Hi folks,

We have applied security in 2 different environments, UAT and Production. In UAT the security is working fine, but in Production there is an issue with security.

When we checked security, we found that the clear inheritance that we applied on the page is not working in Production.

Can someone suggest why clear inheritance is not working in Production?

Thanks in advance.

Link to comment
Share on other sites

Are both environments on the same release?

Can you be more specific/detailed?

Why are you saying that the clear inheritance does not work?

You may have another security property that is over permitted either from the same group or another.

Check all security applied on the page.

I am almost 100% sure that the securities are not the same between the two environments.

Link to comment
Share on other sites

Hi Vikas

You probably have a difference in Rules or Roles that's affecting your Production rollout.

Here's what you can do to tell.

As a colleague once told me when WF 8 was new, if you can understand the Effective Policy report, you know all you'll need to know about WebFOCUS security (thank you Mr. Calappi!).

Effective Policy Tells All

First you need to identify a Privilege (also called an Operation) that either is or isn't allowed in Prod that behaves like you want in UAT.

For example, maybe in UAT a user (let's say his name is Bob) can NOT list all the published reports in a given folder. But in Prod, Bob CAN see all those reports. Maybe this behavior has you thinking that Clear inheritance is being ignored.

Once you have a User (aka Bob) and a Privilege on a Folder (like List aka Access Resource) to work with, you can do a comparison by generating an Effective Policy report for UAT and one just like it for Prod. Compare your reports.

To generate an Effective Policy report, you'd right click on the folder that Bob could NOT see in UAT, for example. Then choose Security / Effective Policy.

The Effective Policy dialog box needs to know 2 things: a User ID and the privilege that you're investigating.

In our example this would be Bob and the Access Resource (or opList) privilege.

Once you've chosen those 2 things on the left side of the screen (user ID at the top and click on a privilege at the bottom on the left side), the right side will show you information about how Bob came to be able to List things in that folder (in our example, if you're in UAT, Bob actually can't see the resources that we're looking for).

Here's a folder I made up called Common. I put Bob in the Group=Everyone. Here's what his Access Resource Effective Policy looks like.

To recap how I got here: I right click on the Common folder (you'd right click on whatever you're trying to secure). Then choose Security / Effective Policy. Then I search for Bob at the top with the magnifying glass. After I click on Bob, I then click on Access Resource (you'd choose whatever privilege you're having trouble with).

Now, the panel on the right tells you everything you need to know. These are all the Rules that come into play in deciding if Bob can Access Resource down in the Common folder.

Notice that the Path Element starts at the very top of the Resource Tree (just the /). After that comes /WFC, then /WFC/Repository and finally we make it down to /WFC/Repository/Common.

Sometimes it's easiest to start at the bottom of the report on the right. Let's look at it that way for now. At the bottom of the Effective Policy report on the right, you can see Bob is permitted to Access Resource in the Common folder:

You can also tell that the Subject says EVERYONE - meaning Bob is a member of EVERYONE.

The rule there says EVERYONE can ListAndRun things in the Common folder (and in any child folders).

While the Effective Policy report is looking at DETAIL items such as an individual User instead of a Group, and an individual Privilege instead of a Role, the Rules on the right typically will point to Groups and Roles. To dig in more between your UAT and Prod in this example, it might be worth looking at the Role mentioned in that last rule. This is ListAndRun in my example.

Let's go look at that Role to see what all Privileges are checked in there.

Go to Security Center, and click the Roles tab at the top. Locate the ListAndRun Role and double click it to open it up:

This is a little lengthy by default because all the Privileges are shown in case you wanted to turn on a new Privilege for this Role. Since we're just interested in seeing how the Role is configured now, we can make the Role much easier to look at by choosing to show only the Privileges that are enabled (choose Options / Only show selected Privileges):

That makes things much more clear:

Now you can tell that there are really only 2 privileges turned on inside this Role.

Question: Are your Rules and Roles configured the same way in Prod and UAT (now that you know how to check)?

By now, your eyes might be glazing over and your brain says you need more coffee.

Before I stop, let me show you one more button that's helpful when looking at Effective Policy: there's a Report button while you're in the Effective Policy dialog that is helpful for you to print out if you want.

This report will show you all the things that are in the Effective Policy dialog. TIBCO Support might ask you to send one of these to them if they are helping you troubleshoot.

Try it out to see what you think.

See if you can take what I've mentioned so far and apply it to your problem.

If you're stuck, let us know and I'll see if I can help. I will likely ask you to show me your Effective Policy Reports between the 2 environments as a starting point.

Good hunting!

Link to comment
Share on other sites
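
Added example, not part of the thread and not WebFOCUS code: one way to make the UAT-versus-Prod comparison described in the post above mechanical, once the rule rows and the enabled privileges of each role have been copied out of both environments by hand. The row layout, the verb labels, the ReportUsers group and the PRIV_* privilege names are assumptions constructed for illustration.

```python
# Rows are hand-transcribed from each environment's Effective Policy report.
# The tuple layout and verb labels are assumptions, not a product export format.
from typing import NamedTuple

class Rule(NamedTuple):
    path: str      # Path Element column, e.g. /WFC/Repository/Common
    subject: str   # group or user the rule applies to
    role: str      # role named in the rule, e.g. ListAndRun
    verb: str      # constructed labels: PERMIT, OVER_PERMIT, CLEAR_INHERITANCE

def _key(r):
    # Normalise trailing slashes and subject case so transcription noise
    # is not reported as drift (case-insensitive subjects are an assumption).
    return (r.path.rstrip("/") or "/", r.subject.upper(), r.role)

def diff_rules(uat, prod):
    """Rules missing in Prod, extra in Prod, or present in both with a different verb."""
    u = {_key(r): r.verb for r in uat}
    p = {_key(r): r.verb for r in prod}
    return {
        "missing_in_prod": sorted(k for k in u if k not in p),
        "extra_in_prod": sorted(k for k in p if k not in u),
        "verb_changed": sorted((k, u[k], p[k]) for k in u if k in p and u[k] != p[k]),
    }

def diff_roles(uat_roles, prod_roles):
    """Compare enabled privileges per role (role name -> set of privilege names)."""
    drift = {}
    for name in sorted(set(uat_roles) | set(prod_roles)):
        a, b = uat_roles.get(name, set()), prod_roles.get(name, set())
        if a != b:
            drift[name] = {"only_uat": sorted(a - b), "only_prod": sorted(b - a)}
    return drift

# Constructed sample data: rules seen for Bob / Access Resource on the Common folder.
UAT = [
    Rule("/WFC/Repository", "EVERYONE", "ListAndRun", "PERMIT"),
    Rule("/WFC/Repository/Common", "EVERYONE", "ListAndRun", "CLEAR_INHERITANCE"),
]
PROD = [
    Rule("/WFC/Repository", "EVERYONE", "ListAndRun", "PERMIT"),
    Rule("/WFC/Repository/Common/", "Everyone", "ListAndRun", "PERMIT"),
    Rule("/WFC/Repository/Common", "ReportUsers", "ListAndRun", "OVER_PERMIT"),
]
UAT_ROLES = {"ListAndRun": {"opList", "PRIV_B"}}
PROD_ROLES = {"ListAndRun": {"opList", "PRIV_B", "PRIV_C"}}

if __name__ == "__main__":
    for section, rows in diff_rules(UAT, PROD).items():
        print(section, rows)
    print("role drift", diff_roles(UAT_ROLES, PROD_ROLES))
```

In the sample data, the clear-inheritance rule on Common shows up as a changed verb in Prod, and a second group's over-permit appears as an extra rule, which are the two kinds of drift the replies in this thread suggest looking for.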