Security Configuration - Update Installation and Reset
Contents
Introduction
When to do this
Do this part on update installation when advised that changes have been made to the security model, when you wish to change the security model, or AFTER an initial install AND you have successfully connected to RiskManager using the client programme at least once after that initial install.
By default the system will install with "Always Use Selected Group". This ensures that you can access the application initially and auto-create at least one resource ID. In this mode anyone connecting is assumed to be authorised, and Resource IDs are allocated automatically on first connection using the user's currently active Windows login account profile. Changing from that setting effectively engages the user tables and thus enables security in the selected mode. The auto resource ID creation behaviour is preserved for anyone connecting, but it does not grant them access to the application, because they must have a user profile explicitly added by an application administrator.
Before we begin: Start The Application Server
If you have not started the application server (BPC RiskManager DataServer), go to the start menu on the server computer and select the corresponding menu item from the start menu.
Starting Configuration
When started, the application server appears as a service icon in the Windows system tray, typically located in the lower right hand corner of your screen. Double-click on the icon to interact with this program.
Now navigate to the "Security Tab" of the application server configuration screen.
Configuration
- On the Security Configuration tab select your preferred method for assigning secure access to Risk Manager.
Secure Access Method
Description
Membership of NT Global Groups
Users are assigned access based upon which NT global groups they are a member of. For each Risk Manager role, a global NT group needs to be created. NT users are next assigned to one or many of these groups based on their designated application access level as directed by the Risk Management group. An NT administrator is required to maintain membership of the NT groups.
A database table is used to map the NT group names to the Risk Manager roles. Records are added to this table using the SQL script EnterConfigDataScript_Enterprise.sql. The table can also be maintained by a Risk Manager administrator using the application.
Membership of NT Local Groups
Users are assigned access based upon which NT local groups they are a member of. For each Risk Manager role, a local NT group needs to be created. NT users are next assigned to one or many of these groups based on their designated application access level as directed by the Risk Management group. An NT administrator is required to maintain membership of the NT groups.
A database table is used to map the NT group names to the Risk Manager roles. Records are added to this table using the SQL script EnterConfigDataScript_Enterprise.sql. The table can also be maintained by a Risk Manager administrator using the application.
Assign Access in Application (Login Not Trusted)
- Preferred Setting without LDAP or AD
Users are assigned access based upon their individual profile stored in the risk database. Secure access is configured by a Risk Manager administrator user using a security form in the Risk Manager application. Passwords are required to log in and are held in encrypted form in the RiskManager system. This method does NOT need an NT administrator to maintain user access.
Assign Access in Application (Login Trusted)
- Alternative Preferred Setting without LDAP or AD
Users are assigned access based upon their individual profile stored in the risk database. Secure access is configured by a Risk Manager administrator user using a security form in the Risk Manager application. The username is restricted to the user's Windows username, and separate passwords are NOT required to log in, as the user is assumed to already hold a valid Windows login to use the system. As access to actions and risk areas is defined per user in the application, merely connecting to the system does not automatically grant edit rights in the system. This method does NOT need an NT administrator to maintain user access.
Always Use Selected Group
This method is primarily used for testing purposes or in single user mode. All users are assigned access to the role selected in ‘Always Use Group Selection’ on the lower panel, together with the Audit status selected there.
LDAP User Verification
- Preferred Setting if LDAP is available
Username and password details entered are verified using LDAP authentication. Once the user’s identity is verified the role is assigned from the individual profile which is stored in the database.
AD User Verification
- Preferred Setting if Active Directory is available
Username and password details entered are verified using AD (MS Active Directory) authentication. Once the user’s identity is verified the role is assigned from the individual profile which is stored in the database.
- A test configuration program is available to test the results of using either of the two available NT group methods. This program is named ‘NTServicesTest.exe’. Please request this separately from Bishop Phillips Consulting.
- A test configuration program is available to test the results of using LDAP User Verification. This program is named ‘LDAPServicesTest.exe’.
- A test configuration program is available to test the results of using AD User Verification. This program is named ‘ADSIServicesTest.exe’.
- Select the UserName format
On the Security Configuration tab select the option used to assign secure user identification. This setting is used to create a unique identifier for each user. Some networks enforce a unique username, and this alone can be used as an identifier. However, other networks allow a user to connect to the network when authenticated only on the user's own PC. This could potentially allow a user to create a local account in another user's name and impersonate that user. To uniquely identify users in this environment select the setting ‘Use client domain and username’, which includes the authenticating domain name in the client unique identifier. The generally preferred setting is "Use client user name only", as this facilitates connecting from across the organisation (it is also the default from V6.2.0).
Assign Secure User Identification
Description
Use client username only (RECOMMENDED)
The network username of the connecting user uniquely identifies the user. Eg: <Username>
Use client domain and username
The network domain name and username of the connecting user uniquely identifies the user. Eg: <Domain>\<Username>
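As an added illustration (not part of the original documentation, and not RiskManager's own code), the following Python shows why the two identifier settings above differ: it builds the client identifier under each setting from a constructed list of connecting accounts and reports any identifier that more than one distinct account maps to. The connection records, the mode names and the case-folding of names are assumptions of the example.

```python
from collections import defaultdict

# Constructed sample of connecting accounts as (domain, username) pairs.
# Two different accounts share the username "jsmith": one is the domain
# account, the other a local account created on a workstation.
SAMPLE_CONNECTIONS = [
    ("CORP", "jsmith"),
    ("WORKSTATION7", "jsmith"),
    ("CORP", "amiller"),
]


def client_identifier(domain: str, username: str, mode: str) -> str:
    """Build the unique identifier each setting would derive for a connection.

    mode is "username_only" (Use client username only) or
    "domain_and_username" (Use client domain and username); the mode names
    are the example's own. Names are case-folded because Windows account
    names are not case-sensitive.
    """
    if mode == "username_only":
        return username.lower()
    if mode == "domain_and_username":
        return f"{domain.lower()}\\{username.lower()}"
    raise ValueError(f"unknown identifier mode: {mode}")


def find_identifier_collisions(connections, mode):
    """Return {identifier: sorted (domain, username) list} for every identifier
    that more than one distinct account maps to under the given mode."""
    accounts_by_id = defaultdict(set)
    for domain, username in connections:
        ident = client_identifier(domain, username, mode)
        accounts_by_id[ident].add((domain, username))
    return {
        ident: sorted(accts)
        for ident, accts in accounts_by_id.items()
        if len(accts) > 1
    }


if __name__ == "__main__":
    for mode in ("username_only", "domain_and_username"):
        print(mode, find_identifier_collisions(SAMPLE_CONNECTIONS, mode))
```

Under "username_only" the domain account and the workstation-local account collapse into the single identifier `jsmith`; under "domain_and_username" they stay distinct, which is the property the ‘Use client domain and username’ setting provides.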
- If using LDAP, record the LDAP server settings.
LDAP User Verification Configurations:
Configuration Property
Description
LDAP Server Name
Enter LDAP server name
LDAP DN Lookup Mask
Enter a DN value with a format parameter for the username. The format parameter needs to be entered as ‘cn=%s’. When user verification is performed the %s characters are replaced with the username. All additional values work as filters to restrict access to RiskMan. Use of additional filters is required for large sites where the username is not globally unique. EG: c=au, cn=%s, ou=Staff
LDAP Verification OK Value
Enter LDAP return string value for OK verification result. This supports any changes to the LDAP return messages. EG: OK
- If using AD, record the AD server settings.
AD User Verification Configurations:
Configuration Property
Description
AD Authentication Server Name
(REQUIRED) Enter AD server name as:
- myauthenticationserver.mydomain.mynamespace or
- myauthenticationserver.mydomain (if no namespace is used)
AD Group
(OPTIONAL) Enter an AD group name of which an authenticating user MUST be a member. This is very rarely used and for normal uses this should be left blank.
Use LDAP or WinNT for object discovery
(REQUIRED) You will generally want to tick this box, as the WinNT authentication step involves a rejected connection step which will increment the login attempt count and will trigger lockout if counters are set to lock out in under 4 tries.
LDAP Search DN Value
(OPTIONAL) You can enter additional LDAP search criteria here, such as DC values and a DN value with a format parameter for the username. The format parameter needs to be entered as ‘cn=%s’. When user verification is performed the %s characters are replaced with the username. All additional values work as filters to restrict access to RiskMan. Use of additional filters is required for large sites where the username is not globally unique. EG:
- cn=%s, ou=Staff, DC=bishopphillips, DC=com
- DC=bishopphillips,DC=com
Normally this should be left blank.
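Both the LDAP DN Lookup Mask and the LDAP Search DN Value above substitute the connecting username for `%s`. The following Python is an added example, not RiskManager's code, and makes no claim about how the DataServer itself performs the substitution. It shows the checks a defender would want around such a mask: the placeholder must appear exactly once, and the username must be escaped as an RFC 4514 attribute value so that DN metacharacters in a submitted username cannot add or alter the filter components of the mask. The masks are the page's examples; the usernames are constructed.

```python
# Characters that must be backslash-escaped inside a DN attribute value
# (RFC 4514, section 2.4).
_DN_SPECIAL = set('\\,+"<>;=')


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use inside an LDAP distinguished name."""
    if value == "":
        return ""
    out = []
    for ch in value:
        if ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    # A leading '#' or space and a trailing space are also significant.
    if value[0] in ("#", " "):
        out[0] = "\\" + out[0]
    if value[-1] == " ":
        out[-1] = "\\ "
    return "".join(out)


def build_lookup_dn(mask: str, username: str) -> str:
    """Substitute the username into a mask such as 'c=au, cn=%s, ou=Staff'.

    The mask must carry exactly one %s. Every other component of the mask is
    a filter and must survive substitution unchanged, which the escaping
    guarantees.
    """
    if mask.count("%s") != 1:
        raise ValueError("DN mask must contain exactly one %s placeholder")
    return mask.replace("%s", escape_dn_value(username))


def unsafe_build_lookup_dn(mask: str, username: str) -> str:
    """Plain substitution, kept only for comparison: a username containing
    ',' or '=' turns into additional DN components."""
    return mask.replace("%s", username)


def split_dn(dn: str) -> list:
    """Split a DN into its RDN strings at commas that are not backslash-escaped."""
    parts, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])  # keep escape pair intact
            i += 2
            continue
        if ch == ",":
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current).strip())
    return parts


if __name__ == "__main__":
    mask = "c=au, cn=%s, ou=Staff"  # mask from the page
    for name in ("jsmith", "jsmith,ou=Admins"):  # constructed usernames
        safe = build_lookup_dn(mask, name)
        print(repr(name), "->", safe, "components:", len(split_dn(safe)))
```

For the plain username the escaped and unescaped results are identical. For a username carrying DN metacharacters, `build_lookup_dn` still yields three components (the `cn` value simply contains a literal comma and equals sign), whereas `unsafe_build_lookup_dn` would yield four, i.e. the `ou=Staff` filter is no longer the only organisational-unit constraint. That is the failure the filter components in the mask are meant to prevent, and why the substitution point is worth verifying with the test programs named above.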
- When finished click ‘Save Settings’ to save changes made.