TIBCO LiveView Web™ User Authorization Guide Copyright © 2018 TIBCO Software Inc. All rights reserved. TIBCO LiveView Web User Authorization Guide Software Release 1.4.0


Important Information SOME TIBCO SOFTWARE EMBEDS OR BUNDLES OTHER TIBCO SOFTWARE. USE OF SUCH EMBEDDED OR BUNDLED TIBCO SOFTWARE IS SOLELY TO ENABLE THE FUNCTIONALITY (OR PROVIDE LIMITED ADD-ON FUNCTIONALITY) OF THE LICENSED TIBCO SOFTWARE. THE EMBEDDED OR BUNDLED SOFTWARE IS NOT LICENSED TO BE USED OR ACCESSED BY ANY OTHER TIBCO SOFTWARE OR FOR ANY OTHER PURPOSE. USE OF TIBCO SOFTWARE AND THIS DOCUMENTATION IS SUBJECT TO THE TERMS AND CONDITIONS OF A LICENSE AGREEMENT FOUND IN EITHER A SEPARATELY EXECUTED SOFTWARE LICENSE AGREEMENT, OR, IF THERE IS NO SUCH SEPARATE AGREEMENT, THE CLICKWRAP END USER LICENSE AGREEMENT WHICH IS DISPLAYED DURING DOWNLOAD OR INSTALLATION OF THE SOFTWARE (AND WHICH IS DUPLICATED IN THE LICENSE FILE) OR IF THERE IS NO SUCH SOFTWARE LICENSE AGREEMENT OR CLICKWRAP END USER LICENSE AGREEMENT, THE LICENSE(S) LOCATED IN THE “LICENSE” FILE(S) OF THE SOFTWARE. USE OF THIS DOCUMENTATION IS SUBJECT TO THOSE TERMS AND CONDITIONS, AND YOUR USE HEREOF SHALL CONSTITUTE ACCEPTANCE OF AND AN AGREEMENT TO BE BOUND BY THE SAME. This documentation contains confidential information that is subject to U.S. and international copyright laws and treaties. No part of this documentation may be reproduced in any form without the written authorization of TIBCO Software Inc. TIBCO, TIBCO StreamBase, TIBCO StreamBase Studio, TIBCO StreamBase Server, TIBCO StreamBase EventFlow, TIBCO Live Datamart, TIBCO LiveView Desktop, TIBCO LiveView Web, TIBCO LiveView Web Standard Edition, TIBCO LiveView Web Enterprise Edition, TIBCO Rendezvous, TIBCO Enterprise Message Service, TIBCO ActiveSpaces, and TIBCO FTL are trademarks or registered trademarks of TIBCO Software Inc. Enterprise Java Beans (EJB), Java Platform Enterprise Edition (Java EE), Java 2 Platform Enterprise Edition (J2EE), and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle Corporation in the U.S. and other countries. 
All other product and company names and marks mentioned in this documentation are the property of their respective owners and are mentioned for identification purposes only. THIS SOFTWARE MAY BE AVAILABLE ON MULTIPLE OPERATING SYSTEMS. HOWEVER, NOT ALL OPERATING SYSTEM PLATFORMS FOR A SPECIFIC SOFTWARE VERSION ARE RELEASED AT THE SAME TIME. SEE THE README FILE FOR THE AVAILABILITY OF THIS SOFTWARE VERSION ON A SPECIFIC OPERATING SYSTEM PLATFORM. THIS DOCUMENTATION IS PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. THIS DOCUMENTATION COULD INCLUDE TECHNICAL INACCURACIES OR TYPOGRAPHICAL ERRORS. CHANGES ARE PERIODICALLY ADDED TO THE INFORMATION HEREIN; THESE CHANGES WILL BE INCORPORATED IN NEW EDITIONS OF THIS DOCUMENTATION. TIBCO SOFTWARE INC. MAY MAKE IMPROVEMENTS AND/OR CHANGES IN THE PRODUCT(S) AND/OR THE PROGRAM(S) DESCRIBED IN THIS DOCUMENTATION AT ANY TIME. THE CONTENTS OF THIS DOCUMENTATION MAY BE MODIFIED AND/OR QUALIFIED, DIRECTLY OR INDIRECTLY, BY OTHER DOCUMENTATION WHICH ACCOMPANIES THIS SOFTWARE, INCLUDING BUT NOT LIMITED TO ANY RELEASE NOTES AND "READ ME" FILES.

Copyright © 2018 TIBCO Software Inc. ALL RIGHTS RESERVED.


Introduction
    Usage Notes
    Location and Usage of the lvweb-* tools
    Live Datamart 10 Notice
LiveView Web Authorization System
    Initial Setup Using Permissions
    What is a Privileged User?
    Example Scenario
    Configuring using lvweb-* tools
        Step 1: Admin Creates the LiveView Web Resources
        Step 2: Getting the IDs of the Created Resources
        Step 3: Grant Permissions for guest
        Step 4: Grant Permissions for limited_user
        Step 5: Grant Permissions for regular_user
    Configuring using LiveView Web administrator
        Step 1: Admin Creates the LiveView Web Resources
        Step 2: Creating ‘guest’ as a read-only user
        Step 3: Creating ‘limited_user’ as a user
        Step 4: Creating ‘regular_user’ as a user
    Using Permissions to Emulate 1.0.x Users
    Additional Information
lvweb-copy
    Synopsis
    Description
    Options
    Usage Note
    Examples
lvweb-db
    Synopsis
    Description
    Options
    Examples
lvweb-delete
    Synopsis
    Description
    Options
    Examples
lvweb-list
    Synopsis
    Description
    Options
    Examples
lvweb-permissions
    Synopsis
    Description
    Options
    Usage Notes
    Examples
lvweb-reset
    Synopsis
    Description
    Options
    Examples
Shared Options
Permission List Syntax
Permissions File Format
Permissions File Example Lines
Resource Filter Specifications
    Resource Filter Syntax
    Resource Filter Examples


Introduction

This guide describes how to use the lvweb-* tools and the administration UI included with TIBCO LiveView™ Web releases. These tools and the administration UI are used to manage the data created by LiveView Web in a TIBCO Live Datamart (LDM) project. Some of these tools are only needed when the LDM project is configured to use authorization. The sample shipped with LiveView Web has authorization enabled; most samples shipped with LDM itself have authorization disabled. In the no-authorization state, every LiveView Web user connects to an LDM server with the same effective permissions, which are the equivalent of superuser privileges. By enabling authentication and authorization, LiveView Web administrators can restrict or enable users by dashboard, page, card, or linkage with very fine-grained control.

Usage Notes

Note: The LiveView Web tools described in this Guide work in conjunction with the authorization mechanism of LDM itself. You must configure authorization settings in two realms:

● In the LDM authorization realm, using settings made in the LDM project’s liveview.properties and liveview.auth.properties files, or in your site’s LDAP database configuration. Enable authentication and authorization for your LDM project as described on the LiveView Server System Configuration page of the LiveView Administration Guide.

● In the LiveView Web realm, using the tools described in this Guide.

Location and Usage of the lvweb-* tools

The lvweb-* tools are installed in the bin folder of your LiveView Web installation, along with their implementing lvweb-tools.jar file. On Windows, use the Start > All Programs > TIBCO > LiveView Web 1.4 > Install Directory menu to open a Windows Explorer window directly to the LiveView Web installation directory.

The tools require that the environment variable STREAMBASE_HOME is set, pointing to the top level of your StreamBase+LDM installation. On Windows, use a StreamBase Command Prompt, which automatically configures the environment for command-line use, including setting of STREAMBASE_HOME. On macOS, configure your login shell environment using the sb-config --env command, as described as a post-installation step in the OS X installation page of the StreamBase Installation Guide.

You can run the lvweb-* tools from anywhere in your local environment as long as they are accessible. You can make them accessible by adding the path of the ‘bin’ folder in your installation folder to your OS-specific path.

On macOS:

    export PATH=$PATH:"/Users/lvuser/TIBCO LiveView Web 1.4/bin"
    cd <project-dir>
    lvweb-list -p .

On Windows:

    set PATH=%PATH%;"C:\Users\lvuser\AppData\Local\TIBCO Software Inc\LiveView Web 1.4\bin"
    cd <project-dir>
    lvweb-list -p .

This Guide provides an overview discussion of the workflow and expected usage of the tools, then provides reference pages for each of the lvweb-* tools in alphabetical order.

Live Datamart 10 Notice

TIBCO StreamBase® 10 is a next generation release of StreamBase in which the matching release of TIBCO® Live Datamart has the same release number as StreamBase. Live Datamart 10 releases have built-in support for using LiveView Web.

However, configuration settings for LDM 10 are in a different format that replaces the liveview.properties and liveview.auth.properties files described in this document. If you are using LDM 10, consult its documentation for a discussion of configuring LDM properties for LVWeb use.


LiveView Web Authorization System

This section describes the workflow to grant users permission to use and edit LiveView Web resources.

Initial Setup Using Permissions

This section describes the initial setup that must be completed to allow users to log in and use LiveView Web in any authentication-enabled project.

In LiveView Web, the admin user (or another user with privileged permissions, as described next) can create dashboards for other users. This style of setup allows giving an initial set of dashboards to LiveView Web users and also allows greater control over the ways users can interact with various levels of LiveView Web resources.

What is a Privileged User?

A privileged user has all permissions (current and future) on all resource types (current and future). Semantically, it can be represented as a user who has permissions configured as ANY:ANY. LiveView Web exposes a property called liveview.web.privileged.principals to enable configuration of a list of privileged users. The property takes a comma-separated list of user names to be given the ANY:ANY permission. By default, LiveView Web creates privileged permissions for the admin user, if that name is configured in the liveview.auth.properties file or LDAP database. For more information about how to set the liveview.web.privileged.principals property and best practices around users and permissions, please refer to https://community.tibco.com/wiki/authentication-and-authorization-liveview-web-how-share-resources

Example Scenario

The following sections describe the steps to create a set of users for a LiveView Web system. The users need to exist in Live Datamart. Please refer to the Live Datamart documentation for steps to add a user to your project. These steps are to be run by a user established as a privileged superuser in LiveView Web. We will use ‘admin’ with password ‘admin’ as the privileged superuser in our example. The users to be created are the following:

• guest, who has read-only access to the dashboard created by admin.
• limited_user, who can modify the dashboard created by admin but cannot add his or her resources to it.
• regular_user, who can modify the dashboard created by admin as well as create his or her resources.

These steps assume you are configuring a new Live Datamart project that has been configured for access from LiveView Web users by copying the LiveView Web lvweb.war file to the project’s lv-user-webapps folder.


Configuring using lvweb-* tools

Step 1: Admin Creates the LiveView Web Resources

Once the users have been added to the project, run the project as a LiveView project.

1. Connect to the server with LiveView Web, and log in as admin, password admin. Create a page named LVSessions, add two cards to the page and configure those cards as follows. One card shows the current set of LiveView sessions as a grid, and the second card shows the list of queries in each session. The second card is linked to the first card so that when you select an LVSessions table row, you will see the queries running in the selected session.

Step 2: Getting the IDs of the Created Resources

1. LiveView Web tools work with the IDs of the resources. Use the lvweb-list command to determine the IDs of the dashboard, page, and two cards created so far.

2. Run the command:

    lvweb-list -U http://admin:admin@localhost:10080 -r dashboard/*/**/*

3. This command returns a number of lines like the following. Only the first few words of each line are shown here to save space:

    Connected to TIBCO LiveView(tm) Web [1.4.0#10] using http://localhost:10080
    Dashboard [id=b5ec6366-1f3e-4334-8a81-ae8c11a717c41, name=, …
    Page [id=1123249a-e494-46ef-8334-f63a2c14f7f01, name=LVSessions…
    Card [id=6c13679c-7225-488d-889f-67f4d6b580651, name=LVSessions
    Card [id=463a72ba-8238-4886-a795-b0538459d6f72, name=LVSessionQueries …
    Linkage [id=d168c3c2-da52-4006-b672-120fc3c374291, name="LVSes…

Step 3: Grant Permissions for guest

1. Run the following command to grant read-only permission to all children and grandchildren of dashboard with ID b5ec6366-1f3e-4334-8a81-ae8c11a717c41.

    lvweb-permissions -U http://admin:admin@localhost:10080 -g read -r dashboard/b5ec6366-1f3e-4334-8a81-ae8c11a717c41/**/* -u guest

2. The command returns output that includes a line like the following.

    Created 5 and updated 0 permissions for guest.

Step 4: Grant Permissions for limited_user

1. Run the following commands to grant read and personalize permission to page 1 and its cards and linkages.

    lvweb-permissions -U http://admin:admin@localhost:10080 -g read,personalize -r dashboard/b5ec6366-1f3e-4334-8a81-ae8c11a717c41/**/* -u limited_user

Step 5: Grant Permissions for regular_user

1. Run the following commands to grant CREATE permission for dashboards, pages, cards, and linkages, and to grant read and personalize permission to dashboard b5ec6366-1f3e-4334-8a81-ae8c11a717c41 and its pages, cards and linkages:

    lvweb-permissions -U http://admin:admin@localhost:10080 -g create -r dashboard/-1 -u regular_user
    lvweb-permissions -U http://admin:admin@localhost:10080 -g create -r page/-1 -u regular_user
    lvweb-permissions -U http://admin:admin@localhost:10080 -g create -r card/-1 -u regular_user
    lvweb-permissions -U http://admin:admin@localhost:10080 -g create -r linkage/-1 -u regular_user
    lvweb-permissions -U http://admin:admin@localhost:10080 -g read,personalize -r dashboard/b5ec6366-1f3e-4334-8a81-ae8c11a717c41/* -u regular_user
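As an added illustration of Steps 2 through 5 (not part of the TIBCO guide or its tools), this Python example pulls resource IDs out of lvweb-list output and builds the scenario's lvweb-permissions command lines, shell-quoting the resource filters so that a POSIX shell does not expand the * characters. The sample listing is constructed from the truncated lines shown in Step 2, and the function names and the credential-free URL are assumptions.

```python
import re
import shlex

# Constructed sample: the lvweb-list lines from Step 2, still truncated ("...")
# because the guide does not show the rest of each line.
SAMPLE_LISTING = """\
Connected to TIBCO LiveView(tm) Web [1.4.0#10] using http://localhost:10080
Dashboard [id=b5ec6366-1f3e-4334-8a81-ae8c11a717c41, name=, ...
Page [id=1123249a-e494-46ef-8334-f63a2c14f7f01, name=LVSessions...
Card [id=6c13679c-7225-488d-889f-67f4d6b580651, name=LVSessions
Card [id=463a72ba-8238-4886-a795-b0538459d6f72, name=LVSessionQueries ...
Linkage [id=d168c3c2-da52-4006-b672-120fc3c374291, name="LVSes...
"""

# Only the leading "Type [id=..." part of each line is relied on.
RESOURCE_RE = re.compile(r"^(Dashboard|Page|Card|Linkage) \[id=([0-9a-fA-F-]+)")


def parse_listing(text):
    """Return {resource_type: [id, ...]} for every resource line in the listing."""
    found = {}
    for line in text.splitlines():
        match = RESOURCE_RE.match(line.strip())
        if match:
            found.setdefault(match.group(1).lower(), []).append(match.group(2))
    return found


def single_dashboard_id(found):
    """Refuse to guess when the listing holds zero or several dashboards."""
    ids = found.get("dashboard", [])
    if len(ids) != 1:
        raise ValueError(f"expected exactly one dashboard, found {len(ids)}")
    return ids[0]


def grant(url, user, permissions, resource_filter):
    """Argument vector for one 'lvweb-permissions -g' call, as used in the guide."""
    return ["lvweb-permissions", "-U", url, "-g", ",".join(permissions),
            "-r", resource_filter, "-u", user]


def scenario_commands(url, dashboard_id):
    """The grants of Steps 3 to 5 for guest, limited_user and regular_user."""
    tree = f"dashboard/{dashboard_id}/**/*"
    commands = [
        grant(url, "guest", ["read"], tree),
        grant(url, "limited_user", ["read", "personalize"], tree),
    ]
    for resource_type in ("dashboard", "page", "card", "linkage"):
        commands.append(grant(url, "regular_user", ["create"], f"{resource_type}/-1"))
    commands.append(grant(url, "regular_user", ["read", "personalize"],
                          f"dashboard/{dashboard_id}/*"))
    return commands


def as_shell(commands):
    """Render each argument vector as one safely quoted POSIX shell line."""
    return [shlex.join(command) for command in commands]


if __name__ == "__main__":
    # The URL is an assumption; supply credentials the way your site requires.
    dashboard = single_dashboard_id(parse_listing(SAMPLE_LISTING))
    for line in as_shell(scenario_commands("http://localhost:10080", dashboard)):
        print(line)
```

Review the printed lines before running them, and take an lvweb-db export first, since the guide notes that permission changes have no recovery option.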

Configuring using LiveView Web administrator

Step 1: Admin Creates the LiveView Web Resources

Once the users have been added to the project, run the project as a LiveView project.

1. Connect to the server with LiveView Web, and log in as admin, password admin. Create a page named LVSessions, add two cards to the page and configure those cards as follows. One card shows the current set of LiveView sessions as a grid, and the second card shows the list of queries in each session. The second card is linked to the first card so that when you select an LVSessions table row, you will see the queries running in the selected session.

Step 2: Creating ‘guest’ as a read-only user

1. Connect to the server with LiveView Web Administrator (http://localhost:10080/lvweb/admin) and log in as admin, password admin.
2. Click on ‘Create a read-only user’.
   a. Enter ‘guest’ in the User input field.
   b. Click the ‘Browse’ button next to ‘Baseline dashboard’.
   c. Select the ‘admin’s dashboard’ in the ‘Dashboard Resource browser’ and click ‘Close’.
   d. Click on the ‘Execute’ button.
   e. You should see log messages in the log window below the ‘Execute’ button.
   f. A green progress bar indicates that the task completed successfully.

Step 3: Creating ‘limited_user’ as a user

1. Click on ‘Tasks’ in the navigation breadcrumbs below the header.
2. Click on ‘Create a user’.
   a. Enter ‘limited_user’ in the User input field.
   b. Click the ‘Browse’ button next to ‘Baseline dashboard’.
   c. Select the ‘admin’s dashboard’ in the ‘Dashboard Resource browser’ and click ‘Close’.
   d. Click on the ‘Read’ and ‘Personalize’ check boxes under ‘Permissions’.
   e. Click on the ‘Execute’ button.
   f. You should see log messages in the log window below the ‘Execute’ button.
   g. A green progress bar indicates that the task completed successfully.

Step 4: Creating ‘regular_user’ as a user

1. Click on ‘Tasks’ in the navigation breadcrumbs below the header.
2. Click on ‘Create a user’.
   a. Enter ‘limited_user’ in the User input field.
   b. Click the ‘Browse’ button next to ‘Baseline dashboard’.
   c. Select the ‘admin’s dashboard’ in the ‘Dashboard Resource browser’ and click ‘Close’.
   d. Click on the ‘Read’ and ‘Personalize’ checkboxes under ‘Permissions’.
   e. Click on the ‘Execute’ button.
   f. You should see log messages in the log window below the ‘Execute’ button.
   g. A green progress bar indicates that the task completed successfully.
3. Click on ‘Tasks’ in the navigation breadcrumbs below the header.
4. Click on ‘Grant create permissions’.
   a. Select ‘regular_user’ in the user drop down.
   b. Click on the ‘Dashboards’, ‘Pages’, ‘Cards’ and ‘Links’ checkboxes under ‘Can create’.
   c. Click on the ‘Execute’ button.
   d. You should see log messages in the log window below the ‘Execute’ button.
   e. A green progress bar indicates that the task completed successfully.

Using Permissions to Emulate 1.0.x Users

In LiveView Web 1.0.x, users were added to the system by adding entries to the liveview.auth.properties file. Once the users logged in, they would be given their own personal dashboard. To achieve similar behavior (starting with LVWeb 1.1.x), the same liveview.auth.properties file needs to be modified to include create permissions for all dashboard resources. For example, in the sample shipped with LiveView Web, the liveview.auth.properties has create permissions for the LVUser role:

    role.LVUser = connect, table:list, table:manage, table:*:ItemsSales, table:query, alert:list, alert:set:ItemsSales, alert:delete, alertaction:publish:ItemsSales, alertaction:email:ItemsSales, alertaction:sendtuple:ItemsSales, tuple:info:ItemsSales.DataIn, tuple:send:ItemsSales.DataIn, workspace:get:Auth Sample, dashboard:create, page:create, card:create, linkage:create

The following table explains some of the permissions added:

    Permission          Explanation
    dashboard:create    Allows creating dashboards
    page:create         Allows creating pages
    card:create         Allows creating cards
    linkage:create      Allows creating linkages

Note: LiveView Web does not support migration of 1.0.x resources to 1.3.x format.
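
An added example, not from the TIBCO guide: a Python check that reads role lines in the format shown above and reports which roles carry the four create permissions, and which names in a liveview.web.privileged.principals value (the ANY:ANY users described under "What is a Privileged User?") fall outside an approved list. The LVViewer role, the ops_lead name, the backslash line continuations and the function names are assumptions made for the illustration.

```python
# The four create permissions listed in the table above.
CREATE_PERMS = {"dashboard:create", "page:create", "card:create", "linkage:create"}

# Constructed sample. role.LVUser repeats the guide's line; role.LVViewer is a
# hypothetical read-mostly role. Backslash continuations are an assumption
# borrowed from Java .properties syntax.
SAMPLE_AUTH_PROPERTIES = r"""
# constructed sample of liveview.auth.properties role entries
role.LVUser = connect, table:list, table:manage, table:*:ItemsSales, \
    table:query, alert:list, alert:set:ItemsSales, alert:delete, \
    alertaction:publish:ItemsSales, alertaction:email:ItemsSales, \
    alertaction:sendtuple:ItemsSales, tuple:info:ItemsSales.DataIn, \
    tuple:send:ItemsSales.DataIn, workspace:get:Auth Sample, \
    dashboard:create, page:create, card:create, linkage:create
role.LVViewer = connect, table:list, table:query
"""


def logical_lines(text):
    """Yield entries with continuation lines joined; skip blanks and comments."""
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line.startswith("#")):
            continue
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        yield pending + line
        pending = ""
    if pending:
        yield pending


def parse_roles(text):
    """Return {role_name: [permission, ...]} for every 'role.<name> = ...' entry."""
    roles = {}
    for line in logical_lines(text):
        key, sep, value = line.partition("=")
        key = key.strip()
        if sep and key.startswith("role."):
            perms = [p.strip() for p in value.split(",") if p.strip()]
            roles[key[len("role."):]] = perms
    return roles


def create_grants(roles):
    """Roles that can create LiveView Web resources, with the create perms held."""
    report = {}
    for name, perms in roles.items():
        held = CREATE_PERMS & set(perms)
        if held:
            report[name] = sorted(held)
    return report


def unexpected_privileged(principals_value, approved=("admin",)):
    """Names in a liveview.web.privileged.principals value not on the approved list."""
    listed = {u.strip() for u in principals_value.split(",") if u.strip()}
    return sorted(listed - set(approved))


if __name__ == "__main__":
    roles = parse_roles(SAMPLE_AUTH_PROPERTIES)
    for role, perms in create_grants(roles).items():
        print(f"role {role} can create: {', '.join(perms)}")
    # Constructed property value; ops_lead is a hypothetical user name.
    for user in unexpected_privileged("admin, ops_lead"):
        print(f"privileged (ANY:ANY) user not on the approved list: {user}")
```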

Additional Information

For additional examples and information, please refer to https://community.tibco.com/wiki/authentication-and-authorization-liveview-web-how-share-resources


lvweb-copy

Synopsis

    lvweb-copy [-U LiveView Web URL|-p path-to-project] [-t [h2|file]] -s srcuser -d destuser -r filter

Description

Copies either a set of resources or the permissions and resources created by and personalized by the source user to the destination user. When copying a user, the tool copies the resources by value (not by reference) so all the copied resources are owned by the destination user. When copying resources, the tool creates exact copies of the requested resources.

Options

-s | --sourceUser srcuser
    Specifies the srcuser whose permission settings are to be copied. The srcuser must already exist in the project’s liveview.auth.properties file or in the configured LDAP database. Notice that the long name version of this option has an uppercase U, which must be typed as shown.

-d | --destinationUser destuser
    Specifies the destuser whose permission settings are to be granted. Notice that the long name version of this option has an uppercase U, which must be typed as shown. If the destuser does not already exist in the project’s primary authorization realm (the project’s liveview.auth.properties file or in the configured LDAP database), the destuser is added to LiveView Web’s H2 permissions store, but destuser cannot log in and use LiveView Web resources until also added to the configured primary authorization realm.

-r | --resource resource-filter
    Accepts a resource-filter, which follows the syntax described in Resource Filter Specifications. This option cannot be used in conjunction with the srcuser and destuser options.

For -U, -p and -t, see the Shared Options section below.

Usage Note

● Do not specify “admin” as the srcuser to copy from, even if your LDM authorization scheme does not specify a user named “admin.” This username is a special case name reserved by default as the LDM superuser name. For this reason, copying permissions from this username is blocked.

Examples

    lvweb-copy -p /path/to/project -s earlyuser -d newuser

Copies the permission settings for all resources personalized by and created by earlyuser to newuser.

    lvweb-copy -p <project_directory> -t file -r dashboard/1/**/*

Copies the dashboard with id 1 and all the pages, cards, and linkages.

    lvweb-copy -U http://admin:admin@localhost:10080 -s earlyuser -d newuser

Copies the permission settings for all resources personalized by and created by earlyuser to newuser on a server running on http://localhost:10080


lvweb-db

Synopsis

    lvweb-db [-U LiveView Web URL|-p path-to-project] [-e | -i] [-o] [-d path-to-backup-dir] [-f path-to-zip-file]

Description

Supports import and export operations that allow you to back up and restore the contents of an H2 database that contains all LiveView Web authentication settings and resources. The storage format for the backed-up data is a zip file.

Options

-d | --directory path-to-backup-dir
    Specifies the path to a directory that contains a default-named zip file to be imported into the H2 database, or that is to contain a zip file exported from the H2 database. If not specified, the current directory is used. Specify either -d or -f. If both are used, the -f option takes precedence.

-f | --file filename.zip
    Specifies the path to a zip file to export into or to import from. If -f or --file is used, you must specify the filename.zip argument. The filename.zip argument should be a filename with zip extension. If -f is omitted, the command uses lvw-db.zip.

-e | --export
    Exports authentication settings and resources from the specified project’s H2 database to the default file name or to the file specified with -f. Writes the output file to the current directory, or to the path specified with -d.

-i | --import
    Imports authentication settings and resources from the default zip file name, or from a file named with -f, into the specified project’s H2 database. Prompts for permission to override the H2 database unless -o is also specified.

-o | --override
    Used only with -i import operations to pre-answer the prompt for permission to override the H2 database’s current settings.

For -U and -p, see the Shared Options section below.

Examples

    lvweb-db -p /path/to/project -e

Exports all H2 data in the specified project to a file named lvw-db.zip in the current directory.

    lvweb-db -p /path/to/project -e -d C:\Bkp

Exports all H2 data in the specified project to a file named lvw-db.zip in C:\Bkp.

    lvweb-db -p /path/to/project -e -f C:\Bkp\lvweb_160901.zip

Exports all H2 data in the specified project to a file named lvweb_160901.zip in C:\Bkp.

    lvweb-db -p /path/to/project -i

Imports all backed-up data from a file named lvw-db.zip in the current directory to the specified project’s H2 database. Prompts for permission to overwrite.

    lvweb-db -p /path/to/project -i -d C:\Bkp

Imports all backed-up data from a file named lvw-db.zip in C:\Bkp to the specified project’s H2 database. Prompts for permission to overwrite.

    lvweb-db -p /path/to/project -i -f C:\Bkp\lvweb_160901.zip

Imports all backed-up data from a file named lvweb_160901.zip in C:\Bkp to the specified project’s H2 database. Prompts for permission to overwrite.

    lvweb-db -p /path/to/project -i -o

Imports all backed-up data from a file named lvw-db.zip in the current directory to the specified project’s H2 database, overwriting the existing H2 database.

    lvweb-db -U http://admin:admin@localhost:10080 -e

Exports all H2 data from a server running on http://localhost:10080 to a file named lvw-db.zip in the current directory.


lvweb-delete

Synopsis

    lvweb-delete [-U LiveView Web URL|-p path-to-project] [-t [h2|file]] -u username

Description

Deletes the specified username completely from LiveView Web storage. All of username’s created and personalized resources are deleted, and all permission settings associated with username are deleted. There is no recovery option for this command, so please back up your data with the lvweb-db command before running this command.

Options

-u | --user username
    Specifies the username that is to be deleted.

For -U, -p and -t, see the Shared Options section below.

Examples

    lvweb-delete -p /path/to/project -u newuser

Deletes all permissions and resources created by or personalized by newuser from the specified project.

    lvweb-delete -U http://admin:admin@localhost:10080 -u newuser

Deletes all permissions and resources created by or personalized by newuser from the server running on http://localhost:10080.


lvweb-list

Synopsis

    lvweb-list [-U LiveView Web URL|-p path-to-project] [-t [h2|file]] [-r resource-filter] [-c]

Description

Returns a list of the specified resources in the specified project, showing the ID number of each resource. You can use resource IDs when specifying permission settings with the lvweb-permissions command.

Options

-r | --resource resource-filter
    Accepts a resource-filter, which follows the syntax described in Resource Filter Specifications. The default resource-filter is *, which specifies all resource types, if you do not include a -r option.

-c | --showchildren
    Add the -c option to show the children of each specified resource type, indented under each resource instance. Dashboards show all of each dashboard’s pages, while pages show all of each page’s cards and linkages.

For -U, -p and -t, see the Shared Options section below.

Examples

    lvweb-list -p /path/to/project -r dashboard/* -c

Returns a list of all dashboards in the specified project, with each page of each dashboard indented under its parent dashboard. Each card and linkage of each page is further indented under its parent page.

    lvweb-list -p /path/to/project -r *
    lvweb-list -p /path/to/project

Either command returns a list of all resources in the specified project.

    lvweb-list -p /path/to/project -r dashboard/*

Returns a list of all dashboards in the specified project.

    lvweb-list -p /path/to/project -r page/Price.*

Returns a list of all pages in the specified project whose name starts with “Price”.

    lvweb-list -U http://admin:admin@localhost:10080 -r dashboard/* -c

Returns a list of all dashboards available on a server running on http://localhost:10080, with each page of each dashboard indented under its parent dashboard. Each card and linkage of each page is further indented under its parent page.


lvweb-permissions

Synopsis
    lvweb-permissions [-U LiveView Web URL|-p path-to-project]
        [-t [h2|file]] -u username -g permission-list
        [-r resource-filter][-d]

    lvweb-permissions [-U LiveView Web URL|-p path-to-project]
        [-t [h2|file]] -u username -k permission-list
        [-r resource-filter][-d]

    lvweb-permissions [-U LiveView Web URL|-p path-to-project]
        [-t [h2|file]] -u username [-e -f filename]

    lvweb-permissions [-U LiveView Web URL|-p path-to-project]
        [-t [h2|file]] -u username [-i -f filename]
        [-d] [-o]

Description
Using the -g option allows you to specify a list of permission settings to be applied to a resource filter specification for the specified username. At grant time, you can also optionally update all dashboards owned or updatable by username to contain references to all pages accessible by username.

Using the -k option allows you to revoke a list of permission settings for a resource filter specification from the specified username. At revoke time, you can also optionally update all dashboards owned or updatable by username to contain references to all pages accessible by username.

Using the -e option allows you to export current permission settings for username to a permissions file.

Using the -i option allows you to import permission settings for username from a permissions file, optionally overwriting existing settings. At import time, you can also optionally update all dashboards owned or updatable by username to contain references to all pages accessible by username.

The syntax for all permission-list arguments is described in Permission List Syntax. The syntax for all resource-filter arguments is described in Resource Filter Specifications.

There is no recovery option for this command, so please back up your data with the lvweb-db command before running this command. In case of incorrectly granted or imported permissions, you can use the lvweb-delete command to remove all permissions for username, then re-import them, or re-grant them with another lvweb-permissions command.

Options
-u | --user username
    Specifies the username whose permissions are to be modified. This parameter is always required. If the username does not already exist in the project’s primary authorization realm (the project’s liveview.auth.properties file or in the configured LDAP database), the username is added to LiveView Web’s H2 permissions store, but username cannot log in and use LiveView Web resources until also added to the configured primary authorization realm.
-g | --grant permission-list
    Grants username the permissions specified in permission-list to the resources specified with the -r option. The syntax of the permission-list argument is described in Permission List Syntax below.
-k | --revoke permission-list
    Revokes from username the permissions specified in permission-list to the resources specified with the -r option. The syntax of the permission-list argument is described in Permission List Syntax below.
-r | --resource resource-filter
    Accepts a resource-filter, which follows the syntax described in Resource Filter Specifications. The default resource-filter is *, which specifies all resource types, if you do not include a -r option.
-e | --export
    Specifies an export operation for the specified username, extracting all current permission settings into the file specified with -f.
-f | --file
    Specifies the path to a file to contain permission settings exported with -e, or the path to a file that contains permission settings to be applied to username with -i. This option is required when using either -e or -i. See Permissions File Format for details.
-i | --import
    Specifies an import operation that reads the permission settings from the file specified with -f and applies them to username. When using -i, you can also specify the -o and -d options.
-o | --override
    Used only with -i in LiveView Web 1.1.2 and later releases. Specifies overriding all existing permissions for an import operation. (The default mode for imports is to merge settings from the imported permissions file with any existing settings for username.)
-d | --updatedashboards
    Use only with -i. Specifies updating all dashboards owned or updatable by username to contain references to all pages accessible by username. This option is ignored if importing a dashboard.
-m | --mergeimport
    Deprecated option. Used only with -i and only in LiveView Web 1.1.1, this option specified merging the settings imported from the permissions file with any existing settings for username for all resources. In LiveView Web 1.1.2 and later releases, the sense of merging is inverted. Thus, merging is the default mode for -i import operations, and you can specify -o to override all existing permissions during import.

For -U, -p and -t, see the Shared Options section below.

Usage Notes
● The -d option allows you to create a new dashboard for which the user has all permissions. The newly created dashboard will contain all the pages accessible to the user.

● Generally, avoid giving update permissions for a dashboard. If the dashboard is shared between multiple users, confusing configurations can arise, such as when UserA and UserB both can update dashboard 1. UserA adds a new page with ID 1, but only UserA can access page 1. Nevertheless, page 1 gets added to dashboard 1. Now when UserB accesses dashboard 1, he or she will get an unauthorized error when trying to modify page 1.

● You can import an existing dashboard with read permission to restrict the user to only the pages currently present in the dashboard, or you can import an existing dashboard with read and personalize permissions to allow the user to personalize the dashboard.

● The import tool imports permissions in the order read from the permissions file. If a resource is configured more than once in a permissions file, the last processed permission wins. For example, if you import a page and all its cards with read permission, and a later line in the file specifies one of the cards to have personalize permissions, then that card will have only personalize and not read permissions.

● Specify resource-level permissions after all resources with child and grandchild syntax have been specified. For example, let's say you have a page with ID 1 that contains cards with ID=2 and ID=3. Your goal is to make the page and card 2 read-only, but to grant card 3 read and personalize permissions. You can use a permissions import file like the following:

    # Import page 1 and all its cards with read access
    page/1/* = read
    # Update card 3 to add personalize permission
    card/3 = read,personalize

Examples
    lvweb-permissions -p /path/to/project -g read,personalize
        -r dashboard/1/**/* -u user1

Grant user1 read and personalize permission for all resources in the dashboard with ID 1.

    lvweb-permissions -p /path/to/project -k personalize
        -r page/3/* -u user1

Revoke personalize permission from user1 for the page with ID 3 and its cards and linkages.

    lvweb-permissions -p /path/to/project -e -f user1.permissions
        -u user1

Export all the permissions of user1 into a file named user1.permissions from the specified project.

    lvweb-permissions -p /path/to/project -i -f user1.permissions
        -u user1 -d

Import all the permissions defined in a file named user1.permissions for user1 and optionally create a dashboard with the accessible pages in it for the specified project.

    lvweb-permissions -p /path/to/project -i -f user1.permissions
        -u user1 -d -o

Import all the permissions defined in a file named user1.permissions for user1, overriding existing permissions, if any, with permissions from the file, and optionally create a dashboard with the accessible pages in it for the specified project.

    lvweb-permissions -U http://admin:admin@localhost:10080
        -g read,personalize -r dashboard/1/**/* -u user1

Grant user1 read and personalize permission for all resources in the dashboard with ID 1 on the server running on http://localhost:10080.


lvweb-reset

Synopsis
    lvweb-reset [-U LiveView Web URL|-p path-to-project]
        [-t [h2|file]] -u username [-a]

Description
Resets all resources personalized by username back to their state before any such personalization. By adding the optional -a argument, you can also remove all resources created by username. There is no recovery option for this command, so please back up your data with the lvweb-db command before running this command.

Options
-u | --user username
    Specifies the username whose permissions are to be reset.
-a | --all
    In addition to resetting all personalized resources, delete all resources created by username.

For -U, -p and -t, see the Shared Options section below.

Examples
    lvweb-reset -p /path/to/project -u newuser

Resets all resources personalized by newuser back to their initial state in the specified project.

    lvweb-reset -p /path/to/project -u newuser -a

Resets all resources personalized by newuser as above, and also deletes all resources created by newuser.

    lvweb-reset -U http://admin:admin@localhost:10080 -u newuser

Resets all resources personalized by newuser back to their initial state on the server running on http://localhost:10080.


Shared Options
The following options have the same meanings for all of the lvweb-* commands.

-h | --help
    Shows usage text for this command.
--version
    Returns the current LiveView Web version number.
-U | --Url LiveView Web URL
    Specifies the URL of the server to access. The URL has the format <http/https>://[<authinfo>@]<hostname>:<port>. The auth info is needed if you have authentication enabled on the server. It is recommended to use a user who has privileged access on the server. For example, if you are running LiveView Web with the default configuration on Live Datamart with default ports, your URL is http://admin:admin@localhost:10080. This option is recommended when your project is currently running in Live Datamart.
-p | --projectDir path-to-project
    Specifies the relative path from the location of this lvweb-* command, or the full, absolute path, to the Live Datamart project folder that contains the project that LiveView Web is to query. If the path to the project includes a space, use quotes around the path. Notice that the long version of this option has an uppercase D, which must be typed as shown. This option can be used only if your project is not currently running in Live Datamart.
-t | --pstoreType “h2” | “file”
    Specifies whether the project specified with -p stores its LiveView Web persistence data in an H2 database in the project folder, or in a deprecated file format. Notice that the long name version of this option has an uppercase T, which must be typed as shown. The default and strongly recommended persistence type is h2. Do not use the -t file option since it has been deprecated and will be removed in a future release.


Permission List Syntax
The syntax of a permission-list argument in lvweb-* commands and in a permissions file is a comma-separated list of permissions keywords, with no spaces between keywords. The following lines show examples of valid permission-list arguments:

    read,personalize
    read,update,delete
    read,personalize,delete
    create
    any

The permission keywords you can grant to any LiveView Web resource are based on the resource type:

Resource    Supported Permissions Keywords
dashboard   [CREATE, READ, UPDATE, DELETE, PERSONALIZE] or ANY
page        [CREATE, READ, UPDATE, DELETE, PERSONALIZE] or ANY
card        [CREATE, READ, UPDATE, DELETE, PERSONALIZE, EXPORT_DATA] or ANY
linkage     [CREATE, READ, UPDATE, DELETE, PERSONALIZE] or ANY

Permission keywords (case insensitive in use) have the following meanings:

● CREATE grants the ability to create this resource type. This has no meaning for existing resources with IDs, and is therefore best used with the -1 ResourceID.

● READ, UPDATE, and DELETE have the obvious meanings for the specified resource type. Be careful when granting UPDATE rights for the same resource to two or more users, because their changes to the resource can conflict.

● PERSONALIZE grants update rights to a private copy of the resource. Use PERSONALIZE instead of UPDATE for most resources.

● EXPORT_DATA only applies to the CARD resource type, and enables a drop-down menu item that allows a snapshot of the card’s current data to be exported. Exported data is saved to the local machine’s Downloads directory as CSV files for tabular data and PNG files for charts. File names are generated from the card name.

● ANY grants a combination of all allowed permissions for the specified resource type. ANY includes UPDATE instead of PERSONALIZE; thus do not grant ANY rights lightly. It is designed for administrator user names.

Permissions File Format
Permissions files generated by the -e export option, or imported with the -i option, follow the syntax of Java properties files:

    resource-filter=permission-list

Where:

● The syntax for a resource-filter is described in Resource Filter Specifications.
● The syntax for a permission-list is described in Permission List Syntax.
● Lines beginning with # are comment lines.

Permissions File Example Lines

    # Import dashboard ID 1 with read permission:
    dashboard/1=read
    # Import dashboard ID 2 and the pages it contains with read and
    # personalize permissions:
    dashboard/2/*=read,personalize
    # Import dashboard ID 3 and the pages it contains along with all the
    # cards and linkages in each page, all with read and personalize permissions:
    dashboard/3/**/*=read,personalize
    # Import page ID 1 with read permission:
    page/1=read
    # Import page ID 2 and its cards and the linkages it references with
    # read permission:
    page/2/*=read
    # Allow creation of dashboards:
    dashboard/-1=create
    # Allow creation of pages:
    page/-1=create
    # Allow creation of cards:
    card/-1=create
    # Allow creation of linkages:
    linkage/-1=create
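A pre-import check for a permissions file, as an added example (not TIBCO's code and not part of the guide): it validates each keyword against the resource types a filter covers and flags the grants this guide cautions about (ANY, UPDATE, CREATE on an existing ID, and a filter repeated later in the file). The rule names, function names and the sample file are assumptions made for the illustration.

```python
# Added example: audit a permissions file before running lvweb-permissions -i.
# Keyword sets and parent-child types come from the guide's tables; the rule
# names and the sample file are this example's own.
BASE = {"create", "read", "update", "delete", "personalize"}
ALLOWED = {"dashboard": BASE, "page": BASE, "linkage": BASE,
           "card": BASE | {"export_data"}}
CHILDREN = {"dashboard": ["page"], "page": ["card", "linkage"],
            "card": [], "linkage": []}

# Constructed sample input, not taken from a real project.
SAMPLE = """\
# constructed sample
dashboard/1=read
dashboard/2/*=read,update
page/7=read,export_data
page/8/*=read,export_data
card/9=create,read
card/-1=create
*=any
page/7=personalize
"""

def covered_types(rtype, depth):
    """Resource types a filter touches at showChildren depth 0, 1 or 2."""
    types = set(ALLOWED) if rtype == "*" else {rtype}
    for _ in range(depth):
        types |= {child for t in types for child in CHILDREN[t]}
    return types

def audit(text):
    """Return (line_no, rule, detail) findings for a permissions file."""
    findings, seen = [], {}
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        flt, _, value = (s.strip() for s in line.partition("="))
        perms = [p.strip().lower() for p in value.split(",") if p.strip()]
        parts = flt.split("/")
        rtype, rid = parts[0], parts[1] if len(parts) > 1 else "*"
        if rtype != "*" and rtype not in ALLOWED:
            findings.append((no, "unknown-type", rtype))
            continue
        depth = 2 if parts[2:] == ["**", "*"] else 1 if parts[2:] == ["*"] else 0
        types = covered_types(rtype, depth)
        for p in perms:
            if p == "any":  # ANY includes UPDATE; meant for administrators
                findings.append((no, "any-grant", flt))
            elif not any(p in ALLOWED[t] for t in types):
                findings.append((no, "bad-keyword", p))
            elif p == "update":  # the guide prefers PERSONALIZE
                findings.append((no, "update-grant", flt))
            elif p == "create" and rid != "-1":  # CREATE belongs on ID -1
                findings.append((no, "create-on-existing-id", flt))
        if flt in seen:  # same filter again: the last line wins on import
            findings.append((no, "replaces-line", seen[flt]))
        seen[flt] = no
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

The repeated-filter rule only catches identical filters; a broader filter that overlaps a narrower one needs the resource list from lvweb-list to resolve.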


Resource Filter Specifications
This section explains the syntax of the resource-filter argument for the -r option used in the lvweb-list and lvweb-permissions commands, and also used in permissions files.

Resources are the following LiveView Web objects:

    dashboard, page, card, linkage

These objects have the following parent-child relationships:

Resource Type   Children        Grandchildren
dashboard       page            card, linkage
page            card, linkage   --

Resource Filter Syntax
The syntax for a resource-filter argument is:

    resourceType/resourceID/showChildren

Where:

resourceType can be a single asterisk (*) or one of dashboard, page, card, or linkage.

resourceID is optional. If used, it can be:

● A single asterisk to indicate all resourceIDs.
● A string indicating the ID of a resource as maintained in a LiveView Web project’s database, and as shown with the lvweb-list command.
● -1, used with CREATE permission to indicate a resourceType that does not yet exist.
● A Java regular expression using the syntax of java.util.regex.Pattern that resolves to a string that matches the name of one or more resources in the current project.

showChildren is optional and can be a single asterisk (*) to indicate immediate children only, or can be **/* to indicate all children and grandchildren.

Resource Filter Examples

Filter Expression                                     Meaning
*                                                     All dashboard, page, card, and linkage resources.
*/*                                                   All dashboard, page, card, and linkage resources.
*/*/*                                                 All dashboard, page, card, and linkage resources with immediate children.
*/*/**/*                                              All dashboard, page, card, and linkage resources with immediate children and grandchildren.
dashboard/*                                           All dashboards.
dashboard/b5ec6366-1f3e-4334-8a81-ae8c11a717c41       The dashboard with ID b5ec6366-1f3e-4334-8a81-ae8c11a717c41.
dashboard/b5ec6366-1f3e-4334-8a81-ae8c11a717c41/*     The dashboard with ID b5ec6366-1f3e-4334-8a81-ae8c11a717c41 and all pages of that dashboard.
dashboard/*/**/*                                      All dashboards with all pages under each dashboard and all cards and linkages under each page.
page/System Info/**/*                                 All pages whose name matches “System Info” with all cards and linkages under such pages.
page/System.*/**/*                                    All pages whose name begins with “System” with all cards and linkages under such pages.
dashboard/-1                                          Used to grant or revoke dashboard CREATE permission for a user.
page/-1                                               Used to grant or revoke page CREATE permission for a user.
card/-1                                               Used to grant or revoke card CREATE permission for a user.
linkage/-1                                            Used to grant or revoke linkage CREATE permission for a user.
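The filter syntax above and the last-line-wins rule from the lvweb-permissions Usage Notes, modeled in an added example (not LiveView Web's implementation): it expands filters against a constructed resource tree and applies a permissions file in order, so the effect of line ordering can be checked before an import. The tree, the function names, and the use of Python's re in place of java.util.regex.Pattern are assumptions.

```python
import re

# Added example: a model of the guide's filter syntax and import ordering.
# Constructed tree, not from a real project: (type, id, name, parent key).
RESOURCES = [
    ("dashboard", "10", "Ops", None),
    ("page", "1", "System Info", ("dashboard", "10")),
    ("card", "2", "CPU", ("page", "1")),
    ("card", "3", "Memory", ("page", "1")),
    ("linkage", "4", "CPU to Memory", ("page", "1")),
    ("page", "5", "Prices", ("dashboard", "10")),
]
# The two orderings discussed in the Usage Notes (constructed files).
ORDERED = "page/1/* = read\ncard/3 = read,personalize\n"
REVERSED = "card/3 = read,personalize\npage/1/* = read\n"

def parse_filter(flt):
    """Split resourceType/resourceID/showChildren into (type, id, depth)."""
    parts = flt.split("/")
    rtype, rest = parts[0], parts[1:]
    if rest[-2:] == ["**", "*"]:
        depth, rest = 2, rest[:-2]      # children and grandchildren
    elif len(rest) > 1 and rest[-1] == "*":
        depth, rest = 1, rest[:-1]      # immediate children only
    else:
        depth = 0
    return rtype, "/".join(rest) or "*", depth

def matches(res, rtype, rid):
    """ID match, or a full regex match on the resource name."""
    if rtype not in ("*", res[0]):
        return False
    if rid in ("*", res[1]):
        return True
    try:
        return re.fullmatch(rid, res[2]) is not None
    except re.error:
        return False

def expand(flt):
    """Set of (type, id) keys a filter selects in RESOURCES."""
    rtype, rid, depth = parse_filter(flt)
    frontier = [r for r in RESOURCES if matches(r, rtype, rid)]
    hit = {r[:2] for r in frontier}
    for _ in range(depth):
        keys = {r[:2] for r in frontier}
        frontier = [r for r in RESOURCES if r[3] in keys]
        hit |= {r[:2] for r in frontier}
    return hit

def effective(text):
    """Apply a file top to bottom; a later line replaces an earlier one."""
    perms = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        flt, _, value = line.partition("=")
        granted = frozenset(k.strip().lower() for k in value.split(",") if k.strip())
        for key in expand(flt.strip()):
            perms[key] = granted
    return perms
```

Comparing effective(ORDERED) with effective(REVERSED) shows card 3 keeping read and personalize in the first case and dropping to read in the second.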