WebFOCUS 8: Technical Overview
Jim Thorstad
Technical Director, WebFOCUS
Product Management
1
Agenda
 WebFOCUS 8 Architecture
 Security Model
 Enhancement Highlights
 Demo
2
WebFOCUS 8 Architecture
3
What is WebFOCUS 8?
Understanding Middle-tier vs. Server-tier Components
WebFOCUS 8 Updates the Middle-tier
WebFOCUS Client
Managed Reporting
WebFOCUS
Report
Server
ReportCaster
Users
BI Portal/Dashboard
Data
+ Report Server 7.7.04
WebFOCUS 8.0
WebFOCUS 8.0.01 + Report Server 8.0.01
4
WebFOCUS 8 Architecture
Integrated Repository
WebFOCUS Client
Managed Reporting
WebFOCUS
Report Server
BI Portal
ReportCaster
Reports
Schedules
Content
Users
Groups
Security
WebFOCUS 8
Repository
Metadata
Uploaded Data
Application
Directories
5
Information Builders File System
WebFOCUS 8 Architecture Is Built Around IBFS
 IBFS Service Layer – Internal Subsystem
 IBFS Path – an Object Addressing Scheme
IBFS paths used in drill-down links,
schedules, security rules
For backward compatibility, migrated
content can still be accessed via HREF
properties
6
Information Builders File System
IBFS is All-Encompassing
 IBFS Used to Reference
 Reports, portal pages
 Schedules, output
IBFS governs access
 Users, groups
to everything
 Report Servers
 IBFS is Hierarchical and Enables
 Security policy inheritance
 Group nesting
 Full control over content
organization
7
Information Builders File System
IBFS Enables Full Control of Content Organization
Mandatory folders
in 7x are
migrated “as is”
… but are no longer
required in 8.0
Reports, reporting
objects, and library
output can be
deployed in the
same folder
Folder depth not limited to
one sub-folder
8
WebFOCUS 8 Architecture
HTTP Service
All Content is Accessed via the IBFS Service Layer
Core WF
MR/BIP/RC
RC Distribution
Server
IBFS Service
Layer
ReportCaster uses an
IBFS Service API to
access report
procedures in the
repository
WebFOCUS 8
Repository
Eliminates problematic
HTTP requests to the
web tier
9
WebFOCUS 8 High-level Architecture
Running Report Requests
HTTP Service
WebFOCUS runs interactive requests through IBFS
Core WF
MR/BIP/RC
IBFS Service
Layer
User ID and Groups can be
passed to the Server:
• Connection=Trusted/IBIMR_user
• IBI_WFRS_Passthrough_Groups=ALL
u=jim, g=Tenant22
Web
Requests
WebFOCUS 8
Repository
WebFOCUS
Report Server
1
WebFOCUS 8 Security Model
11
Why a New Security Model?
Customer Feedback Related to WebFOCUS 7x
 Managed Reporting Role Security was Limiting
 Only 5 base roles and 9 permissions
 One role for all Domains
 Domain Security Model was Limiting
 Couldn’t customize security on sub-folders
 Content Sharing was Limiting
 Couldn’t share with specific people
 Challenging for Multi-tenancy SaaS Deployments
 Couldn’t allow sharing in a common Domain—user’s would
see content from other tenants
 Dilemma: abandon common domain or drop sharing?
WebFOCUS 8 Addresses These Challenges!
12
WebFOCUS 8 Security Model
Basic Security Concepts
 Security Rules Connect…
 Subjects – groups/users to authorize
 Roles – collection of privileges
 Resources – objects to secure
 Access – type of rule: permit, deny, ...
 Apply To – scope of rule: folder, folder & children, ...
