webfocus 8: technical overview

Jim ThorstadTechnical Director, WebFOCUS Product Management

WebFOCUS 8: Technical Overview

1

Agenda

WebFOCUS 8 ArchitectureSecurity ModelEnhancement HighlightsDemo

2

WebFOCUS 8 Architecture

3

What is WebFOCUS 8?Understanding Middle-tier vs. Server-tier Components

4

WebFOCUS Client

Managed Reporting

ReportCaster

BI Portal/Dashboard

WebFOCUS Report Server

Report Server 7.7.04+

Users Data

WebFOCUS 8.0

WebFOCUS 8 Updates the Middle-tier

Report Server 8.0.01+WebFOCUS 8.0.01

WebFOCUS 8 ArchitectureIntegrated Repository

5

Application Directories

MetadataUploaded Data

WebFOCUS 8 Repository

WebFOCUS Client

Managed Reporting

BI Portal

ReportCaster

WebFOCUS Report Server

UsersGroupsSecurity

ReportsSchedules

Content

Information Builders File SystemWebFOCUS 8 Architecture Is Built Around IBFS IBFS Service Layer – Internal Subsystem IBFS Path – an Object Addressing Scheme

6

IBFS paths used in drill-down links, schedules, security rulesFor backward compatibility, migrated content can still be accessed via HREF properties

Information Builders File SystemIBFS is All-EncompassingIBFS Used to Reference

Reports, portal pages Schedules, outputUsers, groupsReport Servers

7

IBFS governs access to everything

IBFS is Hierarchical and EnablesSecurity policy inheritanceGroup nestingFull control over content

organization

Information Builders File SystemIBFS Enables Full Control of Content Organization

8

Mandatory folders in 7x are migrated “as is”

… but are no longer required in 8.0

Reports, reporting objects, and library

output can be deployed in the

same folder

Folder depth not limited to one sub-folder

RC Distribution

Server

WebFOCUS 8 ArchitectureAll Content is Accessed via the IBFS Service Layer

WebFOCUS 8 Repository

IBFS Service LayerHT

TP S

ervi

ce

9

Core WFMR/BIP/RC

ReportCaster uses an IBFS Service API to access report procedures in the repository

Eliminates problematic HTTP requests to the web tier

WebFOCUS 8 High-level ArchitectureRunning Report Requests

WebFOCUS 8 Repository

IBFS Service LayerHT

TP S

ervi

ce

WebFOCUS Report Server

Web Requests

10

Core WFMR/BIP/RC

User ID and Groups can be passed to the Server:• Connection=Trusted/IBIMR_user• IBI_WFRS_Passthrough_Groups=ALL

WebFOCUS runs interactive requests through IBFS

u=jim, g=Tenant22

WebFOCUS 8 Security Model

11

Why a New Security Model?Customer Feedback Related to WebFOCUS 7xManaged Reporting Role Security was Limiting

Only 5 base roles and 9 permissions One role for all Domains

Domain Security Model was Limiting Couldn’t customize security on sub-folders

Content Sharing was Limiting Couldn’t share with specific people

Challenging for Multi-tenancy SaaS Deployments Couldn’t allow sharing in a common Domain—user’s would

see content from other tenants Dilemma: abandon common domain or drop sharing?

12

WebFOCUS 8 Addresses These Challenges!

WebFOCUS 8 Security ModelBasic Security ConceptsSecurity Rules Connect…

Subjects – groups/users to authorize Roles – collection of privileges Resources – objects to secure Access – type of rule: permit, deny, ... Apply To – scope of rule: folder, folder & children, ...

