Defining the Authorization Scheme
Business Analytics permissions are assigned to user groups or to individual users. To set up authorization when LDAP is the user repository, you must relate Business Analytics user groups to user groups in LDAP and define how users are assigned to groups in LDAP. User membership in LDAP groups can be defined by adding users to group entries or by adding group names to user entries, but not both.
Note: In previous releases, Business Analytics user groups were called roles that could be implemented as user roles in LDAP instead of user groups. To use roles in LDAP for authorization in Business Analytics, please contact your Software AG representative for more information.
You must add the built-in Business Analytics groups that define basic permissions as groups in LDAP. You assign users to these built-in groups to assign basic Business Analytics permissions. Your existing LDAP groups can then be used in Business Analytics to define run permissions for specific mashables, mashups or apps.
1. If needed, log in to Business Analytics Hub and click Admin Console in the main menu.
2. Expand MashZone NextGen Repositories and click User Repository - LDAP.
3. Click Advanced Options.
4. If user membership is defined in group entries in your LDAP directory, set these properties:
Set the Search Groups for User Membership option.
Enter the beginning context for user group searches in the Group Search Base property.
This is combined with the User Group Search Filter to find LDAP groups to determine user membership in groups that may have Business Analytics permissions. For example:
ou=groups
Enter the filter to apply in group searches in the User Group Search Filter property.
This is combined with Group Search Base to find LDAP groups to determine user membership in groups that may have Business Analytics permissions. The variable {0} is replaced with the user's username from login. For example:
uniquemember={0}
Enter the LDAP attribute in group entries that identifies a group in the Group Name Attribute property.
This attribute contains the name of the user group that is used in Business Analytics permissions. The default value is the group common name:
cn
Important: If you change this property, you must also update the Group Name Pattern property.
If group IDs in your LDAP Directory are not simple common names (see Group Name Attribute), enter a regular expression in Group Name Pattern to identify the built-in Business Analytics groups.
For example:
cn=(PRESTO_.*?)
Business Analytics expects specific names for the built-in groups that you add to your LDAP Directory. These values are defined in the common name of the group. This property allows Business Analytics to find the expected values for built-in groups while you use the full, correct group names for your organization.
5. If user membership is defined solely in user entries, set these properties:
Clear the Search Groups for User Membership option.
Enter the name of the LDAP attribute in user entries that identifies the groups that users belong to in the User Membership Attribute property.
If group IDs in your LDAP Directory are not simple common names, enter a regular expression in Group Name Pattern to identify the built-in Business Analytics groups.
For example:
cn=(PRESTO_.*?)
Business Analytics expects specific names for the built-in groups that you add to your LDAP Directory. These values are defined in the common name of the group. This property allows Business Analytics to find the expected values for built-in groups while you use the full, correct group names for your organization.
With these properties set, for example:
Search Groups for User Membership = true
Group Search Base = ou=groups,ou=system
User Group Search Filter = uniquemember={0}
Group Name Attribute = cn
And a username of jwalker, Business Analytics would search all entries in ou=groups where uniquemember=jwalker. The names for any of these groups would be the common name (cn) for the group entry.
If these properties were set instead:
Search Groups for User Membership = false
User Membership Attribute = memberOf
The list of groups would consist of all values in the memberOf attribute in the jwalker user entry.
This list of group names would be compared to the built-in Business Analytics groups and to groups with run permissions for artifacts to determine the full set of permissions for jwalker.
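The two lookup modes above, worked through for jwalker against a small constructed directory, as an added example that is not Business Analytics code. The in-memory matcher, the uid lookup of the user entry, the placeholder group PRESTO_ExampleGroup, and the RFC 4515 escaping of the login name before it replaces {0} are assumptions of this example; Group Name Pattern is not modelled.

```python
import re

# Constructed sample data (not from the product). For comparison it stores membership
# both ways; a real directory uses one. PRESTO_ExampleGroup is a placeholder name.
DIRECTORY = {
    "cn=PRESTO_ExampleGroup,ou=groups,ou=system":
        {"cn": ["PRESTO_ExampleGroup"], "uniquemember": ["jwalker"]},
    "cn=Sales,ou=groups,ou=system":
        {"cn": ["Sales"], "uniquemember": ["jwalker", "mlee"]},
    "cn=Finance,ou=groups,ou=system":
        {"cn": ["Finance"], "uniquemember": ["mlee"]},
    "uid=jwalker,ou=users,ou=system":
        {"uid": ["jwalker"], "memberOf": ["PRESTO_ExampleGroup", "Sales"]},
}
GROUP_MODE = {"Search Groups for User Membership": True, "Group Search Base": "ou=groups,ou=system",
              "User Group Search Filter": "uniquemember={0}", "Group Name Attribute": "cn"}
USER_MODE = {"Search Groups for User Membership": False, "User Membership Attribute": "memberOf"}

def escape_filter_value(value):
    """Escape RFC 4515 special characters so a login name is compared literally."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def groups_for(settings, username):
    """Return the sorted group names the given settings would yield for username."""
    if settings["Search Groups for User Membership"]:
        flt = settings["User Group Search Filter"].replace("{0}", escape_filter_value(username))
        attr, _, wanted = flt.partition("=")          # toy matcher: one attr=value filter
        suffix = "," + settings["Group Search Base"]
        names = []
        for dn, entry in DIRECTORY.items():
            values = entry.get(attr, [])
            hit = bool(values) if wanted == "*" else _unescape(wanted) in values
            if dn.endswith(suffix) and hit:
                names += entry[settings["Group Name Attribute"]]
        return sorted(names)
    # Membership kept in the user entry: read the configured attribute (uid lookup assumed).
    for entry in DIRECTORY.values():
        if username in entry.get("uid", []):
            return sorted(entry.get(settings["User Membership Attribute"], []))
    return []
```

Both configurations return the same list for jwalker; that list is what would then be compared with the built-in groups and with groups holding run permissions.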