Advanced Topics


This section reviews topics that may be of interest to larger enterprise deployments.


Synchronizing the ReportCaster Repository During MR Sign-on

The SYNC_CASTER_ON_MRSIGNON setting, located on the MR Security Settings - Advanced window of the WebFOCUS Administration Console, specifies whether the Managed Reporting Realm Driver should synchronize the privileges and groups of the user with the ReportCaster Repository during MR (and Dashboard) sign-on. The setting is only valid when MR Authorization is set to an External Directory, and the synchronization only occurs if the user has ReportCaster privileges.

The internal default of false improves performance and should be used whenever the MR Administration tool is used to maintain the user repository. In this case, synchronization during sign-on is unnecessary because the tool updates the MR and ReportCaster repositories. You must change the value to true whenever the ReportCaster Repository does not reflect the authorization information located in the external source (such as Active Directory, LDAP, and some custom RDBMS authorization scenarios). When set to true, the driver calls createOrUpdateCasterUser() during sign-on, in the user context specified by IBIMR_RC_SVCUSER, in order to synchronize the privileges and groups of the user with ReportCaster.


User ID Case Setting

For information about this setting, see User ID Case.


Retrieving User Information From Two Directories

Managed Reporting needs information about each user, and the location of this information can be an important issue in enterprise deployments. In addition to a user ID, the information includes the password, name, e-mail, role, and privileges of the user. The user name appears in front-end features like the user Dashboard greeting banner and also in user lists like Shared Reports and User Management. The Report Library requires the e-mail address of the user in the ReportCaster Repository.

The role and privileges of the user are authorization-related properties, and it makes sense that this information is maintained in the authorization directory. However, by default Managed Reporting also assumes that the name and e-mail of the user will be found alongside their other authorization-related properties. This creates duplication and synchronization issues since this data is also typically managed in authentication directories like Active Directory or in LDAP servers.

The Advanced MR Security Setting property USER.INFO.LOOKUP can be changed from AUTHORIZATION to DUAL, causing Managed Reporting to look up the name and e-mail properties of the user from the authentication directory, while finding their other properties from the authorization directory.



Procedure: How to Implement the USER.INFO.LOOKUP = DUAL Setting

By following the steps in this procedure, you can avoid a number of pitfalls that might not be obvious when considering this option. The procedure is based on a new installation of WebFOCUS, including ReportCaster, where the configuration includes Active Directory (or LDAP) authentication and Managed Reporting administered DBMS authorization.

The procedure assumes that you do not have (and will not create) Active Directory user IDs admin and public. It is also assumed that you have already created ibircsvc and ibibidsvc (or equivalent) IDs in Active Directory for use by ReportCaster and Dashboard, respectively.

You will begin by configuring Managed Reporting to authenticate and authorize to the relational DBMS. Then you will create an administrator account for yourself that matches your Active Directory ID. After logging on to the Managed Reporting Administration interface with this new ID, you will remove the admin and public accounts before configuring the USER.INFO.LOOKUP=DUAL setting. You will also make related changes to ReportCaster, WebFOCUS, and Dashboard.

  1. Log on to the WebFOCUS Administration Console. Configure and then select your DBMS directory prefix for both authentication and authorization. Click OK to load the MR Realm Driver.
  2. Run the MR Realm Driver DBMS Configuration Utility and select Option 1 to create the schema. You do not need to run Option 2. Remember that you need to update the JDBC_DRIVER_JARS setting in the batch file (WebFOCUS\utility\realm\realmutil.bat) before running this utility.
  3. Log on to the Managed Reporting Administration interface as admin with password pass (pass is loaded as the password for admin in the WF_MRUSERS table by the utility).
  4. Create an account for yourself using your Active Directory ID as the Managed Reporting user ID. How you enter your Name (for example, James Thompson) and Email is unimportant because these fields will be automatically updated with information from Active Directory. Make the following additional choices for the account, then save the user and log out of the interface:
    • Password. Whatever you supply will only be used once in the next step. You can leave it blank if you want. After you configure Active Directory authentication, any passwords stored in the WF_MRUSERS table are ignored.
    • Role. MR Administrator.
    • Privileges. Select all privileges.
    • Groups. Select the Default and Public Groups.
  5. Log on to the Managed Reporting Administration interface again with your new ID and the password you entered (or left blank).
  6. Create the user ibircsvc (ReportCaster Service Account). Grant it the MR Administrator role (no additional privileges or groups are required). The Password and Email fields can also be left blank.
  7. Create the user ibibidsvc (Dashboard Service Account). Grant it the User role and Public Group (no additional properties or privileges need to be configured).
  8. Delete (or disable login rights for) the admin and public users, then log out of the interface. You may prefer to delete them now because if you leave them disabled they will display in the Users list but you will be unable to delete or edit them after you configure Active Directory authentication with the DUAL setting.
  9. From the WebFOCUS Welcome page (http://hostname:port/ibi_apps/, where hostname is the domain name of the machine on which the WebFOCUS Client is installed, and port is the port on which it listens), click the ReportCaster link and log on with admin and no password. You can do this because admin is defined as the Default ReportCaster Administrator ID in the ReportCaster Server Configuration tool (with no password), and you have not yet set the MR Trusted Sign-on option for ReportCaster. The ReportCaster Development and Administration interface opens.
  10. Click the ReportCaster Server Configuration link to access the configuration tool. On the General tab, for the Authentication Plug-in setting located under the Security folder, select MR Trusted Sign-on from the drop-down list.
  11. On the same tab, change admin to ibircsvc in the User Info, Administrator setting. You do not need to supply a password. Once this change takes effect, you will be able to log on to the ReportCaster Server Configuration tool with this ID or with your own ID. In either case, the password required will be the one in Active Directory because of the setting you made in step 10.
  12. Save your changes and restart the ReportCaster Distribution Server. You can start it as a Windows service now, if desired.
  13. Log on to the WebFOCUS Administration Console. Console security is not governed by the Managed Reporting features used in the procedure. For more information about protecting the console, see Securing the WebFOCUS Administration Console.
  14. Configure the properties for your Active Directory (or LDAP) directory prefix under Configuration, MR Security Settings, External Directories. Click Save.
  15. Select your Active Directory (or LDAP) prefix now for the MR Security Settings, General, Authentication setting. Click Save. You can click Cancel when prompted to reload the driver because you will need to reload the Web application later.
  16. Select DUAL for the MR Security Settings, Advanced, USER.INFO.LOOKUP setting. Click Save. You can click Cancel again.
  17. Change admin to ibircsvc in the Configuration, Managed Reporting, IBIMR_RC_SVCUSER setting and click Save. This ID is used to synchronize the externally defined ReportCaster privileges of the user with the ReportCaster Repository during Managed Reporting sign-on. For more information, see Understanding Sign-on Processing with External Authorization.
  18. Log out of the console.
  19. Reload the WebFOCUS and ReportCaster Web applications. This updates your IBIMR_RC_SVCUSER and MR Realm Driver settings and removes the old configuration from the ReportCaster Web application components.
  20. You should also update the Dashboard Service account and password as explained in Preparing Dashboard.

You have now successfully configured Managed Reporting to authorize users to the relational DBMS while authenticating and retrieving name and e-mail information from Active Directory (or LDAP).



Procedure: How to Configure the Name and E-mail Properties

You may want to change the directory attributes used by Managed Reporting to retrieve the full name and e-mail address of the user from Active Directory or an LDAP server. These properties are accessible by editing the appropriate directory prefix in the Configuration, MR Security Settings, External Directories panel of the WebFOCUS Administration Console.

USER.DESCRIPTION
Defines the attribute used to retrieve the full name of the user for display purposes in Managed Reporting. Initially set to displayName for the built-in AD prefix and cn for LDAP.
USER.EMAIL
Defines the attribute used to retrieve the e-mail account of the user in order to create the user's ReportCaster account (if configured). Initially set to userPrincipalName for the built-in AD prefix and mail for LDAP.

Coordinate your decision with the directory administrator.



Reference: Creating Users With USER.INFO.LOOKUP = DUAL

Once this setting is made, the Managed Reporting Administration interface disables the name, e-mail, and password fields in its data entry panel because these fields display read-only data from the authentication directory.

When adding new users to Managed Reporting, you specify their user ID, role, privileges, and groups and click Save. During the save operation, Managed Reporting retrieves their name and e-mail from the authentication directory. The user name is written to the Managed Reporting authorization directory (to speed up retrieval of queries for user lists) and to the ReportCaster Repository (which needs the name for display purposes in its tools). The e-mail address of the user is also copied into the ReportCaster Repository for use with Report Library features. However, the e-mail address is not written to the Managed Reporting authorization directory.

As explained in Configuring Managed Reporting for Trusted or External Authentication, Managed Reporting treats user IDs as case-insensitive (specifically, it treats them as their lowercase value) for authorization and internal purposes. While you can manipulate the USERID.CASE property to control how Managed Reporting treats the case of the ID provided by the user for authentication, the case you use to enter the ID when creating users in the Managed Reporting Administration interface is not important.

You can only add users to Managed Reporting whose ID exists in the authentication directory. Note that there is a known issue where attempting to create a user with an invalid ID results in a WebFOCUS API error. Until the issue is resolved with a better message, be sure to enter user IDs with the correct spelling.
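The following Python models the DUAL user save described in this reference and the attribute mapping from the previous procedure. It is an added example, not WebFOCUS or MR Realm Driver code; the sample authentication directory entry, the repository dictionaries and the function names are constructed for illustration.

```python
"""Model of saving a new Managed Reporting user under USER.INFO.LOOKUP = DUAL.

Added example, not WebFOCUS code.  AUTH_DIRECTORY, the repository
dictionaries and save_user_dual() are constructed for illustration.
"""

# Attribute names used by the two built-in directory prefixes (from the page).
PREFIX_SETTINGS = {
    "AD": {"USER.DESCRIPTION": "displayName", "USER.EMAIL": "userPrincipalName"},
    "LDAP": {"USER.DESCRIPTION": "cn", "USER.EMAIL": "mail"},
}

# Constructed sample authentication directory: lowercase user ID -> attributes.
AUTH_DIRECTORY = {
    "jthompson": {
        "displayName": "James Thompson",
        "userPrincipalName": "jthompson@example.com",
    },
}


class UnknownUserError(ValueError):
    """The ID does not exist in the authentication directory."""


def save_user_dual(user_id, role, privileges, groups, prefix,
                   authz_directory, caster_repository):
    """Save a user the way the DUAL setting routes the data.

    The administrator supplies ID, role, privileges and groups.  Name and
    e-mail are read from the authentication directory using the prefix's
    USER.DESCRIPTION and USER.EMAIL attributes.  The name goes to both the
    authorization directory and the ReportCaster Repository; the e-mail
    goes only to the ReportCaster Repository.  Returns the stored key.
    """
    key = user_id.lower()            # MR treats IDs as their lowercase value
    entry = AUTH_DIRECTORY.get(key)
    if entry is None:                # only IDs that exist in the directory
        raise UnknownUserError(f"{user_id!r} not found in authentication directory")
    attrs = PREFIX_SETTINGS[prefix]
    name = entry[attrs["USER.DESCRIPTION"]]
    email = entry[attrs["USER.EMAIL"]]
    authz_directory[key] = {"name": name, "role": role,
                            "privileges": set(privileges), "groups": set(groups)}
    caster_repository[key] = {"name": name, "email": email}
    return key
```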


Managing Large Directories

When using large directories with Managed Reporting, there are some settings that can be used to improve the performance of features that return lists of users.

In the WebFOCUS Administration Console MR Security Settings, Advanced panel, you can adjust the MAX_RECORDS_TO_RETRIEVE setting from 10000 to a smaller number to improve the response time of the MR Realm Driver returning unconstrained answer sets to the MR API. However, decreasing this setting limits the number of users returned to the User Management feature of the Managed Reporting Domain Builder applet, which is used by administrators to access end user My Reports.

You can also change the maxNumberOf settings in the WebFOCUS77/config/mradmin-config.xml file to limit the number of objects returned to the lists in the interface. This limit is applied after the answer set is returned by the MR API.


Using the Default Groups Feature

The USE_DEFAULT_SETTINGS feature on the WebFOCUS Administration Console Configuration, MR Security Settings, Advanced panel was intended to provide a way to assign a default group or groups to users who had no groups assigned to them in the external directory. This feature was not tested thoroughly and you should use caution if you want to experiment with it.


Cache Control Settings

By default, the MR Realm Driver cache feature is enabled and information about MR domains, groups, roles, and users is cached. Generally speaking, you should leave the cache feature enabled to improve performance. The user cache retains information about each user that logs on. As users log on, their cache (if any) is purged to ensure that their latest privileges are retrieved from the external directory. Write-backs to the RDBMS repository initiated from any of the MR tools also result in the cache being purged.

When using an external directory option like LDAP or Active Directory, however, there is no write-back support. Therefore, there may be a situation where the cache becomes stale. Consider the case where a new MR Group is created in Active Directory after Managed Reporting is already online and in use. To recognize this new MR Group when the cache feature is enabled, you must recycle the Web application (in order to eliminate the cache).

You can disable portions of the cache by setting one or more of the following properties to true in the MR Security Settings - Advanced panel in the WebFOCUS Administration Console:

DISABLE_USER_CACHE=true
DISABLE_DOMAINS_CACHE=true
DISABLE_GROUPS_CACHE=true
DISABLE_ROLES_CACHE=true

You can also disable the entire cache feature by setting the following property to true:

DISABLE_CACHE=true

In a development environment, you may want to disable the domains, groups, and roles cache. In a production environment, you may want to disable anything that will be changing frequently. Generally speaking, you should always leave the user cache enabled since it is purged during sign-on for each user.


DBMS Recovery Codes

When used with an RDBMS, the MR Realm Driver maintains a connection pool to improve performance. Should the RDBMS restart while WebFOCUS is operational, the Realm Driver receives a SQL State error code from the RDBMS when it attempts to use one of these connections. The Realm Driver drops and reestablishes its connection pool when it encounters any of the following SQL state error codes: 08S01, 08003, IX000, HY010, 17002. You can specify additional error codes by typing them in the DBMS_RECOVERY_CODES property in the MR Security Settings - Advanced panel in the WebFOCUS Administration Console.
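As an added example (not the MR Realm Driver's code), the following Python models the pool recovery described above: a SQL state in the built-in list, or in DBMS_RECOVERY_CODES, causes the whole pool to be dropped and re-established, while any other error leaves the pool intact. The pool, the error class and the assumption that DBMS_RECOVERY_CODES is a comma-separated list are constructed for illustration.

```python
"""Connection-pool recovery keyed on SQL state codes (added example, not
WebFOCUS code).  RecoveringPool and SQLStateError are constructed; the
comma-separated format of DBMS_RECOVERY_CODES is an assumption."""

# Codes on which the Realm Driver rebuilds its pool (from the page).
DEFAULT_RECOVERY_CODES = frozenset({"08S01", "08003", "IX000", "HY010", "17002"})


def recovery_codes(dbms_recovery_codes=""):
    """Built-in codes plus any extra ones from the DBMS_RECOVERY_CODES
    property, assumed here to be comma-separated (assumption)."""
    extra = {c.strip().upper() for c in dbms_recovery_codes.split(",") if c.strip()}
    return DEFAULT_RECOVERY_CODES | extra


class SQLStateError(Exception):
    """Constructed stand-in for a JDBC exception carrying a SQLSTATE."""
    def __init__(self, sqlstate):
        super().__init__(sqlstate)
        self.sqlstate = sqlstate


class RecoveringPool:
    """Connections are (generation, index) tuples; a rebuild bumps the
    generation so every connection handed out afterwards is fresh."""

    def __init__(self, size, dbms_recovery_codes=""):
        self.codes = recovery_codes(dbms_recovery_codes)
        self.size = size
        self.generation = 0
        self.rebuilds = 0
        self._open()

    def _open(self):
        self.generation += 1
        self.connections = [(self.generation, i) for i in range(self.size)]

    def execute(self, query):
        """Run query(conn).  A recovery-code error drops the whole pool and
        re-establishes it; other errors just return the connection."""
        conn = self.connections.pop(0)
        try:
            return query(conn)
        except SQLStateError as err:
            if err.sqlstate.upper() in self.codes:
                self.rebuilds += 1
                self._open()     # stale connections are discarded, not returned
                conn = None
            raise
        finally:
            if conn is not None:
                self.connections.append(conn)
```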