Security Policy – Collection of Security RulesEffective Policy – Evaluation of the Security Policy

Bob has privileges A, B, C on resource X Takes into account rule inheritance, rule conflicts, group

membership, user-specific rules (if any)

13

The Security Model in WebFOCUS 8 Provides Complete Control of Your Security Policies

WebFOCUS 8 Security Model Understanding Group MembershipPolicy Evaluation Includes Processing of a User’s:

Explicitly assigned groupsImplicit groups

14

• Therefore Bob implicitly belongs to Sales…

• And the rules associated with both groups apply

• Bob is assigned to the Sales Basic Users group

Bob

explicit

• Sales Basic Users belongs to Sales Group

implicit

WebFOCUS 8 Security Model WebFOCUS 8 Security Center – Users & Groups Tab

15

WebFOCUS 8 Security Model WebFOCUS 8 Security Center – Roles Tab

16

WebFOCUS 8 Security Model WebFOCUS 8 Security Center – Role Customization

17

Select all or a portion of the privileges within each category

Choose whether users select a Master File or Reporting Object with InfoAssist

Choose whether users can upload a spreadsheet to the Reporting Server

WebFOCUS 8 Security Model Creating Security Rules

18

and then Security > Rules…

Select any IBFS resource …

WebFOCUS 8 Security Model Creating Security Rules – Security Rules Dialog

19

You select a subject…

The resource

…role, type, and scope

Click OK tocreate rule(s)

WebFOCUS 8 Security Model Managing Your Security Policies

20

Rules on this Resource answers: “Who can access this?”

WebFOCUS 8 Security Model Managing Your Security Policies

21

Rules for this Group answers: “What does this group have access to?”

WebFOCUS 8 Security ModelUnderstanding the Built-in Global Groups

22

Consider Using Global Groups Carefully

Global groups have access to all content through inheritance

WebFOCUS 8 Security Model Benefits

23

Flexible Security ModelOver 150 assignable privilegesYou can develop custom roles

Sub-Groups and Inheritance Simplify Policy CreationTools simplify Creation and Management of PoliciesPossible to Address Enterprise and SaaS MarketsPossible to Address Each Customer’s Unique Needs

WebFOCUS 8 Enhancement Highlights

24

WebFOCUS 8 Enhancement Highlights

25

Resource TemplatesPrivate Content, Publishing, and Content SharingLocalizationLicensingAuthorization Mapping

Resource TemplatesThe Deployment Challenges Facing Administrators

26

What are our security requirements?How do I design and implement a security policy?How long will it take to create security rules?What best practices should I be aware of?Where do I start?

Resource TemplatesSimplifying the Creation of Security Policies

27

Resource Templates Automate the Creation ofFolders, portals, groups, roles, security rules

WebFOCUS 8.0.01 Includes Two Resource Templates:Enterprise Domain templateSaaS Tenant Domain template

Resource TemplatesSimplifying the Creation of Security Policies

28

The Enterprise Domain Template Creates:1 Domain-specific Folder,

Portal, and Group4 Sub-groups21 Domain-specific Rules8 Configurable Roles

Resource TemplatesSimplifying the Creation of Security Policies

29

The SaaS Tenant Template Creates the Same Things PlusA Common folder

The EVERYONE group is hidden

Resource TemplatesSimplifying the Creation of Security PoliciesThe template also creates the required security rules

30

Resource TemplatesSupport Site and Roadmap

31

Latest Information on Templates:

Download the Policy Design WorksheetUse this to plan your custom deployment

Roadmap: Create Your Own Templates

https://techsupport.informationbuilders.com/tech/wbf/v8templates/wbf_8_resource_templates.html

Private Content, Publishing, and SharingPrivate Content

32

All Content Initially Created as Private Visible only to owner Doesn’t inherit security Administrators with Manage Private Resources can access

private contentAuthority to Create Private Items Outside of a My

Content Folder Can be Assigned

In 8.0.01 private content is indicated with a grayscale overlay on the icon

Private Content, Publishing, and SharingPublishing Private Content

33

Authorized Users Can Publish a Private Resource Published resources inherit security rules from parent Create, Publish & Un-Publish are separately assignable

Contrast with Formal Change Control Model Isolated DEV/TEST/PROD environments Developers don’t have write access to TEST/PROD

