Focal Point Banner
Community Center Education Summit Technical Support User Groups
Let's Get Social!

Facebook Twitter LinkedIn YouTube
Focal Point    Focal Point Forums  Hop To Forum Categories  WebFOCUS/FOCUS Forum on Focal Point     [CLOSED] WF 8.0.08 Change Management Export/Import and Security Center - Loophole?
Go
New
Search
Notify
Tools
Reply
  
[CLOSED] WF 8.0.08 Change Management Export/Import and Security Center - Loophole?
 Login/Join
 
Expert
posted
This is a test. this is a test.

I created a new group with three users in the group. I added security to one fex - only this group can run the fex.

I created a Change Management Export package for the fex, checking "With Rules".

I imported the Change Management package in the target environment. In Security Center of the target environment, the group was successfully created, but with no users.

Is this a loophole in the process?

This message has been edited. Last edited by: FP Mod Chuck,


Francis


Give me code, or give me retirement. In FOCUS since 1991

Production: WF 7.7.05M, Dev Studio, BID, MRE, WebSphere, DB2 / Test: WF 8.1.05M, App Studio, BI Portal, Report Caster, jQuery, HighCharts, Apache Tomcat, MS SQL Server
 
Posts: 10577 | Location: Toronto, Ontario, Canada | Registered: April 27, 2005Reply With QuoteReport This Post
Platinum Member
posted Hide Post
I haven't done this - but......

When you "Import Package", in 8009, there's a "Security Resources" that has checkboxes for the Roles, Groups and Users. Did you try checking the Users Box and toggling the "Add/Replace" radio button?


webFOCUS 8203
WindowsServer 2012 R2,
Excel, PDF, HTML, ActiveReports
 
Posts: 124 | Location: Minnesota | Registered: August 26, 2013Reply With QuoteReport This Post
Expert
posted Hide Post
Yes, I should have mentioned that I did have all the radio buttons set to Add/Replace.


Francis


Give me code, or give me retirement. In FOCUS since 1991

Production: WF 7.7.05M, Dev Studio, BID, MRE, WebSphere, DB2 / Test: WF 8.1.05M, App Studio, BI Portal, Report Caster, jQuery, HighCharts, Apache Tomcat, MS SQL Server
 
Posts: 10577 | Location: Toronto, Ontario, Canada | Registered: April 27, 2005Reply With QuoteReport This Post
Platinum Member
posted Hide Post
So much for the easy fix :-).

I know if one of my guys creates a new application - but doesn't tell me - when I import from dev to test - the code moves - but it doesn't work until I create the new application in test - then re-import the package.

I wonder what would happen if you try and create the user in new "new" environment - but not the permission - then import the package and see if it then adds the permission properly.


webFOCUS 8203
WindowsServer 2012 R2,
Excel, PDF, HTML, ActiveReports
 
Posts: 124 | Location: Minnesota | Registered: August 26, 2013Reply With QuoteReport This Post
Gold member
posted Hide Post
I wouldn't expect to be able to move users as generally you're moving from dev to qa to prod...


WebFOCUS 8.0.07 and 8.2.01M
UNIX, WINDOWS, ORACLE
PDF, CSV, Excel, TXT, XML, HTML
 
Posts: 65 | Location: Maryland | Registered: January 17, 2012Reply With QuoteReport This Post
Expert
posted Hide Post
I'm not moving anything. I don't expect Change Management to copy users from one environment to another. I expect Change Management to include the users that are in the Group that is being migrated from one environment to another. We use Active Directory and like most enterprises, all four of our environments use the same Active Directory service, therefore the users exist in all environments.


Francis


Give me code, or give me retirement. In FOCUS since 1991

Production: WF 7.7.05M, Dev Studio, BID, MRE, WebSphere, DB2 / Test: WF 8.1.05M, App Studio, BI Portal, Report Caster, jQuery, HighCharts, Apache Tomcat, MS SQL Server
 
Posts: 10577 | Location: Toronto, Ontario, Canada | Registered: April 27, 2005Reply With QuoteReport This Post
Master
posted Hide Post
Francis,

quote:
I'm not moving anything. I don't expect Change Management to copy users from one environment to another. I expect Change Management to include the users that are in the Group that is being migrated from one environment to another. We use Active Directory and like most enterprises, all four of our environments use the same Active Directory service, therefore the users exist in all environments.


