New MR Repository & Security
Universal Object Access
Brian A Suter
VP WebFOCUS Product Development
July 28, 2017
Copyright 2009, Information Builders. Slide 1
76x Security Structure - Review

WebFOCUS Managed Reporting Security
Release 76x and Earlier
• Internal (default) repository stored as HTM files on Application Server (basedir)
Authentication – Internal or External
Authorization – Internal or External (RDBMS, Active Directory, LDAP) using Realm Driver
[Diagram labels: External Authentication; Application Server/Web Server; WF Servlet & MR (Internal) Repository; Browser Machine; WebFOCUS Server; Java Client; MR (External) Authorization (SQL RDBMS, Active Directory, LDAP); DB2, Oracle, Sybase, Informix, Teradata…]

WebFOCUS 76x Managed Reporting Security
User Authorization
[Diagram labels: Groups, Users, Domains, Reports, Role(*), Launch Pages, Documents]
Role is assigned directly to user.
A user has only ONE role.

77x Repository and Security

77 Repository
• File System model:
  • Domains are top level folders
  • N-depth folder/file tree
  • No special purpose folders
• Implemented in RDBMS tables
  • Derby shipped and installed
  • Any RDBMS supported
  • Audit, backup, clustering
• Special rules eliminated

Groups & Users
• Groups
  • Groups can have sub-groups, sub-sub-groups, etc.
  • Users are assigned to Groups (or sub-groups)
  • Users can belong to multiple groups
  • All users are in the EVERYONE group
• User Authorizations
  • Group membership usually  authorization
  • Matches standard LDAP/AD models
  • User “flags” eliminated
• User Management

Security Rules
• All rules have 3 parts:
  • A subject (Groups or Users) – the WHO
  • Has permitted operations – the WHAT
  • On some Folder (a resource) – the WHERE
• Examples:
  • Group RepDev has Developer on folder /Sales
  • Group EVERYONE has RunReports on folder /Sales
• WHO – WHAT – WHERE

Security Rules (continued)
• Permissions are inherited down the tree
  • RepDev inherits Developer permissions on folder /Sales/Forecasts
• Single User can have specific rules on every object
  • Folder or file
  • Recommend only as the exception!

Different roles on different folders

Permission Sets – WHAT
• Named list of permissions on very granular operations
• WF ships with a set of defined permission sets
• Customers can create their own
• Reusable for multiple rules
• Usually declare what a subject can DO (permit)
• Can declare what cannot be done (deny)
• Abilities are never implied
  • If an individual operation is not permitted or denied – it is an effective deny
• WHO – WHAT – WHERE

Creating and controlling Rules
• “Access Rules” context menu choice
  • Specifies the WHERE of the rules to be created
  • Users need to be permitted to change rules on a resource
• Group to sub-group inheritance
  • A rule for a group is inherited by sub-groups
• WHO – WHAT – WHERE

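The WHO – WHAT – WHERE evaluation described on the Security Rules, Permission Sets and Creating and controlling Rules slides, as an added Python example (not WebFOCUS code and not part of the presentation). RepDev, EVERYONE, Developer, RunReports and /Sales come from the slides; the sub-group RepDev/Juniors, the NoDelete set, the users, the contents of each permission set, and the choice that an explicit deny overrides a permit are assumptions of this sketch.

```python
# Added illustration of WHO - WHAT - WHERE rule evaluation; not WebFOCUS code.
from dataclasses import dataclass

# Constructed permission sets (the WHAT): operation -> "permit" or "deny".
PSETS = {
    "RunReports": {"Run report": "permit"},
    "Developer": {"Run report": "permit", "Create file": "permit",
                  "Write file": "permit", "Delete": "permit"},
    "NoDelete": {"Delete": "deny"},            # hypothetical deny set
}
GROUP_PARENT = {"RepDev/Juniors": "RepDev"}    # constructed sub-group -> parent
MEMBERS = {"alice": {"RepDev/Juniors"}, "bob": set()}  # constructed users

@dataclass(frozen=True)
class Rule:
    who: str      # group or user name
    what: str     # permission set name
    where: str    # folder path

RULES = [
    Rule("RepDev", "Developer", "/Sales"),
    Rule("EVERYONE", "RunReports", "/Sales"),
    Rule("RepDev/Juniors", "NoDelete", "/Sales/Forecasts"),
]

def subjects_for(user):
    """The user, its groups, every ancestor group, and EVERYONE."""
    subjects = {user, "EVERYONE"}
    for group in MEMBERS.get(user, set()):
        while group:                  # a group's rules reach its sub-groups
            subjects.add(group)
            group = GROUP_PARENT.get(group)
    return subjects

def covers(folder, resource):
    """True when the rule's folder is the resource or one of its ancestors."""
    return resource == folder or resource.startswith(folder.rstrip("/") + "/")

def is_allowed(user, operation, resource):
    subjects = subjects_for(user)
    verdicts = {
        PSETS[rule.what].get(operation)
        for rule in RULES
        if rule.who in subjects and covers(rule.where, resource)
    }
    if "deny" in verdicts:            # assumption: explicit deny wins
        return False
    return "permit" in verdicts       # never stated -> effective deny
```
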
Example of setting Access Rules

Permission Sets – List of Operations
• Everything is an operation:
  • Create file, Create folder, Run report, Run deferred, Schedule a report, Manage schedules, Create access lists, Create distribution lists, Update properties, Update Execution properties, Read file, Write file, Delete, Change Ownership, Share, ...
  • Launch InfoAssist, Launch Editor, Launch security central, Launch RC admin, Launch developer Studio tools, ...
  • Create groups, Assign users to groups, Make rules for the Group (group as subject), Share with Group, ...
  • Create User, Update user status/password, ...
  • Create PSET, Update PSET, Delete PSET, ...

Private Files & Folders (aka MyReports)
• Private files can exist anywhere you allow them
  • Private folders recommended
• Private files can be owned by users or by Groups
  • “In development”
• Private files can be shared
  • With specific groups/users
• Two special Permission-Sets:
  • Owners have PrivateFilePermissions on PrivateFiles
  • Sharees have SharedFilePermissions on SharedFiles
• WHO – WHAT – WHERE

Example of setting Shares

User and Group Administration
• Users are permitted operations to act on groups
  • Create sub-groups
  • Assign users to groups
  • Assign users from groups
• Manage users in groups
  • Names, passwords
• User management
  • GlobalUserAdmin has ManageUsers on /EVERYONE

Everything is a Resource – a WHERE
• /WFC
• /Repository
  • Sales Domain, etc.
• /UserInfo – preference files, deferred receipts
• /SSYS
• /GROUPS
• /USERS
• /PSETS
• /WEB – APPROOT application directories
• In the works
  • /VIEWS/viewname/tabname

Thank you!