The New MR Repository & Security Authorization Model
Ben Naphtali WebFOCUS Product Manager
Architecture and Security
May 2010
Copyright 2009, Information Builders. Slide 1
Release 77x/76x Security Structure - Review
WebFOCUS Managed Reporting Security - Release 77x/76x and Earlier
Authentication – Internal or External (Basedir, RDBMS, AD, LDAP, WFRS, Trusted)
Authorization – Internal or External (Basedir, RDBMS, AD, LDAP)
All MR assets are stored on the filesystem
Architecture diagram (components): Browser Machine; Application Server/Web Server with WF Servlet & MR (Internal) Repository, Java Client and External Authentication; WebFOCUS Server; MR (External) Authorization (SQL RDBMS, Active Directory, LDAP); RDBMS: DB2, Oracle, Sybase, Informix, Teradata, ...
WebFOCUS 77x/76x Managed Reporting Security - User Authorization
Diagram: Users, Groups, Domains, Reports, Launch Pages, Documents, Role(*)
Role is assigned directly to the user.
A user has only ONE role, except in the case of a Group Administrator.
WebFOCUS 77x/76x Managed Reporting Security User Authorization
Create Domain, and Assign Reporting Server Properties
Create Groups, and assign those Groups to Domains
Create User, assign user to a Specific Role and place that user in a specific Group
A user is associated with one or more Groups, and those Groups are associated with one or more Domains, but the user has only one ROLE
Release 8 Repository and Security Authorization
Release 8 Repository
Implemented in RDBMS tables, accessed via JDBC
Derby is shipped and can be installed
All content stored in the RDBMS
Any RDBMS with BLOB field support
Utilize your existing RDBMS infrastructure (audit, backup, clustering, etc.)
Release 8 Repository
File System model: Domains are top level folders
N-depth folder/file tree
No special purpose folders (Standard Reports, Reporting Objects, Other Files, My Reports, Shared Reports) ... unless you want them
Private content can exist anywhere you allow it
ReportCaster content (schedules, access/distribution lists)
Release 8.0: How to Approach Security Authorization
How to Approach Security Authorization
Decide what types of Users you want (Rules with legacy Groups/PSETS are shipped)
Create Groups that will contain those user types
Create or use an existing Permission Set
Create a Rule for a Group on a Resource, e.g. Group G1 can do action A1 on the Sales Folder (Domain)
Assign Users to the Groups
Security Rules
All rules have 3 parts:
A subject (Groups or Users) – the WHO
Has permitted operations (PSET) – the WHAT
On some resource – the WHERE (Folder, Group, PSET / User or Item)
Examples:
Group RepDev has Developer on Folder /SalesReports
Group EVERYONE has RunReports on Folder /SalesReports
Group RepAdmin has ManageUsers on Group Sales
WHO – WHAT – WHERE
Security Rules (continued)
Permissions are inherited down the Repository tree: RepDev inherits Developer permissions on folder /SalesReports/Budget
Group to sub-group inheritance: granting RunReports to Group /Sales also grants RunReports to members of /Sales/Admin, etc.
A subject can have specific rules on every item; recommended only as the exception!
Groups & Users - WHO
Groups with sub-Groups: Group /Sales, Group /Sales/Admin, Group /Sales/Developer
Users are assigned to Groups (or sub-Groups); all users are in the EVERYONE Group
User authorizations come from Group membership; when a user is in multiple Groups, the order of precedence decides
User authorization “flags” are eliminated
WHO – WHAT - WHERE
Permission Sets - WHAT
Named list of permitted or denied operations
WF ships with a set of predefined permission sets; you can create your own
Reusable for multiple rules
Usually declare what a subject can do (PERMIT); can declare what a subject cannot do (DENY)
Abilities are never implied: if an individual operation is UNSET, it is an effective deny
WHO – WHAT - WHERE
Permission Sets – WHAT: List of Operations
An operation is some atomic ability that is permitted or denied
Tree Items: Create File, Delete File, Read File, Write File, Create Folder, Run Report, Run Deferred, Update Properties, Change Ownership, Share, Schedule Report, ...
Tools: Launch InfoAssist, Launch Editor, Launch Security Center, Launch RC Admin, Launch Developer Studio Tools, ...
Groups: Create Groups, Assign Users to Groups, Share with Group, Make rules for the Group (group as subject), ...
Users: Create User, Update User Status/Password, ...
Privilege Sets: Create PSET, Update PSET, Delete PSET, ...
Everything is a Resource - WHERE
/WFC/Repository: Folders, Sub Folders, Items
/SSYS: Groups, Sub Groups, Users, Permission Sets
/WEB – APPROOT application Directories
WHO – WHAT - WHERE
Different abilities at the Folder/SubFolder Level
Private Files & Folders (aka My Reports)
Private files can exist anywhere you allow them; private folders are recommended
Private files can be owned by Users or by Groups (“In development”)
Private files can be shared with specific groups/users
Two special Permission Sets: Owners have PrivateResourcePermits on Private Items; Sharees have ShareResourcePermits on Shared Items
WHO – WHAT - WHERE
User and Group Administration
Users are permitted operations to act on Groups:
Create sub-Groups (opCreateGroup)
Assign users to Groups (opAssignUsersTo)
Assign users from Groups (opAssignUsersFrom)
Manage users in Groups (opUpdateGroup)
Release 8 Repository and Security Authorization: Auditing/Logging
Log4j - popular open source logging package; all logs/traces utilize log4j
Files (default); can also log to RDBMS, SMTP, Event Log
Set level of detail: INFO shows SUCCESS and FAILURE; ERROR shows only FAILURE
Release 8 Repository and Security Authorization: Auditing/Logging
Security: Signon/Signoff; User Create/Update/Delete/Remove; Group Create/Update/Delete; PSET Create/Update/Delete; Rule Create/Update/Delete; Configuration
Object: Folder Create/Update/Delete, Time Updated; Item Create/Update/Delete, Time Accessed, Start/End Run
Release 8 Repository and Security Authorization: In the works…
Change Management and Migration
External Authentication
Additional components stored within RDBMS
Default Group for Tool Preferences
/VIEWS/viewname/tabname
Password Policies
Configuration Logging
Object Logging: Folder Create/Update/Delete, Time Updated; Item Create/Update/Delete, Time Accessed, Start/End Run
Questions?
Thank You!
UOA Advanced Topics
Effective Policy: What a USER can do to a Specific Resource
Effective group membership: all Groups assigned directly to the user, their parents, and the EVERYONE group
Walk down the resource tree to combine rules: /WFC/Repository, /WFC/Repository/Sales, ...
Private resources: if owned – add PrivateResourcePermits; else if shared – add ShareResourcePermits
Combination rules: DENY overrides a PERMIT; OVERPERMIT overrides a DENY
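The tree and group inheritance of slide 12, the UNSET-is-an-effective-deny rule of slide 14 and the combination order on this slide, worked through as an added toy evaluator (example code, not the presentation's own or WebFOCUS's). The group names, folder paths and permission-set contents are constructed, and treating PrivateResourcePermits as OVERPERMIT entries is an assumption.

```python
# Added illustration, not code from the presentation or from WebFOCUS: a toy
# evaluator for the effective-policy algorithm the slides describe. Group,
# folder and permission-set names below are constructed for the example.
PERMIT, DENY, OVERPERMIT = "PERMIT", "DENY", "OVERPERMIT"
RANK = {None: 0, PERMIT: 1, DENY: 2, OVERPERMIT: 3}  # DENY beats PERMIT, OVERPERMIT beats DENY
# Permission sets (WHAT): an operation missing from a set is UNSET, i.e. an effective deny.
PSETS = {
    "Developer": {"ReadFile": PERMIT, "WriteFile": PERMIT, "CreateFile": PERMIT, "RunReport": PERMIT},
    "RunReports": {"ReadFile": PERMIT, "RunReport": PERMIT},
    "NoWrite": {"WriteFile": DENY},
    # Assumption: owner permits are modelled as OVERPERMIT so they win over an inherited DENY.
    "PrivateResourcePermits": {"ReadFile": OVERPERMIT, "WriteFile": OVERPERMIT, "Share": OVERPERMIT},
}
# Rules: (WHO = subject group, WHAT = permission set, WHERE = resource path), constructed.
RULES = [
    ("/RepDev", "Developer", "/WFC/Repository/SalesReports"),
    ("/EVERYONE", "RunReports", "/WFC/Repository/SalesReports"),
    ("/RepDev/Contractors", "NoWrite", "/WFC/Repository/SalesReports/Budget"),
]

def ancestors(path):
    """'/a/b/c' -> ['/a', '/a/b', '/a/b/c']; used for both the group tree and the resource tree."""
    parts = path.strip("/").split("/")
    return ["/" + "/".join(parts[:i]) for i in range(1, len(parts) + 1)]

def effective_groups(user_groups):
    """Effective membership: every assigned group, all of its parent groups, and EVERYONE."""
    groups = {"/EVERYONE"}
    for g in user_groups:
        groups.update(ancestors(g))
    return groups

def effective_policy(user_groups, resource, owner_groups=()):
    """Walk down the resource tree, merging each matching rule's PSET by RANK."""
    subjects = effective_groups(user_groups)
    policy = {}
    def merge(pset_name):
        for op, verdict in PSETS[pset_name].items():
            if RANK[verdict] > RANK[policy.get(op)]:
                policy[op] = verdict
    for node in ancestors(resource):              # rules on parents are inherited by children
        for who, what, where in RULES:
            if where == node and who in subjects:
                merge(what)
    if subjects & set(owner_groups):              # private resource owned by one of the user's groups
        merge("PrivateResourcePermits")
    return policy

def can(user_groups, op, resource, owner_groups=()):
    """True only for PERMIT/OVERPERMIT; UNSET (missing) and DENY both refuse the operation."""
    return effective_policy(user_groups, resource, owner_groups).get(op) in (PERMIT, OVERPERMIT)
```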
External User and Group Administration
User authentication: Pre-authorized (single signon, etc.); LDAP authentication
User Authorization: Direct group assignment retrieved from LDAP; Group hierarchy managed in UOA; Rules managed in UOA
Migration: In 76x – Realm driver said “user has ROBOT flag”; In 77x – User is in ROBOT group
ROBOT has Schedule on /Repository