User Management SpagoBI 3

Davide Zerbetto
2012/02/13 11:37

spagobi_server - User Management SpagoBI 3

Page 2 - last modified by Davide Zerbetto on 2012/02/13 11:37

Users management SpagoBI 3

1 ISecurityInfoProvider
2 ISecurityServiceSupplier
3 How to configure these connectors
4 The Role management
5 Connectors
5.1 Internal Connector (default)
5.2 LDAP based
5.3 eXo
5.4 liferay
5.5 Role based access rights
6 Change Password module
6.1 Rules

In SpagoBI 3.0 you can manage users directly inside the DBMS (it uses an InternalConnector), while earlier versions stored only role information to allow the administrator to set up the behavioural model. To retrieve this information SpagoBI uses 2 connectors to read:
Role and attribute names.
User profile in session.

1 ISecurityInfoProvider
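This interface retrieves all roles and user attributes.

import java.util.List;

public interface ISecurityInfoProvider {

    // All roles defined in the external system, not only those of one user
    public List getRoles();

    // Names of all user profile attributes
    public List getAllProfileAttributesNames();

}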

SpagoBI invokes these methods to read the roles and user attributes from the external system. The role names and descriptions are inserted into the SBI_EXT_ROLES table. The user attributes are displayed when the administrator displays the attributes list. It's important to know that all the roles are handled by SpagoBI, not only the roles of a specific user. The roles are filtered with a regular expression stored in the SPAGOBI.SECURITY.ROLE-NAME-PATTERN-FILTER configuration property (you can change it using the function Tools->Manage Configuration).

2 ISecurityServiceSupplier
SpagoBI invokes these methods at the user login in order to read the user information: roles and attributes. The roles and
attributes are specifically related to the users. The checkAuthentication and checkAuthenticationWithToken methods are
used if SSO is disabled.

public interface ISecurityServiceSupplier {

    SpagoBIUserProfile createUserProfile(String userId);

    SpagoBIUserProfile checkAuthentication(String userId, String psw);

    SpagoBIUserProfile checkAuthenticationWithToken(String userId, String token);

}

3 How to configure these connectors

You can set up these connectors by changing some properties (you can change them using the function Tools->Manage Configuration), for example:
SPAGOBI.SECURITY.PORTAL-SECURITYCLASS.className=it.eng.spagobi.security.InternalSecurityInfoProviderImpl
SPAGOBI.SECURITY.USER-PROFILE-FACTORYCLASS.className=it.eng.spagobi.security.InternalSecurityServiceSupplierImpl
SPAGOBI.SECURITY.PORTAL-SECURITY-INITCLASS.className=it.eng.spagobi.security.init.InternalSecurityInitializer
You can configure the default mapping used to assign the default type to the imported roles.

SPAGOBI.SECURITY.ROLE-TYPE-PATTERNS.DEV_ROLE-PATTERN=/spagobi/dev
SPAGOBI.SECURITY.ROLE-TYPE-PATTERNS.TEST_ROLE-PATTERN=/spagobi/test
SPAGOBI.SECURITY.ROLE-TYPE-PATTERNS.MODEL_ADMIN-PATTERN=/spagobi/modeladmin
SPAGOBI.SECURITY.ROLE-TYPE-PATTERNS.ADMIN-PATTERN=/spagobi/dev

In SpagoBI each role has a TYPE, and the role type is used to authorize functionality. The role types are:

ADMIN: SpagoBI administrator
MODEL_ADMIN: Behavioural model administrator
DEV_ROLE: developer
TEST_ROLE: tester
USER: the final user

The ROLE-TYPE-PATTERNS setting is useful for setting the default type of a new role. The administrator is able to change it with the graphical user interface.
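
The default typing described above, as an added Python example that is not part of the original page or of SpagoBI's code: it applies the sample ROLE-TYPE-PATTERNS values to constructed role names and flags names whose default type is ambiguous or administrative, so they can be reviewed in the roles GUI after synchronization. Full-match regex semantics, the USER fallback for unmatched roles and the name_filter value are assumptions.

```python
import re

# Values copied from the sample ROLE-TYPE-PATTERNS properties on this page.
ROLE_TYPE_PATTERNS = {
    "DEV_ROLE": "/spagobi/dev",
    "TEST_ROLE": "/spagobi/test",
    "MODEL_ADMIN": "/spagobi/modeladmin",
    "ADMIN": "/spagobi/dev",
}
PRIVILEGED_TYPES = {"ADMIN", "MODEL_ADMIN"}


def matching_types(role_name, patterns=ROLE_TYPE_PATTERNS):
    """Role types whose pattern matches the whole role name (assumed semantics)."""
    return sorted(t for t, p in patterns.items() if re.fullmatch(p, role_name))


def review_imported_roles(role_names, name_filter=".*", patterns=ROLE_TYPE_PATTERNS):
    """Map each role that passes the name filter to (candidate types, needs_review)."""
    report = {}
    for name in role_names:
        if not re.fullmatch(name_filter, name):
            continue  # rejected by the role-name filter, so never imported
        # Assumption: a role matching no pattern defaults to USER.
        types = matching_types(name, patterns) or ["USER"]
        # Review when the default is ambiguous or grants an administrative type.
        needs_review = len(types) > 1 or bool(PRIVILEGED_TYPES & set(types))
        report[name] = (types, needs_review)
    return report


if __name__ == "__main__":
    # Constructed role names and filter value.
    roles = ["/spagobi/dev", "/spagobi/test", "/spagobi/user", "/portal/guest"]
    for name, result in review_imported_roles(roles, "/spagobi/.*").items():
        print(name, result)
```

With the sample values, /spagobi/dev matches both the DEV_ROLE and the ADMIN pattern; the page does not say which one SpagoBI applies.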

4 The Role management


There is a GUI (Profile Management -> roles management) where the administrator is able to:
Start the synchronization of roles
Change the Role Type
Assign some features to display

5 Connectors
If you have to write a new connector you must implement the Java interfaces described above, create a JAR with the implementation classes and configure these properties:
SPAGOBI.SECURITY.PORTAL-SECURITYCLASS.className=it.eng.spagobi.security.InternalSecurityInfoProviderImpl
SPAGOBI.SECURITY.USER-PROFILE-FACTORYCLASS.className=it.eng.spagobi.security.InternalSecurityServiceSupplierImpl
SPAGOBI.SECURITY.PORTAL-SECURITY-INITCLASS.className=it.eng.spagobi.security.init.InternalSecurityInitializer
SpagoBI includes these connectors:

5.1 Internal Connector (default)

If you want to use internal users (defined in the SpagoBI metadata DB):

SPAGOBI.SECURITY.PORTAL-SECURITYCLASS.className=it.eng.spagobi.security.InternalSecurityInfoProviderImpl
SPAGOBI.SECURITY.USER-PROFILE-FACTORYCLASS.className=it.eng.spagobi.security.InternalSecurityServiceSupplierImpl
SPAGOBI.SECURITY.PORTAL-SECURITY-INITCLASS.className=it.eng.spagobi.security.init.InternalSecurityInitializer

5.2 LDAP based


If you want to use LDAP:
SPAGOBI.SECURITY.PORTAL-SECURITY-CLASS.className=it.eng.spagobi.security.LdapSecurityProviderImpl
SPAGOBI.SECURITY.USER-PROFILE-FACTORYCLASS.className=it.eng.spagobi.security.LdapUserProfileFactoryImpl
SPAGOBI.SECURITY.PORTAL-SECURITY-INITCLASS.className=it.eng.spagobi.security.init.LdapSecurityProviderInit
This connector uses the ldap.jar library and ldap_authorizations.xml to configure the connection and some specific parameters.
You MUST set up how the connector retrieves information from LDAP in ldap_authorizations.xml:
<?xml version="1.0" encoding="ISO-8859-1"?>
<LDAP_AUTHORIZATIONS default="FALSE">
    <CONFIG>
        <USER_DN>cn=*,ou=People,dc=spagobi,dc=com</USER_DN>
        <ADMIN_USER>cn=Manager,dc=spagobi,dc=com</ADMIN_USER>
        <ADMIN_PSW>6ddbcdd70d086e75bdc121b16bd23f03</ADMIN_PSW>
        <ATTRIBUTES_ID name="nome">description</ATTRIBUTES_ID>
        <ATTRIBUTES_ID name="cognome">sn</ATTRIBUTES_ID>
        <ATTRIBUTES_ID name="userId">cn</ATTRIBUTES_ID>
        <HOST>localhost</HOST>
        <PORT>389</PORT>
        <OBJECTCLASS>person</OBJECTCLASS>
        <SEARCH_ROOT>ou=People,dc=spagobi,dc=com</SEARCH_ROOT>
        <OU_ATTRIBUTE>ou</OU_ATTRIBUTE>
        <SEARCH_ROOT_GROUP>ou=Group,dc=spagobi,dc=com</SEARCH_ROOT_GROUP>
        <OBJECTCLASS_GROUP>organizationalUnit</OBJECTCLASS_GROUP>
        <ATTRIBUTES_ID_GROUP>description</ATTRIBUTES_ID_GROUP>
        <ATTRIBUTES_ID_GROUP>OU</ATTRIBUTES_ID_GROUP>
    </CONFIG>
</LDAP_AUTHORIZATIONS>

By default this connector expects the spagobi.ldif schema. If you have your own LDAP schema, check ldap_authorizations.xml and configure it accordingly. The ADMIN_PSW value must be encrypted: in order to do this, open a DOS/UNIX shell and type
cd <your Tomcat home>/webapps/SpagoBI/WEB-INF/lib

and then
java -cp commons-codec-1.3.jar;spago-core-2.2.0.jar it.eng.spago.security.DefaultCipher encrypt <your password>

on Windows systems and


java -cp commons-codec-1.3.jar:spago-core-2.2.0.jar it.eng.spago.security.DefaultCipher encrypt <your password>

on UNIX/Linux systems.
For example: "secret" == 6ddbcdd70d086e75bdc121b16bd23f03.
Note: check that sbi.security.ldap-2.1.0.jar is present in /SpagoBI/WEB-INF/lib
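
A pre-deployment check for the file described above, as an added Python example that is not part of the original page or of SpagoBI: it flags an ADMIN_PSW that is still the value this page publishes for "secret", an ADMIN_PSW that does not look like cipher output, the directory Manager DN used as the bind account, and port 389 towards a remote host. The finding names are hypothetical, and treating cipher output as an even-length hex string is an assumption based on the page's sample.

```python
import re
import xml.etree.ElementTree as ET

# Value this page publishes as the encrypted form of "secret".
DOCUMENTED_SAMPLE_PSW = "6ddbcdd70d086e75bdc121b16bd23f03"

# Constructed input: the page's sample file, trimmed to the fields checked below.
SAMPLE_XML = """<LDAP_AUTHORIZATIONS default="FALSE">
  <CONFIG>
    <USER_DN>cn=*,ou=People,dc=spagobi,dc=com</USER_DN>
    <ADMIN_USER>cn=Manager,dc=spagobi,dc=com</ADMIN_USER>
    <ADMIN_PSW>6ddbcdd70d086e75bdc121b16bd23f03</ADMIN_PSW>
    <HOST>localhost</HOST>
    <PORT>389</PORT>
  </CONFIG>
</LDAP_AUTHORIZATIONS>"""


def audit_ldap_config(xml_text):
    """Return sorted finding codes (hypothetical names) for one config document."""
    cfg = ET.fromstring(xml_text).find("CONFIG")
    if cfg is None:
        return ["config-element-missing"]

    def value(tag):
        return (cfg.findtext(tag) or "").strip()

    findings = []
    psw = value("ADMIN_PSW")
    if not psw:
        findings.append("admin-psw-missing")
    elif psw.lower() == DOCUMENTED_SAMPLE_PSW:
        findings.append("admin-psw-is-documented-sample")
    elif len(psw) % 2 or not re.fullmatch(r"[0-9a-fA-F]+", psw):
        # Assumption: DefaultCipher output is an even-length hex string, as in the sample.
        findings.append("admin-psw-not-cipher-output")
    if value("ADMIN_USER").lower().startswith("cn=manager,"):
        findings.append("bind-dn-is-directory-manager")
    if value("PORT") == "389" and value("HOST") not in ("localhost", "127.0.0.1", "::1"):
        findings.append("plain-ldap-port-to-remote-host")
    return sorted(findings)


if __name__ == "__main__":
    print(audit_ldap_config(SAMPLE_XML))
```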


5.3 eXo
If you install SpagoBI in eXo you must configure:
SPAGOBI.SECURITY.PORTAL-SECURITY-CLASS.className=it.eng.spagobi.security.ExoSecurityProviderImpl
SPAGOBI.SECURITY.USER-PROFILE-FACTORYCLASS.className=it.eng.spagobi.security.ExoUserProfileImpl
SPAGOBI.SECURITY.PORTAL-SECURITY-INITCLASS.className=it.eng.spagobi.security.init.ExoPortalSecurityProviderInit
Note: check if the sbi.security.exo-. ..jar* is present in /SpagoBI/WEB-INF/lib

5.4 liferay
to do...

5.5 Role based access rights


Every SpagoBI function checks whether the user is allowed to execute it; this check is performed by the Spago Application Framework. At login, SpagoBI inserts all the functionalities into the user profile and uses it to check authorization. Each SpagoBI role has some functionalities; the administrator can configure this association in the SpagoBI metadata DB.

6 Change Password module


It is possible to change the user password (also when using a CAS environment). This is useful when you use the Internal Connector of SpagoBI.
You should then see a new link in the login page:

When you click on this link, a change password page is opened:

With this module it is possible to add several controls on the new password and on the time when it is necessary to change it. SpagoBI has a new table holding all these rules (SBI_CONFIG), where all the rules that SpagoBI manages are inserted. Note that the administrator is excluded from these controls.

6.1 Rules
The rules available today are:
len_min: defines a minimum length; it can be used to check the minimum length of the password when the user changes it.
special_char: defines a set of special characters. If it is active, the system checks that at least one of them is present in the new password.
upper_char: checks that at least one character is in upper case.
lower_char: checks that at least one character is in lower case.
number: checks that at least one character is a number.
alphabetical: checks that at least one character is a letter.
change_first: when this rule is active, the system forces a password change at the first login.
disactivation_time: defines a number of months after which the password becomes disabled (if unused).
expired_time: defines a number of days after which a password change is necessary.
If you want to apply some of these rules, set the corresponding ACTIVE value to true (1) in the SBI_CONFIG table (apart from the individual configurations).
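
The password controls listed above, as an added Python example that is not SpagoBI's own code: it evaluates a candidate password and a password age against a rule set, which shows what a given configuration actually accepts. The SAMPLE_RULES layout and its values are a constructed stand-in for the SBI_CONFIG rows, and counting expired_time in whole days from the last change is an assumption.

```python
from datetime import date, timedelta

# Constructed stand-in for SBI_CONFIG: rule name -> (ACTIVE flag, value).
SAMPLE_RULES = {
    "len_min": (1, "8"),
    "special_char": (1, "_|-#$"),
    "upper_char": (1, None),
    "lower_char": (1, None),
    "number": (1, None),
    "alphabetical": (0, None),  # present but not active
    "expired_time": (1, "90"),
}


def check_new_password(password, rules, is_admin=False):
    """Return the names of the active rules that the new password violates."""
    if is_admin:  # the page states the administrator is excluded from these controls
        return []
    tests = {
        "len_min": lambda v: len(password) >= int(v),
        "special_char": lambda v: any(c in v for c in password),
        "upper_char": lambda v: any(c.isupper() for c in password),
        "lower_char": lambda v: any(c.islower() for c in password),
        "number": lambda v: any(c.isdigit() for c in password),
        "alphabetical": lambda v: any(c.isalpha() for c in password),
    }
    return [name for name, test in tests.items()
            if rules.get(name, (0, None))[0] == 1 and not test(rules[name][1])]


def must_change(last_change, today, rules, is_admin=False):
    """True when expired_time is active and that many days have passed."""
    active, days = rules.get("expired_time", (0, None))
    if is_admin or active != 1:
        return False
    return today - last_change >= timedelta(days=int(days))


if __name__ == "__main__":
    print(check_new_password("abc", SAMPLE_RULES))
    print(must_change(date(2012, 1, 1), date(2012, 3, 31), SAMPLE_RULES))
```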
