Presentation is loading. Please wait.

Presentation is loading. Please wait.

The New MR Repository & Security Authorization Model Ben Naphtali WebFOCUS Product Manager Architecture and Security May 2010 Copyright 2009, Information.

Published byAndra Rodgers Modified over 9 years ago

Similar presentations

Presentation on theme: "The New MR Repository & Security Authorization Model Ben Naphtali WebFOCUS Product Manager Architecture and Security May 2010 Copyright 2009, Information."— Presentation transcript:

1 The New MR Repository & Security Authorization Model Ben Naphtali WebFOCUS Product Manager Architecture and Security May 2010 Copyright 2009, Information Builders. Slide 1

2 Release 77x/76x Security Structure - Review Copyright 2009, Information Builders. Slide 2

3 WebFOCUS Managed Reporting Security Release 77x/76x and Earlier  Authentication – Internal or External (Basedir, RDBMS, AD, LDAP, WFRS, Trusted)  Authorization – Internal or External (Basedir, RDBMS, AD, LDAP)  All MR assets are stored on the filesystem Browser Machine Application Server/ Web Server WebFOCUS Server WF Servlet & MR (Internal) Repository DB2 Oracle Sybase Informix Teradata… MR (External) Authorization (SQL RDBMS, Active Directory, LDAP) Java Client External Authentication

4 WebFOCUS 77x/76x Managed Reporting Security User Authorization Groups Users Domains Reports Role(*) Launch Pages Documents Role is assigned directly to user. A user has only ONE role. Except in case of a Group Administrator

5 WebFOCUS 77x/76x Managed Reporting Security User Authorization  Create Domain, and Assign Reporting Server Properties  Create Groups, and assign those Groups to Domains  Create User, assign user to a Specific Role and place that user in a specific Group  A user is associated with a Group(s) and those Group(s) are associated with Domain(s), but only has one ROLE Copyright 2007, Information Builders. Slide 5

6 Release 8 Repository and Security Authorization Copyright 2009, Information Builders. Slide 6

7 Release 8 Repository  Implemented in RDBMS tables  Accessed via jdbc  Derby shipped and can be installed  All content stored in RDBMS  Any RDBMS with BLOB field support  Utilize your existing RDBMS infrastructure (audit, backup, clustering etc…) Copyright 2009, Information Builders. Slide 7

8 File System model:  Domains are top level folders  N-depth folder/file tree  No special purpose folders  Standard Reports  Reporting Objects  Other Files  My Reports  Shared Reports … Unless you want them  Private content can exist anywhere you allow them  ReportCaster content (schedules, access/distribution lists) Release 8 Repository Copyright 2009, Information Builders. Slide 8

9 Release 8.0 How to Approach Security Authorization Copyright 2009, Information Builders. Slide 9

10 How to Approach Security Authorization  Decide what types of Users you want (Rules with legacy Groups/PSETS shipped)  Create Groups that will contain those user types  Create/Use existing Permission Set  Create Rule For a Group on a Resource Group G1 can do action A1 on Sales Folder (Domain)  Assign Users to the Groups Copyright 2009, Information Builders. Slide 10

11 Security Rules  All rules have 3 parts:  A subject (Groups or Users) – the WHO  Has permitted operations (PSET)– the WHAT  On some resource– the WHERE (Folder, Group, PSET / User or Item)  Examples:  Group RepDev has Developer on Folder /SalesReports  Group EVERYONE has RunReports on Folder /SalesReports  Group RepAdmin has ManageUsers on Group Sales WHO – WHAT – WHERE Copyright 2009, Information Builders. Slide 11

12 Security Rules (Continued..)  Permissions are inherited down the Repository tree  RepDev inherits Developer permissions on folder /SalesReports/Budget  Group to sub-group inheritance  Granting RunReports to Group /Sales also grants RunReports to members of /Sales/Admin, etc.  Subject can have specific rules on every item  Recommend only as the exception! Copyright 2009, Information Builders. Slide 12

