Anonymous Access

Anonymous access, also known as public access, is useful for applications that require neither authentication nor personalization. It allows unauthenticated users to list and run resources located in the WFC/Repository/Public folder, but makes no other privileges, such as the ability to create or edit resources, available to them. The limitations built into this mode of access enable administrators to protect the integrity of resources designed for general use, even while making them available to all users.

Anonymous access is disabled by default. To make it available, you must enable the Anonymous Authentication method in each Security Zone that requires anonymous access.

When you enable Anonymous Authentication in a security zone, the WebFOCUS Client supports anonymous or unauthenticated access to resources in the WFC/Repository/Public folder, as well as to procedures on the WebFOCUS Server. If you would like anonymous users to have access to other content stored in the repository, you can create rules that grant anonymous users access to those additional resources, as described in the topic, Changing the Security Policy for Anonymous Users. The WebFOCUS Server credentials used by the Anonymous User (IBI_ANONYMOUS_USER) setting are Reporting Server Anonymous User ID (IBI_WFRS_ANONYMOUS_USER) and Reporting Server Anonymous Password (IBI_WFRS_ANONYMOUS_PASS). All of these settings appear on the Advanced page of the Security tab.

A separate session is created for each anonymous user. These sessions are associated with each user by a non-persistent WF-JSESSIONID cookie stored in the web browser. Information that is unique to each anonymous user, such as foccache tokens and global amper variables, is also tracked. All anonymous sessions have the same effective policy, that of the user account specified by the Anonymous User (IBI_ANONYMOUS_USER) setting.

Anonymous Authentication should be disabled when WebFOCUS is configured for pre-authentication, because this configuration limits access to specific pre-authenticated users. WebFOCUS supports public access when configured for external authentication, but additional considerations apply.

For more information about configuring public access for external authentication, see External Authentication.

You can specify the default user ID for unauthenticated access with the Anonymous User ID (IBI_ANONYMOUS_USER) setting on the Advanced page of the Security tab. By default, this user ID is named public.

Procedure: How to Enable Anonymous Access for Individual Security Zones

Anonymous Access is disabled, by default. To enable it for the Default Security Zone or the Alternate Security Zone, you must enable the Anonymous Authentication method.

We recommend that you use the Export command to back up the Security Settings configuration files before making changes to the Authentication page.

  1. In the Administration Console, click the Security tab.
  2. Under the Security Zones folder, expand the folder for the Security Zone you want to update, and then click Authentication.
  3. Click the Anonymous Authentication entry. In the Actions section, click Enable, and then click Save.

    or

    Right-click the Anonymous Authentication entry, and click Enable. In the Actions section, click Save.

  4. When you receive the confirmation message, click OK.
  5. When you receive the message to reload the web application, click OK.
  6. Sign out of your current session.
  7. Stop and restart the application server.
  8. Sign in again as an administrator, and test the new configuration.

Procedure: How to Disable Anonymous Access for Individual Security Zones

Once Anonymous Access is enabled for an individual Security Zone, you can disable it for that zone by disabling the Anonymous Authentication Method.

We recommend that you use the Export command to back up the Security Settings configuration files before making changes to the Authentication page.

  1. In the Administration Console, click the Security tab.
  2. Under the Security Zones folder, expand the folder for the Security Zone you wish to update, and then click Authentication.
  3. Click the Anonymous Authentication entry. In the Actions section, click Disable, and then click Save.

    or

    Right-click the Anonymous Authentication entry, and click Disable. In the Actions section, click Save.

  4. When you receive the confirmation message, click OK.
  5. When you receive the message to reload the web application, click OK.
  6. Sign out of your current session.
  7. Stop and restart the application server.
  8. Sign in again as an administrator, and test the new configuration.

Procedure: How to Disable Anonymous Access for All Security Zones

To disable Anonymous Access throughout the application, remove the name and password assigned to the Anonymous user settings in the Advanced Security settings page, and then delete the Public User in the Security Center.

  1. In the Administration Console, click the Security tab.
  2. Under the Security Configuration folder, click Advanced.
  3. Clear the values assigned to the Reporting Server Anonymous User ID field and Reporting Server Anonymous User Password field.
  4. In the Security Configuration section, click Save.
  5. When you receive the "changes have been successfully saved" message, click OK.
  6. When you receive the "Please clear cache in order for these change to take effect" message, click OK.
  7. In the Administration Console menu bar, click Clear Cache.
  8. When you receive the confirmation that the cache is cleared, click OK.
  9. Navigate to the Security Center.
  10. In the Users pane, under the Users folder, click the Public entry, and then click Delete User.

    When you receive a confirmation message, click Yes to delete the user.

  11. Click Close.

Procedure: How to Specify a Different Account for the Anonymous User

To specify a different user account for the Anonymous User, create a new user account and then change the name assigned to the Anonymous User ID (IBI_ANONYMOUS_USER) setting to the name assigned to the new user account.

  1. In the Security Center, on the Users & Groups tab, click New User.
  2. In the New User dialog box, type a user name for the new anonymous user account, and optionally, add a description.

    Note: Do not specify an email address or password for the account.

  3. Click Anonymous in the Create in Group list, and then click Active in the Status list.
  4. Click OK.

    You have now created the account for the new anonymous user.

  5. Open the Administration console, and click the Security tab.
  6. In order to designate the new user as the default Anonymous User ID, perform the following steps:
    1. Under the Security Configuration folder, click Advanced.
    2. In the Anonymous User ID (IBI_ANONYMOUS_USER) field, type the name of the user account you just created in the Security Center.

    You have now configured WebFOCUS to use the new user account as the anonymous user.

Reference: Changing the Security Policy for Anonymous Users

By default, anonymous users have access to resources in the Public folder. If you would like anonymous users to have access to other folders or to portals, you can create new rules to enable access. We recommend that you manage the security policy for anonymous users by placing rules on the Anonymous group, and placing in that group the user account specified by the User field in the Anonymous Authentication settings for a Security Zone, rather than placing rules directly on the user account.

For more information about creating rules, see How to Create a Rule on a Group, User, or Role.
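
As an added example (not WebFOCUS code), the following Python check applies three statements from this page to a hand-recorded snapshot of the configuration: Anonymous Authentication should be disabled under pre-authentication, the Reporting Server anonymous credentials are cleared when anonymous access is off in every zone, and rules belong on the Anonymous group rather than on the user account. The snapshot layout, the method labels (form, anonymous, preauth), the subject prefixes and the WFC/Repository/Sales folder are assumptions made for the example.

```python
# Added example: audit a hand-recorded snapshot of the settings this page describes.
# Assumption: the snapshot layout and the labels "anonymous"/"preauth" are invented
# for this example; this is not a WebFOCUS export format.
PUBLIC_FOLDER = "WFC/Repository/Public"

SAMPLE = {  # constructed sample, not taken from a real system
    "zones": {"Default": ["form", "anonymous"], "Alternate": ["preauth", "anonymous"]},
    "settings": {"IBI_ANONYMOUS_USER": "public",
                 "IBI_WFRS_ANONYMOUS_USER": "", "IBI_WFRS_ANONYMOUS_PASS": ""},
    "rules": [
        {"subject": "group:Anonymous", "resource": "WFC/Repository/Public/Reports"},
        {"subject": "user:public", "resource": "WFC/Repository/Sales"},
    ],
}

def audit_anonymous_access(snapshot):
    """Return a list of (severity, message) findings for the snapshot."""
    findings = []
    settings = snapshot["settings"]
    anon_user = settings.get("IBI_ANONYMOUS_USER", "public")  # default ID is "public"
    anon_zones = [z for z, methods in snapshot["zones"].items() if "anonymous" in methods]

    # Anonymous Authentication should be disabled in a pre-authenticated zone.
    for zone in anon_zones:
        if "preauth" in snapshot["zones"][zone]:
            findings.append(("high", f"{zone}: anonymous and pre-authentication both enabled"))

    # With anonymous access off in every zone, the server credentials should be cleared.
    if not anon_zones:
        for key in ("IBI_WFRS_ANONYMOUS_USER", "IBI_WFRS_ANONYMOUS_PASS"):
            if settings.get(key):
                findings.append(("medium", f"{key} is still set but no zone allows anonymous access"))

    for rule in snapshot["rules"]:
        subject, resource = rule["subject"], rule["resource"]
        on_account = subject == f"user:{anon_user}"
        if on_account:  # the page recommends rules on the Anonymous group instead
            findings.append(("low", f"rule on {resource} is placed on the user account"))
        if on_account or subject == "group:Anonymous":
            inside = resource == PUBLIC_FOLDER or resource.startswith(PUBLIC_FOLDER + "/")
            if not inside:  # access widened beyond the default Public folder
                findings.append(("info", f"anonymous users can reach {resource}"))
    return findings

if __name__ == "__main__":
    for severity, message in audit_anonymous_access(SAMPLE):
        print(f"[{severity}] {message}")
```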

Making BI Portals Available to Anonymous Users

In the WebFOCUS Enterprise Edition, administrators can make BI Portals intended for general use available to anonymous users working in security zones that have enabled Anonymous Access.

Basic portals are located on the Portals Node and in the Portals area of the start page. They are not located in workspace folders or in the Public folder. To make them available to anonymous users, an administrator must:

Collaborative portals and designer portals are located in workspace folders or in the Public folder. Therefore, administrators must assign rules to the Public folder or to those workspace folders that contain these portals and their content resources to make the collaborative and designer portals they contain available to anonymous users.

A rule making the ListAndRun role available to the EVERYONE group is assigned to the Public folder, by default. Therefore, to make collaborative and designer portals that are located in the Public folder available to anonymous users, an administrator must:

To make collaborative and designer portals that are located in workspaces outside of the Public folder available to anonymous users, an administrator must:

For more information about how to assign a rule, see How to Create a Rule on a Group, User, or Role or How to Create a Rule on a Content Resource.

Limitations in the AnonymousRestrictions role, which is assigned to the Anonymous users group, by default, prevent individuals working under the Anonymous User ID from affecting the content or performance of BI Portals made accessible to them.

Distinguishing Basic Portals from Collaborative Portals and Designer Portals

When working in the tile view, portal icons appear in the content section. Icons for basic portals contain a stack of squares, as shown in the following image.

The basic portal icon, showing a stack of squares.

Icons for collaborative and designer portals contain a stack of squares surrounded by a circle, as shown in the following image.

A collaborative portal icon showing a stack of squares surrounded by a circle.

There are no other distinguishing characteristics between entries for basic portals and other portal types in the tile view.

A more reliable test is the presence or absence of the Properties option on the menu that opens when you right-click a portal icon:

  • Basic portals do not include the Properties option in their shortcut menu.
  • Collaborative and designer portals do include the Properties option in their shortcut menu.

Form Based Authentication

Form based authentication is the default method of authentication for each of the security zones. To authenticate a user request in this method, the WebFOCUS Client presents the familiar Sign in page to a user, and uses an HTML Form tag to convey the User ID and Password collected during the sign-in process to the WebFOCUS Server for validation.

Procedure: How to Customize Form-Based Authentication Settings

We recommend that you use the Export command to back up the Security Settings configuration files before making changes to the Authentication page.

  1. In the Administration Console, click the Security tab.
  2. Under the Security Zones folder, expand the folder for the Security Zone you wish to update, and then click Authentication.
  3. Click the Form Based Authentication entry.
  4. In the Actions section, click Edit to open the Edit Form Based Authentication Settings dialog box.

    In that dialog box, all three check boxes are cleared, by default.

  5. Click OK to accept the default settings.
  6. In the Actions section, click Save.
  7. When the confirmation message opens, click OK.
  8. When you receive a message to reload the web application, click OK.
  9. Sign out of your current session.
  10. Stop and restart the Application Server.
  11. Sign in again as an administrator, and test the new configuration.