Intro to WebFOCUS Security


Intro to WebFOCUS Security: Understanding the Basics
Lori Pieper, May 31, 2015

Agenda
- Review Security Basics
- WebFOCUS 8 Security Components: Resources, Groups, Roles, Rules
- Security Domain Templates
- Security Viewed from Different User Roles
- Q&A

Review Security Basics

Review Security Basics: Authentication vs. Authorization

Authentication decides who can and cannot get into the application. Think of entering a building: if the door is locked and you have a key, you are AUTHENTICATED and allowed to enter.

Authorization decides what you can do once you are in the application. Your AUTHORIZATIONS say where in the building you can go and what you can do there. Are you the electrician, the plumber, the CEO, or a guest? Each of these people can access different areas of the building.

Authentication

- Internal authentication: WebFOCUS account and password policies; "Remember Me"
- External authentication: Active Directory, LDAP, DBMS, Web Service, Custom
- Pre-authentication: Windows Authentication, Kerberos, Certificate, Web SSO (SiteMinder, WebSEAL, etc.), OpenID, CAS, SAML 2.0, ADFS 2.0, Trusted Ticket (Version 8.2), Custom
- Combinations of the above

WebFOCUS comes with many options for authenticating users. Internal authentication is best for organizations that do not have a suitable user directory for the BI application. External authentication can be configured to work with existing user repositories such as Microsoft Active Directory. You can configure WebFOCUS for pre-authentication, so that end users get a single sign-on experience, and you can combine multiple forms of authentication to address special needs. The growing list of out-of-the-box options also includes support for custom-developed sign-on integrations.

Authorization

- Role-based access control for portals, pages, content, tools, row- and column-level data, and metadata
- Internal: roles assigned to users and groups in Security Center or through the REST Web Services API
- External mapping: Active Directory groups, LDAP attributes, RDBMS data, Web Service, Custom

A user's access to resources, tools, and data is controlled by their role, and you can assign users to roles using Security Center or the REST Web Services API. You can also authorize users based on information maintained outside of WebFOCUS, including Active Directory groups, attributes in an LDAP directory, or data managed in an external RDBMS or Web Service. Leveraging an external authorization source that you already maintain improves both security and administrator productivity, because group membership is managed in one place.

Security Administration

- Onboarding tools: bulk load users, automatic account creation, directory synchronization
- Delegation: delegated security administration
- Auditing: user and administrative event auditing

WebFOCUS 8 includes tools and features designed to streamline the administration of both simple and enterprise-class BI deployments. WebFOCUS user accounts can be created in Security Center, with the REST Web Services API, or with the bulk load user tool. WebFOCUS can also create user accounts automatically, based on criteria you specify, and synchronize each user's name and email address with an external source such as Active Directory or an LDAP server. The security model supports delegation, so you can shift responsibilities to group administrators while retaining overall control of the system. WebFOCUS also includes a configurable auditing system that captures user and administrator events, such as who changed a user's role.

Built-in Protection

- Web vulnerabilities (OWASP Top 10): cross-site scripting, SQL injection, input validation
- Data encryption: in transit and at rest
- PCI and HIPAA compliance

Information Builders is a Corporate Sponsor of the Open Web Application Security Project (owasp.org), an organization whose charter is helping software vendors and organizations build and deploy software that can be trusted. Through this partnership WebFOCUS has incorporated protection against critical web vulnerabilities, including cross-site scripting attacks, SQL injection, and others, so you can deploy WebFOCUS with confidence even for Internet-facing applications. WebFOCUS also supports end-to-end encryption of your data, from the data source to the browser, including encryption of emailed reports and (as of WebFOCUS Server 8.0.09) data at rest, such as temporary disk storage and trace output. These measures support initiatives that may be subject to PCI and HIPAA compliance.

WebFOCUS 8 Security Model: Basic Security Concepts

Security rules connect:
- Subjects: the groups or users being authorized
- Roles: collections of privileges
- Resources: the objects being secured (folders, portals, groups, roles, etc.)
- Access: the type of rule (permit, deny, ...)
- Apply To: the scope of the rule (folder, folder and children, ...)

Security Policy: the collection of security rules.
Effective Policy: the result of evaluating the security policy for a given subject and resource, e.g., "Bob has privileges A, B, C on resource X". It takes into account rule inheritance, rule conflicts, group membership, and user-specific rules (if any).

WebFOCUS8 Security Components

Security Authorization Rules: Four Components

The ability to do anything within a WebFOCUS application is determined by privileges, roles, and rules. The four components are:
- Resources: the objects being secured, e.g., folders, portals, groups, and roles
- Groups: a way to categorize users by data access needs and job requirements
- Roles: groups of similar privileges. A role by itself grants nothing; no decision is applied until a rule is created that uses it.
- Rules: what a user is allowed to do within a resource. Rules tie the other three together into the security that is actually enforced.

Security Authorization: The Resource

The "resource" to be secured is any object that you can see in the Resource Tree, or in the Security Center.

Security Authorization (continued): Groups and Users

Security groups collect users with similar job duties, e.g.:
- Administrators
- Developers
- Basic users
- Advanced users, etc.

Users can be added to groups automatically from LDAP/AD or through the WebFOCUS 8 Custom Security option. The Security Center shows the users assigned to each group.

NOTE: Authorization, i.e., the privileges a user or group has, is not determined here. In earlier versions of WebFOCUS, each user was assigned a role and that was their role everywhere in WebFOCUS; if you were labeled an Administrator, you were an administrator everywhere. With WebFOCUS 8 security, your privileges can change depending on the resource you are accessing. For example, you may be a developer in the Sales folder/portal but a Basic User in the Marketing folder/portal.

Security Authorization (continued): Roles and Privileges

Roles are groups of similar privileges, i.e., what a user can do:
- There are 54 roles out of the box in WebFOCUS 8.
- There are 25 roles to aid migration from older versions of WebFOCUS.
- The Domain Template creates 8 roles.
- There are 140+ privileges.

NOTE: Roles are building blocks; no actual authorization is applied here. A role only takes effect through a rule, and the same user can hold different roles on different resources.

Security Authorization (continued): Roles and Privileges (continued)

The Security Center lists the roles (roles starting with "Domain" are created by the template). Double-click DomainAdvancedUser to see the privileges for that role.

Looking at the list of roles, you will notice a few things:
1) Some roles have a lock icon. These cannot be changed; however, you can make a copy of a locked role and change the copy.
2) Roles starting with "Domain" are created by the security domain template. They have no lock icon, so they can be changed. Note that a change applies to every security rule that uses the role.
3) Roles starting with "WF_" are "legacy" roles, used when migrating from releases prior to WebFOCUS 8.

Things to notice in the list of privileges:
- The privileges are categorized into folders to make items easier to find.
- A check mark on a folder means all items under that folder are checked.
- A dot on a folder means some of the items in that folder are checked.
- Neither a check nor a dot means no items in that folder are checked.

Security Authorization (continued): How the Components Fit Together

Rules combine a resource, a security group (or user), and a role to determine what a user is allowed to do on that resource. No rule means no access. Rules can be inherited by the children of the resource they are set on.

Access options, listed from lowest to highest precedence ("Permitted" trumps "Not Set", "Denied" trumps "Permitted", and so on):
- Not Set: no decision here; a rule set at a higher level may be inherited
- Permitted: the subject is permitted
- Denied: the subject is denied
- Over Permitted: overrides any Denied; usually reserved for administrators so they cannot be accidentally denied access
- Clear Inheritance: removes any settings that were applied at a higher level

"Apply To" options (the scope of the rule):
- Folder and Children
- Folder Only: use this when you want to allow access to some objects in the folder but not to everything; the rule opens the folder itself and you grant the specific objects separately
- Children Only

Security Authorization: The Rules. Best Practices

- Secure objects at the folder level rather than at the individual object level.
- Secure by security group rather than by individual user.
- Create a group even if it is for one person: the group may grow, and there is less maintenance if the user changes roles.

Security Domain Templates An easy way … and the recommended way … to get started

Security Domain Templates: Recommended Place to Start

WebFOCUS 8 security provides a lot of flexibility: 54 roles, 140+ privileges, and security options at a very granular level, down to a single user (not recommended) or a specific resource (not recommended). So where do you begin? With the Security Domain Templates.

Security Domain Templates: Defining the Security Domain Template

WebFOCUS provides security templates that set up your security groups, users, roles, and privileges. There are three options:
- Enterprise: gives the administrator the choice of isolating groups or allowing some sharing between groups.
- SaaS Tenant: complete isolation of content between tenants.
- SaaS Tenant (Shared Portal): complete isolation of content between tenants, except for one portal that the SaaS provider can use for general tenant information.
(SaaS = Software as a Service)

The security domain template creates the basics; you then add users to the security groups and add content as needed. Once the template has been applied, you can change the rules, roles, etc. Note that if you change a role created by the Domain Template, you change it for all domains created by that template. If you need to change a role, decide whether the change should apply to all of them. If not, copy the role and change the copy, or create a new role with the privileges you want to add or remove and permit or deny that role on the resource as needed.

Security Domain Templates: Creating a Security Domain Template

Right-click the Content folder, select the security domain template of your choice, and enter the domain name and title. Note: you need administrative privileges to do this.

Security Domain Templates: What Does It Create?

- Four security groups representing typical user categories
- A folder under the Content tree with security rules applied
- A portal with security rules applied

An administrator then needs to assign users to the security groups that were created.

Security Domain Templates: The Portal

The portal that gets created has two pages:
- Ad Hoc: a way for users to run existing reports and, if permitted, create their own
- Page 2: a portal "starter" page

Page components shown on the slide: Resource Tree, Tabbed Container (for report output), Accordion Container, Panel Container.

Security Domain Templates: The Security Roles Applied to the Created Content

- Basic Users: run and view content, save parameters, view and personalize portals
- Advanced Users: all of the above, plus create reports and charts under "My Content"
- Developers: all of the above, plus create content to be published for general consumption
- Group Administrators: only manage users, resources, and security policies in their group; they cannot run procedures or view report output

Security Viewed from Different User Roles Discussion and Demo

Security Viewed from Different User Roles: The Managed Reporting Administrator

The Managed Reporting Administrator has full access and can:
- Configure the Managed Reporting environment settings
- Create security groups and users
- Create and modify privileges and roles
- Assign security rules to resources
- Create content/portal folders and content
In other words, all-powerful.

Let's see how to:
- Create a security domain template
- Create a user
- Add users to a security group
- Secure a resource

Demo: Managed Reporting Administrator. Create Domain Template, Users and Rules

Scenario: we need to create a new domain, but every domain has an HR subfolder that HR personnel can see, as can the domain developer and domain administrator, but the advanced and basic users cannot.

Steps:
1. Create the security domain template.
2. Show what it creates (compare with creating a plain new folder).
3. Show the portal; run a report from the Ad Hoc page.
4. Show the security groups and that they have no users yet.
5. Create a user and add it to the domain.
6. Add a new subgroup (HR) to the domain's security group.
7. Add a user to that subgroup.
8. Create a new subfolder for Human Resources under the new domain folder.
9. Create the rules that give the HR person access to this folder:
   - "BasicUser" access at the "folder only" level on the "Summit 2015" primary folder
   - "BasicUser" access at the "folder and children" level on the "Summit HR" subfolder

This gives the Summit_HR subgroup access only to the "Summit HR" folder. They do not have access to any other folder, nor to any content outside the "Summit HR" folder. I could have added the HR subgroup under the Advanced User subgroup, but then they would have access to all other content under the main domain folder, which we did not want. I could restrict that access, but then I would need to constantly make sure that nothing gets added without restrictions applied.

NOTE: the HR user will not have access to any "shared" content either, even if they are specifically selected for sharing, because they only have access to that one folder.
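The rule components (subject, role, resource, access, Apply To), the precedence order Not Set < Permitted < Denied < Over Permitted with Clear Inheritance, and the inheritance behaviour described on the security model and rules slides above, applied to this demo scenario. This is an added example written for this page in Python; it is not Information Builders' code and does not call the WebFOCUS API. The privilege names, group paths, folder paths, the stray Denied rule on the administrators and the two extra Denied rules that keep basic and advanced users out of "Summit HR" are all assumptions, as are two modelling choices: a rule on a parent group binds the members of its subgroups, and Clear Inheritance discards only what the same subject inherited from higher folders.

```python
# Toy evaluator for the WebFOCUS 8 rule model described above. Added example,
# not Information Builders' code; every name below is a constructed assumption.
from dataclasses import dataclass

# Access precedence, lowest to highest. Clear Inheritance is handled separately.
RANK = {"not_set": 0, "permitted": 1, "denied": 2, "over_permitted": 3}


@dataclass(frozen=True)
class Rule:
    subject: str    # group path such as "Summit_2015/HR", or a user name
    role: str       # the role supplies the privileges the rule speaks about
    resource: str   # folder the rule is attached to
    access: str     # not_set | permitted | denied | over_permitted | clear_inheritance
    apply_to: str   # folder_only | folder_and_children | children_only


def ancestors(path):
    """Root-to-leaf list of a path and its parents: /a, /a/b, /a/b/c."""
    parts = path.strip("/").split("/")
    return ["/" + "/".join(parts[:i]) for i in range(1, len(parts) + 1)]


def covers(rule, target):
    """Does the rule's Apply To scope reach the target resource?"""
    if target == rule.resource:
        return rule.apply_to in ("folder_only", "folder_and_children")
    below = target.startswith(rule.resource.rstrip("/") + "/")
    return below and rule.apply_to in ("folder_and_children", "children_only")


class Policy:
    def __init__(self, roles, members, rules):
        self.roles, self.members, self.rules = roles, members, rules

    def subjects_of(self, user):
        """The user plus every group containing them, directly or via a subgroup
        (assumption: a rule on a parent group also binds members of its subgroups)."""
        subjects = {user}
        for group, users in self.members.items():
            if user in users:
                parts = group.split("/")
                subjects.update("/".join(parts[:i]) for i in range(1, len(parts) + 1))
        return subjects

    def decide(self, user, resource, privilege):
        """Effective access for one privilege, walking from the root folder down."""
        subjects = self.subjects_of(user)
        decisions = []  # (subject, access) pairs still in force
        for folder in ancestors(resource):
            level = [r for r in self.rules
                     if r.subject in subjects and r.resource == folder
                     and privilege in self.roles[r.role] and covers(r, resource)]
            # Clear Inheritance: drop what that subject inherited from higher folders
            cleared = {r.subject for r in level if r.access == "clear_inheritance"}
            decisions = [d for d in decisions if d[0] not in cleared]
            decisions += [(r.subject, r.access) for r in level if r.access in RANK]
        return max((d[1] for d in decisions), key=RANK.get, default="not_set")

    def allowed(self, user, resource, privilege):
        """No rule means no access: only Permitted or Over Permitted grants."""
        return self.decide(user, resource, privilege) in ("permitted", "over_permitted")


# --- Constructed sample data mirroring the demo scenario ---
ROLES = {  # privilege names are assumptions; the product ships 140+ real ones
    "DomainBasicUser": {"view", "run"},
    "DomainAdvancedUser": {"view", "run", "create_my_content"},
    "DomainDeveloper": {"view", "run", "create_my_content", "publish"},
    "DomainGroupAdmin": {"view", "manage_users", "manage_rules"},  # no "run"
    "Administrator": {"view", "run", "create_my_content", "publish",
                      "manage_users", "manage_rules"},
}
MEMBERS = {
    "Administrators": {"admin"},
    "Summit_2015/BasicUsers": {"bob"},
    "Summit_2015/AdvancedUsers": {"carol"},
    "Summit_2015/Developers": {"dave"},
    "Summit_2015/GroupAdmins": {"gail"},
    "Summit_2015/HR": {"alice"},
}
DOMAIN = "/Content/Summit 2015"
HR = DOMAIN + "/Summit HR"
RULES = [
    # Administrators are Over Permitted at the root, so a stray Denied cannot lock them out
    Rule("Administrators", "Administrator", "/Content", "over_permitted", "folder_and_children"),
    Rule("Administrators", "Administrator", HR, "denied", "folder_and_children"),  # the stray one
    # What the domain template sets up for the four groups it creates
    Rule("Summit_2015/BasicUsers", "DomainBasicUser", DOMAIN, "permitted", "folder_and_children"),
    Rule("Summit_2015/AdvancedUsers", "DomainAdvancedUser", DOMAIN, "permitted", "folder_and_children"),
    Rule("Summit_2015/Developers", "DomainDeveloper", DOMAIN, "permitted", "folder_and_children"),
    Rule("Summit_2015/GroupAdmins", "DomainGroupAdmin", DOMAIN, "permitted", "folder_and_children"),
    # The two rules the demo adds for the HR subgroup
    Rule("Summit_2015/HR", "DomainBasicUser", DOMAIN, "permitted", "folder_only"),
    Rule("Summit_2015/HR", "DomainBasicUser", HR, "permitted", "folder_and_children"),
    # Extra rules (assumption) so basic and advanced users cannot see Summit HR
    Rule("Summit_2015/BasicUsers", "DomainBasicUser", HR, "denied", "folder_and_children"),
    Rule("Summit_2015/AdvancedUsers", "DomainAdvancedUser", HR, "denied", "folder_and_children"),
]
POLICY = Policy(ROLES, MEMBERS, RULES)

if __name__ == "__main__":
    for user in ("alice", "bob", "carol", "dave", "gail", "admin"):
        print(user, "run", HR + "/headcount.fex:", POLICY.decide(user, HR + "/headcount.fex", "run"))
```

Walking through the sample data: alice can run headcount.fex under "Summit HR" but gets not_set (no access) on anything under Sales, because her only rule on the domain folder is Folder Only; bob is denied on "Summit HR" even though his group is permitted on the whole domain, because Denied outranks Permitted wherever both apply; admin stays over_permitted despite the stray Denied; gail gets nothing for "run" because DomainGroupAdmin does not carry that privilege. Adding a clear_inheritance rule for a group on a subfolder makes that group start from nothing below it, which is the way to carve an exception out of a Folder and Children grant without touching every object. The evaluator also shows why the slides recommend rules on groups at the folder level: a single rule on "Summit HR" changes the answer for every object beneath it.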

Security Viewed from Different User Roles: The Developer

The Group Developer can do the following in their own group:
- Run and view reports, portals, schedules, and other content
- Develop and edit content for use by others
- Manage metadata
- Upload data
- Access WebFOCUS Reporting Server resources
- Publish content for use by others

Let's see how: the Developer's view is different, and the Developer has "Edit" capabilities, but only in their group.

Demo - Developer

Security Viewed from Different User Roles: The Advanced User

The Group Advanced User can do the following in their own group:
- Run and view reports and portals
- Save customizations in the portal
- Create schedules on existing content
- Create their own reports and charts using InfoAssist
- Add to "Favorites"
- Share "My Content" with others, but only in their group

Let's see how: the Advanced User's view is different, and the Advanced User has ad hoc capabilities using InfoAssist.

Sharing: the list of people you can share with can be set at the security group folder level. "Share" shares with your whole group; "Share With" lets you specify the individuals or groups you want to share with. Either way, sharing is limited by the overall security policy in place: content can only be shared with users who already have access to the high-level content folder you are in when you share. What happens if you share with someone and their access to the group folder is later revoked? They lose access to the shared content as well.

Demo – Advanced User

Security Viewed from Different User Roles: The Basic User

The Group Basic User can do the following in their own group:
- Run and view reports and portals
- Add to "Favorites"
- Access reports that have been "shared" with them

Let's see how: the Basic User's view is different and quite limited, and applies only in their group.

Demo – Basic User

Security Viewed from Different User Roles: The Group Administrator

The Group Administrator can do the following in their own group:
- View reports and portals (they cannot run reports)
- Manage resources
- Access Security Center
- Manage users within the group

Let's see how: the Group Administrator's view is quite different, and applies only in their group.

Demo – Group Administrator

Security Domain Templates: How Do I Remember All of This?

For a detailed spreadsheet of the roles created by the Enterprise and SaaS domain templates, complete with the privileges in each role, go to:
https://techsupport.informationbuilders.com/tech/wbf/v8templates/wbf_8_resource_templates.html
or search the site for "Policy design worksheet" (enclosed in double quotes).

Security Domain Templates: How Do I Remember All of This? (continued)

The worksheet has a column for each role and a tab for each domain type.

Questions?

WebFOCUS Performance Basics … for Attending!