The New MR Repository & Security Authorization Model
Ben Naphtali WebFOCUS Product Manager
Architecture and Security, May 2010
Copyright 2009, Information Builders. Slide 1
Release 77x/76x Security Structure - Review
WebFOCUS Managed Reporting Security, Release 77x/76x and Earlier
Authentication – Internal or External (Basedir, RDBMS, AD, LDAP, WFRS, Trusted)
Authorization – Internal or External (Basedir, RDBMS, AD, LDAP)
All MR assets are stored on the filesystem
[Architecture diagram: Browser machine (Java Client); Application Server/Web Server running the WF Servlet and the MR (Internal) Repository; WebFOCUS Server; MR (External) Authorization via SQL RDBMS, Active Directory or LDAP; External Authentication; RDBMS options: DB2, Oracle, Sybase, Informix, Teradata, …]
WebFOCUS 77x/76x Managed Reporting Security: User Authorization
[Diagram: Users, Groups, Domains, Role(*), Reports, Launch Pages, Documents]
Role is assigned directly to user.
A user has only ONE role, except in the case of a Group Administrator.
WebFOCUS 77x/76x Managed Reporting Security: User Authorization
Create Domain, and Assign Reporting Server Properties
Create Groups, and assign those Groups to Domains
Create User, assign user to a Specific Role and place that user in a specific Group
A user is associated with one or more Groups, and those Groups are associated with one or more Domains, but a user has only one ROLE.
Release 8 Repository and Security Authorization
Release 8 Repository
Implemented in RDBMS tables
Accessed via JDBC
Derby shipped and can be installed
All content stored in RDBMS
Any RDBMS with BLOB field support
Utilize your existing RDBMS infrastructure
(audit, backup, clustering, etc.)
Release 8 Repository
File system model:
Domains are top-level folders
N-depth folder/file tree
No special-purpose folders (Standard Reports, Reporting Objects, Other Files, My Reports, Shared Reports) … unless you want them
Private content can exist anywhere you allow it
ReportCaster content (schedules, access/distribution lists)
Release 8.0: How to Approach Security Authorization
How to Approach Security Authorization
Decide what types of Users you want
(Rules with legacy Groups/PSETS shipped)
Create Groups that will contain those user types
Create/Use existing Permission Set
Create Rule For a Group on a Resource
Group G1 can do action A1 on Sales Folder (Domain)
Assign Users to the Groups
Security Rules
All rules have 3 parts:
A subject (Groups or Users) – the WHO
Has permitted operations (PSET) – the WHAT
On some resource – the WHERE (Folder, Group, PSET / User or Item)
Examples:
Group RepDev has Developer on Folder /SalesReports
Group EVERYONE has RunReports on Folder /SalesReports
Group RepAdmin has ManageUsers on Group Sales
WHO – WHAT – WHERE
Security Rules (continued)
Permissions are inherited down the Repository tree: RepDev inherits Developer permissions on folder /SalesReports/Budget
Group to sub-group inheritance: granting RunReports to Group /Sales also grants RunReports to members of /Sales/Admin, etc.
A subject can have specific rules on every item – recommended only as the exception!
Groups & Users - WHO
Groups with sub-Groups: Group /Sales, Group /Sales/Admin, Group /Sales/Developer
Users are assigned to Groups (or sub-Groups)
All users are in the EVERYONE Group
User authorizations come from Group membership
When in multiple Groups, order of precedence decides
User authorization “flags” eliminated
WHO – WHAT - WHERE
Permission Sets - WHAT
Named list of permitted or denied operations
WF ships with a set of predefined permission sets
Can create your own
Reusable for multiple rules
Usually declare what a subject can do (PERMIT)
Can declare what a subject cannot do (DENY)
Abilities are never implied: if an individual operation is UNSET, it is an effective deny
WHO – WHAT - WHERE
Permission Sets – WHAT: List of Operations
An operation is some atomic ability that is permitted or denied
Tree Items: Create File, Delete File, Read File, Write File, Create Folder, Run Report, Run Deferred, Update Properties, Change Ownership, Share, Schedule Report, ...
Tools: Launch InfoAssist, Launch Editor, Launch Security Center, Launch RC Admin, Launch Developer Studio Tools, ...
Groups: Create Groups, Assign Users to Groups, Share with Group, Make rules for the Group (group as subject), ...
Users: Create User, Update User Status/Password, ...
Privilege Sets: Create PSET, Update PSET, Delete PSET, ...
Everything is a Resource - WHERE
/WFC/Repository: Folders, Sub Folders, Items
/SSYS: Groups, Sub Groups, Users, Permission Sets
/WEB – APPROOT application directories
WHO – WHAT - WHERE
Different abilities at the Folder/SubFolder Level
Private Files & Folders (aka My Reports)
Private files can exist anywhere you allow them; private folders recommended
Private files can be owned by Users or by Groups (“in development”)
Private files can be shared with specific groups/users
Two special Permission Sets: Owners have PrivateResourcePermits on Private Items; Sharees have ShareResourcePermits on Shared Items
WHO – WHAT - WHERE
User and Group Administration
Users are permitted operations to act on Groups:
Create sub-Groups (opCreateGroup)
Assign users to Groups (opAssignUsersTo)
Assign users from Groups (opAssignUsersFrom)
Manage users in Groups (opUpdateGroup)
Release 8 Repository and Security Authorization: Auditing/Logging
Log4j – popular open source logging package; all logs/traces utilize log4j
Destinations: Files (default); can also log to RDBMS, SMTP, Event Log
Set level of detail: INFO shows SUCCESS and FAILURE; ERROR shows only FAILURE
Release 8 Repository and Security Authorization: Auditing/Logging (continued)
Security: Signon/Signoff; User Create/Update/Delete/Remove; Group Create/Update/Delete; PSET Create/Update/Delete; Rule Create/Update/Delete; Configuration
Object: Folder Create/Update/Delete, Time Updated; Item Create/Update/Delete, Time Accessed, Start/End Run
Release 8 Repository and Security Authorization: In the works…
Change Management and Migration
External Authentication
Additional components stored within RDBMS
Default Group for Tool Preferences: /VIEWS/viewname/tabname
Password Policies
Configuration Logging
Object Logging: Folder Create/Update/Delete, Time Updated; Item Create/Update/Delete, Time Accessed, Start/End Run
Questions?
Thank You!
UOA Advanced Topics
Effective Policy: What a USER can do to a Specific Resource
Effective group membership: all Groups assigned directly, their parent Groups, and the EVERYONE group
Walk down the resource tree to combine rules: /WFC/Repository, /WFC/Repository/Sales, ...
Private resources: if owned, add PrivateResourcePermits; else if shared, add ShareResourcePermits
Combination rules: DENY overrides a PERMIT; OVERPERMIT overrides a DENY
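The effective-policy evaluation above, together with the WHO/WHAT/WHERE rules and the folder and sub-group inheritance from the Security Rules slides, as an added example that is not Information Builders' code: the group names, permission sets and rules are constructed sample data, and the per-user group "order of precedence" and the private/shared resource step are assumed away for brevity.

```python
# Added example, not Information Builders' code: the "effective policy"
# evaluation the slides describe - direct groups plus their parents plus
# EVERYONE, a walk down the resource tree so parent rules are inherited,
# and the combination rules DENY beats PERMIT, OVERPERMIT beats DENY, UNSET
# is a deny. Data below is constructed; group precedence order and
# private/shared resources (PrivateResourcePermits etc.) are not modelled.

PSETS = {  # named permission set -> {operation: PERMIT | DENY | OVERPERMIT}
    "Developer":    {"opReadFile": "PERMIT", "opWriteFile": "PERMIT", "opRunReport": "PERMIT"},
    "RunReports":   {"opReadFile": "PERMIT", "opRunReport": "PERMIT"},
    "NoBudgetEdit": {"opWriteFile": "DENY"},
    "AdminEdit":    {"opWriteFile": "OVERPERMIT"},
}

# WHO / WHAT / WHERE rules: (subject group, permission set, resource path)
RULES = [
    ("/EVERYONE",    "RunReports",   "/WFC/Repository/SalesReports"),
    ("/Sales",       "Developer",    "/WFC/Repository/SalesReports"),
    ("/Sales",       "NoBudgetEdit", "/WFC/Repository/SalesReports/Budget"),
    ("/Sales/Admin", "AdminEdit",    "/WFC/Repository/SalesReports/Budget"),
]
RANK = {"PERMIT": 1, "DENY": 2, "OVERPERMIT": 3}   # the stronger verdict wins


def effective_groups(direct_groups):
    """Directly assigned groups, every parent group above them, and EVERYONE."""
    groups = {"/EVERYONE"}
    for g in direct_groups:
        parts = g.strip("/").split("/")
        groups.update("/" + "/".join(parts[:i]) for i in range(1, len(parts) + 1))
    return groups


def resource_chain(path):
    """Nodes from the root down to the resource, so rules on parents are inherited."""
    parts = path.strip("/").split("/")
    return ["/" + "/".join(parts[:i]) for i in range(1, len(parts) + 1)]


def effective_policy(direct_groups, resource):
    """Combine every rule that matches on the path into {operation: verdict}."""
    groups, policy = effective_groups(direct_groups), {}
    for node in resource_chain(resource):
        for subject, pset, where in RULES:
            if where != node or subject not in groups:
                continue
            for op, verdict in PSETS[pset].items():
                if RANK[verdict] > RANK.get(policy.get(op), 0):
                    policy[op] = verdict
    return policy


def is_permitted(direct_groups, resource, op):
    """An operation that is never set is an effective deny."""
    return effective_policy(direct_groups, resource).get(op) in ("PERMIT", "OVERPERMIT")
```

A member of /Sales/Developer can write in /SalesReports but not in /SalesReports/Budget, where the DENY on /Sales wins; a member of /Sales/Admin can, because its OVERPERMIT beats that DENY.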
External User and Group Administration
User authentication: pre-authorized (single signon, etc.) or LDAP authentication
User authorization: direct group assignment retrieved from LDAP; group hierarchy managed in UOA; rules managed in UOA
Migration: in 76x the Realm driver said “user has ROBOT flag”; in 77x the user is in the ROBOT group, and ROBOT has Schedule on /Repository