TIBCO Software Inc. EBX®

Users and roles directory

Overview

TIBCO EBX® uses a directory for user authentication and user role definition.

A default directory is provided and integrated into the EBX® repository; the 'Directory' administration section allows defining which users can connect and what their roles are.

It is also possible to integrate another type of enterprise directory.

Concepts

In EBX®, a user can be a member of several roles, and a role can be shared by several users. Moreover, a role can be included in another role. The generic term profile is used to describe either a user or a role.

In addition to the directory-defined roles, EBX® provides the following built-in roles:

Role | Definition

Profile.ADMINISTRATOR | Built-in Administrator role. Allows performing general administrative tasks.

Profile.READ_ONLY | Built-in read-only role. A user associated with the read-only role can only view the EBX® repository, and has no right to perform modifications in the repository.

Profile.OWNER | Dynamic built-in owner role. This role is checked dynamically depending on the current element. It is only activated if the user belongs to the profile defined as owner of the current element.

Profile.EVERYONE | All users belong to this role.

Information related to profiles is primarily defined in the directory.

Attention

Associations between users and the built-in roles OWNER and EVERYONE are managed automatically by EBX®, and thus must not be modified through the directory.

User permissions are managed separately from the directory. See Permissions.

Policy

These properties configure the policies of the user and roles directory, for example, whether or not users can edit their own profiles.

Users

This table lists all the users defined in the internal directory. New users can be added from there.

Roles

This table lists all the roles defined in the internal directory. New roles can be created in this table.

Default directory

Directory content

The default directory is represented by the dataset 'Directory', in the 'Administration' area.

This dataset contains tables for users and roles, as well as the users' roles table, the roles' inclusions table and the salutations table.

Note

If a role inclusion cycle is detected, the role inclusion is ignored during permission resolution. Refresh and check the directory validation report for cycle detection.
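The following Python audit is an added example, not part of the EBX® documentation or product code: run over exports of the users' roles and roles' inclusions tables, it reports inclusions that sit on a cycle and lists every user who resolves to Profile.ADMINISTRATOR through inclusions. The row layout, the sample rows, the direction of inheritance (a member of an included role is treated as a member of the including role) and the choice to drop every inclusion on a cycle are assumptions.

```python
from collections import defaultdict

ADMIN = "Profile.ADMINISTRATOR"

# Constructed sample rows standing in for table exports (layout is assumed).
USERS_ROLES = [("alice", "DataSteward"), ("bob", "Auditor"),
               ("carol", "Ops"), ("dave", "Support")]
# (role, role it is included in). Assumption: members of the first role are
# treated as members of the second; swap the pair if your version differs.
INCLUSIONS = [("DataSteward", "Reviewer"), ("Reviewer", "Auditor"),
              ("Auditor", "DataSteward"),          # closes a cycle
              ("Support", "Ops"), ("Ops", ADMIN)]  # indirect path to admin


def reachable(graph, start):
    """Roles reached from start by following inclusion edges transitively."""
    seen, stack = set(), [start]
    while stack:
        for nxt in graph.get(stack.pop(), ()):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


def audit(users_roles, inclusions):
    graph = defaultdict(set)
    for role, parent in inclusions:
        graph[role].add(parent)
    # An inclusion is on a cycle when its target leads back to its source.
    cyclic = {(r, p) for r, p in inclusions if r in reachable(graph, p)}
    # Assumption: every inclusion on a cycle is dropped before resolution.
    clean = defaultdict(set)
    for r, p in inclusions:
        if (r, p) not in cyclic:
            clean[r].add(p)
    effective = defaultdict(set)
    for user, role in users_roles:
        effective[user] |= {role} | reachable(clean, role)
    admins = sorted(u for u, roles in effective.items() if ADMIN in roles)
    return cyclic, dict(effective), admins


if __name__ == "__main__":
    cyclic, effective, admins = audit(USERS_ROLES, INCLUSIONS)
    print("inclusions on a cycle:", sorted(cyclic))
    print("users resolving to", ADMIN + ":", admins)
```

Users whose only path to a role runs through a reported cycle lose that role silently, so review the cycle list before trusting the effective-role output.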

Note

Users' roles, roles' inclusions and salutations tables are hidden by default.

Depending on the policies defined, users can modify information related to their own accounts, regardless of the permissions defined on the directory dataset.

Note

It is not possible to delete or duplicate the default directory.

Password recovery procedure

In the default directory, passwords are encrypted (by default with a SHA256-like algorithm), and stored in this state. Consequently, it is impossible to retrieve lost passwords. A new password must be generated and sent to the user.

There are two options for this procedure:

  1. A notification email is sent to the administrator, who manually changes the password and sends the new password to the user.

  2. A procedure automatically generates a new password and sends it to the user.

By default, the first option is used. To activate the second option, specify the property ebx.password.remind.auto=true in the TIBCO EBX® main configuration file.

Note

For security reasons, the password recovery procedure is not available for administrator profiles. If required, use the administrator recovery procedure instead.

Administrator recovery procedure

If all the 'login/password' credentials of the administrators are lost, a special procedure must be followed. A specific directory class redefines an administrator user with login 'admin' and password 'admin'.

To activate this procedure:

Note

While the 'ebx.directory.factory' property is set for the recovery procedure, authentication of users will be denied.

Custom directory

As an alternative to the default directory, it is possible to integrate a specific company directory, for example an LDAP instance, a relational database or a specific directory model instantiated into EBX®. The default login page can also be replaced by a specific company page.
