By Ben Naphtali
In the upcoming 7.7 release, WebFOCUS will use a new security infrastructure with a Universal Object Access (UOA) layer that enforces security across all resources within the Managed Reporting Repository.
With this release, we will no longer be using the basedir implementation of MRE; instead, the entire MR Repository will be held in whatever DBMS a customer chooses. By default, we will supply the Apache Derby database, but Oracle, Microsoft SQL Server and DB2, to name a few, may also be used.
Other changes that might take some getting used to include the elimination of the MR Applet tool and the current Managed Reporting Administration Tool. The Business Intelligence Dashboard will replace the MR Applet tool, accounting for all of its functionality. There is a replacement for the user administration tool referred to as "Security Center."
One of the major complaints of the old Managed Reporting security model was that the security roles were not granular enough. There are various examples of this, including the inability to create a helpdesk user role, which would allow users to just reset passwords.
Another example was a type of user administration for a particular domain, in which the only responsibility was to create users for that domain, without seeing users in other domains and without being able to view any content. In the current security model, you are either an administrator or not, but in the upcoming UOA Architecture you can create these types of user groups and more.
In the new UOA environment, access to objects or resources is controlled by security rules. Rules control what a user can do to an object within the repository in the following form:
Rule = Subject has a Permission Set on a Resource.
A Subject is usually a group, but can also be an individual user. Using a user in a rule should be reserved for very limited situations. For the most part, users will be placed in groups, and those groups will be the Subject of the rule.
A Permission Set is a list of operations that define what a user "can do." For example, opHTMLRA is an operation that will allow a user to launch the HTML Report Assistant tool. Just because a user has the ability to Launch HTML Report Assistant, that does not mean the user has the ability to save the report created. Saving the report is controlled by the operation of opCreateItem.
It might seem a bit strange to allow the user to run a tool but not save the output, but we already have that ability today with Run Only User. The UOA architecture will of course allow the older types of abilities, and enhance and extend this.
Operations are individual permissions that can be given or taken away, and they are usually grouped within permission sets. A few examples would include opCreateItem:PERMIT, opDelete:PERMIT and opInfoAssist:DENY. These give the ability to create an item within a folder, to delete an item within a folder, and to deny the ability to run InfoAssist, respectively.
A Resource is any object within the environment that needs to be controlled. A folder, report request, static document, user, group and permission set are all resources within UOA that can be controlled.
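As an added illustration (not part of the original post and not WebFOCUS code), here is a small Python model of the rule form above, built from the operations the post names. The evaluation order (an explicit DENY overrides any PERMIT, and an operation no rule permits is denied), the group and folder names, and the contents of each permission set are assumptions made for the example.

```python
from dataclasses import dataclass, field

PERMIT, DENY = "PERMIT", "DENY"

@dataclass
class Rule:                 # Rule = Subject has a Permission Set on a Resource
    subject: str            # group name (preferred) or an individual user name
    permissions: dict       # permission set: operation -> PERMIT or DENY
    resource: str           # folder, report request, user, group, ...

@dataclass
class User:
    name: str
    groups: set = field(default_factory=set)

def can(user: User, operation: str, resource: str, rules: list) -> bool:
    """Assumed semantics: an explicit DENY in any matching rule wins;
    an operation that no matching rule permits is denied."""
    subjects = {user.name} | user.groups
    permitted = False
    for rule in rules:
        if rule.subject not in subjects or rule.resource != resource:
            continue
        verdict = rule.permissions.get(operation)
        if verdict == DENY:
            return False
        if verdict == PERMIT:
            permitted = True
    return permitted
# Constructed permission sets built from the operations named in the post.
RUN_ONLY = {"opHTMLRA": PERMIT}                     # launch the tool, but no save
AUTHOR = {"opHTMLRA": PERMIT, "opCreateItem": PERMIT,
          "opDelete": PERMIT, "opInfoAssist": PERMIT}
NO_INFOASSIST = {"opInfoAssist": DENY}
RULES = [                   # constructed sample rules on a hypothetical folder
    Rule("RunOnlyUsers", RUN_ONLY, "/Sales"),
    Rule("Authors", AUTHOR, "/Sales"),
    Rule("Contractors", NO_INFOASSIST, "/Sales"),
]
ann = User("ann", {"RunOnlyUsers"})
bob = User("bob", {"Authors", "Contractors"})
def checks() -> dict:
    return {
        "ann_launch": can(ann, "opHTMLRA", "/Sales", RULES),     # True
        "ann_save": can(ann, "opCreateItem", "/Sales", RULES),   # False
        "bob_save": can(bob, "opCreateItem", "/Sales", RULES),   # True
        "bob_infoassist": can(bob, "opInfoAssist", "/Sales", RULES),  # False: DENY wins
        "ann_finance": can(ann, "opHTMLRA", "/Finance", RULES),  # False: no rule
    }
```

The `ann` case mirrors the Run Only User from the post (she can launch HTML Report Assistant but lacks opCreateItem to save), and `bob` shows a DENY from one group overriding a PERMIT from another.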
This is just a preview of what is going to be available for the upcoming 7.7 release, which will be out in the third or fourth quarter this year. And that means the types of functionality that our customers have been asking for will finally be available.