This section reviews topics that may be of interest to larger enterprise deployments.
The SYNC_CASTER_ON_MRSIGNON setting, located on the MR Security Settings - Advanced window of the WebFOCUS Administration Console, specifies whether the Managed Reporting Realm Driver should synchronize the privileges and groups of the user with the ReportCaster Repository during MR (and Dashboard) sign-on. The setting is only valid when MR Authorization is set to an External Directory, and the synchronization only occurs if the user has ReportCaster privileges.
The internal default of false improves performance and should be used whenever the MR Administration tool is used to maintain the user repository. In this case, synchronization during sign-on is unnecessary because the tool updates the MR and ReportCaster repositories. You must change the value to true whenever the ReportCaster Repository does not reflect the authorization information located in the external source (such as Active Directory, LDAP, and some custom RDBMS authorization scenarios). When set to true, the driver calls createOrUpdateCasterUser() during sign-on, in the user context specified by IBIMR_RC_SVCUSER, in order to synchronize the privileges and groups of the user with ReportCaster.
Managed Reporting needs information about each user, and the location of this information can be an important issue in enterprise deployments. In addition to a user ID, the information includes the password, name, e-mail, role, and privileges of the user. The user name appears in front-end features like the user Dashboard greeting banner and also in user lists like Shared Reports and User Management. The Report Library requires the e-mail address of the user in the ReportCaster Repository.
The role and privileges of the user are authorization-related properties, and it makes sense that this information is maintained in the authorization directory. However, by default Managed Reporting also assumes that the name and e-mail of the user will be found alongside their other authorization-related properties. This creates duplication and synchronization issues since this data is also typically managed in authentication directories like Active Directory or in LDAP servers.
The Advanced MR Security Setting property USER.INFO.LOOKUP can be changed from AUTHORIZATION to DUAL, causing Managed Reporting to look up the name and e-mail properties of the user from the authentication directory, while finding their other properties from the authorization directory.
By following the steps in this procedure, you can avoid a number of pitfalls that might not be obvious when considering this option. The procedure is based on a new installation of WebFOCUS, including ReportCaster, where the configuration includes Active Directory (or LDAP) authentication and Managed Reporting administered DBMS authorization.
The procedure assumes that you do not have (and will not create) Active Directory user IDs admin and public. It is also assumed that you have already created ibircsvc and ibibidsvc (or equivalent) IDs in Active Directory for use by ReportCaster and Dashboard, respectively.
You will begin by configuring Managed Reporting to authenticate and authorize to the relational DBMS. Then you will create an administrator account for yourself that matches your Active Directory ID. After logging on to the Managed Reporting Administration interface with this new ID, you will remove the admin and public accounts before configuring the USER.INFO.LOOKUP=DUAL setting. You will also make related changes to ReportCaster, WebFOCUS, and Dashboard.
You have now successfully configured Managed Reporting to authorize users to the relational DBMS while authenticating and retrieving name and e-mail information from Active Directory (or LDAP).
You may want to change the directory attributes used by Managed Reporting to retrieve the full name and e-mail address of the user from Active Directory or an LDAP server. These properties are accessible by editing the appropriate directory prefix in the Configuration, MR Security Settings, External Directories panel of the WebFOCUS Administration Console.
Coordinate your decision with the directory administrator.
Once USER.INFO.LOOKUP is set to DUAL, the Managed Reporting Administration interface disables the name, e-mail, and password fields in its data entry panel, because these fields display read-only data from the authentication directory.
When adding new users to Managed Reporting, you specify their user ID, role, privileges, and groups and click Save. During the save operation, Managed Reporting retrieves their name and e-mail from the authentication directory. The user name is written to the Managed Reporting authorization directory (to speed up queries that return user lists) and to the ReportCaster Repository (which needs the name for display purposes in its tools). The e-mail address of the user is also copied into the ReportCaster Repository for use with Report Library features. However, the e-mail address is not written to the Managed Reporting authorization directory.
As explained in Configuring Managed Reporting for Trusted or External Authentication, Managed Reporting treats user IDs as case-insensitive (specifically, it treats them as their lowercase value) for authorization and internal purposes. While you can manipulate the USERID.CASE property to control how Managed Reporting treats the case of the ID provided by the user for authentication, the case you use to enter the ID when creating users in the Managed Reporting Administration interface is not important.
You can only add users to Managed Reporting whose ID exists in the authentication directory. Note that there is a known issue where attempting to create a user with an invalid ID results in a WebFOCUS API error. Until the issue is resolved with a better message, be sure to enter user IDs with the correct spelling.
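The save and lookup paths described above, modelled as an added example; this is not WebFOCUS code. The three stores are plain dicts, the authentication directory is assumed to be keyed by lowercase ID with name and mail attributes, and the sample users, role and privilege names are constructed. It shows the DUAL split (name and e-mail from the authentication directory, everything else from the authorization repository), the lowercase normalization of IDs, the rejection of an ID that does not exist in the authentication directory, and the fact that the e-mail address reaches the ReportCaster repository but not the authorization repository.

```python
# Added example (not WebFOCUS code): model of the USER.INFO.LOOKUP=DUAL save
# and lookup paths. Stores are dicts; all sample data is constructed.

# Constructed stand-in for the authentication directory (Active Directory/LDAP).
AUTHENTICATION_DIRECTORY = {
    "jsmith": {"name": "Jane Smith", "mail": "jsmith@example.com"},
    "rjones": {"name": "Rob Jones", "mail": "rjones@example.com"},
}


class UnknownUserError(ValueError):
    """The ID does not exist in the authentication directory, so it cannot be added."""


def normalize_id(user_id: str) -> str:
    """Managed Reporting treats IDs by their lowercase value for authorization."""
    return user_id.strip().lower()


def save_user(user_id, role, privileges, groups, authn_dir, authz_repo, caster_repo):
    """Save a new MR user under DUAL lookup.

    The administrator supplies ID, role, privileges and groups; name and e-mail
    are retrieved from the authentication directory. The name goes to the MR
    authorization repository and to ReportCaster; the e-mail goes to ReportCaster only.
    """
    uid = normalize_id(user_id)
    entry = authn_dir.get(uid)
    if entry is None:
        # Only IDs that exist in the authentication directory may be added.
        raise UnknownUserError(f"{user_id!r} was not found in the authentication directory")
    authz_repo[uid] = {
        "role": role,
        "privileges": sorted(set(privileges)),
        "groups": sorted(set(groups)),
        "name": entry["name"],  # stored here to speed up user-list queries
        # no "mail" key: the e-mail address is not written to the authorization store
    }
    caster_repo[uid] = {"name": entry["name"], "mail": entry["mail"]}
    return uid


def lookup_user(user_id, authn_dir, authz_repo):
    """DUAL lookup: name and e-mail from authentication, the rest from authorization."""
    uid = normalize_id(user_id)
    authn = authn_dir[uid]
    authz = authz_repo[uid]
    return {
        "id": uid,
        "name": authn["name"],
        "mail": authn["mail"],
        "role": authz["role"],
        "privileges": authz["privileges"],
        "groups": authz["groups"],
    }


if __name__ == "__main__":
    authz, caster = {}, {}
    save_user("JSmith", "Developer", ["myreports"], ["Sales"],
              AUTHENTICATION_DIRECTORY, authz, caster)
    print(lookup_user("jsmith", AUTHENTICATION_DIRECTORY, authz))
```

Because the ID is normalized before every store access, entering JSmith or JSMITH in the administration interface lands on the same record, which is the behaviour the USERID.CASE discussion above relies on.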
When using large directories with Managed Reporting, there are some settings that can be used to improve the performance of features that return lists of users.
In the WebFOCUS Administration Console MR Security Settings, Advanced panel, you can adjust the MAX_RECORDS_TO_RETRIEVE setting from 10000 to a smaller number to improve the response time of the MR Realm Driver returning unconstrained answer sets to the MR API. However, decreasing this setting limits the number of users returned to the User Management feature of the Managed Reporting Domain Builder applet, which is used by administrators to access end user My Reports.
You can also change the maxNumberOf settings in the WebFOCUS77/config/mradmin-config.xml file to limit the number of objects returned to the interface lists. This limit is applied after the answer set is returned by the MR API.
The USE_DEFAULT_SETTINGS feature on the WebFOCUS Administration Console Configuration, MR Security Settings, Advanced panel was intended to provide a way to assign a default group or groups to users who had no groups assigned to them in the external directory. This feature was not tested thoroughly and you should use caution if you want to experiment with it.
By default, the MR Realm Driver cache feature is enabled and information about MR domains, groups, roles, and users is cached. Generally speaking, you should leave the cache feature enabled to improve performance. The user cache retains information about each user that logs on. As users log on, their cache entry (if any) is purged to ensure that their latest privileges are retrieved from the external directory. Write-backs to the RDBMS repository initiated from any of the MR tools also purge the cache.
When using an external directory option like LDAP or Active Directory, however, there is no write-back support. Therefore, there may be a situation where the cache becomes stale. Consider the case where a new MR Group is created in Active Directory after Managed Reporting is already online and in use. To recognize this new MR Group when the cache feature is enabled, you must recycle the Web application (in order to eliminate the cache).
You can disable portions of the cache by setting one or more of the following properties to true in the MR Security Settings - Advanced panel in the WebFOCUS Administration Console:
DISABLE_USER_CACHE=true
DISABLE_DOMAINS_CACHE=true
DISABLE_GROUPS_CACHE=true
DISABLE_ROLES_CACHE=true
You can also disable the entire cache feature by setting the following property to true:
DISABLE_CACHE=true
In a development environment, you may want to disable the domains, groups, and roles cache. In a production environment, you may want to disable anything that will be changing frequently. Generally speaking, you should always leave the user cache enabled since it is purged during sign-on for each user.
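The cache behaviour described above, as an added example that is not part of the WebFOCUS product: a small cache whose flags mirror DISABLE_USER_CACHE, DISABLE_GROUPS_CACHE and DISABLE_CACHE, fed by an external directory represented as a dict that can change underneath it. The directory contents are constructed. It reproduces the stale-group situation (a group added to the directory after the first read is not seen until the cache is recycled) and the reason the user cache is safe to keep (sign-on purges that user's entry first).

```python
# Added example (not WebFOCUS code): model of the MR Realm Driver cache.
# The external directory is a dict; the flags mirror the DISABLE_* settings.


class RealmCache:
    def __init__(self, directory, disable_user_cache=False,
                 disable_groups_cache=False, disable_cache=False):
        self.directory = directory
        # DISABLE_CACHE=true switches off every cache at once.
        self.disable_user_cache = disable_user_cache or disable_cache
        self.disable_groups_cache = disable_groups_cache or disable_cache
        self._groups = None        # cached group list, None until first read
        self._users = {}           # uid -> cached privileges
        self.directory_reads = 0   # how often the external directory was queried

    def _read_groups(self):
        self.directory_reads += 1
        return sorted(self.directory["groups"])

    def _read_user(self, uid):
        self.directory_reads += 1
        return {"privileges": sorted(self.directory["users"][uid])}

    def groups(self):
        """Group list: served from cache unless the groups cache is disabled."""
        if self.disable_groups_cache:
            return self._read_groups()
        if self._groups is None:
            self._groups = self._read_groups()
        return self._groups

    def user(self, uid):
        """Per-user privileges: served from cache unless the user cache is disabled."""
        if self.disable_user_cache:
            return self._read_user(uid)
        if uid not in self._users:
            self._users[uid] = self._read_user(uid)
        return self._users[uid]

    def sign_on(self, uid):
        """Sign-on purges that user's entry so the latest privileges are fetched."""
        self._users.pop(uid, None)
        return self.user(uid)

    def recycle(self):
        """Recycling the Web application throws the whole cache away."""
        self._groups = None
        self._users.clear()


if __name__ == "__main__":
    # Constructed directory: one MR group, one user with one privilege.
    directory = {"groups": {"Sales"}, "users": {"jsmith": {"myreports"}}}
    cache = RealmCache(directory)
    print(cache.groups())               # ['Sales']
    directory["groups"].add("Finance")  # new MR group created after MR is online
    print(cache.groups())               # still ['Sales'] until recycle()
    cache.recycle()
    print(cache.groups())               # ['Finance', 'Sales']
```

With disable_groups_cache=True the same directory change is visible on the next call, at the cost of one directory read per call, which is the trade-off the development-versus-production guidance above is about.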
When used with an RDBMS, the MR Realm Driver maintains a connection pool to improve performance. Should the RDBMS restart while WebFOCUS is operational, the Realm Driver receives a SQL State error code from the RDBMS when it attempts to use one of these connections. The Realm Driver drops and reestablishes its connection pool when it encounters any of the following SQL state error codes: 08S01, 08003, IX000, HY010, 17002. You can specify additional error codes by typing them in the DBMS_RECOVERY_CODES property in the MR Security Settings - Advanced panel in the WebFOCUS Administration Console.
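The recovery behaviour described above, as an added example that is not the Realm Driver's code: a pool that matches the SQLSTATE of a failed call against a recovery set, drops and reopens every connection on a match, and retries the call once. The fake RDBMS, its connection class and the exception type are constructed stand-ins for a real driver; the five default codes are the ones listed above, and the extra_codes parameter plays the role of DBMS_RECOVERY_CODES by extending, not replacing, that set. Errors with any other SQLSTATE are surfaced unchanged, since rebuilding the pool would not help with, for example, a syntax error.

```python
# Added example (not WebFOCUS code): pool recovery keyed on SQLSTATE.
# FakeRDBMS, FakeConnection and SQLStateError are constructed stand-ins.

DEFAULT_RECOVERY_CODES = frozenset({"08S01", "08003", "IX000", "HY010", "17002"})


class SQLStateError(Exception):
    """Constructed stand-in for a driver exception carrying a SQLSTATE."""
    def __init__(self, sqlstate, message=""):
        super().__init__(message or sqlstate)
        self.sqlstate = sqlstate


class FakeRDBMS:
    """Constructed database: connections opened before a restart fail on use."""
    def __init__(self):
        self.epoch = 0    # incremented on each restart
        self.opened = 0   # connections handed out so far

    def connect(self):
        self.opened += 1
        return FakeConnection(self, self.epoch)

    def restart(self):
        self.epoch += 1


class FakeConnection:
    def __init__(self, db, epoch):
        self.db, self.epoch, self.closed = db, epoch, False

    def query(self, sql):
        if self.closed or self.epoch != self.db.epoch:
            # Communication link failure: the server on the other end is gone.
            raise SQLStateError("08S01", "communication link failure")
        return "ok:" + sql

    def close(self):
        self.closed = True


class RecoveringPool:
    def __init__(self, connect, size=2, extra_codes=()):
        self.connect = connect
        self.size = size
        # Extra codes (DBMS_RECOVERY_CODES) extend the built-in set.
        self.recovery_codes = DEFAULT_RECOVERY_CODES | frozenset(extra_codes)
        self.rebuilds = 0
        self._idle = [connect() for _ in range(size)]

    def _rebuild(self):
        """Drop every pooled connection and open a fresh set."""
        for conn in self._idle:
            conn.close()
        self._idle = [self.connect() for _ in range(self.size)]
        self.rebuilds += 1

    def run(self, work):
        """Run work(conn) on a pooled connection; rebuild the pool once on a recovery code."""
        conn = self._idle.pop(0)
        try:
            result = work(conn)
        except SQLStateError as exc:
            if exc.sqlstate not in self.recovery_codes:
                self._idle.append(conn)  # not a connectivity failure; surface it unchanged
                raise
            conn.close()                 # the borrowed connection is stale as well
            self._rebuild()
            conn = self._idle.pop(0)
            try:
                return work(conn)        # a second failure here propagates to the caller
            finally:
                self._idle.append(conn)
        self._idle.append(conn)
        return result


if __name__ == "__main__":
    db = FakeRDBMS()
    pool = RecoveringPool(db.connect, size=2)
    print(pool.run(lambda c: c.query("select 1")))
    db.restart()                                   # simulate the RDBMS going down and up
    print(pool.run(lambda c: c.query("select 1")))  # succeeds after one rebuild
    print("rebuilds:", pool.rebuilds)
```

The retry is deliberately single-shot: if the replacement connections fail too, the RDBMS is still unavailable and the error should reach the caller rather than loop.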