WebFOCUS Version 8 addresses the security limitations of WebFOCUS Version 7. For more information about the benefits of the new security model, see the WebFOCUS Security and Administration documentation.

For reference purposes, the following examples are included:

• In WebFOCUS Version 7, if a user had the Schedule capability, then this capability was applicable for all domains that the user had access. The only exception to this was for MR developers. In WebFOCUS Version 7, a MR developer could optionally have their development rights dropped for one or more domains. In this case, a MR developer was an analytical user for those domains. This was a popular feature in WebFOCUS Version 7, and was the impetus for realizing that a more flexible security model was required.
• In WebFOCUS Version 7, if users from different tenant organizations have access to a common domain and were able to use InfoAssist, then they could create and store reports in the My Content folder of this common domain. If the users were allowed to share reports, then they could share these reports and users from other tenant organizations would be able to see each other. This was an issue for SaaS providers. This led to an even larger issue where a SaaS provider would copy common reports required by all users into every tenant domain of the user. As a result, if you had to deploy a new common report or change an existing report, you had to go to every single tenant domain to make this change.

  In WebFOCUS Version 8, the resource templates create a rule on the parent group for the domain governing that domain users can share with domain users. This new capability of the security model allows SaaS providers to use a common domain before reports that all users need to view. As a result, SaaS providers can still allow users to have a My Content folder in this common domain and share reports from this folder without the issues that were present in WebFOCUS Version 7.

• Resource templates have the group administrator subgroup. These users can create simple rules onto the domain folder. For example, these users can create a rule, which specifies that their basic users are denied access to a subfolder under the domain (for example, where management reports are stored). Fine-tuning the excess policy under a domain was not possible in WebFOCUS Version 7. However, in WebFOCUS Version 8, this fine-tuning can be delegated to domain group administrators, which are created by the template.

Modernizing security on migrated domains consists of the following steps. Two new folders called ReportCaster and Library Content are created after the migration. These should not be modernized since they are specific to ReportCaster. The migrated rules on these two folders are limited to scheduling and library privileges. If you do want to modernize later on, Information Builders can work with you to provide additional guidelines.

• Enabling User Default Roles (UDRs).
• Create the WebFOCUS Version 8 security authorization framework.
• Enabling the Legacy Privileges to the New Roles Created By the Resource Templates.
• Disabling the SystemDefaultUserRole.
• Assigning Users to the New Resource Template Groups.
• Validating the Modernization Security.

1. Enable User Default Roles (UDRs).

   After migration to WebFOCUS Version 8, the user role in WebFOCUS Version 7 is mapped in WebFOCUS Version 8 to what is referred to as a SystemDefaultUserRole. The SystemDefaultUserRole is a collection of one or more UDRs. To view a UDR for a user, you first have to enable it from the WebFOCUS Administration Console. When it is enabled, a user with privileges to access the Security Center can manage the UDR for a user. The WebFOCUS Migration manual has information on how to enable the UDR from the WebFOCUS Administration Console.

2. Create the WebFOCUS Version 8 security authorization framework.

   This step uses the Resource Templates to create the WebFOCUS Version 8 security authorization framework. When you run the Resource Templates, you have to provide a name and description. For more information on Resource Templates, see the WebFOCUS Security and Administration manual.

   1. Right-click the migrated folder.

      Note the Name property value, as shown in the following image.

      

      This value will be used as input for the Resource Templates. You must specify the Name property value exactly as it is displayed.

   2. Right-click the Content node on the Resources tree and select New, as shown in the following image.

      

      You can choose any of the Resource Templates packaged with WebFOCUS Version 8, but this document uses the Enterprise Domain Template in all examples.

   3. Enter the name of the Resource Template using the name property value from step 3b and click OK.
      • A new folder is created and given a name that matches the name you entered and a title that matches the description entered. The following two subfolders are also created under the new folder.
        • My Content
        • Hidden Content
      • A BI Portal is created with a name that matches the name entered and a title that matches the description entered.
      • A top-level group is created with the name you entered and a description that matches the description entered.
      • A standard set of four subgroups are created with standard names and standard descriptions.
      • A standard set of roles are created with standard names and standard descriptions.
      • A standard set of security rules are created to control access to the new folder.

      Since the migrated folder already exists with this name, the Resource Template will continue to create the top-level groups, subgroups, and security rules. You want the security rules to be created on the migrated folder resource, so you must enter the name of the migrated folder. If you enter a different name, then a new folder will be created, defeating the goal of modernizing security on migrated content.

      

3. Enable the Legacy Privileges to the New Roles Created By the Resource Templates.

   Legacy Privileges are used for features like the Business Intelligence Dashboard and the ReportCaster Back to Managed Reporting distribution method. The Resource Templates do not enable the legacy privileges, by default. If you plan to use Business Intelligence Dashboards from WebFOCUS Version 7, then you need to enable them as part of the modernization process to consolidate privileges within the new roles created by the Resource Templates. The goal is to minimize the use of the UDRs, where possible. There are three legacy privileges:

   • Access Dashboards. This is considered legacy because it is replaced by the Business Intelligence Portal. You may want to consider this as part of the modernization, recreating the Business Intelligence Dashboards with Business Intelligence Portals.
   • Distribute to Managed Reporting. This is considered legacy because in WebFOCUS Version 8, all ReportCaster content is stored in the Resources tree. You should review this to see if this is still a capability that you need.
   • InfoAssist Personal. This is considered legacy because it is replaced by InfoAssist Basic.

     

     As you modernize more and more of your migrated content, you will have less of a need for legacy features. Eventually, you will be able to cleanse the migrated content and security authorization information to the degree where you can delete all or most of it.

4. Disable the SystemDefaultUserRole.

   After the migration, security rules are created on each migrated folder using the user SystemDefaultUserRole.

   For each migrated folder to be modernized for security, you will need to disable the SystemUserDefaultRole. By disabling the SystemDefaultUserRole UDRs for migrated folders, you will be able to determine how the security granularity of WebFOCUS Version 8 can meet your needs. The goal is to replace the privileges served by the UDRs with those of the new Resource Template roles, by assigning the users to the new Resource Template groups created by the Resource Templates.

   When you disable the SystemDefaultUserRole, the migrated security rules on the migrated folder will no longer be in effect. Once they have been reassigned to the new group created by the Resource Templates, you will be able to see what access users now have to migrated content with the new roles created by the Resource Templates. You can now modernize the migrated security rules according to your requirements.

5. Assign Users to the New Resource Template Groups.

   Assign users to the new groups created by the Resource Templates. Do not remove the user from migrated groups as yet, since there are dependencies with:

   • ReportCaster
   • Group Blackout Dates
   • Distribution Lists
   • Access Lists
   • Library Content
   • ReportCaster Schedules
   • Business Intelligence Dashboard Group and Personal Views

   You will be able to phase out the migrated security information after you have decided how you want to handle these dependencies.

6. Validate the Modernization Process.

   Once you have a clear understanding of your security requirements, you can reassign all users to the new groups created by the Resource Templates to test the security modernization.