File System Permissions for Windows and UNIX

After a successful operating system (O/S) logon, access to all files and applications is in the security context of that user account, which is the user the O/S considers physically logged on to the server. This allows an administrator to control access based on this account.

The effective user is the user account that is actually interacting with the O/S (files and applications). Depending on the server (Web Server, Application Server, WebFOCUS Reporting Server, ReportCaster Distribution Server) the effective user may be the predetermined account that started the service, or it may be an impersonated account (for example, connecting as the root account to a secured WebFOCUS Reporting Server).

WebFOCUS Reporting Server Permissions

Reference:

Windows Only Considerations

The following are the recommended file system permissions that should be set for the effective user ID of the WebFOCUS Reporting Server:

Directory	Access
\ibi\apps	Read, Write. Write access depends on the WebFOCUS components being used.
\ibi\srv77	Read, Execute.
\ibi\srv77\home\	Read.
\ibi\srv77\home\bin	Read, Execute.
\ibi\srv77\wfs	Read.
\ibi\srv77\wfs\bin	Read.
\ibi\srv77\wfs\catalog	Read.
\ibi\srv77\wfs\dfm_dir	Depends on the WebFOCUS components being used. If using Deferred Receipt: Read, Write.
\ibi\srv77\wfs\edatemp	Created and managed by the Workspace Manager.
\ibi\srv77\wfs\etc	Read.
\ibi\srv77\wfs\fds	Depends on the WebFOCUS components being used.
\ibi\srv77\wfs\share	Windows only. Created and managed by the Workspace Manager.
\ibi\srv77\wfs\tst	None.
\ibi\srv77\wfs\user	Read, Execute.
\ibi\srv77\wfs\web	None.

Note:

Only the WebFOCUS Reporting Server Administrator should have access to the inu.log file. Access should be denied to all other users.

Additional roles (such as a WebFOCUS Administrator) should be defined for WebFOCUS maintenance (adding or changing WebFOCUS procedures, Master Files), since all users do not need this type of unrestricted access.

When a request to execute a procedure is received by the Reporting Server, it uses one of two methods to locate the target procedure: EDAPATH or APP PATH. If EDAPATH is enabled, APP PATH is automatically disabled as the search method. However, if a user adds the IBIAPP_app variable to point to a specific application path in the URL, this application path is used, effectively bypassing the EDAPATH method of searching and giving the user access to unauthorized information. To prevent this, any application whose front-end HTML contains those variables should have read-only access and that access should only be granted to users allowed to run the application.
You can also prevent a user from typing a particular variable in the URL by setting the protect option for that variable in a WebFOCUS script (see WebFOCUS Script Commands).

Top of page

Reference: Windows Only Considerations

To run an authenticating secure server, the built-in local system account has the following privileges by default:

Act as part of the operating system.
Replace a process level token.
Increase quotas.

If you want to use an account other than local system, it must also have the above privileges. If these privileges are not set, authentication is automatically turned off.

WebFOCUS Client Permissions

The following are the recommended file system permissions that should be set for the effective user ID running WebFOCUS:

Directory	Access
ibi\WebFOCUS77\basedir	Read, Write (Managed Reporting/Dashboard).
ibi\WebFOCUS77\worp	Read, Write (Dashboard).
ibi\WebFOCUS77\temp	Read, Write.
ibi\WebFOCUS77\ibi_html	Read.
ibi\WebFOCUS77\ibi_html\publish	Depends on the WebFOCUS components being used. If using the Managed Reporting Publish feature: Read, Write.
ibi\client\wfc	Read.
ibi\client\wfc\etc	Read. Write access should be set for the WebFOCUS Administration Console only.
ibi\client\wfc\web\cgi	Read (WebFOCUS Servlet only), Execute. For the ibiweb.exe file, write access should be set for the WebFOCUS Administration Console only.
CGI only:
ibi\client\home	Read, Execute.

Note:

Effective user IDs vary depending on the location and type of authentication being used. For example, if Web server authentication is not being utilized, the effective ID for file access on a typical Windows machine is the anonymous or IUSR_machinename. This is the user ID that would require these ibi directory structure permissions.
Depending on the optional WebFOCUS products that are installed (Managed Reporting, ReportCaster), additional directories may require write privileges.
If multiple copies of the WebFOCUS Client access the same Managed Reporting Repository, they must all have the same IUSR_username account to access the basedir directory (where the Managed Reporting Repository resides).

Developer Studio Deployment

During the deployment process of Developer Studio, if the Web Server and Application Server run separate processes using different credentials:

The effective user on the Application Server containing the WFServlet requires Write access to deploy Web components (for example, HTML pages and GIFs) to the approot directory (ibi/apps).
The effective user on the Web Server requires Read access to the approot directory (ibi/apps) to return data to the browser.
The approot alias on the Web server must be able to read data passed by the WFServlet. One solution to ensure this is to put the effective user of the Application Server and the effective user of the Web Server in the same group.

Note: If you are using a single approot, the effective user of the WebFOCUS Reporting Server requires Read, Write access.

ReportCaster Distribution Server Permissions

Running the ReportCaster Distribution Server as a root or administrator account could provide a ReportCaster user with the ability to distribute any file to which the root/administrator account has access. On Windows, the ReportCaster Distribution Server Service is installed with Logon As Local System permissions.

A separate operating system account should be created for the ReportCaster Distribution Server with privileges limited to only what the ReportCaster Distribution Server requires to run scheduled requests. The ReportCaster Distribution Server requires access to the ReportCaster Repository JDBC driver, and may require access to directories if you are distributing files from the file system.

The following are the recommended file system permissions that should be set for the effective user ID of the ReportCaster Distribution Server:

Directory	Access
ibi\WebFOCUS77\ReportCaster\bin	Read, Execute
ibi\WebFOCUS77\ReportCaster\cfg	Read, Write
ibi\WebFOCUS77\ReportCaster\lib	Read
ibi\WebFOCUS77\ReportCaster\log	Read, Write
ibi\WebFOCUS77\ReportCaster\resources	Read
ibi\WebFOCUS77\ReportCaster\temp	Read, Write
ibi\WebFOCUS77\ReportCaster\trc	Read, Write