The New MR Repository & Security Authorization Model Ben Naphtali WebFOCUS Product Manager Architecture and Security May 2010 Copyright 2009, Information Builders. Slide 1
Release 77x/76x Security Structure - Review Copyright 2009, Information Builders. Slide 2
WebFOCUS Managed Reporting Security Release 77x/76x and Earlier Authentication – Internal or External (Basedir, RDBMS, AD, LDAP, WFRS, Trusted) Authorization – Internal or External (Basedir, RDBMS, AD, LDAP) All MR assets are stored on the filesystem Browser Machine Application Server/ Web Server WebFOCUS Server WF Servlet & MR (Internal) Repository DB2 Oracle Sybase Informix Teradata… MR (External) Authorization (SQL RDBMS, Active Directory, LDAP) Java Client External Authentication
WebFOCUS 77x/76x Managed Reporting Security User Authorization Groups Users Domains Reports Role(*) Launch Pages Documents Role is assigned directly to user. A user has only ONE role. Except in case of a Group Administrator
WebFOCUS 77x/76x Managed Reporting Security User Authorization Create Domain, and Assign Reporting Server Properties Create Groups, and assign those Groups to Domains Create User, assign user to a Specific Role and place that user in a specific Group A user is associated with a Group(s) and those Group(s) are associated with Domain(s), but only has one ROLE Copyright 2007, Information Builders. Slide 5
Release 8 Repository and Security Authorization Copyright 2009, Information Builders. Slide 6
Release 8 Repository Implemented in RDBMS tables Accessed via jdbc Derby shipped and can be installed All content stored in RDBMS Any RDBMS with BLOB field support Utilize your existing RDBMS infrastructure (audit, backup, clustering etc…) Copyright 2009, Information Builders. Slide 7
File System model: Domains are top level folders N-depth folder/file tree No special purpose folders Standard Reports Reporting Objects Other Files My Reports Shared Reports … Unless you want them Private content can exist anywhere you allow them ReportCaster content (schedules, access/distribution lists) Release 8 Repository Copyright 2009, Information Builders. Slide 8
Release 8.0 How to Approach Security Authorization Copyright 2009, Information Builders. Slide 9
How to Approach Security Authorization Decide what types of Users you want (Rules with legacy Groups/PSETS shipped) Create Groups that will contain those user types Create/Use existing Permission Set Create Rule For a Group on a Resource Group G1 can do action A1 on Sales Folder (Domain) Assign Users to the Groups Copyright 2009, Information Builders. Slide 10
Security Rules All rules have 3 parts: A subject (Groups or Users) – the WHO Has permitted operations (PSET)– the WHAT On some resource– the WHERE (Folder, Group, PSET / User or Item) Examples: Group RepDev has Developer on Folder /SalesReports Group EVERYONE has RunReports on Folder /SalesReports Group RepAdmin has ManageUsers on Group Sales WHO – WHAT – WHERE Copyright 2009, Information Builders. Slide 11
Security Rules (Continued..) Permissions are inherited down the Repository tree RepDev inherits Developer permissions on folder /SalesReports/Budget Group to sub-group inheritance Granting RunReports to Group /Sales also grants RunReports to members of /Sales/Admin, etc. Subject can have specific rules on every item Recommend only as the exception! Copyright 2009, Information Builders. Slide 12
Groups & Users - WHO Groups with sub-Groups Group: /Sales Group: /Sales/Admin Group: /Sales/Developer Users are assigned to Groups (or sub-Groups) All users are in the EVERYONE Group User Authorizations by Group membership When in multiple Groups, order of precedence decides User authorization “flags” eliminated WHO – WHAT - WHERE Copyright 2009, Information Builders. Slide 13
Permissions Sets - WHAT Named list of permitted or denied operations WF ships with a set of predefined permission sets Can create your own Reusable for multiple rules Usually declare what a subject can do (PERMIT) Can declare what a subject cannot do (DENY) Abilities are never implied if an individual operation is UNSET, it is an effective deny WHO – WHAT - WHERE Copyright 2009, Information Builders. Slide 14
