Understanding External Authorization

When you configure WebFOCUS for external authorization, it uses the security providers configured on the WebFOCUS Server (WFRS) to query an external source for information about users when they sign in. The information can include their email addresses, their descriptions, and their external group memberships. The WebFOCUS Server then returns this information to WebFOCUS, where it is used to create or update user accounts and define user authorizations. The security provider also returns other external information about users and groups to WebFOCUS in support of administrative features, such as obtaining a list of all external groups or the list of users who belong to an external group.

Note: Some organizations manage authorization data externally in LDAP user profile attributes or roles, rather than using LDAP groups. WebFOCUS also supports this approach.

Some external authorization scenarios supported by WebFOCUS include:

EXTERNAL and EXTERNALONLY Options

There are two options for configuring how WebFOCUS groups are mapped to authorization data in an external directory. These options appear in the User Authorization group on the External page of the Administration Console, Security tab.

EXTERNAL

Specifies that some WebFOCUS groups may be mapped and some groups may be unmapped. Users are authorized if:

  • They are members of an external group that is mapped to a WebFOCUS group.
  • They are explicitly placed in an unmapped WebFOCUS group.

This is the recommended setting if the External Security Type (IBI_Authentication_Type) is set to Reporting Server.

EXTERNALONLY

Specifies that users are authorized only if they are members of an external group that is mapped to a WebFOCUS group.

Be careful when selecting this option. If no external group has been mapped to the WebFOCUS Administrators group, you can be locked out of WebFOCUS.

To retain administrative rights over WebFOCUS when specifying the EXTERNALONLY authorization, you must do one of the following:

  • After configuring the EXTERNALONLY option, sign in to WebFOCUS with the superuser account, map the Administrators group to an external group, and then sign in to WebFOCUS with a user that belongs to the external group.
  • After initially configuring the EXTERNAL option, sign in to WebFOCUS with an administrator account, map the Administrators group to an external group, configure the EXTERNALONLY option, and then sign in to WebFOCUS with a user that belongs to the external group.

Note: When a parent group in WebFOCUS has an external mapping, a user must be a member of the parent group to be considered a member of its child groups, whether membership in the child is mapped or directly assigned.

AUTOADD

WebFOCUS offers the option of automatically adding pre-authenticated and externally authenticated users to WebFOCUS, if the user accounts exist in the external source, but do not already exist in WebFOCUS. Automatically added users can successfully sign in to WebFOCUS. Users who exist in the external source, do not exist in WebFOCUS, and are not automatically added, are denied access to WebFOCUS.

In the Security Center, WebFOCUS accounts which have been automatically created during the sign-in process have a status of AUTOADD, instead of ACTIVE.

Limitations When Configuring External Authentication With External Authorization

The following constraints apply when you configure external authentication with external authorization:

Special Considerations When Using User Profile Attributes for Authorization

To authorize users based on groups, roles, or user profile attribute values retrieved from an LDAP directory or Microsoft Active Directory, configure an LDAP security provider on the WebFOCUS Server. The WebFOCUS Server then retrieves information about users, groups, roles, or user profile attributes from the external user directory and passes it on to the WebFOCUS Client. This LDAP security provider can also be used to authenticate user credentials for the WebFOCUS Client.

Typically, LDAP and AD user directories maintain group membership information, which is made available to other applications to authorize users. However, some organizations rely on other information stored in the directory, such as roles or user profile attributes, to hold the necessary authorization information. These attributes may be single-valued or multi-valued and are not required to have any relationship to other objects in the external directory. Each of these methods of authorization is supported.

Note: Depending on the vendor and version, the LDAP directory may require a user membership plug-in to support the full set of external authorization features in WebFOCUS. Active Directory supports user membership natively. For more information, contact your LDAP administrator.

The LDAP provider can be configured to retrieve the authorization data from a user profile attribute and pass it back to WebFOCUS for authorization, as shown in the following image, where the ldap_user_group_attribute AbcCorpRole is used to authorize users.

Authorization by LDAP custom attribute
Since there is no corresponding directory object for the custom attribute, as there is with LDAP groups, the following limitations apply:
  • The WebFOCUS Security Center will not show which users belong to WebFOCUS groups mapped to custom attributes.

  • In the Security Center, the Browse button in the Edit Group dialog box does not allow you to search for custom attribute values. However, you can manually enter the attribute values.

Configuring External Authorization

Setting up external authorization consists of the following steps:

  1. Configure a security provider or providers on the WebFOCUS Server for the external source you will use for authorization. The security provider may be LDAP, Active Directory, or a custom provider, such as a provider that authorizes users to a relational database management system (RDBMS) or a web service.
  2. Configure WebFOCUS to use the WebFOCUS Server for external authorization.
  3. Restart the WebFOCUS web application.
  4. Map WebFOCUS groups to external authorization data.

Procedure: How to Configure TIBCO WebFOCUS for External Authorization

Before you configure WebFOCUS for external authorization, you must have already configured the external authorization source as a security provider on the WebFOCUS Server. We strongly recommend that you also configure a trusted connection between the WebFOCUS Client and the WebFOCUS Server.

For more information on configuring security providers, see Configuring a Security Provider on the TIBCO WebFOCUS Server. For more information on configuring trusted connections, see How to Configure the WebFOCUS Client to Make a Trusted Connection to the TIBCO WebFOCUS Server.

  1. In the Administration Console, on the Security tab, under the Security Configuration folder, click External.
  2. Select the Enable External Security check box.

    The External page displays the settings currently assigned to the WebFOCUS Server.

  3. Type a WebFOCUS Server Administrator account service user name in the Server Administrator ID field, using the format ProviderName\serviceUserName.
  4. Type the password assigned to that service user account in the Password field.
  5. Click Connect.
  6. When you receive a confirmation message, click OK.
  7. To update accounts in WebFOCUS with the AD or LDAP user description and email during authentication, select the Synchronize User Information with Authentication Provider check box.
  8. In the User Authorization group, click External Only to assign all authorization tasks to an external provider, or Internal and External to share authorization tasks between WebFOCUS and an External Provider.
  9. Save your changes.
  10. In the Security Configuration section, click Save.
  11. When you receive the confirmation message, click OK.
  12. When you receive the message to reload the web application, click OK.
  13. Sign out of your current session.
  14. Stop and restart the WebFOCUS Server.
  15. Sign in as an administrator, and test the new configuration.
  16. Optionally, enable security tracing to help troubleshoot any issues with the new configuration.
    • If you installed Apache Tomcat with WebFOCUS, make a backup copy of the drive:/ibi/WebFOCUS82/webapps/webfocus/WEB-INF/classes/log4j.xml file, then edit the log4j.xml file to change the level value for com.ibilog from info to trace.
    • If you deployed the WebFOCUS web application from the web archive using the webfocus.war file, you can edit the log4j.xml file in its original location, then re-create the webfocus.war file.
    • Alternatively, if you deployed the WebFOCUS web application from the web archive using the webfocus.war file, you can edit the log4j.xml file in its deployed location within the expanded directory. Check with your Java application administrator if you are unsure of this location or if you do not have access rights to modify the log4j.xml file.
  17. Stop and restart the web application.

    Note: Before restarting, you may wish to delete or rename the drive:/ibi/WebFOCUS82/logs/event.log file so that you will have a clean log file when WebFOCUS restarts in external authorization mode.

  18. Sign in using the user account you created earlier.

    Tip: The event.log file displays the external authorization information retrieved from the WebFOCUS Server security provider.

    If you enabled security tracing in step 16, the event.log looks like the following example:

    -WFRS.authenticate userName:userName
     - EDA.authConnect node:EDASERVE User:userID security:EXPLICIT-DYNAMIC
     - EDA.authConnect node() provider:null reqName:userID
     - edaAuth for node:EDASERVE user:userID returned:1000
     - edaAuth for user:userID returned email:userEmail
     - edaAuth for user:userID returned description:userDescription userID
     - EDA.getGroupsForUser() node:EDASERVE userName:userID
     - EDA.getGroupsForUser() provider:null reqName:userID userID
     - group 1=#WF-ALL description=WF-ALL MAILING LIST userID
     - group 2=#SharePointSiteAdmins description=SharePoint Admins userID
     - group 3=#Summit_Lab_Staff description=#Summit_Lab Mailing List userID
     - group 4=CORP-WF-DEV description=WF Product Team userID
     - EDA.getGroupsForUser() from provider:null group count:4 userID
     - User:userID has 4 external groups

    If you were not able to sign in, try the account specified in the Root User (IBI_Admin_Name) setting.

You can now map WebFOCUS groups to external authorization data.
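When security tracing is on, the event.log trace above is the one record of which external groups the security provider handed to WebFOCUS for a user, so it is worth checking mechanically after a configuration change. The following parser and audit helper are an added example, not part of the WebFOCUS product or this documentation; the trace it reads is constructed in the shape of the excerpt above, and the "expected groups" list is an assumption supplied by the administrator.

```python
import re

# Constructed trace in the shape of the event.log excerpt above (not a real capture).
SAMPLE_TRACE = """\
-WFRS.authenticate userName:jsmith
 - EDA.authConnect node:EDASERVE User:jsmith security:EXPLICIT-DYNAMIC
 - edaAuth for node:EDASERVE user:jsmith returned:1000
 - edaAuth for user:jsmith returned email:jsmith@example.com
 - edaAuth for user:jsmith returned description:Jane Smith jsmith
 - EDA.getGroupsForUser() node:EDASERVE userName:jsmith
 - group 1=#WF-ALL description=WF-ALL MAILING LIST jsmith
 - group 2=CORP-WF-DEV description=WF Product Team jsmith
 - EDA.getGroupsForUser() from provider:null group count:2 jsmith
 - User:jsmith has 2 external groups
"""

USER_RE = re.compile(r"WFRS\.authenticate userName:(\S+)")
EMAIL_RE = re.compile(r"returned email:(\S+)")
GROUP_RE = re.compile(r"group (\d+)=(\S+) description=(.*)$")
COUNT_RE = re.compile(r"User:(\S+) has (\d+) external groups")

def parse_event_log(text):
    """Extract the user, email and external groups the security provider returned."""
    parsed = {"user": None, "email": None, "groups": {}, "declared_count": None}
    for line in text.splitlines():
        if m := USER_RE.search(line):
            parsed["user"] = m.group(1)
        elif m := EMAIL_RE.search(line):
            parsed["email"] = m.group(1)
        elif m := GROUP_RE.search(line):
            desc = m.group(3).strip()
            # The trace appends the user id after each description; drop it.
            if parsed["user"] and desc.endswith(" " + parsed["user"]):
                desc = desc[: -len(parsed["user"]) - 1]
            parsed["groups"][m.group(2)] = desc
        elif m := COUNT_RE.search(line):
            parsed["declared_count"] = int(m.group(2))
    return parsed

def audit_groups(parsed, expected_groups):
    """Flag a count mismatch and any returned group outside the expected set."""
    findings = []
    if parsed["declared_count"] != len(parsed["groups"]):
        findings.append("group count mismatch")
    unexpected = sorted(set(parsed["groups"]) - set(expected_groups))
    if unexpected:
        findings.append("unexpected groups: " + ", ".join(unexpected))
    return findings
```

An empty findings list means the provider returned exactly the groups the administrator expected for that user; anything else is worth a look before mapping groups.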

Group Mapping

Mapping is the process of associating a WebFOCUS group with external authorization data, including external group memberships, external user profile data, or user information stored in an RDBMS. External authorization can be based on:

  • Groups, roles, and user profile attribute values retrieved from any directory that supports the Lightweight Directory Access Protocol (LDAP), including Microsoft Active Directory (AD).
  • Data retrieved from a relational database management system (RDBMS).
  • Data retrieved from any WebFOCUS Server data adapter, including information from a web service or an ERP system.

When WebFOCUS is configured for external authorization, individual WebFOCUS groups can be either mapped or unmapped.

Note: Mapping WebFOCUS groups to external authorization data requires the Group Mapping privilege (opExternalGroupMapping). By default, this privilege is assigned only to members of the Administrators group.

You can configure the authorization data used in the mapping through the Security Center or you can set external authorization attributes programmatically through a web service. For more information on using a web service, see the WebFOCUS RESTful Web Services section of the TIBCO WebFOCUS® Embedded Business Intelligence User's Guide.

The mapping is a property on a WebFOCUS group. The value of the property is a text string specifying the authorization data attribute in the external directory. To map a WebFOCUS group to multiple external groups or role attribute values, you can delimit the values with semi-colons (;) or use a wildcard symbol to match multiple external groups. For example, mapping a WebFOCUS group to SALES-* will map the WebFOCUS group to any external group beginning with SALES-. The text string may be up to 2,000 characters, including semi-colons (;).

The Security Center indicates mapped groups with a blue chain icon next to the group name. The tooltip for the group name displays the external data or user attribute to which it is mapped. The following image displays a configuration where a WebFOCUS group, the Sales/AdvancedUsers group, is mapped to an external group called CORP-Sales, but the other Sales subgroups are unmapped.

Mapped and unmapped groups

If members of a WebFOCUS group must be defined both internally in WebFOCUS and externally by a security provider, you can use an unmapped group for the internally authorized members and a mapped subgroup for the externally authorized members. The following image shows an example where the WebFOCUS Administrators group has a subgroup named External, which is mapped to the external group named CORP-BI-Admins.

Unmapped parent group with mapped subgroup

Members of both groups share the security policy of the unmapped parent group, while their memberships can each be managed separately.
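The rules stated on this page (EXTERNAL versus EXTERNALONLY, semicolon-delimited mappings with wildcards, the 2,000-character limit, and the requirement that a mapped parent group admit a user before a child membership counts) can be expressed as a small membership resolver. The code below is an added illustration, not WebFOCUS's own algorithm; it assumes group paths written like Sales/AdvancedUsers, models wildcards with Python's fnmatch (the page only shows a trailing *), and uses constructed group and user data.

```python
from fnmatch import fnmatchcase

MAX_MAPPING_LEN = 2000  # limit on a group's mapping string, per the page

def parse_mapping(mapping):
    """Split a mapping property into its semicolon-delimited patterns."""
    if not mapping:
        return []
    if len(mapping) > MAX_MAPPING_LEN:
        raise ValueError("mapping exceeds %d characters" % MAX_MAPPING_LEN)
    return [p.strip() for p in mapping.split(";") if p.strip()]

def mapping_matches(mapping, external_groups):
    """True if any pattern (exact name or wildcard such as SALES-*) matches a group."""
    return any(fnmatchcase(g, pat) for pat in parse_mapping(mapping) for g in external_groups)

def is_member(group, user, groups, mode):
    """Resolve whether `user` belongs to `group`, a path such as 'Sales/AdvancedUsers'.

    groups: {path: {"mapping": str or None, "members": set of user ids}}
    mode:   "EXTERNAL" or "EXTERNALONLY"
    """
    info = groups[group]
    if info["mapping"]:
        member = mapping_matches(info["mapping"], user["external_groups"])
    elif mode == "EXTERNAL":
        member = user["id"] in info["members"]   # explicit membership in an unmapped group
    else:
        member = False                            # EXTERNALONLY: unmapped groups grant nothing
    # A mapped parent must also admit the user before a child membership counts.
    parent = group.rpartition("/")[0]
    if member and parent and groups[parent]["mapping"]:
        member = is_member(parent, user, groups, mode)
    return member

def is_authorized(user, groups, mode):
    """A user is authorized when at least one WebFOCUS group admits them."""
    return any(is_member(g, user, groups, mode) for g in groups)

# Constructed configuration mirroring the page's examples (hypothetical data).
GROUPS = {
    "Administrators": {"mapping": None, "members": {"admin"}},
    "Administrators/External": {"mapping": "CORP-BI-Admins", "members": set()},
    "Sales": {"mapping": None, "members": {"bob"}},
    "Sales/AdvancedUsers": {"mapping": "CORP-Sales;SALES-*", "members": set()},
}
```

Running is_authorized for the internal admin account under EXTERNALONLY returns False with this configuration, which is the lockout the page warns about; only a user in CORP-BI-Admins still reaches Administrators/External.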

Procedure: How to Map TIBCO WebFOCUS Groups to External Authorization Data

  1. In the Security Center, select the WebFOCUS group that you want to map to an external group and click Edit Group.

    The Edit Group dialog box appears, as shown in the following image.

    Edit Group dialog box

    Tip: If the Browse button is not visible, WebFOCUS has not been configured for external authorization. For information on how to configure external authorization, see How to Configure WebFOCUS for External Authorization.

  2. If you know the value of the attribute to be used for external authorization, you can enter it manually. Otherwise, click Browse.

    Note: If you want to use a custom user profile attribute for authorization, you must enter the value manually.

    The Browse External Groups dialog box appears, as shown in the following image.

    Browse External Groups dialog box

  3. Enter the search term and click Search.

    Note: By default, WebFOCUS searches only the primary security provider. To look up data using a secondary security provider, you must include the provider name in your query. For example, to find Sales groups for a secondary PTH provider, you would search for PTH\*Sales. To find all groups for all security providers, search for *\*.

  4. Select the values to which the WebFOCUS group will be mapped and click OK.

    Note: You can select multiple values.

  5. When you return to the Edit Group dialog box, the external groups you have selected appear in the External Groups field. Click OK to save your changes.

    When you return to the Security Center, the mapped group appears with a link icon, as shown in the following image.

Mapped group link icon

When you mouse over the group, the tooltip displays the mapped external authorization data in parentheses after the WebFOCUS group name.