510 likes | 706 Views
WebFOCUS 8: Technical Overview. Jim Thorstad Technical Director, WebFOCUS Product Management. Agenda. WebFOCUS 8 Architecture Security Model Enhancement Highlights Demo. WebFOCUS 8 Architecture. What is WebFOCUS 8? Understanding Middle-tier vs. Server-tier Components.
E N D
WebFOCUS 8: Technical Overview Jim Thorstad Technical Director, WebFOCUS Product Management
Agenda • WebFOCUS 8 Architecture • Security Model • Enhancement Highlights • Demo
What is WebFOCUS 8?Understanding Middle-tier vs. Server-tier Components WebFOCUS 8 Updates the Middle-tier WebFOCUS Client Managed Reporting ReportCaster BI Portal/Dashboard WebFOCUS Report Server Users Data WebFOCUS 8.0 + Report Server 7.7.04 WebFOCUS 8.0.01 + Report Server 8.0.01
WebFOCUS 8 ArchitectureIntegrated Repository WebFOCUS Client Managed Reporting BI Portal ReportCaster WebFOCUS Report Server Reports Schedules Content Users Groups Security Metadata Uploaded Data Application Directories WebFOCUS 8 Repository
Information Builders File SystemWebFOCUS 8 Architecture Is Built Around IBFS • IBFS Service Layer – Internal Subsystem • IBFS Path – an Object Addressing Scheme IBFS paths used in drill-down links, schedules, security rules For backward compatibility, migrated content can still be accessed via HREF properties
Information Builders File SystemIBFS is All-Encompassing • IBFS Used to Reference • Reports, portal pages • Schedules, output • Users, groups • Report Servers IBFS governs access to everything • IBFS is Hierarchical and Enables • Security policy inheritance • Group nesting • Full control over content organization
Information Builders File SystemIBFS Enables Full Control of Content Organization Mandatory folders in 7x are migrated “as is” … but are no longer required in 8.0 Reports, reporting objects, and library output can be deployed in the same folder Folder depth not limited to one sub-folder
WebFOCUS 8 ArchitectureAll Content is Accessed via the IBFS Service Layer RC Distribution Server IBFS Service Layer HTTP Service Core WFMR/BIP/RC ReportCaster uses an IBFS Service API to access report procedures in the repository Eliminates problematic HTTP requests to the web tier WebFOCUS 8 Repository
WebFOCUS 8 High-level ArchitectureRunning Report Requests WebFOCUS runs interactive requests through IBFS • User ID and Groups can be passed to the Server: • Connection=Trusted/IBIMR_user • IBI_WFRS_Passthrough_Groups=ALL IBFS Service Layer HTTP Service Core WFMR/BIP/RC u=jim, g=Tenant22 Web Requests WebFOCUS Report Server WebFOCUS 8 Repository
Why a New Security Model?Customer Feedback Related to WebFOCUS 7x • Managed Reporting Role Security was Limiting • Only 5 base roles and 9 permissions • One role for all Domains • Domain Security Model was Limiting • Couldn’t customize security on sub-folders • Content Sharing was Limiting • Couldn’t share with specific people • Challenging for Multi-tenancy SaaS Deployments • Couldn’t allow sharing in a common Domain—user’s would see content from other tenants • Dilemma: abandon common domain or drop sharing? WebFOCUS 8 Addresses These Challenges!
WebFOCUS 8 Security ModelBasic Security Concepts • Security Rules Connect… • Subjects – groups/users to authorize • Roles – collection of privileges • Resources – objects to secure • Access – type of rule: permit, deny, ... • Apply To – scope of rule: folder, folder & children, ... • Security Policy – Collection of Security Rules • Effective Policy – Evaluation of the Security Policy • Bob has privileges A, B, C on resource X • Takes into account rule inheritance, rule conflicts, group membership, user-specific rules (if any) The Security Model in WebFOCUS 8 Provides Complete Control of Your Security Policies
WebFOCUS 8 Security Model Understanding Group Membership • Policy Evaluation Includes Processing of a User’s: • Explicitly assigned groups • Implicit groups • Bob is assigned to the Sales Basic Users group • Sales Basic Users belongs to Sales Group • Therefore Bob implicitly belongs to Sales… • And the rules associated with both groups apply implicit Bob explicit
WebFOCUS 8 Security Model WebFOCUS 8 Security Center – Users & Groups Tab
WebFOCUS 8 Security ModelWebFOCUS 8 Security Center – Roles Tab
WebFOCUS 8 Security ModelWebFOCUS 8 Security Center – Role Customization Select all or a portion of the privileges within each category Choose whether users select a Master File or Reporting Object with InfoAssist Choose whether users can upload a spreadsheet to the Reporting Server
WebFOCUS 8 Security Model Creating Security Rules Select any IBFS resource … and then Security > Rules…
WebFOCUS 8 Security ModelCreating Security Rules – Security Rules Dialog The resource You select a subject… …role, type, and scope Click OK to create rule(s)
WebFOCUS 8 Security Model Managing Your Security Policies Rules on this Resource answers: “Who can access this?”
WebFOCUS 8 Security Model Managing Your Security Policies Rules for this Group answers: “What does this group have access to?”
WebFOCUS 8 Security ModelUnderstanding the Built-in Global Groups • Consider Using Global Groups Carefully Global groups have access to all contentthrough inheritance
WebFOCUS 8 Security Model Benefits • Flexible Security Model • Over 150 assignable privileges • You can develop custom roles • Sub-Groups and Inheritance Simplify Policy Creation • Tools simplify Creation and Management of Policies • Possible to Address Enterprise and SaaS Markets • Possible to Address Each Customer’s Unique Needs
WebFOCUS 8 Enhancement Highlights • Resource Templates • Private Content, Publishing, and Content Sharing • Localization • Licensing • Authorization Mapping
Resource TemplatesThe Deployment Challenges Facing Administrators • What are our security requirements? • How do I design and implement a security policy? • How long will it take to create security rules? • What best practices should I be aware of? • Where do I start?
