Managing Roles

The Roles tab lists the name of each role, the subsystems to which it applies, and a description of what it does, as shown in the following image.

The Security Center Roles tab

A role icon with a lock indicates that the role is read-only and cannot be edited or deleted. All pre-installed roles are read-only. Locked and pre-installed roles are not updated automatically when you choose to install a custom resource template. However, you may choose to revise them as part of your configuration of the custom resource template. For more information, see Adding Customizations to the Custom Resource Template.

Access to WebFOCUS Server applications is determined by the permissions assigned to any group that fits the access control template for that server instead of the pre-defined locked role. For more information, see Understanding Access Control Templates.

The Roles tab allows you to perform the following actions:

When you create or view a role, its privileges are displayed in a list that includes the privilege name, description, subsystems affected, and privilege ID, as shown in the following image.

New Role dialog box

If the description is too long to display, rest your mouse on it to display a tooltip with the full description. Resting your mouse on a privilege name brings up a tooltip that includes the privilege ID at the end, or you can scroll to the ID column. The privilege ID is a unique internal identifier and, except for Customer Support Services, is not generally used.

Privilege Categories

When you create a new role, you assign privileges to the role. To make the privileges easier to find, they are grouped into several categories, as shown in the following image and described in the following table.

New Role dialog box with privilege categories collapsed

| Privilege Category | Description |
|---|---|
| Basic Reporting | Privileges that can be assigned to most users, including those with minimal training. All of the other sets of privileges are granted in addition to the basic reporting features. |
| Advanced Reporting | Privileges that can be assigned to users who need to create and share their own reports. They are generally granted as a supplement to the basic reporting privileges, not as a replacement for them. |
| Scheduling and Distribution | Privileges that can be assigned to users, developers, and administrators so they can create schedules that distribute reports with ReportCaster. |
| Application Development | Privileges that can be assigned to developers that enable them to create complete WebFOCUS applications using only web-based tools. To enable access to the full set of WebFOCUS application development capabilities, you should also assign the privileges in the Desktop Development category to your development team. |
| Desktop Development | Privileges that enable developers to use the Windows-based WebFOCUS desktop products. These privileges must be assigned along with those in the Application Development, Advanced Reporting, and Basic Reporting categories to enable the full set of development capabilities. |
| Group Administration | Privileges that can be assigned to department or tenant group administrators so that they can manage their users and the content created by their users. |
| Administration | System administrator privileges that are generally only assigned to WebFOCUS administrators. |
| Legacy | Privileges that enable legacy product behavior for customers migrating to WebFOCUS 8 from previous versions. |

Within each category, privileges are listed in alphabetical order by their Name in English. The order of localized privilege names remains the same in all other languages, ensuring that privileges remain in a consistent order regardless of the language in which they are displayed. The use of a consistent location makes privileges easier to locate and identify.

You can select privileges individually by selecting the check box next to them or you can select an entire category of privileges by selecting the check box next to the folder for the category. You can also select a category and then remove some of the automatically selected privileges under that category.

The appearance of the check box next to the title entry for a category indicates the range of privileges selected within it. If none of the privileges within a category are selected, the check box is blank. If one or more of the individual privileges within a category are selected, the check box contains a block. If all of the privileges within the category are selected, the check box contains a check mark.

For more information about the privileges included in each category, see Privileges.

Reference: Subsystems

Some privileges can apply to any subsystem, but most are limited to a particular kind of subsystem. For example, Access Portal only applies to the BIP (BI Portal) subsystem and Access Resource Properties only applies to the WFC (Content) subsystem and the EDA (WebFOCUS Reporting Servers) subsystem. Access Resource applies to every subsystem, which is indicated by an asterisk (*) in the Subsystem(s) or Used With column. Session indicates that the privilege is cached for the duration of the user session rather than applying to a specific subsystem.

When you create a role, all possible privileges are displayed. You can filter the list of privileges displayed by selecting Clear All from the Select Subsystems for this Role list, and then clicking the subsystems you intend to use with the role. Since the list closes each time you select a subsystem, to add multiple subsystems, you will need to open the list again for each new selection.

Note:
  • When you remove subsystem settings from the list of subsystems for a role, you receive a message warning you that it will remove any configured privileges that do not match the new subsystem settings. When you select Clear All from the list, there is no warning and all privileges are removed from the list. If you inadvertently made this selection, click Cancel to dismiss the Role dialog box without saving your changes.
  • When you add, delete, or replace a rule, WebFOCUS checks to ensure that you will still have access to the resources affected by the rule through the Access Resources (opList) and Manage Rules on Resources (opManageRulesOn) privileges for those resources. If the new rule would deny you access to these resources, the changes will not be saved and you will receive the ERROR_RULE_WOULD_DROP_CONTROL error.

For more information about subsystems and session privileges, see Session Privileges.
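
The self-lockout check described in the note above, modelled in Python as an added example (not WebFOCUS code). Only the two privilege IDs and the error name come from this page; the two-verb PERMIT/DENY model, inheritance by path prefix, the group names and the resource paths are assumptions made for illustration.

```python
from dataclasses import dataclass

# Privilege IDs named on the page; everything else here is a simplified model.
REQUIRED = frozenset({"opList", "opManageRulesOn"})

class RuleWouldDropControl(Exception):
    code = "ERROR_RULE_WOULD_DROP_CONTROL"  # error name from the page

@dataclass(frozen=True)
class Rule:
    group: str        # group the rule is written for
    role: frozenset   # privilege IDs carried by the role
    resource: str     # path the rule is set on
    verb: str         # "PERMIT" or "DENY" (assumed two-verb model)

def covers(rule_path, resource):
    # Assumption: a rule on a folder also applies to its children.
    return resource == rule_path or resource.startswith(rule_path.rstrip("/") + "/")

def effective(rules, groups, resource):
    """Privileges held on `resource` by a member of `groups`; DENY beats PERMIT."""
    permitted, denied = set(), set()
    for r in rules:
        if r.group in groups and covers(r.resource, resource):
            (permitted if r.verb == "PERMIT" else denied).update(r.role)
    return permitted - denied

def apply_change(rules, actor_groups, add=(), remove=()):
    """Return the new rule list, or refuse if the actor would lose control."""
    proposed = [r for r in rules if r not in remove] + list(add)
    for res in sorted({r.resource for r in (*add, *remove)}):
        missing = REQUIRED - effective(proposed, actor_groups, res)
        if missing:
            raise RuleWouldDropControl(f"{res}: would lose {sorted(missing)}")
    return proposed

# Constructed sample rules (group names and paths are hypothetical).
ADMIN_RULE = Rule("Admins", REQUIRED, "/WFC", "PERMIT")
ANALYST_DENY = Rule("Analysts", frozenset({"opList"}), "/WFC/Sales", "DENY")

if __name__ == "__main__":
    print(len(apply_change([ADMIN_RULE], {"Admins"}, add=[ANALYST_DENY])))
    try:
        apply_change([ADMIN_RULE], {"Admins", "Analysts"}, add=[ANALYST_DENY])
    except RuleWouldDropControl as e:
        print(e.code, e)
```

The second call is refused because the acting administrator is also a member of the group being denied, which is the case in which a change written for other users locks out its own author.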

Procedure: How to Create a Role

  1. In the Security Center, click the Roles tab, and then click the New Role button.

    The New Role dialog box appears, as shown in the following image.

    New Role dialog box with the Basic Privilege category expanded.
  2. Type a name in the Name field and a description in the Description field. If the Description field is blank, then the name is used.
  3. If you want to omit any subsystems from this new role, open the Select Subsystems for this Role drop-down list and clear the check box for each subsystem you want to omit. The default selection is All.

    Note: When you create rules for folder resources, this role will only be available for rules that apply to the selected subsystems and their children.

  4. Perform one of the following steps to add privileges to the role:
    1. Select the check box next to an individual privilege.
    2. Select the check box next to a privilege category folder.
    3. Clear the check boxes next to any individual privilege or category that must not be included in the role.
  5. Repeat the previous step as often as necessary.
  6. Click OK.

    The new role appears in the Roles tab list in alphabetical order by name.

Procedure: How to Clone a Role

  1. In the Security Center, click the Roles tab, right-click a role, and select Clone.

    The new role appears below the original role with the extension _copy.

    Note: When you clone a role, the rules associated with the source role are dropped from the cloned role.

Procedure: How to Edit a Role

  1. In the Security Center, click the Roles tab, right-click a role, and then click Edit, or click a role, and then click Edit Role to open the Edit Role dialog box.
  2. To change the name or description, type the new value in the appropriate field.
  3. To change the subsystem, select a new option from the Select Subsystems for this Role drop-down list.
  4. Select the privilege category containing the privileges you wish to modify. If necessary, clear any individual privileges.
  5. Repeat the previous step for each privilege category you wish to update.
  6. Click OK.

Procedure: How to Delete a Role

  1. In the Security Center, on the Roles tab, right-click a role and select Delete, or select the role and click the Delete Role button.
  2. When you receive the Delete all selected items? confirmation message, click Yes.
  3. Click Yes to proceed with the deletion.

    Note: None of the default installed roles can be deleted.

Migration Functionality and User Defined Roles (UDR)

In WebFOCUS 7.x, users are assigned to a specific role and placed in a group or multiple groups. In WebFOCUS 8.x, user abilities are determined by rules based on groups, rather than user roles. The migration process maps WebFOCUS 7.x user roles to WebFOCUS User Default Roles (UDRs), which are implemented through rules associated with the groups and workspaces to which a user has access.

If you are using WebFOCUS 8 in a migrated environment, you can see UDR information by enabling the display of the User Default Role tab in the Security Center. For more information, see the TIBCO WebFOCUS® Migration technical content.

Procedure: How to Display the User Default Role Tab in the Security Center

  1. In the Administration Console, on the Configuration tab, click Other to display the Other settings page.
  2. Select the User Default Roles (Used For Migration) (IBI_ENABLE_UDR) check box, and then click Save.
  3. When you receive the Successfully Saved message, click OK.
  4. Sign out of your current session.
  5. Sign in again as an administrator, and navigate to the Security Center.
  6. In the Security Center, click the New User button, or click an existing user, and then click Edit User.

    The New User or Edit User dialog box opens, with the Default Role tab enabled, as shown in the following image.

    New User dialog box with Default Role tab enabled