 Security Policy – Collection of Security Rules
 Effective Policy – Evaluation of the Security Policy
 Bob has privileges A, B, C on resource X
 Takes into account rule inheritance, rule conflicts, group
membership, user-specific rules (if any)
The Security Model in WebFOCUS 8
Provides Complete Control of Your Security Policies
13
WebFOCUS 8 Security Model
Understanding Group Membership
 Policy Evaluation Includes Processing of a User’s:
 Explicitly assigned groups
 Implicit groups
• Bob is assigned to the
Sales Basic Users group
• Sales Basic Users
belongs to Sales Group
• Therefore Bob implicitly
belongs to Sales…
• And the rules associated
with both groups apply
implicit
Bob
explicit
14
WebFOCUS 8 Security Model
WebFOCUS 8 Security Center – Users & Groups Tab
15
WebFOCUS 8 Security Model
WebFOCUS 8 Security Center – Roles Tab
16
WebFOCUS 8 Security Model
WebFOCUS 8 Security Center – Role Customization
Select all or a portion of the
privileges within each category
Choose whether users select a Master
File or Reporting Object with InfoAssist
Choose whether users can upload a
spreadsheet to the Reporting Server
17
WebFOCUS 8 Security Model
Creating Security Rules
Select any IBFS resource …
and then Security > Rules…
18
WebFOCUS 8 Security Model
Creating Security Rules – Security Rules Dialog
The resource
You select a
subject…
…role, type, and
scope
Click OK to
create rule(s)
19
WebFOCUS 8 Security Model
Managing Your Security Policies
Rules on this Resource answers:
“Who can access this?”
20
WebFOCUS 8 Security Model
Managing Your Security Policies
Rules for this Group answers:
“What does this group have access to?”
21
WebFOCUS 8 Security Model
Understanding the Built-in Global Groups
 Consider Using Global Groups Carefully
Global groups have
access to all content
through inheritance
22
WebFOCUS 8 Security Model
Benefits
 Flexible Security Model
 Over 150 assignable privileges
 You can develop custom roles
 Sub-Groups and Inheritance Simplify Policy Creation
 Tools simplify Creation and Management of Policies
 Possible to Address Enterprise and SaaS Markets
 Possible to Address Each Customer’s Unique Needs
23
WebFOCUS 8 Enhancement Highlights
24
WebFOCUS 8 Enhancement Highlights
 Resource Templates
 Private Content, Publishing, and Content Sharing
 Localization
 Licensing
 Authorization Mapping
25
Resource Templates
The Deployment Challenges Facing Administrators
 What are our security requirements?
 How do I design and implement a security policy?
 How long will it take to create security rules?
 What best practices should I be aware of?
 Where do I start?
26
Resource Templates
Simplifying the Creation of Security Policies
 Resource Templates Automate the Creation of
 Folders, portals, groups, roles, security rules
 WebFOCUS 8.0.01 Includes Two Resource Templates:
 Enterprise Domain template
 SaaS Tenant Domain template
27
Resource Templates
Simplifying the Creation of Security Policies
 The Enterprise Domain Template Creates:
 1 Domain-specific Folder,
Portal, and Group
 4 Sub-groups
 21 Domain-specific Rules
 8 Configurable Roles
28
Resource Templates
Simplifying the Creation of Security Policies
 The SaaS Tenant Template
Creates the Same Things Plus
 A Common folder
 The EVERYONE group is hidden
29
Resource Templates
Simplifying the Creation of Security Policies
 The template also creates the required security rules
30
Resource Templates
Support Site and Roadmap
 Latest Information on Templates:
https://techsupport.informationbuilders.com/tech
/wbf/v8templates/wbf_8_resource_templates.html
 Download the Policy Design Worksheet
 Use this to plan your custom deployment
 Roadmap: Create Your Own Templates
31
Private Content, Publishing, and Sharing
Private Content
 All Content Initially Created as Private
 Visible only to owner
 Doesn’t inherit security
 Administrators with Manage Private Resources can access
private content
 Authority to Create Private Items Outside of a My
Content Folder Can be Assigned
In 8.0.01 private content is
indicated with a grayscale overlay
on the icon
32
Private Content, Publishing, and Sharing
Publishing Private Content
 Authorized Users Can Publish a Private Resource
 Published resources inherit security rules from parent
 Create, Publish & Un-Publish are separately assignable
 Contrast with Formal Change Control Model
 Isolated DEV/TEST/PROD environments
 Developers don’t have write access to TEST/PROD
 But a Useful Alternative in SaaS Deployments
 SaaS tenant developers only interact with PROD
 Tenant developers can work out of view from users
 Publishing completed reports is simple
 IBFS paths don’t change
 Consider Developing In-Place with Private Content
33
Private Content, Publishing, and Sharing
My Content Folders
 End-Users Need to Create Resources in Production
 This is facilitated by special My Content folders
 A Folder Property Enables Support for My Content
 Assignable Privilege Determines Who Gets One
Private content, created
and saved by a user to
their My Content folder
34
Private Content, Publishing, and Sharing
Content Sharing
 Complete Control Over Content Sharing
 Share – simple sharing determined by WebFOCUS
 Share with – user determines who to share with
 Configurable Policy Determines Available Users/Groups
 Enhanced Shared Content View
 Only Users Sharing Content are Shown
Shared
content
Assignable
sharing
options
35
Authorization Mapping
Key Requirement for Enterprise & SaaS Deployments
 What if you Manage Authorizations in LDAP/AD via…
 The user’s group memberships
 A custom attribute on the user entry
 Authorization Mapping is Built-in to WebFOCUS 8
Groups in AD/LDAP
User Attribute in
Oracle LDAP
36
Authorization Mapping
Key Requirement for Enterprise & SaaS Deployments
 Administrator Maps the Value to a WebFOCUS Group
 Resource Templates Can Configure the Mapping
Group DN or user
attribute value is
mapped to WF group
37
LDAP Authorization Mapping
Key Requirement for Enterprise & SaaS Deployments
Mapped WebFOCUS
groups have a link icon
User accounts are
automatically
created during
sign-on
38
Other Security Enhancements
Password Policies, Auditing
 For Customers Using Internal Authentication
 Strong encryption for password hashes
 Configurable password policies
 Built-in Protection from Web Vulnerabilities
 Built-in User and Administrative Activity Auditing
This
user
Used
this API
To move
this user
[2012-05-30 08:30:13,267] INFO groups ed214e45667f0f1
thoja13 addUserToGroup SUCCESS user:smija03 (314568704)
group:IBFS:/SSYS/GROUPS/Retail/Developers (614187006)
Into this group
39
Localizable Content Titles
A Complete Solution for Localized Applications
Repository data
can be localized
User sees label
based on their
language
preference
40
WebFOCUS 8 Client License
New for WebFOCUS 8
 Enforces Licensed Options
 Features: BI Portal, InfoAssist, ReportCaster, etc.
 Managed Reporting user count
 InfoAssist user count (future release)
 Work with Customer Support/Account Team
 Make sure your site code (XXXX.nn) reflects your products
41
Migrating to WebFOCUS 8
42
Migrating to WebFOCUS 8
Built-in Utilities to Simplify the Process
 Utility Migrates 7x Content
 ReportCaster Content
 Managed Reporting Content
 Dashboards
 Dashboard Conversion to BI Portals
 Not Automatic
 User Experience and Policies Preserved
 Identical folder structure
 Identical security policy
43
Understanding a Migrated Policy
MR7x to WF8
 MR 7x users had only a single role and optionally a
few extra privileges
 The role was defined on the user
 Migration creates a policy with this same behavior
 Requires the User Default Role (UDR) Setting
44
Understanding a Migrated Policy
MR7x to WF8
 Sets special system Roles between migrated Groups
and Domain folders
45
Understanding a Migrated Policy
MR7x to WF8
 Enables Default Role tab on the user account
 Here the user’s 7x “role” and “privileges” are defined
 They apply to all Domain folders
46
Summary
47
WebFOCUS 8 Technical Overview
Summary
 Rich Portal and Tool Interfaces
 Replace BI Dashboard and Java Applet UIs
 Integrated Repository Based on IBFS
 Unified, fully localizable repository for MR, BIP, RC
 Full control of content organization and security policy
 Resource Templates simplify security policy creation
 Enhanced Content Publishing and Sharing
 External Authorization Built-in
 Migration Utilities Streamline Upgrade
 WebFOCUS 8.0.01 requires 8.0.01 Report Server
48
49