Users management

From version 2.5, SpagoBI can directly manage users in its own DBMS (it uses an InternalConnector), while earlier versions store only role information, to allow the administrator to set up the behavioural model. To retrieve this information SpagoBI uses 2 connectors, which read:

  • Role and attribute names.
  • User Profile in session.

1 ISecurityInfoProvider

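This interface retrieves all roles and user attributes.

import java.util.List;

public interface ISecurityInfoProvider {
    // every role defined in the external system
    public List getRoles();
    // names of all user profile attributes
    public List getAllProfileAttributesNames();
}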

SpagoBI invokes these methods to read the users' roles and attributes from the external system. Role names and descriptions are inserted into the SBI_EXT_ROLES table. The user attributes are shown when the administrator displays the attribute list. Note that SpagoBI handles all the roles, not only the roles of a specific user. The roles are filtered with a regular expression in the spagobi.xml file:

<ROLE-NAME-PATTERN-FILTER>.*</ROLE-NAME-PATTERN-FILTER>

2 ISecurityServiceSupplier

SpagoBI invokes these methods at user login to read the user information: roles and attributes. These roles and attributes are the ones that belong to that specific user. The checkAuthentication and checkAuthenticationWithToken methods are used if SSO is disabled.

public interface ISecurityServiceSupplier {
    // builds the profile (roles and attributes) of the given user
    SpagoBIUserProfile createUserProfile(String userId);
    // used only when SSO is disabled
    SpagoBIUserProfile checkAuthentication(String userId, String psw);
    SpagoBIUserProfile checkAuthenticationWithToken(String userId, String token);
}

3 How to configure these connectors

You can set up these connectors in spagobi.xml, for example:

<SECURITY>
   <PORTAL-SECURITY-INIT-CLASS>it.eng.spagobi.security.init.XmlSecurityProviderInit</PORTAL-SECURITY-INIT-CLASS>
   <PORTAL-SECURITY-CLASS className="it.eng.spagobi.security.XmlSecurityInfoProviderImpl">
      <CONFIG />
   </PORTAL-SECURITY-CLASS>
   <USER-PROFILE-FACTORY-CLASS className="it.eng.spagobi.security.XmlSecurityServiceSupplierImpl" />
   <ROLE-NAME-PATTERN-FILTER>.*</ROLE-NAME-PATTERN-FILTER>
   <ROLE-TYPE-PATTERNS>
      <ADMIN-PATTERN>/spagobi/admin</ADMIN-PATTERN>
      <DEV_ROLE-PATTERN>/spagobi/dev</DEV_ROLE-PATTERN>
      <TEST_ROLE-PATTERN>/spagobi/test</TEST_ROLE-PATTERN>
      <MODEL_ADMIN-PATTERN>/spagobi/modeladmin</MODEL_ADMIN-PATTERN>
   </ROLE-TYPE-PATTERNS>
</SECURITY>

In SpagoBI each role has a TYPE, and the role type is used to authorize functionalities. The role types are:

  • ADMIN: SpagoBI administrator
  • MODEL_ADMIN: Behavioural model administrator
  • DEV_ROLE: developer
  • TEST_ROLE: tester
  • USER: the final user

The Role-Type-Patterns setting is used to assign the default type to a new role. The administrator can change this type through the graphical user interface.
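
How the role name filter and the role type patterns interact during synchronization, as an added Python example (not SpagoBI code). It assumes that a pattern must match the whole role name, that the first matching type wins, and that a role matching no type pattern becomes USER; the directory role names are constructed.

```python
import re

# Type patterns copied from the <ROLE-TYPE-PATTERNS> block on this page.
TYPE_PATTERNS = [
    ("ADMIN", "/spagobi/admin"),
    ("DEV_ROLE", "/spagobi/dev"),
    ("TEST_ROLE", "/spagobi/test"),
    ("MODEL_ADMIN", "/spagobi/modeladmin"),
]

# Constructed role names, as an external directory might return them.
DIRECTORY_ROLES = ["/spagobi/admin", "/spagobi/dev", "/spagobi/user",
                   "/spagobi/admin-readonly", "/hr/payroll"]

def synchronize(role_names, name_filter=".*", type_patterns=TYPE_PATTERNS):
    """Return {role name: default type} for the roles that pass the filter.

    Assumed matching rules (not stated on the page): a pattern must match the
    whole role name, the first matching type wins, anything else is USER.
    """
    imported = {}
    for name in role_names:
        if not re.fullmatch(name_filter, name):
            continue  # filtered out, never stored in SBI_EXT_ROLES
        imported[name] = next(
            (t for t, p in type_patterns if re.fullmatch(p, name)), "USER")
    return imported

def default_admins(role_names, admin_pattern, name_filter=".*"):
    """Roles that would start out as ADMIN under a candidate ADMIN-PATTERN."""
    patterns = [("ADMIN", admin_pattern)] + TYPE_PATTERNS[1:]
    result = synchronize(role_names, name_filter, patterns)
    return sorted(n for n, t in result.items() if t == "ADMIN")
```

With the filter .* the constructed /hr/payroll role is imported as a USER role; with /spagobi/.* (the value used in the eXo configuration on this page) it is skipped. A broadened ADMIN-PATTERN such as /spagobi/admin.* would also give the constructed /spagobi/admin-readonly role the ADMIN type by default.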

4 The Role management

There is a GUI where the administrator is able to:

  • Start the synchronization of roles
  • Change the Role Type
  • Assign some features to display

[Screenshot: roles.png]

5 Connectors

If you have to write a new connector, you must implement the Java interfaces above, create a JAR with the implementation classes, and configure spagobi.xml by adding a custom SECURITY tag.

SpagoBI includes these connectors:

5.1 Internal Connector (available from SpagoBI 2.5)

If you want to use internal users (defined in the SpagoBI metadata DB), insert this XML in spagobi.xml:

<SECURITY>
   <PORTAL-SECURITY-INIT-CLASS>it.eng.spagobi.security.init.InternalSecurityInitializer</PORTAL-SECURITY-INIT-CLASS>
   <PORTAL-SECURITY-CLASS className="it.eng.spagobi.security.InternalSecurityInfoProviderImpl">
      <CONFIG />
   </PORTAL-SECURITY-CLASS>
   <USER-PROFILE-FACTORY-CLASS className="it.eng.spagobi.security.InternalSecurityServiceSupplierImpl" />
   <ROLE-NAME-PATTERN-FILTER>.*</ROLE-NAME-PATTERN-FILTER>
   <ROLE-TYPE-PATTERNS>
    	<ADMIN-PATTERN>/spagobi/admin</ADMIN-PATTERN>
    	<DEV_ROLE-PATTERN>/spagobi/dev</DEV_ROLE-PATTERN>
    	<TEST_ROLE-PATTERN>/spagobi/test</TEST_ROLE-PATTERN>
    	<MODEL_ADMIN-PATTERN>/spagobi/modeladmin</MODEL_ADMIN-PATTERN>
   </ROLE-TYPE-PATTERNS>
</SECURITY>

5.2 XML file based

The XML file-based connector is useful for demo or development environments. This is the default configuration.

<SECURITY>
   <PORTAL-SECURITY-INIT-CLASS>it.eng.spagobi.security.init.XmlSecurityProviderInit</PORTAL-SECURITY-INIT-CLASS>
   <PORTAL-SECURITY-CLASS className="it.eng.spagobi.security.XmlSecurityInfoProviderImpl">
      <CONFIG />
   </PORTAL-SECURITY-CLASS>
   <USER-PROFILE-FACTORY-CLASS className="it.eng.spagobi.security.XmlSecurityServiceSupplierImpl" />
   <ROLE-NAME-PATTERN-FILTER>.*</ROLE-NAME-PATTERN-FILTER>
   <ROLE-TYPE-PATTERNS>
      <ADMIN-PATTERN>/spagobi/admin</ADMIN-PATTERN>
      <DEV_ROLE-PATTERN>/spagobi/dev</DEV_ROLE-PATTERN>
      <TEST_ROLE-PATTERN>/spagobi/test</TEST_ROLE-PATTERN>
      <MODEL_ADMIN-PATTERN>/spagobi/modeladmin</MODEL_ADMIN-PATTERN>
   </ROLE-TYPE-PATTERNS>
</SECURITY>

If you have to change users, roles or attributes, you can edit this file:

TOMCAT_HOME/webapps/SpagoBI/WEB-INF/conf/webapp/authorizations.xml

In this file you can:

  • Add user
  • Add role
  • Add profile attribute
  • Assign a role to a user

<ATTRIBUTES>
   <ATTRIBUTE name="month" />
   <ATTRIBUTE name="email" />
   <ATTRIBUTE name="name" />
</ATTRIBUTES>

<USERS>
   <USER userID="biadmin" password="biadmin" month="03" name="SpagoAdmin" email="spagobi@eng.it"/>
   <USER userID="biuser" password="biuser" month="04" name="SpagoUser" email="spagobi@eng.it"/>
   <USER userID="bidev" password="bidev" />
   <USER userID="chiron" password="chiron" />
</USERS>

<ROLES>
   <ROLE roleName="/spagobi/dev" description="/spagobi/dev" />
   <ROLE roleName="/spagobi/user" description="/spagobi/user" />
   <ROLE roleName="/spagobi/admin" description="/spagobi/admin" />
   <ROLE roleName="/spagobi/moni" description="/spagobi/moni" />
</ROLES>

<BEHAVIOURS>
   <BEHAVIOUR userID="biuser" roleName="/spagobi/user" />
   <BEHAVIOUR userID="biadmin" roleName="/spagobi/admin" />
   <BEHAVIOUR userID="bidev" roleName="/spagobi/dev" />
   <BEHAVIOUR userID="chiron" roleName="/spagobi/admin" />
</BEHAVIOURS>

Note: check if the sbi.security.xml-2.1.0.jar is present in /SpagoBI/WEB-INF/lib
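
A hygiene and consistency check for the authorizations.xml entries shown above, as an added Python example (not SpagoBI code). The file keeps passwords in clear text, so the check flags accounts whose password equals the user ID, lists who holds an administrator role, and reports BEHAVIOUR entries and roles that do not line up. The AUTHORIZATIONS root element and the finding names are assumptions; the page shows only the inner fragments.

```python
import xml.etree.ElementTree as ET

# Constructed sample: fragments from this page under a made-up root element
# (the real root element of authorizations.xml is not shown on the page).
SAMPLE = """<AUTHORIZATIONS>
  <USERS>
    <USER userID="biadmin" password="biadmin" name="SpagoAdmin"/>
    <USER userID="biuser" password="biuser" name="SpagoUser"/>
    <USER userID="bidev" password="bidev"/>
    <USER userID="chiron" password="chiron"/>
  </USERS>
  <ROLES>
    <ROLE roleName="/spagobi/dev" description="/spagobi/dev"/>
    <ROLE roleName="/spagobi/user" description="/spagobi/user"/>
    <ROLE roleName="/spagobi/admin" description="/spagobi/admin"/>
    <ROLE roleName="/spagobi/moni" description="/spagobi/moni"/>
  </ROLES>
  <BEHAVIOURS>
    <BEHAVIOUR userID="biuser" roleName="/spagobi/user"/>
    <BEHAVIOUR userID="biadmin" roleName="/spagobi/admin"/>
    <BEHAVIOUR userID="bidev" roleName="/spagobi/dev"/>
    <BEHAVIOUR userID="chiron" roleName="/spagobi/admin"/>
  </BEHAVIOURS>
</AUTHORIZATIONS>"""

def audit(xml_text, admin_roles=("/spagobi/admin",)):
    """Return (finding, subject) pairs for weak or inconsistent entries."""
    root = ET.fromstring(xml_text)
    users = {u.get("userID"): u.get("password") for u in root.iter("USER")}
    roles = {r.get("roleName") for r in root.iter("ROLE")}
    findings, granted = [], set()
    for uid, pwd in users.items():
        if not pwd:
            findings.append(("empty-password", uid))
        elif pwd.lower() == uid.lower():
            findings.append(("password-equals-userid", uid))
    for b in root.iter("BEHAVIOUR"):
        uid, role = b.get("userID"), b.get("roleName")
        granted.add(role)
        if uid not in users:
            findings.append(("behaviour-for-unknown-user", uid))
        if role not in roles:
            findings.append(("behaviour-for-unknown-role", role))
        if role in admin_roles:
            findings.append(("admin-role-granted", uid))
    findings += [("role-never-assigned", r) for r in sorted(roles - granted)]
    return findings
```

On the sample it reports all four accounts as password-equals-userid, biadmin and chiron as administrator role holders, and /spagobi/moni as a role that no BEHAVIOUR assigns.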

5.3 LDAP based

If you want to use LDAP, insert this XML in spagobi.xml:

<SECURITY>
   <PORTAL-SECURITY-INIT-CLASS>it.eng.spagobi.security.init.LdapSecurityProviderInit</PORTAL-SECURITY-INIT-CLASS>
   <PORTAL-SECURITY-CLASS className="it.eng.spagobi.security.LdapSecurityProviderImpl">
      <CONFIG />
   </PORTAL-SECURITY-CLASS>
   <USER-PROFILE-FACTORY-CLASS className="it.eng.spagobi.security.LdapUserProfileFactoryImpl" />
   <ROLE-NAME-PATTERN-FILTER>.*</ROLE-NAME-PATTERN-FILTER>
   <ROLE-TYPE-PATTERNS>
      <ADMIN-PATTERN>/spagobi/admin</ADMIN-PATTERN>
      <DEV_ROLE-PATTERN>/spagobi/dev</DEV_ROLE-PATTERN>
      <TEST_ROLE-PATTERN>/spagobi/test</TEST_ROLE-PATTERN>
      <MODEL_ADMIN-PATTERN>/spagobi/modeladmin</MODEL_ADMIN-PATTERN>
   </ROLE-TYPE-PATTERNS>
</SECURITY>

This connector uses the ldap.jar library and ldap_authorizations.xml to configure the connection and some specific parameters. You MUST define in ldap_authorizations.xml how the connector retrieves information from LDAP:

<?xml version="1.0" encoding="ISO-8859-1"?>
<LDAP_AUTHORIZATIONS default="FALSE">
	<CONFIG>
		<USER_DN>cn=*,ou=People,dc=spagobi,dc=com</USER_DN>
		<ADMIN_USER>cn=Manager,dc=spagobi,dc=com</ADMIN_USER>
		<ADMIN_PSW>6ddbcdd70d086e75bdc121b16bd23f03</ADMIN_PSW>
		<ATTRIBUTES_ID name="nome">description</ATTRIBUTES_ID>
		<ATTRIBUTES_ID name="cognome">sn</ATTRIBUTES_ID>
		<ATTRIBUTES_ID name="userId">cn</ATTRIBUTES_ID>										
		<HOST>localhost</HOST>
		<PORT>389</PORT>	
		<OBJECTCLASS>person</OBJECTCLASS>
		<SEARCH_ROOT>ou=People,dc=spagobi,dc=com</SEARCH_ROOT>
		<OU_ATTRIBUTE>ou</OU_ATTRIBUTE>
		<SEARCH_ROOT_GROUP>ou=Group,dc=spagobi,dc=com</SEARCH_ROOT_GROUP>
		<OBJECTCLASS_GROUP>organizationalUnit</OBJECTCLASS_GROUP>
		<ATTRIBUTES_ID_GROUP>description</ATTRIBUTES_ID_GROUP>
		<ATTRIBUTES_ID_GROUP>OU</ATTRIBUTES_ID_GROUP>		
	</CONFIG>
</LDAP_AUTHORIZATIONS>

By default this connector expects the spagobi.ldif schema. If you have your own LDAP schema, check ldap_authorizations.xml and configure it accordingly. The ADMIN_PSW value must be encrypted, using this simple code. For example: "secret" == 6ddbcdd70d086e75bdc121b16bd23f03

DefaultCipher defaultCipher = new DefaultCipher();
defaultCipher.encrypt ()....

Note: check if the sbi.security.ldap-2.1.0.jar is present in /SpagoBI/WEB-INF/lib

5.4 eXo

If you install SpagoBI in eXo you must configure spagobi.xml with this xml:

<SECURITY>
   <PORTAL-SECURITY-INIT-CLASS>it.eng.spagobi.security.init.ExoPortalSecurityProviderInit</PORTAL-SECURITY-INIT-CLASS>
   <PORTAL-SECURITY-CLASS className="it.eng.spagobi.security.ExoSecurityProviderImpl">
      <CONFIG>
         <NAME_PORTAL_APPLICATION>portal</NAME_PORTAL_APPLICATION>
      </CONFIG>
   </PORTAL-SECURITY-CLASS>
   <USER-PROFILE-FACTORY-CLASS className="it.eng.spagobi.security.ExoUserProfileImpl">
   </USER-PROFILE-FACTORY-CLASS>
   <ROLE-NAME-PATTERN-FILTER>/spagobi/.*</ROLE-NAME-PATTERN-FILTER>
   <ROLE-TYPE-PATTERNS>
      <ADMIN-PATTERN>/spagobi/admin</ADMIN-PATTERN>
      <DEV_ROLE-PATTERN>/spagobi/dev</DEV_ROLE-PATTERN>
      <TEST_ROLE-PATTERN>/spagobi/test</TEST_ROLE-PATTERN>
      <MODEL_ADMIN-PATTERN>/spagobi/modeladmin</MODEL_ADMIN-PATTERN>
   </ROLE-TYPE-PATTERNS>
</SECURITY>

Note: check if the sbi.security.exo-2.1.0.jar is present in /SpagoBI/WEB-INF/lib

5.5 Liferay

… to do...

5.6 Role based access rights

Every SpagoBI function checks whether the user is allowed to execute it; this check is performed by the Spago Application Framework. At login, SpagoBI inserts all the functionalities into the User Profile and uses it to check authorization. Each SpagoBI role has a set of functionalities; the administrator can configure this association in the SpagoBI metadata DB.

6 Change Password module

From SpagoBI version 2.5 it is possible to change the user password (also in a CAS environment). This is useful when you use the SpagoBI Internal Connector.

You should then see a new link on the login page:

[Screenshot: login.bmp]

When you click on this link, a change password page opens:

[Screenshot: changePwd.bmp]

This feature makes it possible to add several checks on the new password and on when it has to be changed. SpagoBI has a new table (SBI_CONFIG) that holds all the rules SpagoBI manages. Note that the administrator is excluded from these checks.

6.1 Rules

The rules available today are:

  • len_min: defines a minimum length; it can be useful to check the minimum length of the password when the user changes it.
  • special_char: defines a set of special characters. If it is active, the system checks that at least one of them is present in the new password.
  • upper_char: checks that at least one character is in upper case.
  • lower_char: checks that at least one character is in lower case.
  • number: requires that at least one character is a number.
  • alphabetical: requires that at least one character is a letter.
  • change_first: when this rule is active, the system forces a password change at the first login.
  • disactivation_time: defines the number of months after which the password becomes disabled (when unused).
  • expired_time: defines the number of days after which a password change is required.

To apply any of these rules, set the corresponding ACTIVE value to true (1) in the SBI_CONFIG table (apart from individual configurations).
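
The password rules listed above, evaluated against a proposed password, as an added Python example (not SpagoBI code). The rule names come from this page; the rule values, the name -> (ACTIVE, value) layout standing in for SBI_CONFIG rows, and the function names are assumptions.

```python
from datetime import date, timedelta

# Constructed stand-in for the rule rows of SBI_CONFIG: name -> (ACTIVE, value).
# Rule names come from this page; the values and the row layout are assumptions.
RULES = {
    "len_min": (1, "8"),
    "special_char": (1, "_|-#$"),
    "upper_char": (1, None),
    "lower_char": (1, None),
    "number": (1, None),
    "alphabetical": (0, None),   # inactive: never reported
    "change_first": (1, None),
    "expired_time": (1, "90"),   # days
}

def active(rules, name):
    return rules.get(name, (0, None))[0] == 1

def violations(password, rules=RULES, is_admin=False):
    """Names of the active rules that a proposed new password breaks."""
    if is_admin:
        return []  # the page states the administrator is excluded
    checks = {
        "len_min": lambda v: len(password) >= int(v),
        "special_char": lambda v: any(c in v for c in password),
        "upper_char": lambda v: any(c.isupper() for c in password),
        "lower_char": lambda v: any(c.islower() for c in password),
        "number": lambda v: any(c.isdigit() for c in password),
        "alphabetical": lambda v: any(c.isalpha() for c in password),
    }
    return [n for n, ok in checks.items()
            if active(rules, n) and not ok(rules[n][1])]

def must_change(last_change, today, first_login=False, rules=RULES,
                is_admin=False):
    """True when change_first or expired_time forces a new password."""
    if is_admin:
        return False
    if first_login and active(rules, "change_first"):
        return True
    days = rules.get("expired_time", (0, "0"))[1]
    return active(rules, "expired_time") and \
        today - last_change > timedelta(days=int(days))
```

Because the administrator is excluded from these checks, an administrator password such as the default shown for the XML connector passes unexamined, so it has to be reviewed separately.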

Created by bernabei on 2009/04/16 09:35
Last modified by Alessandro Taurelli on 2010/06/15 11:53

This wiki is licensed under a Creative Commons 2.0 license