The New MR Repository & Security Authorization Model
Ben Naphtali, WebFOCUS Product Manager, Architecture and Security
May 2010
Copyright 2009, Information Builders.



Release 77x/76x Security Structure - Review


WebFOCUS Managed Reporting Security: Release 77x/76x and Earlier

- Authentication: Internal or External (Basedir, RDBMS, AD, LDAP, WFRS, Trusted)
- Authorization: Internal or External (Basedir, RDBMS, AD, LDAP)
- All MR assets are stored on the filesystem

[Architecture diagram labels: Browser Machine; Java Client; Application Server/Web Server; WF Servlet & MR (Internal) Repository; WebFOCUS Server; DB2, Oracle, Sybase, Informix, Teradata, ...; MR (External) Authorization (SQL RDBMS, Active Directory, LDAP); External Authentication]


WebFOCUS 77x/76x Managed Reporting Security: User Authorization

[Diagram labels: Users; Groups; Domains; Reports; Launch Pages; Documents; Role(*)]

- Role is assigned directly to user.
- A user has only ONE role, except in the case of a Group Administrator.


WebFOCUS 77x/76x Managed Reporting Security: User Authorization

1. Create Domain, and assign Reporting Server properties
2. Create Groups, and assign those Groups to Domains
3. Create User, assign the user to a specific Role and place that user in a specific Group

A user is associated with Group(s) and those Group(s) are associated with Domain(s), but the user has only one ROLE.


Release 8 Repository and Security Authorization


Release 8 Repository

- Implemented in RDBMS tables, accessed via JDBC
- Derby shipped and can be installed
- All content stored in RDBMS
- Any RDBMS with BLOB field support
- Utilize your existing RDBMS infrastructure (audit, backup, clustering, etc.)


Release 8 Repository

- File System model: Domains are top-level folders; N-depth folder/file tree
- No special-purpose folders (Standard Reports, Reporting Objects, Other Files, My Reports, Shared Reports) ... unless you want them
- Private content can exist anywhere you allow it
- ReportCaster content (schedules, access/distribution lists)


Release 8.0: How to Approach Security Authorization


How to Approach Security Authorization

1. Decide what types of Users you want (rules with legacy Groups/PSETs are shipped)
2. Create Groups that will contain those user types
3. Create or use an existing Permission Set
4. Create a Rule for a Group on a Resource, e.g. Group G1 can do action A1 on Sales Folder (Domain)
5. Assign Users to the Groups


Security Rules

All rules have 3 parts:
- A subject (Groups or Users): the WHO
- Has permitted operations (PSET): the WHAT
- On some resource (Folder, Group, PSET / User or Item): the WHERE

Examples:
- Group RepDev has Developer on Folder /SalesReports
- Group EVERYONE has RunReports on Folder /SalesReports
- Group RepAdmin has ManageUsers on Group Sales

WHO – WHAT – WHERE


Security Rules (continued)

- Permissions are inherited down the Repository tree: RepDev inherits Developer permissions on folder /SalesReports/Budget
- Group to sub-group inheritance: granting RunReports to Group /Sales also grants RunReports to members of /Sales/Admin, etc.
- A subject can have specific rules on every item; recommended only as the exception!


Groups & Users - WHO

- Groups with sub-Groups: Group /Sales, Group /Sales/Admin, Group /Sales/Developer
- Users are assigned to Groups (or sub-Groups); all users are in the EVERYONE Group
- User authorizations come from Group membership; when in multiple Groups, order of precedence decides
- User authorization "flags" eliminated

WHO – WHAT – WHERE


Permission Sets - WHAT

- Named list of permitted or denied operations
- WF ships with a set of predefined permission sets; you can create your own
- Reusable for multiple rules
- Usually declare what a subject can do (PERMIT); can declare what a subject cannot do (DENY)
- Abilities are never implied: if an individual operation is UNSET, it is an effective deny

WHO – WHAT – WHERE


Permission Sets – WHAT: List of Operations

An operation is some atomic ability that is permitted or denied.

- Tree Items: Create File, Delete File, Read File, Write File, Create Folder, Run Report, Run Deferred, Update Properties, Change Ownership, Share, Schedule Report, ...
- Tools: Launch InfoAssist, Launch Editor, Launch Security Center, Launch RC Admin, Launch Developer Studio Tools, ...
- Groups: Create Groups, Assign Users to Groups, Share with Group, Make rules for the Group (group as subject), ...
- Users: Create User, Update User Status/Password, ...
- Privilege Sets: Create PSET, Update PSET, Delete PSET, ...


Everything is a Resource - WHERE

- /WFC/Repository: Folders, Sub Folders, Items
- /SSYS: Groups, Sub Groups, Users, Permission Sets
- /WEB – APPROOT: application Directories

WHO – WHAT – WHERE


Different abilities at the Folder/SubFolder Level


Private Files & Folders (aka My Reports)

- Private files can exist anywhere you allow them; private folders recommended
- Private files can be owned by Users or by Groups ("in development")
- Private files can be shared with specific groups/users
- Two special Permission Sets: Owners have PrivateResourcePermits on Private Items; Sharees have ShareResourcePermits on Shared Items

WHO – WHAT – WHERE


User and Group Administration

Users are permitted operations to act on Groups:
- Create sub-Groups (opCreateGroup)
- Assign users to Groups (opAssignUsersTo)
- Assign users from Groups (opAssignUsersFrom)
- Manage users in Groups (opUpdateGroup)


Release 8 Repository and Security Authorization: Auditing/Logging

- Log4j: popular open-source logging package; all logs/traces utilize log4j
- Files (default); can log to RDBMS, SMTP, Event Log
- Set level of detail: INFO shows SUCCESS and FAILURE; ERROR shows only FAILURE


Release 8 Repository and Security Authorization: Auditing/Logging

- Security: Signon/Signoff; User Create/Update/Delete/Remove; Group Create/Update/Delete; PSET Create/Update/Delete; Rule Create/Update/Delete; Configuration
- Object: Folder Create/Update/Delete, Time Updated; Item Create/Update/Delete, Time Accessed, Start/End Run


Release 8 Repository and Security Authorization: In the works…


Release 8 Repository and Security Authorization: In the works…

- Change Management and Migration
- External Authentication
- Additional components stored within RDBMS
- Default Group for Tool Preferences: /VIEWS/viewname/tabname
- Password Policies
- Configuration Logging
- Object Logging: Folder Create/Update/Delete, Time Updated; Item Create/Update/Delete, Time Accessed, Start/End Run


Questions?


Thank You !


UOA Advanced Topics


Effective Policy: What a USER can do to a Specific Resource

- Effective group membership: all Groups assigned directly, their parent Groups, and the EVERYONE group
- Walk down the resource tree to combine rules: /WFC/Repository, /WFC/Repository/Sales, ...
- Private resources: if owned, add PrivateResourcePermits; else if shared, add ShareResourcePermits
- Combination rules: DENY overrides a PERMIT; OVERPERMIT overrides a DENY
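The effective-policy walk described on this slide, together with the rule inheritance and PERMIT/DENY/UNSET semantics from the Security Rules and Permission Sets slides, as an added example written for this page and not Information Builders' own code. The group names, resource paths, operation names and rules are constructed; the private-resource permits step is left out, and combination follows the DENY-over-PERMIT, OVERPERMIT-over-DENY ordering stated here rather than group precedence.

```python
PERMIT, DENY, OVERPERMIT = "PERMIT", "DENY", "OVERPERMIT"

# Rules as (subject group, resource, permission set): the WHO, WHERE and WHAT.
# Group names, paths and operations are constructed for this example.
RULES = [
    ("/EVERYONE", "/WFC/Repository/SalesReports", {"RunReport": PERMIT}),
    ("/Sales", "/WFC/Repository/SalesReports",
     {"CreateFile": PERMIT, "DeleteFile": DENY}),
    ("/Sales/Admin", "/WFC/Repository/SalesReports", {"DeleteFile": OVERPERMIT}),
    ("/Contractors", "/WFC/Repository/SalesReports/Budget", {"RunReport": DENY}),
]

RANK = {None: 0, PERMIT: 1, DENY: 2, OVERPERMIT: 3}  # DENY > PERMIT, OVERPERMIT > DENY

def ancestors(path):
    """Every prefix of a slash path, root first: /a/b/c -> /a, /a/b, /a/b/c."""
    parts = path.strip("/").split("/")
    return ["/" + "/".join(parts[:i]) for i in range(1, len(parts) + 1)]

def effective_groups(direct_groups):
    """Groups assigned directly, all of their parent groups, and EVERYONE."""
    groups = {"/EVERYONE"}
    for group in direct_groups:
        groups.update(ancestors(group))
    return groups

def effective_policy(direct_groups, resource):
    """Return {operation: setting} for a user (given by direct groups) on a resource.

    Walks from the repository root down to the resource so that rules on parent
    folders are inherited, keeps only rules whose subject is one of the user's
    effective groups, and combines settings per operation by RANK.
    """
    subjects = effective_groups(direct_groups)
    policy = {}
    for node in ancestors(resource):
        for subject, where, pset in RULES:
            if where != node or subject not in subjects:
                continue
            for operation, setting in pset.items():
                if RANK[setting] > RANK[policy.get(operation)]:
                    policy[operation] = setting
    return policy

def is_permitted(direct_groups, resource, operation):
    """UNSET is an effective deny: only PERMIT or OVERPERMIT grants an operation."""
    setting = effective_policy(direct_groups, resource).get(operation)
    return setting in (PERMIT, OVERPERMIT)
```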


External User and Group Administration

- User authentication: pre-authorized (single signon, etc.); LDAP authentication
- User authorization: direct group assignment retrieved from LDAP; group hierarchy managed in UOA; rules managed in UOA
- Migration: in 76x the Realm driver said "user has ROBOT flag"; in 77x the user is in the ROBOT group, and ROBOT has Schedule on /Repository