Just because a user exists in your AD, that doesn't mean that they exist in WebFOCUS. I have mine setup to Auto Add users. So a User will only exist in my production environment, if they have logged into my production environment. I don't know what this would mean for rules about specific users or users that are contained within a group.

Can you clarify what you mean by,
quote:

I created a new group with three users in the group.


Do you mean you manually added these 3 users to the group in WebFOCUS? Or did you add them to the group in AD? If you added them to the group in AD then there is no issue, because onces these users log in after these rules have been moved, then WF will automatically add them to the respective group. Until these users log in, WF will not update their rules as to what groups they belong to. At least thats how I understand it. If this is what you did, I would validate that the external group linkage moved with the group.

quote:
I imported the Change Management package in the target environment. In Security Center of the target environment, the group was successfully created, but with no users.


To my understanding, this will only import the rules for the resource. So if you had rules specifically on a user, it should import the rule that User A has rights to run the report (I'm unaware of what if would do if User A does not exist yet). I believe what you are importing, when you select the fex is "Rule 1 States that Group X has run permission, Run Permission Denied to all other groups" If you are expecting to import that Group X contains users A, B, and C, then I think you would need to export that group as well as the fex. In how I read your example. the Rule required that a certain group exists, so it created that group. It does not say what that group needs to include (although I would assume that any external group association would be carried with it, I would validate that this is the case). Whenever I create a new group, I explicitly move that group between environments so that I know I have the group setup the way I want it.


Eric Woerle
8.1.05M Gen 913- Reporting Server Unix
8.1.05 Client Unix
Oracle 11.2.0.2
 
Posts: 750 | Location: Warrenville, IL | Registered: January 08, 2013Reply With QuoteReport This Post
Platinum Member
posted Hide Post
Hi
I have a same issue that Francis had...
I exported a Group with all options clicked (Replace it or Create New One)
Above was an attempt to replicate what I did in one environment and NOT do it again manually in another environment.. I decided to use the CM tool.
CM package did transfer the Group but no members in it (I do have the same members in the target environment, as well)
Then I decided to check the permissions on this Group and those are not found...

If there is any update or if anyone knows how this can accomplished...would appreciate it.. if you creating GROUPS, ROLEs, permissions etc for a Group, Do we need to repeat the process of creating these Groups etc.. manually in the other environment or it can be done via the Change Management Tool

Thanks in advance for your help..


Prod/Dev/Test: WF 8.1.5 on (Windows Server 2012 R2 )
SandBox: WebFocus Server 8.1.5 on Windows Server 2008 R2
WebFOCUS App Studio 8.1.5 and Developer Studio 8.1.5 on Windows 7
 
Posts: 134 | Location: USA | Registered: August 21, 2008Reply With QuoteReport This Post
Expert
posted Hide Post
The Security Center is one of the grand new features of WF 8. So is the Change Management Tool. You're supposed to be able to use the Change Management Tool to deploy all WF resources from one environment to another.

Perhaps this is all working better (or as it's expected to) in WF 8.2.


Francis


Give me code, or give me retirement. In FOCUS since 1991

Production: WF 7.7.05M, Dev Studio, BID, MRE, WebSphere, DB2 / Test: WF 8.1.05M, App Studio, BI Portal, Report Caster, jQuery, HighCharts, Apache Tomcat, MS SQL Server
 
Posts: 10577 | Location: Toronto, Ontario, Canada | Registered: April 27, 2005Reply With QuoteReport This Post
Master
posted Hide Post
I personally like that user are not move from 1 environment to another as in development users have different permissions then qa or production.

If you are using external security such as AD those external groups do move.

An option that can add users and groups is the REST API. I have used it to AD Groups when the groups are different between environments.

This message has been edited. Last edited by: TexasStingray,




Scott

 
Posts: 865 | Registered: May 24, 2004Reply With QuoteReport This Post
Virtuoso
posted Hide Post
Francis

To expand upon what TexasStingray added if you are using LDAP/AD groups users will be auto added the first time they log in so no user administration is necessary.


Thank you for using Focal Point!