But a Useful Alternative in SaaS Deployments SaaS tenant developers only interact with PROD Tenant developers can work out of view from users Publishing completed reports is simple IBFS paths don’t change

Consider Developing In-Place with Private Content

Private Content, Publishing, and SharingMy Content Folders

34

End-Users Need to Create Resources in Production This is facilitated by special My Content folders

A Folder Property Enables Support for My Content

Assignable Privilege Determines Who Gets One

Private content, created and saved by a user to their My Content folder

Private Content, Publishing, and SharingContent Sharing

35

Complete Control Over Content Sharing Share – simple sharing determined by WebFOCUS Share with – user determines who to share with

Configurable Policy Determines Available Users/Groups

Shared content

Assignable sharing options

Enhanced Shared Content View Only Users Sharing Content are Shown

Authorization MappingKey Requirement for Enterprise & SaaS Deployments

36

What if you Manage Authorizations in LDAP/AD via…The user’s group membershipsA custom attribute on the user entry

Groups in AD/LDAP User Attribute in Oracle LDAP

Authorization Mapping is Built-in to WebFOCUS 8

Authorization MappingKey Requirement for Enterprise & SaaS Deployments

37

Administrator Maps the Value to a WebFOCUS GroupResource Templates Can Configure the Mapping

Group DN or user attribute value is mapped to WF group

LDAP Authorization MappingKey Requirement for Enterprise & SaaS Deployments

38

User accounts are automatically created during sign-on

Mapped WebFOCUS groups have a link icon

Other Security EnhancementsPassword Policies, Auditing For Customers Using Internal Authentication

Strong encryption for password hashes Configurable password policies

Built-in Protection from Web VulnerabilitiesBuilt-in User and Administrative Activity Auditing

39

[2012-05-30 08:30:13,267] INFO groups ed214e45667f0f1

thoja13 addUserToGroup SUCCESS user:smija03 (314568704)

group:IBFS:/SSYS/GROUPS/Retail/Developers (614187006)

This user

Used this API

To move this user

Into this group

Localizable Content TitlesA Complete Solution for Localized Applications

40

User sees label based on their language preference

Repository data can be localized

WebFOCUS 8 Client LicenseNew for WebFOCUS 8

41

Enforces Licensed Options Features: BI Portal, InfoAssist, ReportCaster, etc. Managed Reporting user count InfoAssist user count (future release)

Work with Customer Support/Account Team Make sure your site code (XXXX.nn) reflects your products

Migrating to WebFOCUS 8

42

Migrating to WebFOCUS 8Built-in Utilities to Simplify the ProcessUtility Migrates 7x Content

ReportCaster ContentManaged Reporting ContentDashboards

Dashboard Conversion to BI PortalsNot Automatic

User Experience and Policies Preserved Identical folder structure Identical security policy

43

7x

8.0

44

Understanding a Migrated PolicyMR7x to WF8MR 7x users had only a single role and optionally a

few extra privilegesThe role was defined on the userMigration creates a policy with this same behaviorRequires the User Default Role (UDR) Setting

45

Understanding a Migrated PolicyMR7x to WF8Sets special system Roles between migrated Groups

and Domain folders

46

Understanding a Migrated PolicyMR7x to WF8Enables Default Role tab on the user accountHere the user’s 7x “role” and “privileges” are definedThey apply to all Domain folders

Summary

47

WebFOCUS 8 Technical OverviewSummary

Rich Portal and Tool Interfaces Replace BI Dashboard and Java Applet UIs

Integrated Repository Based on IBFS Unified, fully localizable repository for MR, BIP, RC Full control of content organization and security policy Resource Templates simplify security policy creation

Enhanced Content Publishing and SharingExternal Authorization Built-inMigration Utilities Streamline UpgradeWebFOCUS 8.0.01 requires 8.0.01 Report Server

48

49

Thank you!