Focal Point
Single sign-on with ASP.NET?

This topic can be found at:
https://forums.informationbuilders.com/eve/forums/a/tpc/f/7971057331/m/5301077331

January 18, 2004, 10:49 PM
<fgpotter>
Hi there,

I'm a WebFOCUS newbie, building an ASP.NET application which will use WebFOCUS as the reporting subsystem. I need to authenticate users in ASP.NET (using Forms authentication and a SQL Server database table to check passwords and look up role information). Based on a user's role, I want them to be able to see different information in reports (i.e., some users can see certain records, and other users can see other records). Some of my questions include:

* How can I pass user credentials from ASP.NET over to the WebFOCUS client?
* How can WebFOCUS check the user's credentials in the same SQL Server table that I'm using in ASP.NET?
* How do I restrict which specific database rows a user can see based on the user's roles?

I've looked through the WebFOCUS security documentation, which seems to imply that the WebFOCUS Client, WebFOCUS Server, and database have separate authentication configurations, and I can't tell whether they talk to each other.

In fact, I find the WebFOCUS documentation (and the application as a whole) to be one of the most confusing computing systems I've had to deal with in my 20 years of application development. So please accept my apologies if the answers to my questions are in the manuals -- maybe someone can at least tell me where to start?

Thanks a bunch in advance.
January 23, 2004, 11:45 AM
Bob Jude Ferrante
It's true that the WebFOCUS Server, MRE and Dashboard each have separate logons. But it's also completely possible to have all sign-ons, from server, to MRE, to dashboard, be done from a single set of credentials and on one single webpage or ASP. The security credentials can be operating system hosted or hosted in a DBMS or LDAP repository (you would access DBMS or LDAP hosted credentials via what we elegantly call "the WebFOCUS security exits").

There are actually articles on single-sign-on in the WebFOCUS Newsletter; you can find back issues on the support.ibi.com site.

Happy Hunting!
January 24, 2004, 04:55 AM
susannah
fgpotter, I do almost the same thing. I read an Access database via an .asp file for my user credentials. Then these values are passed along to WebFOCUS as &vars, i.e. form parameters just like any other form parameters in any ordinary form that uses its 'action' to call the WebFOCUS CGI. Once you pass the user creds as parameters onward to a focexec, you can then program whatever you like. If you want to see a sample, PM me and I'll be back in town in a week.
Oh yeah, and I totally agree with you about the manuals. And I'm a FOCUS old-timer!
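Identity values forwarded as ordinary form parameters, as in the post above, can be edited if they pass through the browser. The following is an added example, not code from this thread or from WebFOCUS, showing how the ASP.NET side can sign such values so that a receiver can reject altered or stale ones; the parameter names USERID, ROLE, EXPIRES and SIG, the component that calls Verify, and the use of .NET 6 or later are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example: tamper-evident identity parameters for a report request.
// USERID, ROLE, EXPIRES and SIG are hypothetical parameter names.
public static class SignedReportParams
{
    // String covered by the MAC. Values are escaped so that '&' and '='
    // inside a value cannot be mistaken for delimiters.
    static string Canonical(string user, string role, long expires) =>
        "USERID=" + Uri.EscapeDataString(user) +
        "&ROLE=" + Uri.EscapeDataString(role) +
        "&EXPIRES=" + expires;

    static byte[] Mac(byte[] key, string data)
    {
        using (var h = new HMACSHA256(key))
            return h.ComputeHash(Encoding.UTF8.GetBytes(data));
    }

    // Called server-side after Forms authentication has established user and role.
    public static string Build(byte[] key, string user, string role, DateTimeOffset now, TimeSpan ttl)
    {
        long expires = now.Add(ttl).ToUnixTimeSeconds();
        string body = Canonical(user, role, expires);
        return body + "&SIG=" + Convert.ToHexString(Mac(key, body));
    }

    // Called by the receiver (assumed to hold the same key) before trusting the values.
    public static bool Verify(byte[] key, string user, string role, long expires, string sigHex, DateTimeOffset now)
    {
        if (sigHex == null || now.ToUnixTimeSeconds() > expires) return false;
        byte[] given;
        try { given = Convert.FromHexString(sigHex); }
        catch (FormatException) { return false; }
        return CryptographicOperations.FixedTimeEquals(Mac(key, Canonical(user, role, expires)), given);
    }

    public static void Main()
    {
        byte[] key = RandomNumberGenerator.GetBytes(32);   // constructed demo key
        var now = DateTimeOffset.UtcNow;
        string qs = Build(key, "alice", "sales", now, TimeSpan.FromMinutes(5)); // constructed values
        string sig = qs.Substring(qs.LastIndexOf("&SIG=") + 5);
        long exp = now.AddMinutes(5).ToUnixTimeSeconds();
        Console.WriteLine(Verify(key, "alice", "sales", exp, sig, now)); // values as issued
        Console.WriteLine(Verify(key, "alice", "admin", exp, sig, now)); // role edited in transit
    }
}
```

The key has to stay on the servers; if the receiving side cannot check a signature, the alternative is to have it derive the role from the authenticated user ID rather than accept a role parameter.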
January 27, 2004, 05:07 PM
<IBI Sean>
fgpotter:

Check out the WebFOCUS Security and Administration manual. It deals with each of the topics you are asking about. Of course, that may be the doc that you have already read through.

Here are some specific responses to your questions, with lots of if's since many specifics weren't provided:

* How can I pass user credentials from ASP.NET over to the WebFOCUS client?
[IBI Sean] If both userid/passwd are available in your application then you can pass them in your call to the WFServlet. If the passwd is encrypted then you will need to add in the hashing algorithm onto the WebFOCUS Client via the scripting language (probably call the function in site.wfs).

Depending on which WebFOCUS features you are using (self-service reporting or MR) you will need to supply different credentials.

* How can WebFOCUS check the user's credentials in the same SQL Server table that I'm using in ASP.NET?
[IBI Sean] For what purpose? Is this to determine application authorizations or data access? If you are using MR and require authorizations then check out MR Security Exits (esp. MREXT5). The Sec&Admin manual describes what is possible with this exit. This exit is programmatically included at the WF Client/web tier.

If this is to determine data access rules then you probably want to look up the rules on the Server side. You can do this through scripting logic in user/site profiles (see edasprof.prf). You can also write an exit on the server to securely do your lookups and business logic (see PVUIDXT/Pre-verify User Exit).

* How do I restrict which specific database rows a user can see based on the user's roles?
[IBI Sean] There are a number of places to implement this security: Database, user profiles on Rptg Server, via DBA statements in Master Files, and through FILTERs. Of course, these rules could also be hard-coded into your reporting application but sites typically prefer the server-side options for maintainability.

I'd recommend reading up on each of these topics to decide how to best implement in your situation. The distributed web architecture of WebFOCUS makes it difficult to offer a one-size-fits-all security reference -- that's why we offer all the tools for doing so but not necessarily the specific answers.

On the Techsupport web site we have a Security link that does contain some best practices and recommended configurations for sites with specific needs. That may provide some additional research material for you.

Good luck!
Sean