As of December 1, 2020, Focal Point is retired and repurposed as a reference repository. We value the wealth of knowledge that's been shared here over the years. You'll continue to have access to this treasure trove of knowledge, for search purposes only.
Dear FocalPoint,
I have an issue with the user management concept. The following is my scenario: We created 2 groups in the MRE environment and assigned users to each group. Once a given user logs on, he is redirected [directly] to his authorized group, which contains a set of reports. I created a user who has authorization for both groups. Once he logs on, he is redirected to a page that has a list of groups, in our case a list of 2 groups. [Because I edited the BID-config.xml, I set request-context="login-success" to use the performance management framework single view.]
My question is: Is it possible for users to access one group that has a list of reports, and have each report run according to the user's credentials? If the user does not have authority to access the report, a message will appear, let's say "unauthorized access"?
That means I want the security policy at the report level. If that is possible, can you kindly guide me on how to do it?
I do recognize your problem. I'm working on that too. What I want to do is create a database set with
TABLE1: userID and name
TABLE2: projectcode
TABLE3: userID and projectcode
Create a fex that tests if the logged-on user has a record in table3 for that specific report; if not, go to the end and give a message, else run the report.
It is not finished, so I do not have all the details worked out. I hope, however, this will work at the end of the week, and then I shall have to build it into all the reports, or at least into all the sensitive reports.
Suggestions will be welcome.
Frank
prod: WF 7.6.10 platform Windows, databases: msSQL2000, msSQL2005, RMS, Oracle, Sybase,IE7 test: WF 7.6.10 on the same platform and databases,IE7
Posts: 2387 | Location: Amsterdam, the Netherlands | Registered: December 03, 2006
I only use self service, not MRE, but do have exactly the same issues. In our system, rather than projects there is the concept of security levels; users can only see the data they are entitled to.
When a fex is run, the security level of the user is always passed to the program, along with other information. Each fex has declared security levels and an INCLUDE that redirects the user if the security levels are wrong or sets up reporting filters to get the correct data, for example one fex may be accessible by everyone, but the data returned depends on who they are, another should only be accessed by a certain security level. So rather than checking a db on every fex call, the information is readily available to use having been obtained when they log in.
Not sure how this works for MRE, but in self service, a fex is only a URL away (it doesn't take a genius to read the html code and work out a legal URL), so we have to ensure that a program is accessed in a 'legal' way with the correct credentials; if not, a user is thrown back out of the system. It was not as straightforward as I would have liked though, and some techniques took a little bit of working out, particularly where data maintenance with Maintain and UA were concerned.
Another system I worked on did work roughly the same way as you propose, the only difference was that the user was checked with a GETUSER before checking their access rights.
Alan. WF 7.705/8.007
Posts: 1451 | Location: Portugal | Registered: February 07, 2007
Dear Frank,
Thanks for your reply. I tried to apply your idea but I am stuck on this point: how to get the user parameter once he has logged in. As I understand it, your way is to create a pre-procedure that checks whether the logged-in user is valid for the next procedure: if OK, continue in the sequence; if not, go to the Exit label.
I have a small script that reads the database table tblUsers. It uses the amper variable '&MY_user' that holds the login ID of a user.
DEFINE FILE TBLUSERS
UCODE/A6=UPCASE(6,'&MY_user', UCODE);
END
TABLE FILE TBLUSERS
PRINT
USERCODE
USERNAAM
DEPCODE
LEVEL
MANAGER
WHERE ( USERCODE EQ UCODE );
ON TABLE HOLD AS TMPUSER FORMAT ALPHA
END
-RUN
-* Each format on -READ is closed with a period, including the last two.
-READ TMPUSER &U_code.A6. &U_naam.A50. &MY_pass.A6. &U_level.A1. &U_manager.A6.
-RUN
SET PASS=&MY_pass
-SET &ACCMAN=IF &U_actief EQ 4 THEN EDIT(&U_chef,'999') ELSE '$*' ;
As you see I give the PASS value the department code. In some masters I have set this security to be dependent on that department code.
I also can use the name of the user in the report and other fields to give other security restrictions. For example if the field "LEVEL" is "8" the user can see every sales from CAR that is less than 8000...
This was however set up against only one database. In fact you should look at every application for the specific security requirements, and what I would like best is to rely on the security settings of each system. That was until now however not so easy to do.
Frank
prod: WF 7.6.10 platform Windows, databases: msSQL2000, msSQL2005, RMS, Oracle, Sybase,IE7 test: WF 7.6.10 on the same platform and databases,IE7
Posts: 2387 | Location: Amsterdam, the Netherlands | Registered: December 03, 2006
You can also grab the values of &IBIC_user and &IBIMR_user. We use this within MRE and in self-service to populate various drop-down lists based on user security. They could also be used to determine whether or not a user could even run a procedure, but that information would have to exist in a file or table somewhere.
Regards,
Darin
In FOCUS since 1991 WF Server: 7.7.04 on Linux and Z/OS, ReportCaster, Self-Service, MRE, Java, Flex Data: DB2/UDB, Adabas, SQL Server Output: HTML,PDF,EXL2K/07, PS, AHTML, Flex WF Client: 77 on Linux w/Tomcat
Posts: 2298 | Location: Salt Lake City, Utah | Registered: February 02, 2007
To use &IBIC_user or &IBIMR_user in your application you have to customize the "site.wfs" file via the WF Client Console in the Configurations --> Custom Settings menu choice. To pass your user login ID as &IBIC_user (and &IBIC_pass for that matter) add
All, I have worked on a customer's site to help them with their security for a self-service application. They use DOT NET NUKE as their portal and all users are required to log in. This creates a GUID as a cookie for their domain "Example *.ibi.com" so that it is passed to all *.ibi.com sites. Then it is captured by WebFOCUS running on a different URL in the same domain and passed to the Reporting Server, where each focexec that needs to be secured has 3 variables and a -INCLUDE to check whether the user is allowed to access that report for the requested facility.
-SET &&userid = &guid;
-SET &&fac_no = &fac_no;
-SET &&reportid = n;
-* Where n is the number assigned to this report.
-INCLUDE SECMOD01
-* In the security module it queries the tables to see if the user is authorized for that info.
-* The GUID is alphanumeric, so the global set above (&&userid) is quoted in the test.
WHERE GUID EQ '&&userid';
WHERE RPTID EQ &&reportid;
WHERE FAC_NO EQ &&fac_no;
and hold the data,
then using dialog manager code
-* &LINES holds the number of rows returned by the request above.
-IF &LINES GT 0 THEN GOTO :ENDSECMOD ELSE GOTO :NOTALLOWED;
-:NOTALLOWED
-HTMLFORM BEGIN
<html>
<body>
<center>You are not authorized for that information</center>
</body>
</html>
-HTMLFORM END
-RUN
-EXIT
-* if you get here the above message is displayed and control is not returned to the original focexec.
-:ENDSECMOD
-* This is the end of the security module; if you get here control returns to the original focexec.
This is only an option. Whenever possible you should really use MRE/UAS/CUS/Dashboard to control access to the Domains and Reports; this way security is controlled by an IBI recommended, approved and proven method.
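
An added example, not part of the thread and not WebFOCUS code: the lookup that the SECMOD01 include performs, sketched in Python over a constructed table, with deny-by-default and the cookie-supplied GUID treated as untrusted input. The GUID, RPTID and FAC_NO columns follow the post; the table name report_access, the sample rows and the function names are assumptions.

```python
import re
import sqlite3

# A well-formed GUID only; anything else is rejected before it reaches a query.
GUID_RE = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")

def build_db():
    """Constructed sample grants: (guid, rptid, fac_no) rows invented for illustration."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE report_access (guid TEXT, rptid INTEGER, fac_no INTEGER)")
    db.executemany(
        "INSERT INTO report_access VALUES (?, ?, ?)",
        [
            ("3f2504e0-4f89-11d3-9a0c-0305e82c3301", 12, 100),
            ("3f2504e0-4f89-11d3-9a0c-0305e82c3301", 14, 100),
            ("9b2d7c1a-0e4b-4c6e-8f3a-5d6e7f809112", 12, 200),
        ],
    )
    return db

def is_authorized(db, guid, rptid, fac_no):
    """Return True only when an explicit grant row exists (deny by default)."""
    if not isinstance(guid, str) or not GUID_RE.fullmatch(guid):
        return False
    try:
        rptid, fac_no = int(rptid), int(fac_no)
    except (TypeError, ValueError):
        return False
    # Bound parameters: the values never become part of the query text.
    row = db.execute(
        "SELECT COUNT(*) FROM report_access"
        " WHERE guid = ? AND rptid = ? AND fac_no = ?",
        (guid.lower(), rptid, fac_no),
    ).fetchone()
    return row[0] > 0

def run_report(db, guid, rptid, fac_no):
    """Same flow as the focexec: check first, run the report only if allowed."""
    if not is_authorized(db, guid, rptid, fac_no):
        return "You are not authorized for that information"
    return f"report {rptid} for facility {fac_no}"

if __name__ == "__main__":
    db = build_db()
    print(run_report(db, "3f2504e0-4f89-11d3-9a0c-0305e82c3301", 12, 100))
    print(run_report(db, "3f2504e0-4f89-11d3-9a0c-0305e82c3301", 12, 200))
```

The second call is denied because the grant for report 12 at facility 200 belongs to a different GUID; a row must match all three values.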