You are on page 1of 1

AdministratorGuides>BusinessAnalyticsSecurityGuide

SecurityImplementationChecklist
Step Procedure Step Developasolidplanforyoursecuritysystem.Forexample,youmusthavetheappropriate 1 securitybackend(adirectoryserver,forinstance)inplaceandoperational. Step Determineuserroles.Whatroles(outofpotentiallymany)willhavemeaninginthePentahoBI 2 Platform?Forexample,youmighthaveroles(orgroups)thatareusedbyotherapplicationsin yourcompany.YoucouldreusethoserolesordefinenewonesforuseinthePentahoBIPlatform. IfyoualreadyhaveaBI_USERrole,youcouldtellPentahotousethatexistingrole. Step DeterminewhichrolesshouldhaveaccesstoparticularURLs.Theseroleswillbeusedto 3 defineWebresourceauthorization.Forexample,whatrolewillbeconsideredthePentaho administrator?PentahohasreasonabledefaultWebresourceauthorizationsettings,soyou probablywon'tneedtochangetheURLsthatareprotected.Youwillhavetochangetherolesthat areallowedtoaccesseachURL,however. Step Determinewhichrolesshouldhavewhichpermissionstoparticularactionsequencesin 4 thesolutionrepository.Theseroleswillbeusedtodefinedomainobjectauthorization.For example,willroleAbeallowedtoexecuteactionsequencesinfolderX? Step ConfigurethesecurityDAO.LeaveitsettothedefaultPentahosecurityDAOorswitchtoJDBC, 5 LDAP,orhybridLDAP+JDBC. Step Ifyou'dliketousearoleprefix,defineone.Bydefault,thereisnoroleprefix. 6 Step DefinethePentahoadministratorrole. 7 Step Definethedomainobjectauthorizationrules.Theserefertotherolesdefinedinstep5above. 8 Step Applytheaccesscontrollists(ACLs).Thisstepisabatchoperationandwillremoveany 9 custompermissionscreatedviatheAdminPermissionssection,orviathePentahoUserConsole. Step DefinetheWebresourceauthorizationrulesinthefilterInvocationInterceptorbeanin 10 /pentaho/server/biserveree/pentahosolutions/system/applicationContextspring security.xmlfile.Theserefertotherolesdefinedinstep3above. Step Setpluginsecurity.Therearevariouspluginsthathaveauthorizationsettings. 11 Step Restrictdatasourceediting/creation byediting/ p e n t a h o s o l u t i o n s / s y s t e m / d a t a a c c e s s 12 p l u g i n / s e t t i n g s . x m l . Step ConfigureMetadatasecurityusingPentahoMetadataEditor. 13 Step ConfigureMondriansecuritybyconfiguringtheMondrianUserRoleMapperbeanIDin 14 p e n t a h o O b j e c t s . s p r i n g . x m l . Step SetupasecureconnectionbetweenthePentahoEnterpriseConsoleandtheBAServer. 15 Step IfuserswillbepublishingcontenttotheBAServer,setthepublishpasswordin 16 / p e n t a h o s o l u t i o n s / s y s t e m / p u b l i s h e r _ c o n f i g . x m l . Step SetupatrustbetweenthePentahoEnterpriseConsoleandtheBAServer.Usersmustsupply 17 thispasswordinadditiontotheirusualusernameandpassword. Step IfyouarechangingtheAdminroleonaDIServer,editr e p o s i t o r y . s p r i n g . x m l . 18 Done