In this section: How to: |
In WebFOCUS 7.x, users are assigned a specific role and placed in a group or multiple groups. These groups are assigned to a domain or multiple domains. The effect of this feature is that users created in WebFOCUS 7.x have a single role throughout the entire repository and all the domains to which they have access.
An exception to this feature in WebFOCUS 7.x is when you give a user a Developer role, deselect Developer in all assigned Domains, and select a specific domain or domains in which the user is a Developer. This user is automatically assigned an Analytical User role for all the domains assigned and a Developer role in the specified Developer domains.
In WebFOCUS 8, user abilities are determined by rules based on groups, rather than user roles. The migration process maps WebFOCUS 7.x user roles to WebFOCUS User Default Roles (UDRs), which are implemented through rules associated with the groups and domains to which a user has access. It is important to understand this concept and how it works to effectively support and administer a migrated WebFOCUS 8 environment.
In WebFOCUS 7.x, roles are assigned a base MRFLAG. Usually, there is a single mapping of a role to a base MRFLAG. However, the Power User and Run Only User are based on the Analytical User role and both map to the same base MRFLAG of auser. The Content Manager is based on the Developer role and maps to the domadmin MRFLAG. If a Developer is assigned to administer certain domains, the MRFLAG of dadomains=domainHREF is assigned, and the Developer is considered an Analytical User role in all the other domains to which they are assigned. These Developers could also be selected as Group Administrators, and are then assigned the additional flag of gagroups=#groupHREF.
WebFOCUS 8 User Default Roles map to the base privileges created by the WebFOCUS 7.x role. For example, all Run Only Users and Power Users now migrate to the UDR of WF_Role_AnalyticalUser, with additional privileges either selected or deselected.
WebFOCUS 7.x Role |
WebFOCUS 8 UDR |
---|---|
User |
WF_Role_User |
Run Only User |
WF_Role_AnalyticalUser |
Analytical User |
WF_Role_AnalyticalUser, WF_Privilege_SaveMyContent |
Power User |
WF_Role_AnalyticalUser, WF_Privilege_SaveMyContent, WF_Privilege_Advanced, WF_Privilege_Share |
Developer |
WF_Role_Developer, WF_Privilege_SaveMyContent |
Content Manager |
WF_Role_Developer, WF_Privilege_SaveMyContent, WF_Privilege_DataServer, WF_Privilege_Share, WF_Privilege_Advanced |
Managed Reporting Administrator |
WF_Role_MRAdmin |
Library Only User |
WF_Privilege_Library |
During the migration process, two different types of groups are created in WebFOCUS 8, along with their associated rules:
Rules are created for these groups in the form of:
GROUPn PERMIT UDR on FOLDERx FOLDER_AND_CHILDREN
GROUPn DENY UpdateResource on FOLDERx FOLDER_ONLY
The names, rules, and folders of the migrated privileges are:
Name |
Rules |
Migrated Folder |
---|---|---|
MRAdmin_privilege |
PERMIT SystemUserDefaultRole PERMIT SystemUserDefaultRole PERMIT SystemFullControl |
IBFS:/WFC IBFS:/SSYS IBFS:/EDA |
RCAdmin_privilege |
PERMIT WF_Privilege_RCadmin_utilities PERMIT WF_Privilege_RCadminGroup |
IBFS:/WFC/Repository IBFS:/SSYS/GROUPS |
Schedule_privilege |
PERMIT WF_Privilege_Schedule PERMIT List |
IBFS:/WFC/Repository/ReportCaster IBFS:/WFC/Repository/ReportCaster |
Library_privilege |
PERMIT WF_Privilege_Library PERMIT List |
IBFS:/WFC/Repository/Library_Content IBFS:/WFC/Repository/Library_Content |
DataServer_privilege |
PERMIT SystemFullControl |
IBFS:/EDA |
Note: Rules are created for these groups on the /WFC/Repository.
The built-in UDRs that exist in WebFOCUS 8 are similar to the legacy WebFOCUS 7.x roles and privileges.
Roles
WF_Role_AnalyticalUser
WF_Role_ContentManager (not used for migration)
WF_Role_Developer
WF_Role_MRAdmin
WF_Role_MRGrpAuthMgr
WF_Role_MRNoPrivs
WF_Role_MRSecObjMgr
WF_Role_PowerUser (not used for migration)
WF_Role_RunOnlyUser (not used for migration)
WF_Role_User
Privileges
WF_Privilege_Advanced
WF_Privilege_DataServer
WF_Privilege_Library
WF_Privilege_ParmReport
WF_Privilege_RCadmin_utilities
WF_Privilege_RCadminGroup
WF_Privilege_SaveMyContent
WF_Privilege_Schedule
WF_Privilege_Share
Note:
During the migration process, the following takes place:
The following is an example of the types of rules that are created for the Sales Group to allow access to the Stores and Vendors folder in WebFOCUS 8.
Rules Created for the Sales Group
# |
Group |
Verb |
Role |
Resource |
Apply_To |
---|---|---|---|---|---|
1 |
Sales |
DENY |
UpdateResource |
/WFC/Repository/Stores |
FOLDER_ONLY |
2 |
Sales |
PERMIT |
SystemUserDefaultRole |
/WFC/Repository/Stores |
FOLDER_AND_CHILDREN |
3 |
Sales |
DENY |
UpdateResource |
/WFC/Repository/Vendors |
FOLDER_ONLY |
4 |
Sales |
PERMIT |
SystemUserDefaultRole |
/WFC/Repository/Vendors |
FOLDER_AND_CHILDREN |
This is an example of a WebFOCUS 7.x user given a Developer Role, assigned to the Sales Group, and only allowed to be a Developer in a single Domain.
In WebFOCUS 7.x, the user was:
After migration to WebFOCUS 8, the user is:
These rules are shown below:
Group Rules
# |
Group |
Verb |
Role |
Resource |
Apply_To |
---|---|---|---|---|---|
1 |
Sales |
DENY |
UpdateResource |
/WFC/Repository/Stores |
FOLDER_ONLY |
2 |
Sales |
PERMIT |
SystemUserDefaultRole |
/WFC/Repository/Stores |
FOLDER_AND_CHILDREN |
3 |
Sales |
DENY |
UpdateResource |
/WFC/Repository/Vendors |
FOLDER_ONLY |
4 |
Sales |
PERMIT |
SystemUserDefaultRole |
/WFC/Repository/Vendors |
FOLDER_AND_CHILDREN |
5 |
Sales |
DENY |
UpdateResource |
/WFC/Repository/HR |
FOLDER_ONLY |
6 |
Sales |
PERMIT |
SystemUserDefaultRole |
/WFC/Repository/HR |
FOLDER_AND_CHILDREN |
User Rules
# |
User |
Verb |
Role |
Resource |
Apply_To |
---|---|---|---|---|---|
1 |
User |
PERMIT |
WF_Role_Developer |
/WFC/Repository/Stores |
FOLDER_AND_CHILDREN |
The Administration Console appears
The Security Center appears.
The New User or Edit User dialog box appears, with the Default Role tab enabled, as shown in the following image.
WebFOCUS |