TIBCO EBX®
Documentation > Administration Guide > Technical administration
Navigation modeDocumentation > Administration Guide > Technical administration

Users and roles directory

Overview

TIBCO EBX® uses a directory for user authentication and user role definition.

A default directory is provided and integrated into the EBX® repository; the 'Directory' administration section allows defining which users can connect and what their roles are.

It is also possible to integrate another type of enterprise directory.

Concepts

In EBX®, a user can be a member of several roles, and a role can be shared by several users. Moreover, a role can be included into another role. The generic term profile is used to describe either a user or a role.

In addition to the directory-defined roles, EBX® provides the following built-in roles:

RoleDefinition

Profile.ADMINISTRATOR

Built-in Administrator role. Allows performing general administrative tasks.

Profile.READ_ONLY

Built-in read-only role. A user associated with the read-only role can only view the EBX® repository, and has no right to perform modifications in the repository.

Profile.OWNER

Dynamic built-in owner role. This role is checked dynamically depending on the current element. It is only activated if the user belongs to the profile defined as owner of the current element.

Profile.EVERYONE

All users belong to this role.

Information related to profiles is primarily defined in the directory.

Attention

Associations between users and the built-in roles OWNER and EVERYONE are managed automatically by EBX®, and thus must not be modified through the directory.

User permissions are managed separately from the directory. See Permissions.

Policy

These properties configure the policies of the user and roles directory, for example, whether or not users can edit their own profiles.

Users

This table lists all the users defined in the internal directory. New users can be added from there.

Roles

This table lists all the users defined in the internal directory. New roles can be created in this table.

Default directory

Directory content

The default directory is represented by the dataset 'Directory', in the 'Administration' area.

This dataset contains tables for users and roles, as well as users' roles table, roles' inclusions table and salutations table.

Note

If a role inclusion cycle is detected, the role inclusion is ignored at the permission resolution. Refresh and check the directory validation report for cycle detection.

Note

Users' roles, roles' inclusions and salutations tables are hidden by default.

Depending on the policies defined, users can modify information related to their own accounts, regardless of the permissions defined on the directory dataset.

Note

It is not possible to delete or duplicate the default directory.

Password recovery procedure

In the default directory, passwords are encrypted (by default with a SHA256-like algorithm), and stored in this state. Consequently, it is impossible to retrieve lost passwords. A new password must be generated and sent to the user.

There are two options for this procedure:

  1. A notification email is sent to the administrator, the administrator manually changes the password and sends the new password to the user.

  2. A procedure automatically generates a new password and sends it to the user.

By default, the first option is used. To activate the second option, specify the property ebx.password.remind.auto=true in the TIBCO EBX® main configuration file.

Note

For security reasons, the password recovery procedure is not available for administrator profiles. If required, use the administrator recovery procedure instead.

Administrator recovery procedure

If all the 'login/password' credentials of the administrators are lost, a special procedure must be followed. A specific directory class redefines an administrator user with login 'admin' and password 'admin'.

To activate this procedure:

Note

While the 'ebx.directory.factory' property is set for the recovery procedure, authentication of users will be denied.

Custom directory

As an alternative to the default directory, it is possible to integrate a specific company directory. For example, an LDAP instance, a relational database or a specific directory model instantiated into EBX®.

See also
Documentation > Administration Guide > Technical administration