As of December 1, 2020, Focal Point is retired and repurposed as a reference repository. We value the wealth of knowledge that's been shared here over the years. You'll continue to have access to this treasure trove of knowledge, for search purposes only.
Join the TIBCO Community TIBCO Community is a collaborative space for users to share knowledge and support one another in making the best use of TIBCO products and services. There are several TIBCO WebFOCUS resources in the community.
From the Home page, select Predict: WebFOCUS to view articles, questions, and trending articles.
Select Products from the top navigation bar, scroll, and then select the TIBCO WebFOCUS product page to view product overview, articles, and discussions.
Request access to the private WebFOCUS User Group (login required) to network with fellow members.
Former myibi community members should have received an email on 8/3/22 to activate their user accounts to join the community. Check your Spam folder for the email. Please get in touch with us at community@tibco.com for further assistance. Reference the community FAQ to learn more about the community.
I would like to be able to restrict access to a master file based on the Groups a user is associated with. Does anyone know if the DBA Security has been improved in WF8008 to allow restrictions based on a users group? Or is the only way to achieve this by querying the group table and writing a view to deal with the recursive join?
Thanks!This message has been edited. Last edited by: eric.woerle,
Eric Woerle 8.1.05M Gen 913- Reporting Server Unix 8.1.05 Client Unix Oracle 11.2.0.2
Posts: 750 | Location: Warrenville, IL | Registered: January 08, 2013
I'm not exactly sure as to how it's done. But, you can use the WebFOCUS 8 Security, or DBA security, to limit access down to field values. Access to the masters isre normaly done via Domain level security (If you have access to the domain, then you have access to the app folders associated with that/those domain(s)...
Posts: 3132 | Location: Tennessee, Nashville area | Registered: February 23, 2005
I am looking to restrict fields / segments based on the group someone belongs in. For instance I want people who are not in the Finance group to be restricted from seeing the payment segment of my financial metadata, but they should be able to see the invoice segment of the financial metadata. I can only do this if I know what group each person belongs in. I thought WF8 had made improvements of which groups could be used for these types of restrictions, but I have been unable to find any documentation on it.
One way that I could do it is by querying the user groups table in Oracle, but this table is a recursive table. I'm not sure if there is some system metadata that would allow me to query the groups that someone belongs to and recognize all of the parent groups of that person or not. Ultimately thats what I am looking to do. For instance I might want to show a few fields on a master file to only tenant A. Unfortunately no one is assigned directly to tenant A. They are a part of the EXT_ADMISSIONS group. Which has a full path of Tenant A / Basic Users / Admissions / External Admissions. It is 4 levels removed from how I need to restrict access to the field.
I want to somehow say in the DBA security, anyone with access to Tenant A can access these fields. Anyone from other tenants is restricted from these fields.
Eric Woerle 8.1.05M Gen 913- Reporting Server Unix 8.1.05 Client Unix Oracle 11.2.0.2
Posts: 750 | Location: Warrenville, IL | Registered: January 08, 2013
I did exactly that. With some help from our IBI guy, we created a little fex that looks at the group table, and sets PERMPASS to a value based on the group. Then, in the master file definitions, you use the PERMPASS value to control who sees what. By the way, the little fex that you write, you then put it in to the site profile so it automatically gets executed whenever someone logs on or opens any kind of object in managed reporting. Works great.
Currently in my metadata I use MFD profiles and DBA files to handle my restrictions. I am looking to improve the logic in my MFD profiles to also consider a persons group. Is this what you did too? Or are you just refering to the MFD profile piece (which you used permpass on the RS instead of a procedure run before each masterfile). I'm looking for an efficient way to access the group security table.
BTW this is specifically in WF 8.0.08, I see that you are still in WF 7.7.03. The security tables i'm refering to don't exist in WF 7. They are a new enhancement in WF 8.
Eric Woerle 8.1.05M Gen 913- Reporting Server Unix 8.1.05 Client Unix Oracle 11.2.0.2
Posts: 750 | Location: Warrenville, IL | Registered: January 08, 2013
So since I wasn't seeing anything in the documentation about extracting a user's groups I decided to write a view off of the UOA tables and put together this query which will tell me each user, the group they are assigned to, and associate them with all of the parents of that group.
select x.id
,x.parentid
,x.name
,t2.groupid
,t2.userid
,t3.name
from (select t1.id
,t1.name
from uoa_groups t1
start with t1.id in (select groupid
from uoa_groupsusers gu
group by groupid) x
,uoa_groupsusers t2
,uoa_users t3
where x.id = t2.groupid
and t2.userid = t3.id
order by t3.name, x.id, x.name
group by t3.name, x.id, x.name
it works great except for one problem.... none of the users added to a group through their LDAP group is included in the list. Those users are in the UOA_USERS table, but if they were added to a group through the external process, that relationship isn't stored in the UOA_GROUPSUSERS table. This unfortunately puts me back to square one with trying to find a system masterfile or something along those lines to query.
Has anyone gotten past this yet?
Thanks!
Eric Woerle 8.1.05M Gen 913- Reporting Server Unix 8.1.05 Client Unix Oracle 11.2.0.2
Posts: 750 | Location: Warrenville, IL | Registered: January 08, 2013
I spoke with IBI regarding this, and the answer was so simple its embarassing...
There is a variable, IBIMR_memberof, that contains all of the groups that a user is a part of in a ';' delimited string. Just need to add
<set> IBIMR_memberof(pass)
to your site.wfs and your rocking and rolling. I don't believe this is visible to the Reporting Server (still need to test it out), but I'll probably throw it to a Global Variable so that I can use it in my MFD_PROFILE. Then I can parse it out and assign DBA Passwords accordingly.
Eric Woerle 8.1.05M Gen 913- Reporting Server Unix 8.1.05 Client Unix Oracle 11.2.0.2
Posts: 750 | Location: Warrenville, IL | Registered: January 08, 2013