13 Groups & Users - WHO  Groups with sub-Groups  Group: /Sales  Group: /Sales/Admin  Group: /Sales/Developer  Users are assigned to Groups (or sub-Groups)  All users are in the EVERYONE Group  User Authorizations by Group membership  When in multiple Groups, order of precedence decides  User authorization “flags” eliminated WHO – WHAT - WHERE Copyright 2009, Information Builders. Slide 13

14 Permissions Sets - WHAT  Named list of permitted or denied operations  WF ships with a set of predefined permission sets  Can create your own  Reusable for multiple rules  Usually declare what a subject can do (PERMIT)  Can declare what a subject cannot do (DENY)  Abilities are never implied  if an individual operation is UNSET, it is an effective deny WHO – WHAT - WHERE Copyright 2009, Information Builders. Slide 14

15 Permission Sets – WHAT List of Operations  Operation is some atomic ability that is permitted or denied  Tree Items: Create File, Delete File, Read File, Write File, Create Folder, Run Report, Run Deferred, Update Properties, Change Ownership, Share, Schedule Report,...  Tools: Launch InfoAssist, Launch Editor, Launch Security Center, Launch RC Admin, Launch Developer Studio Tools,...  Groups: Create Groups, Assign Users to Groups, Share with Group, Make rules for the Group (group as subject),...  Users: Create User, Update User Status/Password,...  Privilege Sets: Create PSET, Update PSET, Delete PSET,... Copyright 2009, Information Builders. Slide 15

16 Everything is a Resource - WHERE  /WFC/Repository  Folders  Sub Folders  Items  /SSYS  Groups  Sub Groups  Users  Permission Sets  /WEB – APPROOT application Directories WHO – WHAT - WHERE Copyright 2009, Information Builders. Slide 16

17 Different abilities at the Folder/SubFolder Level Copyright 2009, Information Builders. Slide 17

18 Private Files & Folders (aka My Reports)  Private files can exist anywhere you allow them  Private folders recommended  Private files can be owned by Users or by Groups  “In development”  Private files can be shared  With specific groups/users  Two special Permission-Sets:  Owners have PrivateResourcePermits on Private Items  Sharees have ShareResourcePermits on Shared Items WHO – WHAT - WHERE Copyright 2009, Information Builders. Slide 18

19 User and Group Administration  Users are permitted operations to act on Groups  Create sub-Groups(opCreateGroup)  Assign users to Groups(opAssignUsersTo)  Assign users from Groups(opAssignUsersFrom)  Manage users in Groups(opUpdateGroup) Copyright 2009, Information Builders. Slide 19

20 Release 8 Repository and Security Authorization Auditing/Logging  Log4j - Open Source popular logging package  All logs/traces utilize log4j  Files (default)  Can log to RDBMS  SMTP  Event Log  Set level of detail  INFO shows SUCCESS and FAILURE  ERROR shows only FAILURE Copyright 2010, Information Builders. Slide 20

21 Release 8 Repository and Security Authorization Auditing/Logging  Security  Signon/Signoff  User Create/Update/Delete/Remove  Group Create/Update/Delete  PSET Create/Update/Delete  Rule Create/Update/Delete  Configuration  Object  FolderCreate/Update/Delete Time Updated  Item Create/Update/Delete Time Accessed, Start/End Run Copyright 2010, Information Builders. Slide 21

22 Release 8 Repository and Security Authorization In the works… Copyright 2009, Information Builders. Slide 22

23  Change Management and Migration  External Authentication  Additional components stored within RDBMS  Default Group for Tool Preferences  /VIEWS/viewname/tabname  Password Policies  Configuration Logging  Object Logging  FolderCreate/Update/Delete Time Updated  Item Create/Update/Delete Time Accessed, Start/End Run Copyright 2010, Information Builders. Slide 23 Release 8 Repository and Security Authorization In the works…

24 Questions? Copyright 2009, Information Builders. Slide 24

25 Thank You ! Copyright 2009, Information Builders. Slide 25

26 UOA Advanced Topics Copyright 2009, Information Builders. Slide 26

27 Effective Policy What a USER can do to a Specific Resource  Effective group membership  All Groups assigned directly to and parents  EVERYONE group  Walk down resource tree to combine rules  /WFC/Repository, /WFC/Repository/Sales,...  Private resources  If owned – add PrivateResourcePermits  Else If shared – add ShareResourcePermits  Combination rules:  DENY overrides a PERMIT  OVERPERMIT overrides a DENY Copyright 2009, Information Builders. Slide 27

