Migration Functionality and User Default Roles (UDR)

In this section:

How to:

In WebFOCUS 7.x, users are assigned a specific role and placed in a group or multiple groups. These groups are assigned to a domain or multiple domains. The effect of this feature is that users created in WebFOCUS 7.x have a single role throughout the entire repository and all the domains to which they have access.

An exception to this feature in WebFOCUS 7.x is when you give a user a Developer role, deselect Developer in all assigned Domains, and select a specific domain or domains in which the user is a Developer. This user is automatically assigned an Analytical User role for all the domains assigned and a Developer role in the specified Developer domains.

In WebFOCUS 8, user abilities are determined by rules based on groups, rather than user roles. The migration process maps WebFOCUS 7.x user roles to WebFOCUS User Default Roles (UDRs), which are implemented through rules associated with the groups and domains to which a user has access. It is important to understand this concept and how it works to effectively support and administer a migrated WebFOCUS 8 environment.

In WebFOCUS 7.x, roles are assigned a base MRFLAG. Usually, there is a single mapping of a role to a base MRFLAG. However, the Power User and Run Only User are based on the Analytical User role and both map to the same base MRFLAG of auser. The Content Manager is based on the Developer role and maps to the domadmin MRFLAG. If a Developer is assigned to administer certain domains, the MRFLAG of dadomains=domainHREF is assigned, and the Developer is considered an Analytical User role in all the other domains to which they are assigned. These Developers could also be selected as Group Administrators, and are then assigned the additional flag of gagroups=#groupHREF.

WebFOCUS 8 User Default Roles map to the base privileges created by the WebFOCUS 7.x role. For example, all Run Only Users and Power Users now migrate to the UDR of WF_Role_AnalyticalUser, with additional privileges either selected or deselected.

WebFOCUS 7.x Role

WebFOCUS 8 UDR

User

WF_Role_User

Run Only User

WF_Role_AnalyticalUser

Analytical User

WF_Role_AnalyticalUser, WF_Privilege_SaveMyContent

Power User

WF_Role_AnalyticalUser, WF_Privilege_SaveMyContent, WF_Privilege_Advanced, WF_Privilege_Share

Developer

WF_Role_Developer, WF_Privilege_SaveMyContent

Content Manager

WF_Role_Developer, WF_Privilege_SaveMyContent, WF_Privilege_DataServer, WF_Privilege_Share, WF_Privilege_Advanced

Managed Reporting Administrator

WF_Role_MRAdmin

Library Only User

WF_Privilege_Library

During the migration process, two different types of groups are created in WebFOCUS 8, along with their associated rules:

The built-in UDRs that exist in WebFOCUS 8 are similar to the legacy WebFOCUS 7.x roles and privileges.

Roles

WF_Role_AnalyticalUser

WF_Role_ContentManager (not used for migration)

WF_Role_Developer

WF_Role_MRAdmin

WF_Role_MRGrpAuthMgr

WF_Role_MRNoPrivs

WF_Role_MRSecObjMgr

WF_Role_PowerUser (not used for migration)

WF_Role_RunOnlyUser (not used for migration)

WF_Role_User

Privileges

WF_Privilege_Advanced

WF_Privilege_DataServer

WF_Privilege_Library

WF_Privilege_ParmReport

WF_Privilege_RCadmin_utilities

WF_Privilege_RCadminGroup

WF_Privilege_SaveMyContent

WF_Privilege_Schedule

WF_Privilege_Share

Note:

During the migration process, the following takes place:

The following is an example of the types of rules that are created for the Sales Group to allow access to the Stores and Vendors folder in WebFOCUS 8.

Rules Created for the Sales Group

#

Group

Verb

Role

Resource

Apply_To

1

Sales

DENY

UpdateResource

/WFC/Repository/Stores

FOLDER_ONLY

2

Sales

PERMIT

SystemUserDefaultRole

/WFC/Repository/Stores

FOLDER_AND_CHILDREN

3

Sales

DENY

UpdateResource

/WFC/Repository/Vendors

FOLDER_ONLY

4

Sales

PERMIT

SystemUserDefaultRole

/WFC/Repository/Vendors

FOLDER_AND_CHILDREN



x
Migrating a Developer in a Single Domain

This is an example of a WebFOCUS 7.x user given a Developer Role, assigned to the Sales Group, and only allowed to be a Developer in a single Domain.

In WebFOCUS 7.x, the user was:

After migration to WebFOCUS 8, the user is:

These rules are shown below:

Group Rules

#

Group

Verb

Role

Resource

Apply_To

1

Sales

DENY

UpdateResource

/WFC/Repository/Stores

FOLDER_ONLY

2

Sales

PERMIT

SystemUserDefaultRole

/WFC/Repository/Stores

FOLDER_AND_CHILDREN

3

Sales

DENY

UpdateResource

/WFC/Repository/Vendors

FOLDER_ONLY

4

Sales

PERMIT

SystemUserDefaultRole

/WFC/Repository/Vendors

FOLDER_AND_CHILDREN

5

Sales

DENY

UpdateResource

/WFC/Repository/HR

FOLDER_ONLY

6

Sales

PERMIT

SystemUserDefaultRole

/WFC/Repository/HR

FOLDER_AND_CHILDREN

User Rules

#

User

Verb

Role

Resource

Apply_To

1

User

PERMIT

WF_Role_Developer

/WFC/Repository/Stores

FOLDER_AND_CHILDREN



x
Procedure: How to Display the User Default Role Tab in the Security Center
  1. Sign in to WebFOCUS 8 as an administrator and select Administration Console from the Administration menu.

    The Administration Console appears

  2. In the navigation pane, expand the Configuration node and then select Other.
  3. Set IBI_Enable_UDR to True, save your changes, and close the Administration Console.
  4. In the Portal, select Security Center from the Administration menu.

    The Security Center appears.

  5. Click the New User button or select an existing user and click Edit User.

    The New User or Edit User dialog box appears, with the Default Role tab enabled, as shown in the following image.

    New User dialog box with Default Role tab enabled


WebFOCUS