Authentication and authorization

BMC Decision Support – Database Automation supports the following types of authentication mechanisms:

  • BusinessObjects Business Intelligence (BI) Enterprise
  • Lightweight Directory Access Protocol (LDAP)

Users of BMC Decision Support – Database Automation must have corresponding users in BMC Database Automation that are assigned to groups that have been granted a role with the capability to view reports. 

After the product installation, the BMC Database Automation user information is transferred to the BMC Decision Support – Database Automation data warehouse by running the run_export script on the BMC Database Automation Manager. The run_export script populates the BMC Decision Support – Database Automation data warehouse with the report data and users. The User Role Group (URG) Mapper utility maps the user information to the BMC Decision Support – Database Automation Administrators group. URG Mapper runs hourly through a Microsoft Windows scheduled task, called bds_urgmapper_tsk. This task is created during installation.

The following topics describe how authentication works and how various product roles are mapped to groups in BusinessObjects BI Enterprise:

Authentication setup and user and group creation

You can use either one or both of the authentication types in your environment. The product installation process, the run_export script, and the URG Mapper automatically set up the BusinessObjects BI Enterprise authentication. You must manually configure BusinessObjects BI to work with the LDAP authentication.

The order in which authentication is set up impacts how users are created and the tasks performed by URG Mapper. Review the following authentication scenarios and determine the best approach for your environment: 

Use these scenarios to determine how you want to set up authentication in your environment and the sequence in which you want to set up authentication if you support both types of authentication.

Product is installed and run_export and URG Mapper are run (LDAP is not configured)

In this scenario, you have installed BMC Decision Support – Database Automation and run_export and URG Mapper are run. BusinessObjects BI is not configured for LDAP authentication.

After run_export is run on the BMC Database Automation Manager for the first time and URG Mapper runs for the first time, URG Mapper performs the following steps:

  1. Creates the BMC Decision Support – Database Automation groups in BusinessObjects BI and grants access levels to those groups.
    This step is the only time that URG Mapper creates all groups when it runs. (See Product roles and the access control system for a list of the groups that are created).
  2. Creates the BMC Decision Support – Database Automation users in BusinessObjects BI and maps those users to the groups.

In subsequent runs, URG Mapper does the following:

  1. If there are any changes in user information in BMC Database Automation and those changes have been transferred to the data warehouse via a run_export run, URG Mapper updates the users to reflect those changes.
  2. If any users have been added in BMC Database Automation and the user information has been transferred to the data warehouse via a run_export run, URG Mapper creates the users and maps them to the groups it already created.

LDAP is set up before the product is installed (or before run_export and URG Mapper are run)

In this scenario, BusinessObjects BI is configured for LDAP authentication before you install BMC Decision Support – Database Automation or before run_export and URG Mapper are run.

After the run_export is run on the BMC Database Automation Manager for the first time and URG Mapper runs for the first time, it does the following:

  1. Creates the BMC Decision Support – Database Automation groups in BusinessObjects BI and grants access levels to those groups.
    This step is the only time that URG Mapper creates all groups when it runs (see Product roles and the access control system for a list of the groups that are created).
  2. Maps the users who have already been imported from the LDAP group to the groups that it created in the first step.
    These users do not have a BusinessObjects BI Enterprise login, because they were already present in BusinessObjects BI. URG Mapper does not create duplicate users.
  3. If any of the users from BMC Database Automation that were transferred to the data warehouse via a run_export run do not match users already imported from the LDAP group, URG Mapper creates those users and maps them to the groups it already created.

Product is installed, run_export and URG Mapper are run, and then LDAP is configured

In this scenario, you have installed BMC Decision Support – Database Automation and run_export and URG Mapper are run (URG Mapper has already set up the groups and mapped the BusinessObjects BI Enterprise users to those groups). Then, you configure BusinessObjects BI for LDAP authentication and the users in your LDAP group. The users in your LDAP group match the BusinessObjects BI Enterprise users.

When URG Mapper runs after you set up LDAP authentication, URG Mapper does the following:

  1. Maps the users from the LDAP group to the groups that URG Mapper has already created. The existing BusinessObjects BI Enterprise users now have BusinessObjects BI Enterprise and LDAP login credentials (they have the same aliases).
  2. If there are any changes in role mapping in BMC Database Automation and those changes have been transferred to the data warehouse via a run_export run, URG Mapper updates the users to reflect those changes.
  3. If any users have been added in BMC Database Automation and the user information has been transferred to the data warehouse via a run_export run, and those users do not already exist from the LDAP group, URG Mapper creates the users and maps them to the groups it already created.
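
The three scenarios above differ mainly in which login credentials each user ends up with. The following sketch is an added illustration, not product code: it is a simplified model of the described URG Mapper behaviour, and every function name, data structure, and sample user in it is hypothetical.

```python
# Simplified model of the URG Mapper behaviour in the three scenarios above.
# Added illustration: all names and data structures here are hypothetical.
ADMIN_GROUP = "BDS-DA Administrators"

def new_bi():
    """Empty BusinessObjects BI state: no groups, no users."""
    return {"groups": set(), "users": {}}

def ldap_import(bi, ldap_users):
    """LDAP group import done by BusinessObjects BI, not by URG Mapper."""
    for name in ldap_users:
        user = bi["users"].setdefault(name, {"aliases": set(), "groups": set()})
        user["aliases"].add("LDAP")  # a matching user gains a second alias

def urg_mapper_run(bi, warehouse_users):
    """One URG Mapper run over the users that run_export transferred."""
    actions = []
    if ADMIN_GROUP not in bi["groups"]:  # groups are created on the first run only
        bi["groups"].add(ADMIN_GROUP)
        actions.append(("create_group", ADMIN_GROUP))
    for name in sorted(warehouse_users):
        user = bi["users"].get(name)
        if user is None:  # no match in BI: create an Enterprise user
            user = bi["users"][name] = {"aliases": {"Enterprise"}, "groups": set()}
            actions.append(("create_user", name))
        if ADMIN_GROUP not in user["groups"]:  # map existing users, no duplicates
            user["groups"].add(ADMIN_GROUP)
            actions.append(("map_user", name))
    return actions

def login_paths(bi):
    """Which credential types each mapped user can log in with."""
    return {n: sorted(u["aliases"]) for n, u in bi["users"].items()
            if ADMIN_GROUP in u["groups"]}

if __name__ == "__main__":
    warehouse = {"alice", "bob"}  # constructed sample users
    # Scenario: LDAP configured first; only alice is in the LDAP group.
    bi = new_bi()
    ldap_import(bi, {"alice"})
    print(urg_mapper_run(bi, warehouse))
    print(login_paths(bi))
    # Scenario: product first, LDAP configured afterwards.
    bi = new_bi()
    urg_mapper_run(bi, warehouse)
    ldap_import(bi, {"alice"})
    urg_mapper_run(bi, warehouse)
    print(login_paths(bi))
```

When reviewing an environment, the equivalent of login_paths tells you which accounts can authenticate with an Enterprise password, which depend on LDAP only, and which have both.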

Product roles and the access control system

In BMC Decision Support – Database Automation, all the authorized users in BMC Database Automation are members of the BDS-DA Administrators group. When you set up BMC Database Automation access controls, the user is part of a group. Each group is granted specific functional roles and access to particular domains in your BMC Database Automation environment. Each role defines a set of capabilities. The capabilities are activities and tasks that can be performed by a user. To use BMC Decision Support – Database Automation reports, a role with the View Reports capability must be granted to a group assigned to your user. The View Reports capability is granted for specific domains defined for the group. So, the user can only act on reports for devices in the domains defined for the associated group. The User Role Group (URG) Mapper assigns those users to the BDS-DA Administrators user group.

The user group assignments control access to objects and functionality in BMC Decision Support – Database Automation. BMC Database Automation data-level security (user-group-role) controls users' access to report-related data and data in the universe. For example, if your user only has access to domain1 in BMC Database Automation, in BMC Decision Support – Database Automation you can generate reports for devices in domain1. You cannot generate reports for devices in any other domain.

This access control system controls the data a user can see in a report, the actions that a user can perform on a report, and the BMC Decision Support – Database Automation features that a user can access.

The following table shows how BMC Database Automation users map to the BMC Decision Support – Database Automation groups and the privileges associated with the BMC Decision Support – Database Automation groups.

BMC Database Automation user and mapping to the BusinessObjects Business Intelligence (BI) platform user group

BMC Database Automation user: BMC Database Automation user in a group granted a role with View Reports capability

BusinessObjects BI platform user group: BDS-DA Administrators

Privileges:

  • Administration of all content and areas of BMC Decision Support – Database Automation in BusinessObjects Enterprise
  • Editing the universe and connection details
  • Editing and saving reports
  • Displaying, running, emailing, saving, and exporting built-in reports for the data to which your BMC Database Automation role has access

By default all BMC Decision Support – Database Automation users are assigned to this group.

Related topics

User roles
Configuring BusinessObjects for use with LDAP
Accessing users and groups in the Central Management Console
Providing credentials for Windows scheduled tasks
Roles