28 External User and Group Administration  User authentication  Pre-authorized (single signon, etc.)  LDAP authentication  User Authorization  Direct group assignment retrieved from LDAP  Group hierarchy managed in UOA  Rules managed in UOA  Migration  In 76x - Realm driver said “user has ROBOT flag”  In 77x – User is in ROBOT group  ROBOT has Schedule on /Repository Copyright 2009, Information Builders. Slide 28

Download ppt "The New MR Repository & Security Authorization Model Ben Naphtali WebFOCUS Product Manager Architecture and Security May 2010 Copyright 2009, Information."

Similar presentations

Forms Authentication, Users, Roles, Membership Ventsislav Popov Crossroad Ltd.

Forms Authentication, Users, Roles, Membership Ventsislav Popov Crossroad Ltd.
Lesson 17: Configuring Security Policies

Lesson 17: Configuring Security Policies
WebFOCUS 8: Technical Overview

WebFOCUS 8: Technical Overview
WebFOCUS 8: Technical Overview

WebFOCUS 8: Technical Overview
Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.

Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 5: Managing File Access.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 5: Managing File Access.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 5: Managing File Access.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 5: Managing File Access.
Hands-On Microsoft Windows Server 2003 Administration Chapter 3 Administering Active Directory.

Hands-On Microsoft Windows Server 2003 Administration Chapter 3 Administering Active Directory.
11 SHARING FILE SYSTEM RESOURCES Chapter 9. Chapter 9: SHARING FILE SYSTEM RESOURCES2 CHAPTER OVERVIEW  Create and manage file system shares and work.

11 SHARING FILE SYSTEM RESOURCES Chapter 9. Chapter 9: SHARING FILE SYSTEM RESOURCES2 CHAPTER OVERVIEW  Create and manage file system shares and work.
Lesson 4: Configuring File and Share Access

Lesson 4: Configuring File and Share Access
By Rashid Khan Lesson 8-Crowd Control: Controlling Access to Resources Using Groups.

By Rashid Khan Lesson 8-Crowd Control: Controlling Access to Resources Using Groups.
Group Accounts; Securing Resources with Permissions

Group Accounts; Securing Resources with Permissions
Understanding Active Directory

Understanding Active Directory
Guide to MCSE 70-290, Enhanced 1 Activity 9-1: Creating a Group Policy Object Using the MMC Objective: To create a GPO using the Group Policy Object Editor.

Guide to MCSE , Enhanced 1 Activity 9-1: Creating a Group Policy Object Using the MMC Objective: To create a GPO using the Group Policy Object Editor.
Chapter 7 WORKING WITH GROUPS.

Chapter 7 WORKING WITH GROUPS.
WebFOCUS 8: Best Practices for Migration

WebFOCUS 8: Best Practices for Migration
December 5, 2008 1 OBIEE Technical Conference Security Overview Dan Malone.

December 5, OBIEE Technical Conference Security Overview Dan Malone.
Exchange 2010 Recipient and Mailbox Management IT:Network:Applications.

Exchange 2010 Recipient and Mailbox Management IT:Network:Applications.
11 SHARING FILE SYSTEM RESOURCES Chapter 9. Chapter 9: SHARING FILE SYSTEM RESOURCES2 CHAPTER OVERVIEW Create and manage file system shares and work with.

11 SHARING FILE SYSTEM RESOURCES Chapter 9. Chapter 9: SHARING FILE SYSTEM RESOURCES2 CHAPTER OVERVIEW Create and manage file system shares and work with.
Active Directory Administration Lesson 5. Skills Matrix Technology SkillObjective DomainObjective # Creating Users, Computers, and Groups Automate creation.

Active Directory Administration Lesson 5. Skills Matrix Technology SkillObjective DomainObjective # Creating Users, Computers, and Groups Automate creation.

Similar presentations

Ads by Google