Permission Sets – WHAT List of Operations Operation is some atomic ability that is permitted or denied Tree Items: Create File, Delete File, Read File, Write File, Create Folder, Run Report, Run Deferred, Update Properties, Change Ownership, Share, Schedule Report,... Tools: Launch InfoAssist, Launch Editor, Launch Security Center, Launch RC Admin, Launch Developer Studio Tools,... Groups: Create Groups, Assign Users to Groups, Share with Group, Make rules for the Group (group as subject),... Users: Create User, Update User Status/Password,... Privilege Sets: Create PSET, Update PSET, Delete PSET,... Copyright 2009, Information Builders. Slide 15
Everything is a Resource - WHERE /WFC/Repository Folders Sub Folders Items /SSYS Groups Sub Groups Users Permission Sets /WEB – APPROOT application Directories WHO – WHAT - WHERE Copyright 2009, Information Builders. Slide 16
Different abilities at the Folder/SubFolder Level Copyright 2009, Information Builders. Slide 17
Private Files & Folders (aka My Reports) Private files can exist anywhere you allow them Private folders recommended Private files can be owned by Users or by Groups “In development” Private files can be shared With specific groups/users Two special Permission-Sets: Owners have PrivateResourcePermits on Private Items Sharees have ShareResourcePermits on Shared Items WHO – WHAT - WHERE Copyright 2009, Information Builders. Slide 18
User and Group Administration Users are permitted operations to act on Groups Create sub-Groups(opCreateGroup) Assign users to Groups(opAssignUsersTo) Assign users from Groups(opAssignUsersFrom) Manage users in Groups(opUpdateGroup) Copyright 2009, Information Builders. Slide 19
Release 8 Repository and Security Authorization Auditing/Logging Log4j - Open Source popular logging package All logs/traces utilize log4j Files (default) Can log to RDBMS SMTP Event Log Set level of detail INFO shows SUCCESS and FAILURE ERROR shows only FAILURE Copyright 2010, Information Builders. Slide 20
Release 8 Repository and Security Authorization Auditing/Logging Security Signon/Signoff User Create/Update/Delete/Remove Group Create/Update/Delete PSET Create/Update/Delete Rule Create/Update/Delete Configuration Object FolderCreate/Update/Delete Time Updated Item Create/Update/Delete Time Accessed, Start/End Run Copyright 2010, Information Builders. Slide 21
Release 8 Repository and Security Authorization In the works… Copyright 2009, Information Builders. Slide 22
Change Management and Migration External Authentication Additional components stored within RDBMS Default Group for Tool Preferences /VIEWS/viewname/tabname Password Policies Configuration Logging Object Logging FolderCreate/Update/Delete Time Updated Item Create/Update/Delete Time Accessed, Start/End Run Copyright 2010, Information Builders. Slide 23 Release 8 Repository and Security Authorization In the works…
Questions? Copyright 2009, Information Builders. Slide 24
Thank You ! Copyright 2009, Information Builders. Slide 25
UOA Advanced Topics Copyright 2009, Information Builders. Slide 26
Effective Policy What a USER can do to a Specific Resource Effective group membership All Groups assigned directly to and parents EVERYONE group Walk down resource tree to combine rules /WFC/Repository, /WFC/Repository/Sales,... Private resources If owned – add PrivateResourcePermits Else If shared – add ShareResourcePermits Combination rules: DENY overrides a PERMIT OVERPERMIT overrides a DENY Copyright 2009, Information Builders. Slide 27
External User and Group Administration User authentication Pre-authorized (single signon, etc.) LDAP authentication User Authorization Direct group assignment retrieved from LDAP Group hierarchy managed in UOA Rules managed in UOA Migration In 76x - Realm driver said “user has ROBOT flag” In 77x – User is in ROBOT group ROBOT has Schedule on /Repository Copyright 2009, Information Builders. Slide 28