How to: |
In WebFOCUS Version 7.x, users are assigned a specific role and placed in a Group or multiple Groups. These Groups are assigned to a Domain or multiple Domains. The effect of this feature is that users created in Version 7.x have a single role throughout the entire repository and all the Domains to which they have access.
One exception to this feature in Version 7.x is when a user is given a Developer Role, deselects Developer in all assigned Domains, and selects a specific Domain or Domains in which to be a Developer. This user is automatically assigned an Analytical User Role for all the Domains assigned, and a Developer Role in the specified Developer Domains.
The mapping of a Version 7.x User Role to Version 8.x is done through the migration process, by implementing a User Default Role, or UDR for each user. Also, additional rules are created, associated with the Groups and Domains to which the user has access. It is important to understand this concept and how it works, to effectively support and administer a migrated WebFOCUS Version 8.x environment.
In Version 7.x, roles are assigned a base MRFLAG. Usually, there is a single mapping of a role, to a base MRFLAG. However, the Power User and Run Only User are based on the Analytical User Role and all map to the same base MRFLAG of auser. The Content Manager is based on the Developer Role and maps to the domadmin MRFLAG. If a Developer is assigned to administer certain Domains, the MRFLAG of dadomains=domainhref is assigned, and the Developer is considered an Analytical User Role, in all the other Domains to which they are assigned. These Developers could also be selected as Group Administrators, and are then assigned the additional flag of gagroups=#grouphref.
During the migration process from Version 7.x to Version 8.x, each user is assigned a User Default Role (UDR), based on the prior user Version 7.x role and optional privileges. These UDRs map to the base privileges created. For example, all Run Only Users and Power Users now migrate to the UDR of WF_Role_AnalyticalUser, with additional privileges either selected or deselected.
7.x Role |
8.x UDR |
---|---|
User |
WF_Role_User |
Run Only User |
WF_Role_AnalyticalUser |
Analytical User |
WF_Role_AnayticalUser, WF_Privilege_SaveMyContent |
Power User |
WF_Role_AnalyticalUser, WF_Privilege_SaveMyContent, WF_Privilege_Advanced, WF_Privilege_Share |
Developer |
WF_Role_Developer, WF_Privilege_SaveMyContent |
Content Manager |
WF_Role_Developer, WF_Privilege_SaveMyContent, WF_Privilege_DataServer, WF_Privilege_Share, WF_Privilege_Advanced |
Managed Reporting Administrator |
WF_Role_MRAdmin |
Library Only User |
WF_Privilege_Library |
During the migration process, two different types of Groups are created with rules associated with them.
Rules are created for these Groups in the form of:
GROUPn PERMIT UDR on FOLDERx FOLDER_AND_CHILDREN
GROUPn DENY UpdateResource on FOLDERx FOLDER_ONLY
The names, rules, and folders of the migrated privileges are:
Name |
Rules |
Migrated Folder |
---|---|---|
MRAdmin_privilege |
PERMIT SystemUserDefaultRole PERMIT SystemUserDefaultRole PERMIT SystemFullControl |
IBFS:/WFC IBFS:/SSYS IBFS:/EDA |
RCAdmin_privilege |
PERMIT WF_Privilege_RCadmin_utilities PERMIT WF_Privilege_RCadminGroup |
IBFS:/WFC/Repository IBFS:/SSYS/GROUPS |
Schedule_privilege |
PERMIT WF_Privilege_Schedule PERMIT List |
IBFS:/WFC/Repository/ReportCaster IBFS:/WFC/Repository/ReportCaster |
Library_privilege |
PERMIT WF_Privilege_Library PERMIT List |
IBFS:/WFC/Repository/Library_Content IBFS:/WFC/Repository/Library_Content |
DataServer_privilege |
PERMIT SystemFullControl |
IBFS:/EDA |
Note: Rules are created for these Groups, for /WFC/Repository.
The built-in UDRs that exist in Version 8.x are similar to the legacy Version 7.x roles and privileges.
Roles
WF_Role_AnalyticalUser
WF_Role_ContentManager (not used for migration)
WF_Role_Developer
WF_Role_MRAdmin
WF_Role_MRGrpAuthMgr
WF_Role_MRNoPrivs
WF_Role_MRSecObjMgr
WF_Role_PowerUser (not used for migration)
WF_Role_RunOnlyUser (not used for migration)
WF_Role_User
Privileges
WF_Privilege_Advanced
WF_Privilege_DataServer
WF_Privilege_Library
WF_Privilege_ParmReport
WF_Privilege_RCadmin_utilities
WF_Privilege_RCadminGroup
WF_Privilege_SaveMyContent
WF_Privilege_Schedule
WF_Privilege_Share
During the migration process, the following takes place:
The following is an example of the types of rules that are created for the Sales Group to allow access to the Stores and Vendors folder in Version 8.x.
Rules Created for the Sales Group
# |
Group |
Verb |
Role |
Resource |
Apply_To |
---|---|---|---|---|---|
1 |
Sales |
DENY |
UpdateResource |
/WFC/Repository/Stores |
FOLDER_ONLY |
2 |
Sales |
PERMIT |
SystemUserDefaultRole |
/WFC/Repository/Stores |
FOLDER_AND_CHILDREN |
3 |
Sales |
DENY |
UpdateResource |
/WFC/Repository/Vendors |
FOLDER_ONLY |
4 |
Sales |
PERMIT |
SystemUserDefaultRole |
/WFC/Repository/Vendors |
FOLDER_AND_CHILDREN |
This is an example of a Version 7.x user given a Developer Role, assigned to the Sales Group, and only allowed to be a Developer in a single Domain.
In Version 7.x, the user was:
After migration to Version 8.x, the user is:
These rules are shown below:
Group Rules
# |
Group |
Verb |
Role |
Resource |
Apply_To |
---|---|---|---|---|---|
1 |
Sales |
DENY |
UpdateResource |
/WFC/Repository/Stores |
FOLDER_ONLY |
2 |
Sales |
PERMIT |
SystemUserDefaultRole |
/WFC/Repository/Stores |
FOLDER_AND_CHILDREN |
3 |
Sales |
DENY |
UpdateResource |
/WFC/Repository/Vendors |
FOLDER_ONLY |
4 |
Sales |
PERMIT |
SystemUserDefaultRole |
/WFC/Repository/Vendors |
FOLDER_AND_CHILDREN |
5 |
Sales |
DENY |
UpdateResource |
/WFC/Repository/HR |
FOLDER_ONLY |
6 |
Sales |
PERMIT |
SystemUserDefaultRole |
/WFC/Repository/HR |
FOLDER_AND_CHILDREN |
User Rules
# |
User |
Verb |
Role |
Resource |
Apply_To |
---|---|---|---|---|---|
1 |
User |
PERMIT |
WF_Role_Developer |
/WFC/Repository/Stores |
FOLDER_AND_CHILDREN |
After migrating an environment, you can enable the display of the User Default Role tab from the Administration Console.
The Administration Console opens.
The Application Settings - Other page opens, as shown in the following image.
When you create a new user, the Default Role tab, which displays Roles, will be enabled, as shown in the following image.
The Default Role tab will also be available when you edit a user.
WebFOCUS |