File System Security for Managed Reporting

You can optionally enhance the security of Managed Reporting by restricting access to its data and preventing users from accessing Managed Reporting data through the file system. File system access to Managed Reporting data should be avoided because sensitive information can be exposed, production reports can be altered, and Managed Reporting itself can be rendered inoperable.

Managed Reporting maintains most of its files in its repository directory:

/install_directory/ibi/WebFOCUS80/basedir

and uses the following directory for processing:

/install_directory/ibi/WebFOCUS80/temp

During normal operation, these directories should only be accessed by the accounts that run WebFOCUS servlets. Which accounts these are depends on your configuration and varies considerably with your application server and environment. Consult your third-party documentation for more information and review the user ID requirements in User ID Requirements for the WebFOCUS Client.

Your system administrator may assign *RWX data authority to individual users, or use an authorization list to manage authority to the following folder:

/install_directory/ibi/WebFOCUS80/temp

After the installation is completed, the PUBLIC user is given *RW authority to:

/install_directory/ibi/WebFOCUS80/temp

It is recommended that you remove this PUBLIC authority.

Note: You may also want to grant file system access to an administrator group for support and debugging purposes.


Procedure: How to Secure a Managed Reporting Repository

To establish a secure Managed Reporting repository on UNIX, log on as root and perform the following procedure.

  1. Determine which user IDs require access to the Managed Reporting repository. If multiple user IDs are used, ensure all required user IDs belong to a group in which those user IDs are the only members. If you need assistance, contact your UNIX system administrator.
  2. Navigate to the following directory:
    /install_directory/ibi/WebFOCUS80
  3. Set permissions so only the owner and/or group can access the basedir and temp directories.
    • If only one user ID is needed, enter:
      chmod 700 basedir temp
    • If group ownership is needed, enter:
      chmod 770 basedir temp
  4. Set user ownership by typing the following command and pressing Enter:
    chown -R wf_user basedir temp

    where:

    wf_user

    Is the account that should own the directories. This should be the user ID under which the WebFOCUS servlet runs.

  5. If group ownership is needed, set group ownership by typing the following command and pressing Enter:
    chgrp -R wf_admin basedir temp

    where:

    wf_admin

    Is the group containing the user IDs that require access to the repository.
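To confirm the result of the procedure above, the following shell function audits both directories. It is an added example, not part of the WebFOCUS documentation; the function name audit_repo and its finding labels are made up for this illustration, and wf_user and wf_admin are the placeholders from the procedure.

```shell
#!/bin/sh
# Added example: audits the state the procedure above is meant to produce.
# Usage: audit_repo ROOT OWNER [GROUP]
#   ROOT  = the WebFOCUS80 directory containing basedir and temp
#   OWNER = account that should own both trees (wf_user in the procedure)
#   GROUP = group for the chmod 770 case (wf_admin); omit for the chmod 700 case
# Prints one finding per line; returns 0 if clean, 1 otherwise.
audit_repo() {
    root=$1; owner=$2; group=${3:-}
    findings=0
    report() { echo "$1"; findings=$((findings + 1)); }

    for name in basedir temp; do
        dir=$root/$name
        if [ ! -d "$dir" ]; then report "MISSING $dir"; continue; fi

        # chmod 700 and chmod 770 both clear every "other" bit on the directory.
        if [ -n "$(find "$dir" -prune \( -perm -004 -o -perm -002 -o -perm -001 \))" ]; then
            report "OTHER_ACCESS $dir"
        fi

        # chown -R: every entry in the tree should belong to OWNER.
        # A failing find (unknown user, unreadable subtree) is itself a finding.
        if stray=$(find "$dir" ! -user "$owner" 2>/dev/null); then
            [ -z "$stray" ] || report "WRONG_OWNER $dir"
        else
            report "CHECK_FAILED owner $dir"
        fi

        if [ -n "$group" ]; then
            # chgrp -R: every entry in the tree should carry GROUP.
            if stray=$(find "$dir" ! -group "$group" 2>/dev/null); then
                [ -z "$stray" ] || report "WRONG_GROUP $dir"
            else
                report "CHECK_FAILED group $dir"
            fi
        elif [ -n "$(find "$dir" -prune \( -perm -040 -o -perm -020 -o -perm -010 \))" ]; then
            # Single-account case expects mode 700, so group bits must be clear too.
            report "GROUP_ACCESS $dir"
        fi
    done
    [ "$findings" -eq 0 ]
}
```

Run it as root or as the owning account, for example `audit_repo /install_directory/ibi/WebFOCUS80 wf_user wf_admin`, so that find can read the whole tree.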

