Managing Groups

The Groups field in the Users & Groups tab of the Security Center lists all of the groups in the repository in hierarchical order. In the Groups field, subgroups are indented below their parent groups. The Users in Group field lists the members of a selected group. If no group is selected, the field is blank. The Search field in this tab allows you to search the name and description fields for groups. Simple wildcard searches are supported. A toolbar allows you to perform the following actions:

Understanding Groups

A group is a collection of users or subgroups that require similar capabilities or access to the same resources. Although rules may also be applied to individual user roles, typically, the activities and resources made available to users depend upon the rules that apply to the groups to which they belong. Therefore, group assignments are a pivotal component of security policy implementation.

All users are automatically assigned to the EVERYONE group, by default. This group is the set of all named users in the system. Administrators must then assign users to the appropriate groups within the workspaces that contain the content resources they will need to use and to the appropriate groups within My Workspace and the Getting Started workspace.

By default, a newly created workspace includes four groups: Basic Users, Advanced Users, Developers, and Group Administrators. Each of these groups contains a predefined range of privileges that support the activities and resource needs of a typical user in that role. Preconfigured infrastructure groups, including My Workspace and the Getting Started workspace, vary from this basic configuration.

Administrators can also create their own groups. These groups can supplement the original four groups within an individual workspace or they can be a specialized group that is assigned to multiple workspaces.

Users can belong to more than one group, and each group can contain a different set of privileges. The ability to assign users to different groups allows administrators to provide varying levels of access to the same user.

Workspace Groups

The following groups are assigned to new workspaces automatically. They represent the most common types of users, and the privileges assigned to them support the typical set of activities that members of such a workspace group would be expected to perform.

When created from the resource template, these groups are generated automatically for each new workspace, and four of them, Basic Users, Advanced Users, Developers, and Group Administrators, are made available to the new workspace, by default. A fifth group, the Authors group, is available only in My Workspace and the Getting Started workspace.

Basic Users

Members of the Basic User group can view content within their workspaces. They can create folders within the My Content folder and save deferred reports to them. They can also copy autolink parameters from a previously-created report and save them in their folders. They cannot share, publish, copy, or paste any folder or content item.

Advanced Users

Members of the Advanced User group can view content within their workspaces. They can create folders within the My Content folder and save deferred reports to them. They can also copy autolink parameters from a previously-created report and save them in their folders, and they can create and share their own content items and folders.

Authors

This group is available only in the pre-configured workspaces entitled My Workspace and Getting Started. Members of the Authors group can view content, create folders, and save deferred reports to their folders. They can also copy autolink parameters from a previously created report and save them in their folders, and they can create and share folders and content items. In addition to these privileges, these self-service analytical users can connect to data, open data files, and create portals when working in their personal My Workspace view or in the Getting Started view.

Developers

Members of the Developers group can view content within their workspace. They can create folders within the My Content folder and save deferred reports to them. They can also copy autolink parameters from a previously-created report and save them in their folders, and they can create and share their own content items and folders. They can upload and connect to data, edit metadata, and create and organize workspace content. They can manage content made visible to other users. They can also copy and paste folders and content from their workspace to another workspace, but they must be sure that the workspace they target for this operation maintains connections to the same metadata as that used to create the content they are copying.

Group Administrators

Members of the Group Administrators group can determine the role each user can have within a workspace by adding users to or removing users from one of the five user type groups and can change the General Access setting assigned to a workspace. They do not have access to reporting or development capabilities.

These five user types cover the basic access levels that the majority of users will require when working with workspaces, freeing administrators to focus on the assignment of users to these five groups instead of requiring them to configure unique access level profiles for each user.

Infrastructure Groups

The following groups are created automatically during the product installation. They provide a role for users when working outside of workspaces created to support content development.

My_Workspace Group

The My_Workspace group contains users who are assigned to the specialized workspace entitled My Workspace.

My Workspace is created from the standard resource template and uses the same security rules assigned to all templates. However, instead of the four groups that are typically assigned to workspaces, it contains only the Basic Users group and the Authors group. The privileges defined for these two groups apply when users are working within the My Content folder of My Workspace.

As with any other workspace, administrators must actively manage the assignment of users to the two groups within My Workspace. Privileges granted to a user in My Workspace are entirely independent of privileges granted to a user in any other workspace.

Some product installations may use a different workspace as the default workspace for content created directly from the Hub, the WebFOCUS Home Page, or outside of an existing workspace. They do so by defining a path to that alternative workspace in the Default Workspace Repository Path (IBI_DEFAULT_WORKSPACE_PATH) setting on the BI Portals settings page in the Administration Console.

Note that this configuration does not eliminate My Workspace or the groups assigned to it. Even when an alternative workspace is identified in the Default Workspace Repository Path, users assigned to sub-groups within the My Workspace group can still open My Workspace from the content view of the WebFOCUS Home Page and run or create new content as made possible by their My Workspace group assignment.

Administrators Group

Members in the Administrators group have full access to all workspaces and product features. Users in this group are assigned to the SystemFullControl role, by default. The default administrator, identified with the admin user ID, is assigned to this group. You can supplement this default administrator, whose password is provided during installation and therefore potentially known by multiple individuals, with other users who have their own unique password.

Anonymous Group

Members in the Anonymous group have access, within the limitations imposed by the rules assigned to this group, to any resource made available to the EVERYONE group. Members in the Anonymous group are assigned to the BIDRunTimeAccess role, by default, which provides limited access to content resources. They are also assigned to the AnonymousRestrictions role, which prevents them from developing or copying resources. They can review and run resources only in My Workspace and in any other workspace made available to public users.

The public user is assigned to this group by default. The WebFOCUS Client automatically assigns this user ID to all unauthenticated requests to access resources within the WFC/Repository/Public folder and in the workspace folders to which the administrator has granted list and run access. A separate session is created for each anonymous user.

The user ID assigned to this default anonymous user is defined in the Anonymous User ID (IBI_ANONYMOUS_USER) setting on the Advanced Security page of the Administration Console Security tab. The name public is assigned to this setting, by default. Hence, in most installations, the default anonymous user is identified as the public user.

EVERYONE Group

Members in the EVERYONE group have Basic User access to all workspaces. They can view and run resources in workspaces, but they cannot create content or modify existing content in any workspace other than their own. Users are, by default, members of the EVERYONE group in addition to their assignment to other groups.

Managers Group

Members in the Managers group have access to all workspaces. They are assigned to the WebFOCUSManager role throughout the application, which provides a broad range of privileges that enables them to manage WebFOCUS operations.

SelfServiceDevelopers Group

Members in the Self Service Developers group have access to all system features. This specialized group of users applies only to customers who use WebFOCUS with a self-service license. These users work with a version of WebFOCUS that replaces the default user interface with an independently designed and developed user interface.

This group includes the Wfdesktop user ID, which is the default ID to access the Desktop tools. Members of this group can perform self-service development work in the Data Servers and Web Applications areas. Access to the Repository is restricted to the access given to the EVERYONE group.
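An access-review sketch over the groups described above, added here as an example and not part of the WebFOCUS product or its documentation: it flags accounts in the all-workspace infrastructure groups, an Administrators group whose only member is the default admin account, and users who hold Group Administrators together with a content group in the same workspace. The input layout, the `review` function, the finding codes, and the Sales and Finance workspaces are assumptions.

```python
from collections import defaultdict

# Constructed sample data: (user ID, group) pairs, with workspace groups
# written as "workspace/group". This layout is an assumption for the example,
# not a WebFOCUS export format. Sales and Finance are hypothetical workspaces.
MEMBERSHIPS = [
    ("admin", "Administrators"),
    ("public", "Anonymous"),
    ("Wfdesktop", "SelfServiceDevelopers"),
    ("jlee", "Managers"),
    ("jlee", "Sales/Developers"),
    ("mkhan", "Sales/Basic Users"),
    ("mkhan", "Finance/Advanced Users"),
    ("rortiz", "Finance/Group Administrators"),
    ("rortiz", "Finance/Developers"),
]

# Infrastructure groups described above as reaching all workspaces or features.
BROAD_GROUPS = {"Administrators", "Managers", "SelfServiceDevelopers"}
# Workspace groups that carry content privileges.
CONTENT_GROUPS = {"Basic Users", "Advanced Users", "Authors", "Developers"}


def review(memberships, default_admin="admin"):
    """Return sorted findings as tuples: (code, user, detail)."""
    broad = defaultdict(set)    # user -> broad infrastructure groups held
    per_ws = defaultdict(set)   # (user, workspace) -> groups in that workspace
    for user, path in memberships:
        workspace, _, group = path.rpartition("/")
        if workspace:
            per_ws[(user, workspace)].add(group)
        elif group in BROAD_GROUPS:
            broad[user].add(group)

    findings = [("BROAD_ACCESS", user, group)
                for user, groups in broad.items() for group in groups]
    # The installation-time admin password may be known to several people,
    # so an Administrators group with no other member deserves attention.
    admins = {user for user, groups in broad.items() if "Administrators" in groups}
    if admins == {default_admin}:
        findings.append(("ONLY_DEFAULT_ADMIN", default_admin, "Administrators"))
    # Group Administrators control membership but have no reporting or
    # development capabilities; a content group too combines both in one account.
    for (user, workspace), groups in per_ws.items():
        if "Group Administrators" in groups and groups & CONTENT_GROUPS:
            findings.append(("ADMIN_PLUS_CONTENT", user, workspace))
    return sorted(findings)
```
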

Procedure: How to Create a Group

  1. In the Security Center, on the Users & Groups tab:
    • To create a group, click the New Group button, or right-click the Groups level of the hierarchy and select New.
    • To create a subgroup (nested group), select the group under which you would like to create a subgroup, then click the New Group button. Alternatively, right-click the parent group and select New.

    The New Group dialog box appears, as shown in the following image.

    (Image: New Group dialog box)

    If external groups are enabled, the dialog box will also allow you to type or browse and select from external groups.

    The Create in: location is determined by where you placed your cursor before you clicked New Group.

  2. Type the group name and an optional description, and then click OK.

    The group name may consist of alphanumeric characters and underscores. Blank spaces and the characters * / | ; " , ? are prohibited. A group name may contain up to 255 characters. The description may consist of any characters allowed in your system. If you leave the description blank, WebFOCUS will automatically assign the group name as the description. You can edit the name or the description at any time.

Procedure: How to Edit a Group

  1. In the Security Center, on the Users & Groups tab, right-click a group and select Edit, or select the group and click the Edit Group button.

    The Edit Group dialog box opens.

  2. Edit the group name or the description as desired, then click OK.

Procedure: How to Delete a Group

  1. In the Security Center, on the Users & Groups tab, right-click a group and select Delete, or select the group and click the Delete Group button.
  2. When you receive a message asking if you want to delete all selected items, click Yes.

Procedure: How to Add a User to a Group

  1. Open the Security Center.
  2. On the Users & Groups tab, perform one of the following operations:
    1. Drag the user you wish to add to the group from the Users field into the Groups field, and drop it on the name of a group or subgroup.
    2. Click a group or subgroup in the Groups field, and drag the user you wish to add to the group from the Users field into the Users in Group field.
    3. Click a group or subgroup in the Groups field, click the user you wish to add to the group in the Users field, and then click the Add selected users to group button.

      When your selected operation is complete, the user you added appears in the Users in Group field.

      Notes:

      • When you drag a user over a group in the Groups field, the group expands automatically, enabling you to drop the user on the name of a subgroup within that group.
      • If external group mapping is not activated, the members of the selected group appear in the Users in Group field when you click a group or subgroup.
      • If the WebFOCUS group is mapped to an external group, you cannot assign users directly to that group.

Procedure: How to View External Users in a Group

  1. In the Security Center, on the Users & Groups tab, under Groups, select a mapped group, as shown in the following image.

  2. Click the Users in Group field.

    The external users are listed.

Procedure: How to Remove a User From a Group

  1. In the Security Center, on the Users & Groups tab, under Groups, select a group.
  2. Select a user and click the Remove selected users from group button, or drag the user into the Users field.

    You can also remove a user from a group by right-clicking on the user and clicking Remove.