or the user (rarely).
What is the OpSet.
Where is some resource, such as an item, group, or OpSet.
Private
An item or folder in which the owner is either a user or a group. All private items have a system OpSet of SystemPrivateResourcePermits associated with it.
Managed
System owned item, not private.
Shared
You can share a folder and its contents (items) with other users and groups. The shared items have an OpSet associated with it of SharedResourcePermits.
Permit
Grants the ability to perform a particular operation.
Deny
Denies the ability to perform a particular operation.
OverPermit
Allows a particular operation like a Permit, but overrides a Deny.
ClearInheritance
Clears inherited rules from above a resource.
Effective Policy
The aggregation of all permitted and denied operations to give the user their resulting access.
UOA
Universal Object Access.
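
The verbs and the Effective Policy entry above, together with the two-level requirement in the Ownership section (an item-level operation plus a group-level operation), can be modelled in a few lines. This is an added example, not WebFOCUS code: the precedence (OVERPERMIT over DENY over PERMIT), the top-down inheritance, the CLEAR handling, the resource paths and the sample rules are assumptions made for illustration.

```python
from dataclasses import dataclass

# Operation set contents. ShareWith and ManageOwner follow the lists in the
# manual; List, Share_Content and Ownership are constructed for this demo.
OPSETS = {
    "List": {"opList"},
    "Share_Content": {"opShareItem"},
    "ShareWith": {"opList", "opListUser", "opShareWith"},
    "ManageOwner": {"opSetGroupOwner", "opSetUserOwner", "opList", "opListUser"},
    "Ownership": {"opMakeManaged", "opMakePrivate", "opUpdateOwnership"},
}


@dataclass(frozen=True)
class Rule:
    who: str    # subject: a group path (usually) or a user ID
    opset: str  # what: name of an operation set
    verb: str   # PERMIT, DENY, OVERPERMIT or CLEAR (clear inheritance)
    where: str  # resource: a folder/item path or a group path


def prefixes(path):
    """'a/b/c' -> ['a', 'a/b', 'a/b/c']: a node preceded by its ancestors."""
    parts = path.strip("/").split("/")
    return ["/".join(parts[:i]) for i in range(1, len(parts) + 1)]


def subjects_for(user, groups):
    """Rules match the user, EVERYONE, the user's groups and their parents."""
    subjects = {user, "EVERYONE"}
    for group in groups:
        subjects.update(prefixes(group))
    return subjects


def is_allowed(rules, user, groups, operation, resource):
    """Effective policy for one operation on one resource (assumed model)."""
    subjects = subjects_for(user, groups)
    verbs = set()
    for level in prefixes(resource):  # walk from the top down to the resource
        here = [r for r in rules
                if r.where.strip("/") == level
                and r.who in subjects
                and operation in OPSETS[r.opset]]
        if any(r.verb == "CLEAR" for r in here):
            verbs.clear()  # discard everything inherited from above
        verbs.update(r.verb for r in here if r.verb != "CLEAR")
    if "OVERPERMIT" in verbs:   # overrides a DENY
        return True
    if "DENY" in verbs:         # assumed to win over a plain PERMIT
        return False
    return "PERMIT" in verbs    # no rule at all means no ability


def can_set_group_owner(rules, user, groups, item, target_group):
    """Changing owner needs an item-level AND a group-level operation."""
    return (is_allowed(rules, user, groups, "opUpdateOwnership", item)
            and is_allowed(rules, user, groups, "opSetGroupOwner", target_group))


# Constructed sample rules, modelled on the America Bank use case.
FIN = "AmericaBankMain/AmericaBankDeveloper/Finance"
SALES = "AmericaBankMain/AmericaBankDeveloper/Sales"
RULES = [
    Rule("AmericaBankMain", "List", "PERMIT", "America_Bank"),
    Rule(FIN, "Share_Content", "PERMIT", "America_Bank/Finance"),
    Rule(FIN, "Ownership", "PERMIT", "America_Bank/Finance"),
    Rule(FIN, "ManageOwner", "PERMIT", FIN),
    Rule("EVERYONE", "Share_Content", "DENY", "America_Bank/Finance/Audit"),
    Rule(FIN, "Share_Content", "CLEAR", "America_Bank/Finance/Archive"),
]

if __name__ == "__main__":
    me = ("abdeveloperfinance1", [FIN])
    item = "America_Bank/Finance/myfinance"
    for op, res in [("opList", "America_Bank/Sales"),
                    ("opShareItem", item),
                    ("opShareItem", "America_Bank/Finance/Audit/q1"),
                    ("opShareItem", "America_Bank/Finance/Archive/old")]:
        print(op, res, is_allowed(RULES, *me, op, res))
    print("owner -> Finance", can_set_group_owner(RULES, *me, item, FIN))
    print("owner -> Sales", can_set_group_owner(RULES, *me, item, SALES))
```

In this model the Finance user can hand ownership to the Finance group but not to Sales, because no rule permits opSetGroupOwner on the Sales group even though opUpdateOwnership is permitted on the item.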
Reader Comments
In an ongoing effort to produce effective documentation, the Documentation Services staff at Information Builders welcomes any opinion you can offer regarding this manual.
Please use this form to relay suggestions for improving this publication or to alert us to corrections. Identify specific pages where applicable. You can contact us through the following methods:
Mail: Documentation Services - Customer Support, Information Builders, Inc., Two Penn Plaza, New York, NY 10121-2898
Fax: (212) 967-0460
Web form: http://www.informationbuilders.com/bookstore/derf.html
Information Builders, Two Penn Plaza, New York, NY 10121-2898 (212) 736-4433
WebFOCUS Client Repository and Security Authorization DN4500988.0611 8.0 Beta