When using internal authorization (which is configured by default), all of the information about users, groups, roles, and domains is managed in the internal file-system-based repository known as the basedir. Information about users and groups is stored in user.htm. Role information is stored in role.htm. Domain information is stored in mrrepos.htm. Internal authorization can be used with internal, external, or trusted authentication.
When evaluating alternatives for external authorization, you should first consider whether or not you want to use the built-in administration interface for managing your users, groups, and roles. This interface can only be used to update authorization data with the RDBMS option, as shown in the following image.
Managed Reporting reads but cannot edit information stored in the external directory. The built-in MR Administration interface can be used to browse, but not edit, authorization data. Three types of externally administered authorization are:
External authorization is only supported in conjunction with the Trusted or External option for Managed Reporting authentication. For more information about these options, see Configuring Managed Reporting for Trusted or External Authentication.
The Managed Reporting authorization model is the same regardless of whether you select internal, Managed Reporting administered DBMS, or externally administered authorization. When you use internal or Managed Reporting administered DBMS authorization, the rules associated with this model are enforced in the MR Administration interface. When you configure externally administered authorization, you must make sure that your external authorization data complies with the model yourself.
An overview of the authorization model is presented below. See also Creating Roles, Groups, and Users in the WebFOCUS Managed Reporting Administrator's Manual.
The Realm Driver does not detect or correct conflicting privilege settings. When implementing externally administered authorization, be careful not to create a situation where there are conflicting privileges between a user role and his or her individual privilege assignment.
Optionally, each group can be linked with a single Dashboard Group View and a Dashboard Role Tree. Users with access to more than one group are able to select between the multiple Group Views and Role Trees where applicable.
When Managed Reporting is configured for external authorization, several important actions take place during sign-on that do not occur with the internal authorization scenario. Administrators need to understand this behavior to more effectively manage the installation and to aid with troubleshooting.
It is useful first to understand what happens when Managed Reporting is configured for internal authorization and you create a new user account with the Managed Reporting Administration interface. After entering the required information in the interface and clicking Save, Managed Reporting creates a storage folder (basedir/userhref) for the user reports, a reference file (basedir/userhref.htm) for metadata about the user reports and deferred receipt tickets, and writes an entry for the user into basedir/user.htm. The value of userhref is formed by taking the first eight characters of the User ID found in the set [a..z | 0..9].
If ReportCaster is installed and the user has ReportCaster privileges, Managed Reporting also calls the ReportCaster API to make an entry in the ReportCaster Repository for the user. A similar synchronization is performed for Groups. WebFOCUS needs these storage/reference structures in place before a user can access any Managed Reporting or ReportCaster features.
Another important concept to understand is how reporting domains are created in the internal authorization scenario. Only a user with Managed Reporting administration privileges can create, rename, or delete a domain. These operations are performed through Developer Studio, the Domain Builder applet, and the Change Management load utility. When a new domain is created in these tools, Managed Reporting creates a storage folder (basedir/domainhref) for report content, a reference file (basedir/domainhref.htm) for metadata about the domain, and writes an entry for the domain into basedir/mrrepos.htm. Domain information is not synchronized with ReportCaster.
When you configure Managed Reporting for external authorization, you follow these guidelines:
If you have reason to update the DBMS tables directly (this is not recommended), you need to read the information and recommendations related to externally administered authorization carefully. Otherwise, you can skip to Preparing Dashboard and ReportCaster.
If you create domains with the Managed Reporting tools provided, the basedir/mrrepos.htm file is updated, but domain references in the external directory (which are used to determine authorization) are not. Two ways to approach this synchronization issue are presented in Creating Domains With Externally Administered Authorization.
This call to the API is made in the user context specified by the IBIMR_RC_SVCUSER setting (select Configuration, Managed Reporting in the WebFOCUS Administration Console). The ID specified in this setting is admin by default. The ID used for this call must have ReportCaster administrator privileges, meaning that it must either be a user in BOTUPROF with ReportCaster administrator privileges, or it must be specified in the General, User Info, Administrator setting in the ReportCaster Server Configuration tool.
Note: When creating users with the Managed Reporting Administration interface, the user context of the administrator user in the tool makes the call to the API and not the user specified in IBIMR_RC_SVCUSER.
The user's storage folder and reference file are always created in lowercase, regardless of the case the user entered on the login page or the value of the USERID.CASE setting in the console.
Note: Special characters in the user ID are converted to a hexadecimal format when the storage folder of the user is created in the basedir. The set of special characters includes the space and any of the following characters: \ / : * ? " < > |
For more information, see Creating Domains With Externally Administered Authorization.
Key points to remember are that the basedir/user.htm file is not maintained when external authorization is configured, and that you need to decide how to handle domain creation with externally administered authorization.
Also, it is generally possible to switch from internal to external authorization, provided that the user IDs match in each case. However, users who have logged on to a system configured for external authorization will no longer be able to log on if authorization is switched to internal. This is because even though the users have a storage area under basedir, they will have no entry in basedir/user.htm.
If you are using Managed Reporting administered DBMS authorization, you should create domains with the Developer Studio and/or Domain Builder applet tools, and you can skip this section.
If you are using an externally administered configuration, you have two choices.
Either approach is supported, but it is important to enter your domain ID in the external directory with exactly eight alphanumeric characters (and no spaces or special characters).
For more information, see Using Active Directory Application Mode.
You can enter information about a new domain in an external repository like the following:
The repository will be created in Managed Reporting as shown in the following image:
Important: If you define domain href values in your external directory with spaces, or with fewer or more than eight alphanumeric characters, Managed Reporting will use an eight-character reference (padded with random characters) to create the domain storage and reference objects and will then be unable to locate them.
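The two naming rules above (the eight-alphanumeric-character domain href requirement, and the userhref derivation described earlier: lowercase, first eight characters of the User ID in the set [a..z | 0..9]) lend themselves to a pre-flight check on a directory export before switching on external authorization. The following script is an added example, not part of the WebFOCUS documentation or product; the user and domain lists are constructed, and the hexadecimal conversion of special characters in folder names is not modelled because the page does not give its exact format.

```python
import re
from collections import defaultdict

# Rules taken from the page:
#  - userhref: the first eight characters of the User ID that fall in
#    [a-z0-9], always created in lowercase regardless of login case.
#  - domain href in the external directory: exactly eight alphanumeric
#    characters, with no spaces or special characters.
# The hexadecimal encoding of special characters in the storage folder
# name is deliberately not modelled here (format not given on the page).

ALNUM_LOWER = "abcdefghijklmnopqrstuvwxyz0123456789"
DOMAIN_HREF_RE = re.compile(r"^[A-Za-z0-9]{8}$")


def derive_userhref(user_id: str) -> str:
    """Derive the basedir storage folder name (userhref) for a User ID."""
    kept = [c for c in user_id.lower() if c in ALNUM_LOWER]
    return "".join(kept[:8])


def check_domain_href(href: str) -> bool:
    """True only when the href is exactly eight alphanumeric characters."""
    return DOMAIN_HREF_RE.fullmatch(href) is not None


def find_userhref_clashes(user_ids):
    """Group User IDs by derived userhref; return only hrefs shared by
    more than one ID. The page does not say how Managed Reporting
    resolves such a clash, so these simply deserve a manual review."""
    by_href = defaultdict(list)
    for uid in user_ids:
        by_href[derive_userhref(uid)].append(uid)
    return {h: ids for h, ids in by_href.items() if len(ids) > 1}


# Constructed sample export (hypothetical IDs, not from any installation).
SAMPLE_USERS = ["Alice.Wong", "alicewong2", "J_Smith", "jsmith", "Bob O'Neil"]
SAMPLE_DOMAINS = ["salesdom", "SALES 01", "hr", "finance2024", "ops12345"]


def run_checks(users=SAMPLE_USERS, domains=SAMPLE_DOMAINS):
    """Return derived userhrefs, userhref clashes and non-compliant domains."""
    return {
        "userhrefs": {u: derive_userhref(u) for u in users},
        "clashes": find_userhref_clashes(users),
        "bad_domains": [d for d in domains if not check_domain_href(d)],
    }


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(name, result)
```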
In Configuring Managed Reporting for Trusted or External Authentication, specific recommendations and requirements are given for how to prepare Dashboard and ReportCaster for trusted or external authentication. When configuring external authorization, you need to be aware of the following additional requirements.
Note: If you are using DBMS authorization, you can skip this section unless you plan to manage your authorizations externally (without the MR Administration interface). The public and admin users are created properly by the MR Realm Driver DBMS Configuration Utility.
The service account specified for Public Views in the Dashboard ViewBuilder interface (for example, public or ibibidsvc) must be defined in the external authorization directory with the following characteristics:
The default administrator account specified in the ReportCaster Server Configuration tool (for example, admin or ibircsvc) must be defined in the external authorization directory with the following characteristics: