I would like to be able to restrict access to a master file based on the Groups a user is associated with. Does anyone know if the DBA Security has been improved in WF8008 to allow restrictions based on a users group? Or is the only way to achieve this by querying the group table and writing a view to deal with the recursive join?

Thanks!

This message has been edited. Last edited by: eric.woerle,

I'm not exactly sure as to how it's done. But, you can use the WebFOCUS 8 Security, or DBA security, to limit access down to field values. Access to the masters isre normaly done via Domain level security (If you have access to the domain, then you have access to the app folders associated with that/those domain(s)...

Doug,

I am looking to restrict fields / segments based on the group someone belongs in. For instance I want people who are not in the Finance group to be restricted from seeing the payment segment of my financial metadata, but they should be able to see the invoice segment of the financial metadata. I can only do this if I know what group each person belongs in. I thought WF8 had made improvements of which groups could be used for these types of restrictions, but I have been unable to find any documentation on it.

One way that I could do it is by querying the user groups table in Oracle, but this table is a recursive table. I'm not sure if there is some system metadata that would allow me to query the groups that someone belongs to and recognize all of the parent groups of that person or not. Ultimately thats what I am looking to do. For instance I might want to show a few fields on a master file to only tenant A. Unfortunately no one is assigned directly to tenant A. They are a part of the EXT_ADMISSIONS group. Which has a full path of Tenant A / Basic Users / Admissions / External Admissions. It is 4 levels removed from how I need to restrict access to the field.

I want to somehow say in the DBA security, anyone with access to Tenant A can access these fields. Anyone from other tenants is restricted from these fields.

I did exactly that. With some help from our IBI guy, we created a little fex that looks at the group table, and sets PERMPASS to a value based on the group. Then, in the master file definitions, you use the PERMPASS value to control who sees what. By the way, the little fex that you write, you then put it in to the site profile so it automatically gets executed whenever someone logs on or opens any kind of object in managed reporting. Works great.

Mike,

Currently in my metadata I use MFD profiles and DBA files to handle my restrictions. I am looking to improve the logic in my MFD profiles to also consider a persons group. Is this what you did too? Or are you just refering to the MFD profile piece (which you used permpass on the RS instead of a procedure run before each masterfile). I'm looking for an efficient way to access the group security table.

BTW this is specifically in WF 8.0.08, I see that you are still in WF 7.7.03. The security tables i'm refering to don't exist in WF 7. They are a new enhancement in WF 8.

I sent you a PM

So since I wasn't seeing anything in the documentation about extracting a user's groups I decided to write a view off of the UOA tables and put together this query which will tell me each user, the group they are assigned to, and associate them with all of the parents of that group.

 
select x.id
      ,x.parentid
      ,x.name
      ,t2.groupid
      ,t2.userid
      ,t3.name
from (select t1.id
	    ,t1.name
	from uoa_groups t1
	start with t1.id in (select groupid
				from uoa_groupsusers gu
				group by groupid) x
	,uoa_groupsusers t2
	,uoa_users t3
where x.id = t2.groupid
  and t2.userid = t3.id
order by t3.name, x.id, x.name
group by t3.name, x.id, x.name

it works great except for one problem.... none of the users added to a group through their LDAP group is included in the list. Those users are in the UOA_USERS table, but if they were added to a group through the external process, that relationship isn't stored in the UOA_GROUPSUSERS table. This unfortunately puts me back to square one with trying to find a system masterfile or something along those lines to query.

Has anyone gotten past this yet?

Thanks!

I opened a case regarding this, but if anyone has any ideas or has done this already, your suggestions would be greatly appreciated.

Thanks!

I spoke with IBI regarding this, and the answer was so simple its embarassing...

There is a variable, IBIMR_memberof, that contains all of the groups that a user is a part of in a ';' delimited string. Just need to add

 
<set> IBIMR_memberof(pass)  

to your site.wfs and your rocking and rolling. I don't believe this is visible to the Reporting Server (still need to test it out), but I'll probably throw it to a Global Variable so that I can use it in my MFD_PROFILE. Then I can parse it out and assign DBA Passwords accordingly.