Chuck Wolff - Focal Point Moderator
WebFOCUS 7x and 8x, Windows, Linux All output Formats
 
Posts: 1876 | Location: Customer Support | Registered: April 12, 2005Reply With QuoteReport This Post
Expert
posted Hide Post
I'm not sure how this relates to my comment:
quote:
I'm not moving anything. I don't expect Change Management to copy users from one environment to another. I expect Change Management to include the users that are in the Group that is being migrated from one environment to another. We use Active Directory and like most enterprises, all four of our environments use the same Active Directory service, therefore the users exist in all environments.
I'd like to deploy groups created in WebFOCUS Security Center. I assumed that in the source environment, the groups would be added to the CM package along with a reference to the users within the group, so that when the group is deployed to the target environment, the users would show up when viewing the group in WebFOCUS Security Center. I was seeing empty groups.


Francis


Give me code, or give me retirement. In FOCUS since 1991

Production: WF 7.7.05M, Dev Studio, BID, MRE, WebSphere, DB2 / Test: WF 8.1.05M, App Studio, BI Portal, Report Caster, jQuery, HighCharts, Apache Tomcat, MS SQL Server
 
Posts: 10577 | Location: Toronto, Ontario, Canada | Registered: April 27, 2005Reply With QuoteReport This Post
Virtuoso
posted Hide Post
Francis

Are the security settings using INTERNAL or LDAP/AD?


Thank you for using Focal Point!

Chuck Wolff - Focal Point Moderator
WebFOCUS 7x and 8x, Windows, Linux All output Formats
 
Posts: 1876 | Location: Customer Support | Registered: April 12, 2005Reply With QuoteReport This Post
Expert
posted Hide Post
Unfortunately, my original post was in 2015 - I no longer remember details and I don't work in that environment at the moment.


Francis


Give me code, or give me retirement. In FOCUS since 1991

Production: WF 7.7.05M, Dev Studio, BID, MRE, WebSphere, DB2 / Test: WF 8.1.05M, App Studio, BI Portal, Report Caster, jQuery, HighCharts, Apache Tomcat, MS SQL Server
 
Posts: 10577 | Location: Toronto, Ontario, Canada | Registered: April 27, 2005Reply With QuoteReport This Post
Virtuoso
posted Hide Post
Francis

OK.. I am going to check with product management and verify whether users should come across or not and will update the post when I get an answer.


Thank you for using Focal Point!

Chuck Wolff - Focal Point Moderator
WebFOCUS 7x and 8x, Windows, Linux All output Formats
 
Posts: 1876 | Location: Customer Support | Registered: April 12, 2005Reply With QuoteReport This Post
Expert
posted Hide Post
Chuck, thanks for your efforts on this and for your superb administration of the forum.

For this particular subject, I assumed that the information included in the CM export package would be the the WebFOCUS Security group and users selected to be in the group, not information the individual users. Then when the CM package is imported into the target environment, the group would be added/updated and the selected users would be added to the group. If the user does not exist in the target environment, then it doesn't get added. I don't see any security holes with this assumption.


Francis


Give me code, or give me retirement. In FOCUS since 1991

Production: WF 7.7.05M, Dev Studio, BID, MRE, WebSphere, DB2 / Test: WF 8.1.05M, App Studio, BI Portal, Report Caster, jQuery, HighCharts, Apache Tomcat, MS SQL Server
 
Posts: 10577 | Location: Toronto, Ontario, Canada | Registered: April 27, 2005Reply With QuoteReport This Post
Virtuoso
posted Hide Post
Hi Francis

Thanks for the kind words. I appreciate that!

The bad news is that the users do not come across with change management as it exists today, however there is a current active project to make that happen but not sure what the target release will be.

In the mean time, if the security settings are using EXTERNAL security the first time a user signs in that is a member of an LDAP/AD group that is registered to a WF Security group they will be autoadded and given the security permissions that are part of that group.

This message has been edited. Last edited by: FP Mod Chuck,


Thank you for using Focal Point!

Chuck Wolff - Focal Point Moderator
WebFOCUS 7x and 8x, Windows, Linux All output Formats
 
Posts: 1876 | Location: Customer Support | Registered: April 12, 2005Reply With QuoteReport This Post
  Powered by Social Strata  
 

Focal Point    Focal Point Forums  Hop To Forum Categories  WebFOCUS/FOCUS Forum on Focal Point     [CLOSED] WF 8.0.08 Change Management Export/Import and Security Center - Loophole?

Copyright © 1996-2018 Information Builders, leaders in enterprise business intelligence.