Server Security Overview

Server security is based on a three step process: authenticating the connecting user, establishing his/her group and role, and then assigning privileges and other authorizations based on the user, group, and role.

Authentication

Authentication can be performed based on the following types of credentials:

Explicit. User ID and password are supplied when logging on to the server.
SSO (Single sign on). The user is authenticated by a single sign on product prior to logging onto the server, and a token is passed to the server. Single sign on products include Kerberos, NTLM tickets or browser cookies such as passed by MYSAPSSO2.
Trusted. The user ID is submitted without the password from the application server or mid-tier, which has the user already authenticated.

Security Providers

A security provider is used to authenticate the incoming connection.

The security provider can be of several types:

OPSYS. Users are authenticated against the native OS security repository, such as the windows domain controller, z/OS RACF/ACF2, UNIX password files or other operating system security products using the native OS API.
LDAP. Users are authenticated against an LDAP server or active directory using the LDAP API.
DBMS. Users are authenticated by connecting to a DBMS such as Oracle, SAP, or DB2.
PTH. Users are authenticated against a list of users kept internally by the server in the admin.cfg configuration file.

In many typical installations there is only one security provider determined at server start up time by the EDAEXTSEC variable. If the value OFF is specified, no security provider is used, so users are not authenticated.

Multiple providers are supported on the same server instance. For example, two distinct LDAP providers can be configured against two separate LDAP servers that can contain different users and different groups.

One provider is considered the primary provider, and for other providers the user name is prefixed with the provider name, for example LDAP1\usera. Note that users (or groups) from two providers that have identical names (such as LDAP1\usera and LDAP2\usera) are considered different security subjects and can be given different privileges and profiles.

At login time, a user needs to provide the security provider name in addition to userid/password.

Note that OPSYS providers cannot be configured with other security providers. However, on Windows multiple windows domains act as different security providers and users. For example, domain1\usera and domain2\usera are not identical.

Privileges and Other Authorizations

In this section:

The server supports a large number of objects, and access to them should normally be restricted.

Top of page

DBMS

With DBMS authorization, the main object to be protected is the DBMS resident data that the server reads and writes. Access control is implemented using ENGINE CONNECTION_ATTRIBUTES statements that define the security attributes that are used by the server agent for connecting to the DBMS. The connection security type depends on the DBMS and can be one of three subtypes:

Explicit. The userid/password is stored in a profile (encrypted).
Password passthru. The userid/password combination or cookie, such as MYSAPSSO2, that were provided during the connection to the server is passed to the DBMS connection.
Trusted. This type of connection applies to security provider OPSYS where the agent's operating system process impersonates the user, and the DBMS connection is derived from that process.

The CONNECTION_ATTRIBUTES statement itself can be defined in the user, group, role or server profile, and they override each other in this order.

It is common initially to create connections in the edasprof server profile. They will then be inherited by all users. Subsequent configuration steps may define connections on other levels, such as the group or user level.

The CONNECTION_ATTRIBUTES statement in effect passes the credentials to the DBMS, and the DBMS server ensures the correct access control: read and read/write rules on the DBMS tables, views, columns, and rows.

Top of page

Server DBA

The server engine can add an additional level of access control by defining DBA rules in synonyms to restrict access to columns and certain data values. This applies only to data access using the WebFOCUS language, and not to Direct SQL Passthru requests. For more information about Server DBA, see the Describing Data With WebFOCUS Language manual.

Top of page

Data and Application Folder Access

The server reads operating system files using standard I/O calls.

In the OPSYS security mode, the proper OS read/write privileges should be given using native OS tools such as RACF rules or Windows/UNIX permissions. Run time access control is achieved by the operating system validating the data agent access to any given file based on the agent process impersonation of the connecting user.

To protect files in other modes (LDAP, PTH, DBMS), the server access control feature should be used to assign read/write privileges to OS files and folders. The privileges are managed from the Web Console access control page and stored in the server admin.cfg file. They can be assigned at the role, group, and user levels and be allotted on the folder and file levels. Normal inheritance rules apply: a subfolder inherits from its parent folder, a file inherits from its parent folder, a user inherits from the group, and so on.

Note that this protection applies to WebFOCUS metadata objects in application folders such as synonyms, FOCEXECs, HTML files, style files, and to data files such FOCUS data sources and sequential files.

Application folders and files can have four types of privileges: read, write, execute, and list. For data files such as FTM files, only two privileges are used: read and write.

Operating system shell commands should be disabled completely using SET OPSYSCMD, as they are not subject to access control.

Top of page

General Server and Web Console Actions

The Web Console provides various actions, such as adapter configuration, server configuration and monitoring, Resource Analyzer configuration, metadata creation, and other actions, such as the ability to issue Direct SQL Passthru requests. To manage access to these actions, the server administrator uses the server access control feature to assign general privileges to users, groups, and roles.

Top of page

Groups

Groups are collections of users typically defined by the security provider for the purpose of giving common authorization to multiple instead of individual users. Groups are defined either on an external repository such as RACF, LDAP, or internal PTH. DBMS mode does not support groups. Except for PTH, user provisioning and all associated administration tasks (such as password reset, invalidating users, volume user creation) are accomplished using the respective security provider software and are outside of the reporting server software.

Top of page

Roles

Roles are a collections of privileges defined on the server for the purpose of registering groups and users to the collection (as opposed to assigning privileges to individual users). Five predefined user roles (Server Administrator, Application Administrator, Operator, Basic, and None) are created at server installation time. For example, the Server Administrator role has all privileges, and the Application Administrator role has privileges related to the creation of applications, such as creating synonyms and related tasks.

New roles can be added and existing roles can be modified to include and exclude individual privileges.

At server installation time, file access privileges are created with full access rights (read/write/execute/list) for all roles, in order to maintain compatibility with previous releases.

Top of page

Registering Users and Groups Under Roles

When the server is installed, the installing user is automatically registered as Server Administrator. All other users and groups are defaulted to the role Basic.

Note that no group, user, or role profile exists initially after the installation. It is typical at the initial stage to have the DBMS connections defined in the server profile, edasprof. Privileges are derived from the Basic role and are in effect for all users except the Server Administrator.

Recommended steps for securing the server:

Change the default role to NONE.
Remove the file privileges for the role NONE at the file root level.
Customize groups:
- Register groups to roles. For example, register LDAP group GRP1 to the Application Administrator role.
- Create group profiles with DBMS connections and APP PATH. For example, for group GPR1, create grp1.prf (through the Web Console adapter page or the application path configuration).
- Customize application level file privileges for groups. For example, group GRP1 can have read but not write access to baseapp.
Optional steps:
- Create new roles or customize the role privilege list. This should be done only if existing roles are not satisfactory. It allows registering groups to these roles.
- Register users. This should be done only if groups are not created adequately, and for special users such as managers.
- Register file privileges on the file level. This should be avoided in favor of folder level privileges, as they are inherited by files and are easier to manage.