Tagged with group_permissions - Visokio Forums
http://forums.visokio.com/discussions/tagged/group_permissions/feed.rss
Mon, 30 Oct 17 15:04:01 -0400 en-CA

Security: Authentication on Omniscope Web Server?
http://forums.visokio.com/discussion/2801/security-authentication-on-omniscope-web-servers
Thu, 25 Dec 2014 01:24:36 -0500 stavro 2801@/discussions
How can I create an authentication page which will be shown when we click on the mobile web server page? Also, all users shouldn't have access to all reports. Can you explain it in detail?
Security: Mobile Web Server user permissions
http://forums.visokio.com/discussion/2388/security-mobile-web-server-user-permissions
Mon, 28 Oct 2013 15:04:16 -0400 antonio 2388@/discussions
To enable this feature, just create a folder.xml configuration file and put it into your sharing folder (or a subfolder).
You can start by using the folder.xml.default file, present in the mobile sharing folder, as a template.

Remember, the settings present in the folder.xml file will override the default anonymous/folder permissions and the default user credentials and permissions. As a note for system administrators, folder.xml works like an Apache .htaccess file.

Here follow the main aspects you need to know to properly configure the folder.xml file:

Permissions

These are the permissions you can set on a folder or per-user basis:
  • listDirectory : allow users to list existing files and subfolders
  • downloadFile : allow users to download the IOK files
  • viewInMobile : allow users to launch the Omniscope Mobile app for the existing IOK files
  • fileManagement : allow users to upload IOK files, rename and delete resources, create new folders in the folder
  • getStatic : allow users to get/access static resources from the folder, and to customise default styles (e.g. logo, icons, css files)
  • viewServerState : allow users to view the server state through a monitoring page

N.B. A missing permission in the configuration is equivalent to deny.

User Credentials

To specify user credentials you need to provide:
  • username : in clear text
  • password : a hash string produced with the MD5 algorithm. As a reference you can use this link to generate the hash.


folder.xml file structure

  • Anonymous section
    The <anonymous> element describes the unauthenticated permissions, and is also used as default values for per-user permissions.
    Unauthenticated public access will be given these permissions. Any false/missing permissions will require authentication.
  • Users section
    The <user> element describes the credentials and the permissions per user, and is made up of the following elements/attributes:
    • Enabled : whether or not the user is enabled.
    • Credentials : the user's username and password
    • Permissions : the user's permissions, which will override the anonymous ones

folder.xml example

<?xml version="1.0" encoding="UTF-8"?>
<mobilefolder>
<anonymous>
<permissions listDirectory="true" downloadFile="false" viewInMobile="true" fileManagement="false" getStatic="false" viewServerState="false"/>
</anonymous>
<users>
<user enabled="true">
<credentials>
<credentials username="antonio" password="9aeb94180027a7081352cba05e6a3782" />
</credentials>
<permissions>
<permissions listDirectory="true" downloadFile="true" viewInMobile="true" fileManagement="true" getStatic="true" viewServerState="true" />
</permissions>
</user>
<user enabled="true">
<credentials>
<credentials username="guest" password="4aeb93180027a708186hy4505e6a6465" />
</credentials>
<permissions>
<permissions listDirectory="true" viewInMobile="true" getStatic="true" />
</permissions>
</user>
</users>
</mobilefolder>

Common use cases:

  • Anonymous access not allowed, Admin user full permissions, Guest users browse and play IOK files
    <?xml version="1.0" encoding="UTF-8"?>
    <mobilefolder>
    <anonymous>
    <permissions listDirectory="false" downloadFile="false" viewInMobile="false" fileManagement="false" getStatic="false" viewServerState="false"/>
    </anonymous>
    <users>
    <user enabled="true">
    <credentials>
    <credentials username="admin" password="9aeb94180027a7081352cba05e6a3782" />
    </credentials>
    <permissions>
    <permissions listDirectory="true" downloadFile="true" viewInMobile="true" fileManagement="true" getStatic="true" viewServerState="true" />
    </permissions>
    </user>
    <user enabled="true">
    <credentials>
    <credentials username="guest" password="4aeb93180027a708186hy4505e6a6465" />
    </credentials>
    <permissions>
    <permissions listDirectory="true" viewInMobile="true" getStatic="true" />
    </permissions>
    </user>
    </users>
    </mobilefolder>

  • Anonymous can browse folders, no Admin user, Guest users browse and play IOK files
    <?xml version="1.0" encoding="UTF-8"?>
    <mobilefolder>
    <anonymous>
    <permissions listDirectory="true" getStatic="true" />
    </anonymous>
    <users>
    <user enabled="true">
    <credentials>
    <credentials username="guest" password="4aeb93180027a708186hy4505e6a6465" />
    </credentials>
    <permissions>
    <permissions listDirectory="true" viewInMobile="true" getStatic="true" />
    </permissions>
    </user>
    </users>
    </mobilefolder>


Security: Group Permissions
http://forums.visokio.com/discussion/2572/security-group-permissions
Tue, 27 May 2014 07:02:09 -0400 Veaceslav 2572@/discussions

Mobile Web Server Authentication

Group Permissions

Mobile Server authentication has been redesigned to include LDAP/Active Directory (AD) authentication and Single-Sign-On (SPNEGO) mechanisms.

Each server request goes through a security check first and if it is authorized, the request is processed and a proper response is sent back to the client.

Authorization permissions may be added to anonymous users and authentication groups. Permissions cannot be added for each individual user. To make sure a user has specific permissions you need to create a group with those permissions and add the user to that group.

The Omniscope Mobile web server allows you to configure per-folder authorization/permissioning.

To enable this feature, just create a folder.xml configuration file and put it into your sharing folder (or a subfolder).
You can start by using the folder.xml.default file, present in the mobile sharing folder, as a template.

Remember, the settings present in the folder.xml file will override the default anonymous/folder permissions and the default authentication groups and permissions. As a note for system administrators, folder.xml works like an Apache .htaccess file.

Editing tip for folder.xml
Instead of manually editing the folder.xml file, we suggest you copy an existing folder.xml into the correct folder and then use the Omniscope Mobile Web Server UI main toolbar (Settings > Edit folder.xml configuration...) to edit it.

Permissions

Here follow the main aspects you need to know to properly configure the folder.xml file.

These are the permissions you can set on a folder or per-group basis:
  • listDirectory : allow users to list existing files and subfolders
  • downloadFile : allow users to download the IOK files
  • viewInMobile : allow users to launch the Omniscope Mobile app for the existing IOK files
  • fileManagement : allow users to upload IOK files, rename and delete resources, create new folders in the folder, and save. Also used to control whether Mobile is in "Viewer" mode.
  • getStatic : allow users to get/access static resources from the folder, and to customise default styles (e.g. logo, icons, css files)
  • viewServerState : allow users to view the server state through a monitoring page
  • exportData : allow users to export a view's data as a CSV file.

N.B. A missing permission in the configuration is equivalent to deny.

folder.xml file structure

  • Anonymous section
    The <anonymous> element describes the unauthenticated permissions, and is also used as default values for per-group permissions.
    Unauthenticated public access will be given these permissions. Any false/missing permissions will require authentication.
  • Groups section
    The <group> element describes the authentication group and its permissions, and is made up of the following elements/attributes:
    • Enabled : whether or not the group is enabled. Disabled groups are not considered during authentication.
      Note: if the enabled attribute is missing, the group will be enabled by default. A group is disabled only if the enabled attribute is present and set to false.
    • Name : specifies the group name, e.g. Data Analysts, Guests, Administrators, Employees, etc.
    • Permissions : the group permissions, which will override the anonymous ones
    • Mechanisms : a list of authentication mechanisms to be used when authenticating users for this group, e.g. LDAP Query, List Of Users, SPNEGO (Single-Sign-On)
      • ListOfUsers : defines a list of users, e.g.:
        <listOfUsers>
        <users>
        <credentials username="test" password="098f6b627b4f6" />
        <credentials username="visokio" password="72261efef7c41" />
        </users>
        </listOfUsers>

        The credentials element has two attributes: username and password (the MD5 hash of the password).
        To generate password MD5s, visit this link.

      • ldapQuery: LDAP Query mechanism enables Omniscope Server to query an LDAP/AD server to validate user credentials
        Attributes:
        • distinguishedName: LDAP group distinguished name, e.g. CN=Users,DC=example,DC=com
        • url: A full URL pointing to your LDAP/AD server
          Example 1: 'LDAP://ldapserver.example.com:389'
          where LDAP is protocol name, ldapserver.example.com is the LDAP/AD server and 389 is the default port for LDAP protocol
          Example 2: 'LDAPS://ldapserver.example.com:636' where LDAPS is LDAP over SSL protocol,
          ldapserver.example.com is the LDAP/AD server and 636 is the default port for LDAPS protocol
        • ignoreSslIssues: false most of the time. Set to true only if your LDAP/AD server has not been configured to use a trusted certificate and you are using the LDAPS protocol
        • securityAuthentication: security authentication type supported by your LDAP/AD server. By default, an LDAP/AD server uses the simple security type. However, you should contact your administrator to check whether you need to use a different type (CRAM-MD5, DIGEST-MD5, or none)
        • principalNameFormat: can have only one of the following values:
          1. {Name} : the user's simple name will be used to authenticate, e.g. 'username' and 'password' will be used
          2. DOMAIN\{Name} : the DOMAIN name will be prepended to the user's simple name automatically, e.g. 'EXAMPLE.COM\username' and 'password' will be used to authenticate the user
          3. {Name}@DOMAIN : the DOMAIN name will be appended to the user's simple name automatically, e.g. 'username@EXAMPLE.COM' and 'password' will be used to authenticate the user

        • principalDomain: must be set only if 'principalNameFormat' contains a domain name, otherwise it will be disregarded. e.g. 'EXAMPLE.COM'

      • spnegoMechanism: a Single-Sign-On authentication mechanism e.g.:
        <spnegoMechanism>
        <userNames>
        <userName userName="johnsmith" />
        <userName userName="johndoe" />
        </userNames>
        </spnegoMechanism>

        The spnegoMechanism element has a list of user names to be verified once users authenticate successfully on the LDAP/AD server and are assigned group permissions (roles).
        WARNING: spnegoMechanism will be disregarded during authentication if the SPNEGO global settings are not set in config.xml

folder.xml example

<?xml version="1.0" encoding="UTF-8"?>
<mobilefolder>
<anonymous>
<permissions listDirectory="false" downloadFile="false" viewInMobile="false"
fileManagement="false" getStatic="false" viewServerState="false"
exportData="false" />
</anonymous>
<groups>
<group enabled="true" name="Data Analysts">
<permissions>
<permissions listDirectory="true" downloadFile="true" viewInMobile="true"
fileManagement="false" getStatic="false" viewServerState="false"
exportData="false" />
</permissions>
<mechanisms>
<spnegoMechanism>
<userNames>
<userName userName="john" />
</userNames>
</spnegoMechanism>
<ldapQuery
distinguishedName="CN=Users,DC=example,DC=com"
url="ldap://ldapserver.example.com:389"
ignoreSslIssues="false"
securityAuthentication="simple"
principalNameFormat="{Name}@DOMAIN"
principalDomain="example.com">
</ldapQuery>
<listOfUsers>
<users>
<credentials username="Tester" password="f5d1277e04873b9" />
</users>
</listOfUsers>
</mechanisms>
</group>
</groups>
</mobilefolder>

Common use cases:

  • Anonymous access not allowed, Admin user full permissions, Guest users browse and play IOK files

    <?xml version="1.0" encoding="UTF-8"?>
    <mobilefolder>
    <anonymous>
    <permissions listDirectory="false" downloadFile="false" viewInMobile="false"
    fileManagement="false" getStatic="false" viewServerState="false"
    exportData="false" />
    </anonymous>
    <groups>
    <group enabled="true" name="Administrators">
    <permissions>
    <permissions listDirectory="true" downloadFile="true" viewInMobile="true"
    fileManagement="true" getStatic="true" viewServerState="true"
    exportData="true" />
    </permissions>
    <mechanisms>
    <listOfUsers>
    <users>
    <credentials username="admin" password="5d141e04873b9" />
    </users>
    </listOfUsers>
    </mechanisms>
    </group>
    <group enabled="true" name="Guests">
    <permissions>
    <permissions listDirectory="true" viewInMobile="true"
    getStatic="true" />
    </permissions>
    <mechanisms>
    <listOfUsers>
    <users>
    <credentials username="guest" password="f5d1ee04873b9" />
    <credentials username="visitor" password="43ffge14197e45" />
    </users>
    </listOfUsers>
    </mechanisms>
    </group>
    </groups>
    </mobilefolder>

  • Anonymous access not allowed, admin users authenticating with their LDAP accounts, employees browse and play IOK files and authenticate with their LDAP accounts, a new employee user authenticating with List Of Users mechanism if an LDAP account is not yet available and a user authenticating with a Single-Sign-On (SPNEGO) mechanism

    <?xml version="1.0" encoding="UTF-8"?>
    <mobilefolder>
    <anonymous>
    <permissions listDirectory="false" downloadFile="false" viewInMobile="false"
    fileManagement="false" getStatic="false" viewServerState="false"
    exportData="false" />
    </anonymous>
    <groups>
    <group enabled="true" name="Administrators">
    <permissions>
    <permissions listDirectory="true" downloadFile="true" viewInMobile="true"
    fileManagement="true" getStatic="true" viewServerState="true"
    exportData="true" />
    </permissions>
    <mechanisms>
    <ldapQuery
    distinguishedName="CN=Administrators,DC=example,DC=com"
    url="ldap://ldapserver.example.com:389"
    ignoreSslIssues="false"
    securityAuthentication="simple"
    principalNameFormat="{Name}@DOMAIN"
    principalDomain="example.com">
    </ldapQuery>
    </mechanisms>
    </group>
    <group enabled="true" name="Employee">
    <permissions>
    <permissions listDirectory="true" downloadFile="true" viewInMobile="true"
    fileManagement="false" getStatic="true" viewServerState="false"
    exportData="false" />
    </permissions>
    <mechanisms>
    <spnegoMechanism>
    <userNames>
    <!-- User 'john' with password 'SomePassword' is defined on the
    LDAP server and logged in the client machine to test SPNEGO -->
    <userName userName="john" />
    </userNames>
    </spnegoMechanism>
    <ldapQuery
    distinguishedName="CN=Users,DC=example,DC=com"
    url="ldap://ldapserver.example.com:389"
    ignoreSslIssues="false"
    securityAuthentication="simple"
    principalNameFormat="{Name}@DOMAIN"
    principalDomain="example.com">
    </ldapQuery>
    <listOfUsers>
    <users>
    <credentials username="NewEmployee" password="d1274e417e04" />
    </users>
    </listOfUsers>
    </mechanisms>
    </group>
    </groups>
    </mobilefolder>

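The Python script below is an added example, not code from Visokio or from these posts. It reads a folder.xml in the group-based layout described in this post and decides a request by the rules both this post and the earlier per-user post state: permissions granted in <anonymous> need no login, a permission missing everywhere is a deny, and a group's <permissions> override the anonymous defaults for its members. Only the List Of Users mechanism is simulated; ldapQuery and spnegoMechanism entries are parsed but no directory server is contacted. The sample folder.xml, its group names, users and passwords are constructed here, and the rule that a user who belongs to several groups is allowed when any of them grants the permission is an assumption, since the posts do not say how overlapping groups combine.

```python
"""Evaluate per-folder permissions from an Omniscope-style folder.xml.
Added example, not Visokio's code: anonymous grants need no login, a missing
permission is a deny, and a group's permissions override the anonymous ones.
Only the List Of Users mechanism is simulated (no LDAP/SPNEGO round trips)."""
import hashlib
import hmac
import xml.etree.ElementTree as ET

PERMISSIONS = ("listDirectory", "downloadFile", "viewInMobile", "fileManagement",
               "getStatic", "viewServerState", "exportData")


def md5_hex(password: str) -> str:
    """Hex MD5 of a password, the format the posts use for the password attribute."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def _perm_dict(container) -> dict:
    """Attributes of the innermost <permissions .../> under container (present ones only)."""
    if container is None:
        return {}
    for node in container.iter("permissions"):
        if node.attrib:
            return {k: v.strip().lower() == "true"
                    for k, v in node.attrib.items() if k in PERMISSIONS}
    return {}


def parse_folder_xml(text: str) -> dict:
    """Read the <anonymous> and <groups> sections of a folder.xml document."""
    root = ET.fromstring(text)
    groups = []
    for g in root.findall("groups/group"):
        groups.append({
            "name": g.get("name", ""),
            # A missing enabled attribute means enabled; only enabled="false" disables.
            "enabled": g.get("enabled", "true").strip().lower() != "false",
            "permissions": _perm_dict(g),
            "users": {c.get("username"): c.get("password", "")
                      for c in g.findall("mechanisms/listOfUsers/users/credentials")},
            "ldap": [dict(q.attrib) for q in g.findall("mechanisms/ldapQuery")],
            "spnego": [u.get("userName") for u in
                       g.findall("mechanisms/spnegoMechanism/userNames/userName")],
        })
    return {"anonymous": _perm_dict(root.find("anonymous")), "groups": groups}


def effective_permissions(config: dict, group: dict) -> dict:
    """Start from deny-all, layer the anonymous defaults, then the group's overrides."""
    eff = {p: False for p in PERMISSIONS}
    eff.update(config["anonymous"])
    eff.update(group["permissions"])
    return eff


def authorize(config: dict, permission: str, username=None, password=None):
    """Decide one request; returns (allowed, reason). Assumption: a user found in
    several groups is allowed if any of them grants the permission."""
    if config["anonymous"].get(permission, False):
        return True, "anonymous"
    if username is None or password is None:
        return False, "authentication required"
    digest = md5_hex(password)
    matched = []
    for group in config["groups"]:
        if not group["enabled"]:
            continue  # disabled groups are not considered during authentication
        stored = group["users"].get(username)
        if stored is not None and hmac.compare_digest(stored, digest):
            matched.append(group)
    if not matched:
        return False, "invalid credentials"
    for group in matched:
        if effective_permissions(config, group)[permission]:
            return True, f"group '{group['name']}'"
    return False, f"denied for user '{username}'"


# Constructed sample folder.xml; the hashes are generated here, not taken from the posts.
SAMPLE_FOLDER_XML = f"""<?xml version="1.0" encoding="UTF-8"?>
<mobilefolder>
  <anonymous><permissions listDirectory="true" getStatic="true" /></anonymous>
  <groups>
    <group name="Administrators">
      <permissions><permissions listDirectory="true" downloadFile="true" viewInMobile="true"
        fileManagement="true" getStatic="true" viewServerState="true" exportData="true" /></permissions>
      <mechanisms><listOfUsers><users><credentials username="admin" password="{md5_hex('admin-pass')}" /></users></listOfUsers></mechanisms>
    </group>
    <group enabled="true" name="Guests">
      <permissions><permissions viewInMobile="true" /></permissions>
      <mechanisms><listOfUsers><users><credentials username="guest" password="{md5_hex('guest-pass')}" /></users></listOfUsers></mechanisms>
    </group>
    <group enabled="false" name="Contractors">
      <permissions><permissions viewInMobile="true" /></permissions>
      <mechanisms><listOfUsers><users><credentials username="temp" password="{md5_hex('temp-pass')}" /></users></listOfUsers></mechanisms>
    </group>
  </groups>
</mobilefolder>
"""

if __name__ == "__main__":
    cfg = parse_folder_xml(SAMPLE_FOLDER_XML)
    print(authorize(cfg, "viewInMobile", "guest", "guest-pass"), authorize(cfg, "viewInMobile"))
```

Running the script shows that guest can open the viewer because the Guests group adds viewInMobile to the anonymous defaults, while the same request without credentials is refused. Comparing digests with hmac.compare_digest is a choice made in this example, not something the posts describe.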
Security: List Of Users authentication
http://forums.visokio.com/discussion/2569/security-list-of-users-authentication
Mon, 26 May 2014 06:12:43 -0400 Veaceslav 2569@/discussions

Mobile Web Server Authentication

List Of Users authentication mechanism

Besides the Single-Sign-On (SPNEGO) and LDAP Query mechanisms, which authenticate users that are stored and managed on other servers such as LDAP, the Omniscope Mobile server may be configured to validate Omniscope users by manually adding custom users on the server. Those users are stored in the Omniscope Server configuration files (config.xml, folder.xml).

Configuration steps

  1. Open the Edit Default folder configuration dialog (Visokio Omniscope Server window -> Mobile Web Server section -> Config button -> Permissions section -> Default folder configuration -> Edit)
  2. Make sure to properly edit the anonymous permissions first (actions that are allowed for anonymous users will not use authentication).
  3. Add a new group (or edit an existing group)
     - Note: Disabled groups are not considered during authentication
  4. Edit group permissions
  5. For group mechanisms click the Add button and select List of users.
  6. Add users.


Legacy Omniscope users

The List Of Users authentication mechanism is a replacement for the legacy Omniscope users. Old configuration files are converted automatically.

Users are grouped automatically based on their permissions and whether users are enabled or disabled.

E.g. legacy users:

  • User 1 with permissions A, enabled
  • User 2 with permissions B, enabled
  • User 3 with permissions A, enabled
  • User 4 with permissions A, disabled
  • User 5 with permissions A, enabled

Are automatically converted to:
  • Group 1 with permissions A, enabled having User 1, User 3, User 5
  • Group 2 with permissions A, disabled having User 4
  • Group 3 with permissions B, enabled having User 2

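As an added example (not Visokio's converter), the script below performs the grouping this post describes on a constructed legacy folder.xml: users are bucketed by their permission set and enabled flag, each bucket becomes a <group> in the layout of the Group Permissions post, and the members' existing MD5 credentials move into a List Of Users mechanism. Group numbering follows the order in which each bucket is first seen, so the numbers differ from the post's listing while the membership is the same. The user names, passwords and permission sets are constructed here, and treating a missing enabled attribute as enabled is an assumption carried over from the group rules.

```python
"""Convert a legacy per-user folder.xml into the group-based layout.
Added example, not Visokio's converter: legacy <user> entries are bucketed by
(permission set, enabled flag) and each bucket becomes one <group> whose
List Of Users mechanism carries the members' existing MD5 credentials."""
import hashlib
import xml.etree.ElementTree as ET


def _inner_attrs(elem, tag) -> dict:
    """Attributes of the innermost <tag .../> under elem (legacy files nest tag inside tag)."""
    for node in elem.iter(tag):
        if node.attrib:
            return dict(node.attrib)
    return {}


def group_legacy_users(legacy_xml: str) -> dict:
    """Map (sorted permission attrs, enabled) -> [(username, md5), ...], in first-seen order."""
    root = ET.fromstring(legacy_xml)
    buckets = {}
    for user in root.findall("users/user"):
        # Assumption: a missing enabled attribute means enabled, as the group rules say.
        enabled = user.get("enabled", "true").strip().lower() != "false"
        perms = tuple(sorted(_inner_attrs(user, "permissions").items()))
        cred = _inner_attrs(user, "credentials")
        buckets.setdefault((perms, enabled), []).append((cred["username"], cred["password"]))
    return buckets


def build_groups_xml(legacy_xml: str) -> str:
    """Emit a group-based folder.xml; the <anonymous> section is carried over unchanged."""
    root = ET.fromstring(legacy_xml)
    out = ET.Element("mobilefolder")
    anon = root.find("anonymous")
    if anon is not None:
        out.append(anon)
    groups = ET.SubElement(out, "groups")
    for i, ((perms, enabled), members) in enumerate(group_legacy_users(legacy_xml).items(), 1):
        g = ET.SubElement(groups, "group", enabled=str(enabled).lower(), name=f"Group {i}")
        ET.SubElement(ET.SubElement(g, "permissions"), "permissions", dict(perms))
        users = ET.SubElement(ET.SubElement(ET.SubElement(g, "mechanisms"), "listOfUsers"), "users")
        for username, password in members:
            ET.SubElement(users, "credentials", username=username, password=password)
    return ET.tostring(out, encoding="unicode")


def summarize_groups(groups_xml: str) -> list:
    """[(name, enabled, [usernames]), ...] read back from a group-based folder.xml."""
    root = ET.fromstring(groups_xml)
    return [(g.get("name"), g.get("enabled"),
             [c.get("username") for c in g.findall("mechanisms/listOfUsers/users/credentials")])
            for g in root.findall("groups/group")]


# Constructed legacy file mirroring the post's example: users 1, 3 and 5 share
# permission set A and are enabled, user 4 has A but is disabled, user 2 has B.
_A = 'listDirectory="true" viewInMobile="true" getStatic="true"'
_B = ('listDirectory="true" downloadFile="true" viewInMobile="true" fileManagement="true" '
      'getStatic="true" viewServerState="true"')


def _user(name, perms, enabled="true"):
    h = hashlib.md5(f"{name}-pass".encode("utf-8")).hexdigest()  # constructed password
    return (f'<user enabled="{enabled}"><credentials><credentials username="{name}" password="{h}" />'
            f'</credentials><permissions><permissions {perms} /></permissions></user>')


SAMPLE_LEGACY_XML = (
    '<?xml version="1.0" encoding="UTF-8"?><mobilefolder>'
    '<anonymous><permissions listDirectory="true" getStatic="true" /></anonymous><users>'
    + _user("user1", _A) + _user("user2", _B) + _user("user3", _A)
    + _user("user4", _A, "false") + _user("user5", _A) + "</users></mobilefolder>")

if __name__ == "__main__":
    print(build_groups_xml(SAMPLE_LEGACY_XML))
```

Running the script prints the converted file: Group 1 (enabled) holds user1, user3 and user5, Group 2 (enabled) holds user2, and Group 3 (disabled) holds user4, matching the post's three buckets.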
Security: How to share reports via Internet?
http://forums.visokio.com/discussion/1209/security-how-to-share-reports-via-internets
Fri, 13 Jan 2012 06:48:16 -0500 Kefsid 1209@/discussions
Is it possible?