As of December 1, 2020, Focal Point is retired and repurposed as a reference repository. We value the wealth of knowledge that's been shared here over the years. You'll continue to have access to this treasure trove of knowledge, for search purposes only.
Join the TIBCO Community TIBCO Community is a collaborative space for users to share knowledge and support one another in making the best use of TIBCO products and services. There are several TIBCO WebFOCUS resources in the community.
From the Home page, select Predict: WebFOCUS to view articles, questions, and trending articles.
Select Products from the top navigation bar, scroll, and then select the TIBCO WebFOCUS product page to view product overview, articles, and discussions.
Request access to the private WebFOCUS User Group (login required) to network with fellow members.
Former myibi community members should have received an email on 8/3/22 to activate their user accounts to join the community. Check your Spam folder for the email. Please get in touch with us at community@tibco.com for further assistance. Reference the community FAQ to learn more about the community.
Trying to make a long story short, we are considering, as a security solution, creating a SQL server view that limits access to certain rows in a table based on user ID. That is, something like
SELECT * FROM base_table WHERE authorization_table.user_id = (dynamically-passed user-id) and top_secret_flag = ‘Y’ ;
Put another way, a “static” view contains a variable!
Is there any way that WebFOCUS can pass a Logon ID as a parameter to this kind of view? I’m doubtful.
The way I see it, the WF Master will not contain a logon ID (because it's not a column in the view), so there is no way that WF can pass the info to the SQL server. And, even if it was a column on the table, and visible via the Master, there is no way we could keep a user from hard coding an 'authorized' logon ID. Can anyone prove me wrong? (please!)
Jeff WebFOCUS 8.0.09, Unix-Win-z/OS FOCUS 7.3.1 on z/OS
Thanks for your interest, Sayed. Please note that the select statement is not being passed through WebFOCUS. It is the definition of the SQL server view. WebFOCUS will see only the filtered data from the base table, through the view, which does not contain user ID as a field.
But, you highlight the exact issue-- can I get SQL server to recognize &IBIMR_user as the user ID behind the WebFOCUS call to the view? My current opinion is that I can't, and that Majid's stored procedure suggestion is the best alternative so far. Unless you can describe a better way...
Jeff WebFOCUS 8.0.09, Unix-Win-z/OS FOCUS 7.3.1 on z/OS
We have been set up for some time to do exactly as you wish.
Instead of passing the WebFOCUS userid into SQL as a parameter to use as a variable in the view's filter statement, we use the WebFOCUS userid as the SQL logonid that creates the SQL session. Each WF userid has a like-named SQL userid [it helps that we're a single-sign-on shop (an employee's network ID is used at initial sign on, and he/she is never asked for credentials again). MS/Active Directory is our primary authenticator of credentials.]
With this setup, we had to use kerberos authentication to make the 3rd 'hop' to pass the ID into SQL. A/D only allows two passes of the credentails: #1 is the network logon, and #2 is the logon to WF. The logon to SQL would be #3, so we had to use kerberos technology to make that work.
The WebFOCUS data adapter referenced by synonyms specifies 'pass through' security.
Once the user logs onto SQL as 'himself' putting the SQL UserID into the view's IF filter is a snap!
We evolved a work-around for testing and high-powered 'top secret clearance' persons: Two synonyms exist for the SQL tables. Ordinary users get the default search path that uses the above mentioned synonymns with the 'pass through' data adapter. 'Special' persons have a WF profile that puts an special appdir into high up in their their search path. That appdir contains identically named synonyms, but these use a different data adapter, one that's set for 'explicit' access to SQL using a special unrestricted userid/password.
Chris
WIN/2K running WF 7.6.4 Development via DevStudio 7.6.4, MRE, TextEditor. Data is Oracle, MS-SQL.
Posts: 154 | Location: NY | Registered: October 27, 2005
Thanks, Chris!! Though I don't know whether or not we use Kerberos here, this is the kind of automatic, user-transparent (and un-hackable) solution I'm looking for. I'll see what our tech folks have to say about it.
Jeff WebFOCUS 8.0.09, Unix-Win-z/OS FOCUS 7.3.1 on z/OS
I don't know if this will help you at all, Jeff, but there is a reporting server security option called DBMS which forces the user to authenticate to the data base directly before a fex will run. We use it here on one server for Teradata. Check the Server Administration manual for your platform for more details.