Migration Functionality and User Default Roles (UDR)

How to:

In WebFOCUS 7.x, users are assigned a specific role and placed in a Group or multiple Groups. These Groups are assigned to a Domain or multiple Domains. The effect of this feature is that users created in WebFOCUS 7.x have a single role throughout the entire repository and all the Domains to which they have access.

One exception to this feature in WebFOCUS 7.x is when a user is given a Developer Role, deselects Developer in all assigned Domains, and selects a specific Domain or Domains in which to be a Developer. This user is automatically assigned an Analytical User Role for all the Domains assigned, and a Developer Role in the specified Developer Domains.

The mapping of a WebFOCUS 7.x User Role to WebFOCUS 8 is done through the migration process, by implementing a User Default Role, or UDR for each user. Also, additional rules are created, associated with the Groups and Domains to which the user has access. It is important to understand this concept and how it works, to effectively support and administer a migrated WebFOCUS 8 environment.

In WebFOCUS 7.x, roles are assigned a base MRFLAG. Usually, there is a single mapping of a role, to a base MRFLAG. However, the Power User and Run Only User are based on the Analytical User Role and all map to the same base MRFLAG of auser. The Content Manager is based on the Developer Role and maps to the domadmin MRFLAG. If a Developer is assigned to administer certain Domains, the MRFLAG of dadomains=domainhref is assigned, and the Developer is considered an Analytical User Role, in all the other Domains to which they are assigned. These Developers could also be selected as Group Administrators, and are then assigned the additional flag of gagroups=#grouphref.

During the migration process from WebFOCUS 7.x to WebFOCUS 8, each user is assigned a User Default Role (UDR), based on the prior user WebFOCUS 7.x role and optional privileges. These UDRs map to the base privileges created. For example, all Run Only Users and Power Users now migrate to the UDR of WF_Role_AnalyticalUser, with additional privileges either selected or deselected.

WebFOCUS 7.x Role

WebFOCUS 8 UDR

User

WF_Role_User

Run Only User

WF_Role_AnalyticalUser

Analytical User

WF_Role_AnayticalUser, WF_Privilege_SaveMyContent

Power User

WF_Role_AnalyticalUser, WF_Privilege_SaveMyContent, WF_Privilege_Advanced, WF_Privilege_Share

Developer

WF_Role_Developer, WF_Privilege_SaveMyContent

Content Manager

WF_Role_Developer, WF_Privilege_SaveMyContent, WF_Privilege_DataServer, WF_Privilege_Share, WF_Privilege_Advanced

Managed Reporting Administrator

WF_Role_MRAdmin

Library Only User

WF_Privilege_Library

During the migration process, two different types of Groups are created with rules associated with them.

Name

Rules

Migrated Folder

MRAdmin_privilege

PERMIT SystemUserDefaultRole

PERMIT SystemUserDefaultRole

PERMIT SystemFullControl

IBFS:/WFC

IBFS:/SSYS

IBFS:/EDA

RCAdmin_privilege

PERMIT WF_Privilege_RCadmin_utilities

PERMIT WF_Privilege_RCadminGroup

IBFS:/WFC/Repository

IBFS:/SSYS/GROUPS

Schedule_privilege

PERMIT WF_Privilege_Schedule

PERMIT List

IBFS:/WFC/Repository/ReportCaster

IBFS:/WFC/Repository/ReportCaster

Library_privilege

PERMIT WF_Privilege_Library

PERMIT List

IBFS:/WFC/Repository/Library_Content

IBFS:/WFC/Repository/Library_Content

DataServer_privilege

PERMIT SystemFullControl

IBFS:/EDA

Note: Rules are created for these Groups, for /WFC/Repository.

The built-in UDRs that exist in WebFOCUS 8 are similar to the legacy WebFOCUS 7.x roles and privileges.

Roles

WF_Role_AnalyticalUser

WF_Role_ContentManager (not used for migration)

WF_Role_Developer

WF_Role_MRAdmin

WF_Role_MRGrpAuthMgr

WF_Role_MRNoPrivs

WF_Role_MRSecObjMgr

WF_Role_PowerUser (not used for migration)

WF_Role_RunOnlyUser (not used for migration)

WF_Role_User

Privileges

WF_Privilege_Advanced

WF_Privilege_DataServer

WF_Privilege_Library

WF_Privilege_ParmReport

WF_Privilege_RCadmin_utilities

WF_Privilege_RCadminGroup

WF_Privilege_SaveMyContent

WF_Privilege_Schedule

WF_Privilege_Share

During the migration process, the following takes place:

The following is an example of the types of rules that are created for the Sales Group to allow access to the Stores and Vendors folder in WebFOCUS 8.

Rules Created for the Sales Group

#

Group

Verb

Role

Resource

Apply_To

1

Sales

DENY

UpdateResource

/WFC/Repository/Stores

FOLDER_ONLY

2

Sales

PERMIT

SystemUserDefaultRole

/WFC/Repository/Stores

FOLDER_AND_CHILDREN

3

Sales

DENY

UpdateResource

/WFC/Repository/Vendors

FOLDER_ONLY

4

Sales

PERMIT

SystemUserDefaultRole

/WFC/Repository/Vendors

FOLDER_AND_CHILDREN

This is an example of a WebFOCUS 7.x user given a Developer Role, assigned to the Sales Group, and only allowed to be a Developer in a single Domain.

In WebFOCUS 7.x, the user was:

After migration to WebFOCUS 8, the user is:

These rules are shown below:

Group Rules

#

Group

Verb

Role

Resource

Apply_To

1

Sales

DENY

UpdateResource

/WFC/Repository/Stores

FOLDER_ONLY

2

Sales

PERMIT

SystemUserDefaultRole

/WFC/Repository/Stores

FOLDER_AND_CHILDREN

3

Sales

DENY

UpdateResource

/WFC/Repository/Vendors

FOLDER_ONLY

4

Sales

PERMIT

SystemUserDefaultRole

/WFC/Repository/Vendors

FOLDER_AND_CHILDREN

5

Sales

DENY

UpdateResource

/WFC/Repository/HR

FOLDER_ONLY

6

Sales

PERMIT

SystemUserDefaultRole

/WFC/Repository/HR

FOLDER_AND_CHILDREN

User Rules

#

User

Verb

Role

Resource

Apply_To

1

User

PERMIT

WF_Role_Developer

/WFC/Repository/Stores

FOLDER_AND_CHILDREN



x
Procedure: How to Enable Display of the User Default Role Tab

After migrating an environment, you can enable the display of the User Default Role tab from the Administration Console.

  1. From the menu bar, select Administration, and then Administration Console.

    The Administration Console opens.

  2. Select Configuration, and then Other under Application Settings.

    The Application Settings - Other page opens, as shown in the following image.

  3. Select the TRUE radio button for the IBI_Enable_UDR parameter.
  4. Click Save.

When you create a new user, the Default Role tab, which displays Roles, will be enabled, as shown in the following image.

The Default Role tab will also be available when you edit a user.


WebFOCUS