User Management

This section describes user management in SpagoBI 3 or later. Earlier versions only store role information for the purpose of setting up the behavioral model.

1 Role-based access

The SpagoBI behavioural model is based on users, roles and attributes. A user can have more than one role; roles determine visibility over analytical documents and the behaviour of analytical drivers. User attributes are a key-value map of descriptive features (for example: sales region for a sales manager user, department within the company, ...) related to users: they can be used to define visibility over the data (different users being able to analyze different portions of the data using the same analytical document).

Each role has a TYPE, which determines the type of permissions associated to each user with that role. Role types are:

  • ADMIN: SpagoBI administrator
  • MODEL_ADMIN: Behavioural model administrator
  • DEV_ROLE: developer
  • TEST_ROLE: tester
  • USER: the final user

Whenever a new role is created or imported, the Role-Type-Patterns (defined by the admin user in Tools --> Configuration --> SPAGOBI.SECURITY.ROLE-TYPE-PATTERNS.ADMIN-PATTERN and other configurations) are used to associate a default type to the new role.

At login, SpagoBI retrieves all permissions (functionalities) associated to the role of the current user and uses this information during the session to check whether the user is allowed to perform an action.

1.1 Role Management GUI

The administrator can manage users and roles via a graphical user interface, accessible via Profile Management -> Roles management. In particular, the following operations are available:

  • start the synchronization of roles;
  • change the role type;
  • enable functionalities to roles.

2 Connectors

Connectors are Java classes that are in charge of retrieving information about users, roles and attributes, according to well-defined interfaces. The default connector is called "InternalConnector", since it was developed to manage the SpagoBI internal users repository (starting from SpagoBI 3.x).
You are not obliged to use the SpagoBI internal repository: you can use your own users repository (LDAP, database, identity manager system, ...), but you need to develop a valid connector for that repository to retrieve information about:

  • all role and attribute names;
  • the logged-in user (roles and attributes), given the user identifier.

2.1 ISecurityInfoProvider

This interface retrieves all roles and user attributes that must be considered by SpagoBI.

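public interface ISecurityInfoProvider {

	// All roles that must be considered by SpagoBI
	public List getRoles();

	// Names of all user profile attributes that must be considered by SpagoBI
	public List getAllProfileAttributesNames();

}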

SpagoBI invokes these methods to retrieve the user roles and attributes from the external system, for all tenants. Role names and descriptions are inserted in the SBI_EXT_ROLES table. User attributes are displayed when the administrator displays the attributes list. Note that the Java class implementing this interface has to retrieve all the roles and all the attributes that must be considered by SpagoBI, not only the roles defined for a specific user or the roles belonging to a particular tenant.
Roles can be filtered with a regular expression stored in the SPAGOBI.SECURITY.ROLE-NAME-PATTERN-FILTER configuration property (you can change this setting via Tools->Manage Configuration).
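
The role name filter described here and the Role-Type-Patterns from section 1 together decide which external roles are imported and which type each one gets by default. The following is an added example, not SpagoBI code, of a review script that reports which roles would receive an administrative type. Assumptions: the pattern values and role names are constructed, type patterns are treated as regular expressions matched against the whole role name in the order listed, and unmatched roles default to USER.

```python
import re

# Role types come from the page; the regex values are constructed for this example.
# Assumed semantics: whole-name match, first matching type wins, default USER.
TYPE_PATTERNS = [
    ("ADMIN",       r".*admin.*"),
    ("MODEL_ADMIN", r".*model.*"),
    ("DEV_ROLE",    r".*dev.*"),
    ("TEST_ROLE",   r".*test.*"),
]
NAME_FILTER = r"/spagobi/.*"   # stand-in value for ROLE-NAME-PATTERN-FILTER


def default_types(role_names, name_filter=NAME_FILTER, patterns=TYPE_PATTERNS):
    """Map each role that passes the name filter to its default type."""
    result = {}
    for name in role_names:
        if not re.fullmatch(name_filter, name):
            continue  # filtered out, so never imported
        result[name] = next(
            (rtype for rtype, pat in patterns
             if re.fullmatch(pat, name, re.IGNORECASE)),
            "USER",
        )
    return result


def needs_review(role_names, **kwargs):
    """Roles that would be given an administrative type by default."""
    typed = default_types(role_names, **kwargs)
    return sorted(r for r, t in typed.items() if t in ("ADMIN", "MODEL_ADMIN"))


# Constructed role names, as an external repository might return them.
SAMPLE_ROLES = ["/spagobi/admin", "/spagobi/user", "/spagobi/dev",
                "/spagobi/helpdesk-admin-readonly", "/hr/admin"]

if __name__ == "__main__":
    for role in needs_review(SAMPLE_ROLES):
        print("review before enabling functionalities:", role)
```

With the loose `.*admin.*` pattern the read-only helpdesk role is typed ADMIN; anchoring the pattern to the exact role name removes it from the review list.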

2.2 ISecurityServiceSupplier

SpagoBI invokes these methods mainly when a user enters SpagoBI: the SpagoBIUserProfile is a simple object that must store the roles and attributes associated to the user, identified by the input userId; the SpagoBIUserProfile object should also contain the tenant the user belongs to (specified within the organization attribute). The isSuperAdmin flag is used to distinguish between normal tenants' administrators and the super administrator users, who can create and delete tenants.
Note that the checkAuthentication and checkAuthenticationWithToken methods are used only when SSO is disabled.

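public interface ISecurityServiceSupplier {

	// Builds the profile (roles, attributes, tenant) for the given user identifier
	SpagoBIUserProfile createUserProfile(String userId);

	// Used only when SSO is disabled
	SpagoBIUserProfile checkAuthentication(String userId, String psw);

	// Used only when SSO is disabled
	SpagoBIUserProfile checkAuthenticationWithToken(String userId, String token);

}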


2.3 InitializerIFace

The it.eng.spago.init.InitializerIFace interface is defined by the Spago framework and is used for operations that must be performed at startup (see the Spago framework documentation). In case you don't need any particular operation, leave the default value, that is

3 Implementation of new connectors

In case the existing connectors do not fit your needs, you must implement the previous Java interfaces, create a JAR file with their implementation classes, put it in SpagoBI/WEB-INF/lib and configure the properties using the web view, via Tools --> Manage Configuration (as super admin):


4 Roles type patterns

You can change the default mapping used to assign the default type to imported roles via Tools --> Manage Configuration (as super admin):


SpagoBI includes these connectors:

4.1 Internal Connector (default)

If you want to use internal users (defined in the SpagoBI metadata db):


4.2 LDAP based

If you want to use LDAP:

This connector uses the ldap.jar library and ldap_authorizations.xml to configure the connection and some specific parameters. You MUST set up how the connector retrieves information from LDAP in ldap_authorizations.xml:

<?xml version="1.0" encoding="ISO-8859-1"?>
		<ATTRIBUTES_ID name="nome">description</ATTRIBUTES_ID>
		<ATTRIBUTES_ID name="cognome">sn</ATTRIBUTES_ID>
		<ATTRIBUTES_ID name="userId">cn</ATTRIBUTES_ID>

By default this connector expects the spagobi.ldif schema. If you have your own LDAP schema, check ldap_authorizations.xml and configure it accordingly. The ADMIN_PSW value must be encrypted: in order to do this, open a DOS/UNIX shell and type

cd <your Tomcat home>/webapps/SpagoBI/WEB-INF/lib

and then

java -cp commons-codec-1.3.jar;spago-core-2.2.0.jar encrypt <your password>

on Windows systems and

java -cp commons-codec-1.3.jar:spago-core-2.2.0.jar encrypt <your password>

on UNIX/Linux systems.

For example: "secret" == 6ddbcdd70d086e75bdc121b16bd23f03.

Note: check if the is present in /SpagoBI/WEB-INF/lib

4.3 eXo

If you install SpagoBI in eXo you must configure:

Note: check if the* is present in /SpagoBI/WEB-INF/lib

4.4 Role based access rights

5 Change User Password

It is possible to change the user password (in a CAS environment too). This is useful when you use the Internal Connector of SpagoBI.

Then, you should see a new link on the login page:


When you click on this link a change password page is opened:


SpagoBI provides several rules that can be enforced to check password compliance. For example, it is possible to check if a password has a minimum length or contains special characters.

SpagoBI stores these rules in a dedicated table (SBI_CONFIG), where all . Note that the administrator does not control the enforcement of such rules.

5.1 Password checking rules

Below you can find all available rules for password checking:

  • len_min: defines a minimum length; it is used to check the minimum length of the password when the user changes it.
  • special_char: defines a set of special characters. If it is active, the system checks that at least one of them is present in the new password.
  • upper_char: checks that at least one character is in upper case.
  • lower_char: checks that at least one character is in lower case.
  • number: checks that at least one character is a number.
  • alphabetical: checks that at least one character is a letter.
  • change_first: when this rule is active, the system forces a password change at the first login.
  • disactivation_time: defines the number of months after which the password becomes disabled (if unused).
  • expired_time: defines the number of days after which a password change is required.

If you want to apply some of these rules, set the corresponding ACTIVE value to true (1) in the SBI_CONFIG table (apart from individual configurations).
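
The rules listed above can be evaluated outside SpagoBI, for example to test a candidate password or a proposed rule set before activating it. This is an added example, not SpagoBI code; the dictionary layout, the rule values and the sample passwords are assumptions constructed for the illustration and do not reflect the SBI_CONFIG schema.

```python
from datetime import date, timedelta

# Constructed rule set keyed by the rule names listed above.
# "active" mirrors the ACTIVE flag; "value" holds the rule's own setting.
RULES = {
    "len_min":      {"active": True, "value": 8},
    "special_char": {"active": True, "value": "_|-#$"},
    "upper_char":   {"active": True},
    "lower_char":   {"active": True},
    "number":       {"active": True},
    "alphabetical": {"active": False},
    "expired_time": {"active": True, "value": 90},  # days
}

# One predicate per content rule: (password, rule value) -> passes?
CHECKS = {
    "len_min":      lambda pw, v: len(pw) >= int(v),
    "special_char": lambda pw, v: any(c in v for c in pw),
    "upper_char":   lambda pw, v: any(c.isupper() for c in pw),
    "lower_char":   lambda pw, v: any(c.islower() for c in pw),
    "number":       lambda pw, v: any(c.isdigit() for c in pw),
    "alphabetical": lambda pw, v: any(c.isalpha() for c in pw),
}


def violated_rules(password, rules=RULES):
    """Return the names of the active content rules the password fails."""
    failed = []
    for name, check in CHECKS.items():
        rule = rules.get(name, {})
        if rule.get("active") and not check(password, rule.get("value")):
            failed.append(name)
    return failed


def must_change(last_change, today, first_login=False, rules=RULES):
    """True when change_first or expired_time forces a password change."""
    if first_login and rules.get("change_first", {}).get("active"):
        return True
    exp = rules.get("expired_time", {})
    return bool(exp.get("active")) and \
        today - last_change > timedelta(days=int(exp["value"]))
```

Inactive rules are skipped entirely, so a rule set with every ACTIVE flag at 0 accepts any password.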

6 Public user

Created by Angelo Bernabei on 2011/06/16 17:39
Last modified by Davide Zerbetto on 2016/01/12 15:37

This wiki is licensed under a Creative Commons 2.0 license