Focal Point
Mre Reports security

This topic can be found at:
https://forums.informationbuilders.com/eve/forums/a/tpc/f/7971057331/m/1571076612

March 06, 2007, 02:24 AM
Qalqili
Mre Reports security
Dear FocalPoint,
I have an issue with the user management concept. The following is my scenario:
We create 2 groups in the MRE environment and we assign users to each group. Once a given user logs on, he is redirected [directly] to his authorized group, which contains a set of reports. I created a user who has authorization for both groups. Once he logs on, he is redirected to a page that has a list of groups, in our case a list of 2 groups.
[Because I edited the BID-config.xml, I set the request-context="login-success" to use the performance management framework single view].

My question is:
Is it possible for users to access one group that has a list of reports, with each report run according to the user's credentials? If the user does not have authority to access the report, a message will appear, let's say "unauthorized access"?

That means I want the security policy at the report level. If that is possible, could you kindly guide me on how to do it?


I appreciate your Help


WF 7.7.0.3HF3 / WinXP- WF-Client & Apache / DevStd 7.7.0.3HF3 win XP.
March 06, 2007, 03:02 AM
FrankDutch
I do recognize your problem.
I'm working on that too.
What I want to do is create a database set with

TABLE1: userID and name
TABLE2: projectcode
TABLE3: userID and Projectcode

Create a fex that tests if the logged-on user has a record in table3 for that specific report; if not, go to the end and give a message, else run the report.

It is not finished, so I do not have all the details worked out. I hope however this will work at the end of the week, and then I shall have to build it in to all the reports or at least to all the sensitive reports.

Suggestions will be welcome.




Frank

prod: WF 7.6.10 platform Windows,
databases: msSQL2000, msSQL2005, RMS, Oracle, Sybase,IE7
test: WF 7.6.10 on the same platform and databases,IE7

March 06, 2007, 04:23 AM
Alan B
Frank

I only use self service, not MRE, but do have exactly the same issues. In our system, rather than projects there is the concept of security levels; users can only see the data they are entitled to.

When a fex is run, the security level of the user is always passed to the program, along with other information. Each fex has declared security levels and an INCLUDE that redirects the user if the security levels are wrong or sets up reporting filters to get the correct data, for example one fex may be accessible by everyone, but the data returned depends on who they are, another should only be accessed by a certain security level. So rather than checking a db on every fex call, the information is readily available to use having been obtained when they log in.

Not sure how this works for MRE, but in self service, a fex is only a URL away (it doesn't take a genius to read the html code and work out a legal URL), so we have to ensure that a program is accessed in a 'legal' way with the correct credentials; if not, a user is thrown back out of the system. It was not as straightforward as I would have liked though, and some techniques took a little bit of working out, particularly where data maintenance with Maintain and UA were concerned.

Another system I worked on did work roughly the same way as you propose, the only difference was that the user was checked with a GETUSER before checking their access rights.


Alan.
WF 7.705/8.007
March 14, 2007, 06:33 AM
Qalqili
Dear Frank
Thanks for your reply. I tried to apply your idea, but I am stuck on this point: how to get the user parameter once he has logged in. As I understand it, your way is to create a pre-procedure that checks whether the logged-on user is valid for the next procedure: if OK, continue in the sequence; if not, go to the Exit label.


I appreciate your Comment


WF 7.7.0.3HF3 / WinXP- WF-Client & Apache / DevStd 7.7.0.3HF3 win XP.
March 14, 2007, 10:49 AM
FrankDutch
I have a small script that reads the database table tblUsers.
It uses the amper variable '&MY_user' that holds the login ID of a user.


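-* Look up the logged-on user (&MY_user) in TBLUSERS
DEFINE FILE TBLUSERS
UCODE/A6=UPCASE(6,'&MY_user', UCODE);
END
TABLE FILE TBLUSERS
PRINT
     USERCODE
     USERNAAM
     DEPCODE
     LEVEL
     MANAGER
WHERE ( USERCODE EQ UCODE );
ON TABLE HOLD AS TMPUSER FORMAT ALPHA
END
-RUN
-* Read the held row into amper variables; DEPCODE goes into &MY_pass
-READ TMPUSER &U_code.A6. &U_naam.A50. &MY_pass.A6. &U_level.A1. &U_manager.A6.
-RUN
-* Use the department code as the DBA password for this session
SET PASS=&MY_pass
-* &U_actief and &U_chef are not set anywhere in this fragment
-SET &ACCMAN=IF &U_actief EQ 4 THEN EDIT(&U_chef,'999') ELSE '$*' ;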


As you see, I give the PASS value the department code.
In some masters I have set this security to be dependent on that department code.

I can also use the name of the user in the report, and other fields, to give other security restrictions.
For example, if the field "LEVEL" is "8" the user can see every sale from CAR that is less than 8000...

This was however set up against only one database.
In fact you should look at every application for the specific security requirements, and what I would like best is to rely on the security settings of each system. That was until now however not so easy to do.

Frank




Frank

prod: WF 7.6.10 platform Windows,
databases: msSQL2000, msSQL2005, RMS, Oracle, Sybase,IE7
test: WF 7.6.10 on the same platform and databases,IE7

March 14, 2007, 11:46 AM
Darin Lee
You can also grab the values of &IBIC_user and &IBIMR_user. We use this within MRE and in self-service to populate various drop-down lists based on user security. They could also be used to determine whether or not a user could even run a procedure, but that information would have to exist in a file or table somewhere.


Regards,

Darin



In FOCUS since 1991
WF Server: 7.7.04 on Linux and Z/OS, ReportCaster, Self-Service, MRE, Java, Flex
Data: DB2/UDB, Adabas, SQL Server Output: HTML,PDF,EXL2K/07, PS, AHTML, Flex
WF Client: 77 on Linux w/Tomcat
March 17, 2007, 07:49 PM
FrankDutch
I would like to know more on that Darin.
Can you please explain what you do and how that is worked out.
We are looking into something like that.

Frank




Frank

prod: WF 7.6.10 platform Windows,
databases: msSQL2000, msSQL2005, RMS, Oracle, Sybase,IE7
test: WF 7.6.10 on the same platform and databases,IE7

March 19, 2007, 09:01 AM
AlexU
To use &IBIC_user or &IBIMR_user in your application you have to customize the "site.wfs" file via the WF Client Console in the Configurations --> Custom Settings menu choice.
To pass your user login ID as &IBIC_user (and &IBIC_pass for that matter) add

Your_USER_ID = &IBIC_user
Your_USER_ID(PASS)
Your_USER_password = &IBIC_pass
Your_USER_password(PASS)

To just use the Amper Variables:

&IBIC_user(PASS)
&IBIC_pass(PASS)
&IBIMR_user(PASS)

You can then use these in any way you need to in your fexes.


WF 7703M, XP/Win7, MRE, RC, BID, PMF, HTML, PDF, Excel 2000/7/10
March 19, 2007, 12:49 PM
TexasStingray
All, I have worked on a customer's site to help them with their security for a self-service application. They use DOT NET NUKE as their portal and all users are required to log in. This creates a GUID as a cookie for their domain (example: "*.ibi.com") so that it is passed to all *.ibi.com sites. It is then captured by WebFOCUS, running on a different URL in the same domain, and passed to the Reporting Server, where each focexec that needs to be secured has 3 variables and a -INCLUDE to check whether the user is allowed to access that report for the requested facility.

  
-SET &&userid = &guid;
-SET &&fac_no = &fac_no;
-SET &&reportid = n;
-* Where n is the number assigned to this report.
-INCLUDE SECMOD01
-* In the security module it queries the tables to see if the user is authorized for that info.

WHERE GUID EQ '&&userid';
WHERE RPTID EQ &&reportid;
WHERE FAC_NO EQ &&fac_no;

and hold the data,

then using dialog manager code

-* &LINES holds the number of rows returned by the query above.
-IF &LINES GT 0 THEN GOTO :ENDSECMOD ELSE GOTO :NOTALLOWED;
-:NOTALLOWED
-HTMLFORM BEGIN
<html>
<body>
<center>You are not authorized for that information</center>
</body>
</html>
-HTMLFORM END
-RUN
-EXIT
-* If you get here the above message is displayed and control is not returned to the original focexec.

-:ENDSECMOD
-* This is the end of the security module; if you get here control returns to the original focexec.


This is only an option. Whenever possible you should really use MRE/UAS/CUS/Dashboard to control access to the Domains and Reports; this way security is controlled by an IBI recommended, approved and proven method.

Scott




Scott
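
Added example, not code from any poster in this thread and not WebFOCUS code: a small Python/SQLite model of the per-report check that Frank's three-table design and Scott's SECMOD01 include both describe, showing deny-by-default and why the user ID must come from the login session rather than from a request parameter. The table name rpt_access, the session/params dictionaries and all rows are assumptions constructed for the illustration; only the column names and the denial message come from the posts.

```python
import sqlite3

DENIED = "You are not authorized for that information"  # message from the post

def build_db():
    """Constructed sample grants; column names follow the post (GUID, RPTID, FAC_NO)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE rpt_access (guid TEXT, rptid INTEGER, fac_no TEXT,"
               " PRIMARY KEY (guid, rptid, fac_no))")
    db.executemany("INSERT INTO rpt_access VALUES (?, ?, ?)", [
        ("GUID-ALICE", 1, "F100"),   # made-up users, reports and facilities
        ("GUID-ALICE", 2, "F100"),
        ("GUID-BOB", 1, "F200"),
    ])
    return db

def is_authorized(db, session_guid, report_id, fac_no):
    """True only when a grant row exists for (user, report, facility)."""
    if not session_guid or report_id is None or not fac_no:
        return False                 # missing input is a denial, not an error
    (count,) = db.execute(
        "SELECT COUNT(*) FROM rpt_access"
        " WHERE guid = ? AND rptid = ? AND fac_no = ?",
        (session_guid, report_id, fac_no)).fetchone()
    return count > 0                 # same decision as the row-count test in the post

def run_report(db, session, params, report_id):
    """Gate placed in front of one report.

    session: identity the server established at login (assumed trusted).
    params:  query-string values from the request (untrusted).
    report_id is fixed per report, like the number assigned in each focexec.
    """
    # Any 'guid' in params is ignored: identity comes from the session only.
    if not is_authorized(db, session.get("guid"), report_id, params.get("fac_no")):
        return DENIED
    return f"report {report_id} for facility {params['fac_no']}"

if __name__ == "__main__":
    db = build_db()
    print(run_report(db, {"guid": "GUID-ALICE"}, {"fac_no": "F100"}, 2))
    # Request that supplies someone else's guid as a parameter: still denied.
    print(run_report(db, {"guid": "GUID-BOB"}, {"fac_no": "F100", "guid": "GUID-ALICE"}, 1))
```

The query is parameterized, so the facility number from the request is compared as data and never becomes part of the SQL text.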