Resource TemplatesSimplifying the Creation of Security Policies • Resource Templates Automate the Creation of • Folders, portals, groups, roles, security rules • WebFOCUS 8.0.01 Includes Two Resource Templates: • Enterprise Domain template • SaaS Tenant Domain template
Resource TemplatesSimplifying the Creation of Security Policies • The Enterprise Domain Template Creates: • 1 Domain-specific Folder, Portal, and Group • 4 Sub-groups • 21 Domain-specific Rules • 8 Configurable Roles
Resource TemplatesSimplifying the Creation of Security Policies • The SaaS Tenant Template Creates the Same Things Plus • A Common folder • The EVERYONE group is hidden
Resource TemplatesSimplifying the Creation of Security Policies • The template also creates the required security rules
Resource TemplatesSupport Site and Roadmap • Latest Information on Templates: • Download the Policy Design Worksheet • Use this to plan your custom deployment • Roadmap: Create Your Own Templates https://techsupport.informationbuilders.com/tech /wbf/v8templates/wbf_8_resource_templates.html
Private Content, Publishing, and SharingPrivate Content • All Content Initially Created as Private • Visible only to owner • Doesn’t inherit security • Administrators with Manage Private Resources can access private content • Authority to Create Private Items Outside of a My Content Folder Can be Assigned In 8.0.01 private content is indicated with a grayscale overlay on the icon
Private Content, Publishing, and SharingPublishing Private Content • Authorized Users Can Publish a Private Resource • Published resources inherit security rules from parent • Create, Publish & Un-Publish are separately assignable • Contrast with Formal Change Control Model • Isolated DEV/TEST/PROD environments • Developers don’t have write access to TEST/PROD • But a Useful Alternative in SaaS Deployments • SaaS tenant developers only interact with PROD • Tenant developers can work out of view from users • Publishing completed reports is simple • IBFS paths don’t change • Consider Developing In-Place with Private Content
Private Content, Publishing, and SharingMy Content Folders • End-Users Need to Create Resources in Production • This is facilitated by special My Content folders • A Folder Property Enables Support for My Content • Assignable Privilege Determines Who Gets One Private content, created and saved by a user to their My Content folder
Private Content, Publishing, and SharingContent Sharing • Complete Control Over Content Sharing • Share – simple sharing determined by WebFOCUS • Share with – user determines who to share with • Configurable Policy Determines Available Users/Groups • Enhanced Shared Content View • Only Users Sharing Content are Shown Shared content Assignable sharing options
Authorization MappingKey Requirement for Enterprise & SaaS Deployments • What if you Manage Authorizations in LDAP/AD via… • The user’s group memberships • A custom attribute on the user entry • Authorization Mapping is Built-in to WebFOCUS 8 Groups in AD/LDAP User Attribute in Oracle LDAP
Authorization MappingKey Requirement for Enterprise & SaaS Deployments • Administrator Maps the Value to a WebFOCUS Group • Resource Templates Can Configure the Mapping Group DN or user attribute value is mapped to WF group
LDAP Authorization MappingKey Requirement for Enterprise & SaaS Deployments Mapped WebFOCUS groups have a link icon User accounts are automatically created during sign-on
Other Security EnhancementsPassword Policies, Auditing • For Customers Using Internal Authentication • Strong encryption for password hashes • Configurable password policies • Built-in Protection from Web Vulnerabilities • Built-in User and Administrative Activity Auditing This user Used this API To move this user [2012-05-30 08:30:13,267] INFO groups ed214e45667f0f1 thoja13 addUserToGroup SUCCESS user:smija03 (314568704) group:IBFS:/SSYS/GROUPS/Retail/Developers (614187006) Into this group
Localizable Content TitlesA Complete Solution for Localized Applications Repository data can be localized User sees label based on their language preference
WebFOCUS 8 Client LicenseNew for WebFOCUS 8 • Enforces Licensed Options • Features: BI Portal, InfoAssist, ReportCaster, etc. • Managed Reporting user count • InfoAssist user count (future release) • Work with Customer Support/Account Team • Make sure your site code (XXXX.nn) reflects your products
Migrating to WebFOCUS 8Built-in Utilities to Simplify the Process • Utility Migrates 7x Content • ReportCaster Content • Managed Reporting Content • Dashboards • Dashboard Conversion to BI Portals • Not Automatic • User Experience and Policies Preserved • Identical folder structure • Identical security policy 8.0 7x
Understanding a Migrated PolicyMR7x to WF8 • MR 7x users had only a single role and optionally a few extra privileges • The role was defined on the user • Migration creates a policy with this same behavior • Requires the User Default Role (UDR) Setting
Understanding a Migrated PolicyMR7x to WF8 • Sets special system Roles between migrated Groups and Domain folders
Understanding a Migrated PolicyMR7x to WF8 • Enables Default Role tab on the user account • Here the user’s 7x “role” and “privileges” are defined • They apply to all Domain folders
WebFOCUS 8 Technical OverviewSummary • Rich Portal and Tool Interfaces • Replace BI Dashboard and Java Applet UIs • Integrated Repository Based on IBFS • Unified, fully localizable repository for MR, BIP, RC • Full control of content organization and security policy • Resource Templates simplify security policy creation • Enhanced Content Publishing and Sharing • External Authorization Built-in • Migration Utilities Streamline Upgrade • WebFOCUS 8.0.01 requires 8.0.01 Report Server