Also how does security work on BO? Where are the user names/passwords stored? How are they stored? I know they are kept in some repository table, but what kind of security do these tables have? We are concerned that someone will be able to hack into our web server, where WEBI resides, and either a) get into the application or b) access the reporting database by getting the connection information from the repo database.
I’m trying to get a high-level view of how security works in BO.
All of the passwords are stored in the repository in an encrypted format. When the passwords are passed to the database, they are sent using whatever encryption you have enabled in your Database driver.
The BOMAIN.key actually stores a hard-coded username/password for the repository, but it is in a binary/encrypted format. When a user logs in, it connects to the repository using this hard-coded user/pass and then looks up the username and compares the password supplied against the password in the repository.
If the passwords match, the user is allowed into the application and a listing of restrictions is downloaded. These restrictions let the application know which documents, universes, etc. you have rights to or do not have access to. Should you fail authentication, a mark is written into the repository to show a failed login attempt. After X number of failed attempts, a value is updated showing this account is locked. During unlocking, this value is simply updated again, without the password ever being modified.
When a user generates a report, the connection for the database is pulled from the repository and used to run the report. In full-client this login occurs from the workstation, but in WebI this all occurs on the server so no information other than the results are returned.
Not to push my luck, but would you happen to know on what table/which fields the user name/password to the reporting database and user logins to the application are kept?
I was told the OBJ_M_ACTOR table stores the user name/password to the reporting database, but I wanted to double check.
The OBJ_M_ACTOR table, if you look at the structure, is fairly clear. The username and the (encrypted) password are both stored there. The rights / restrictions as to what the user can (cannot) do are stored elsewhere.
There is a sample universe with some database documentation in BOB’s Downloads that you might want to start with. 8)
OBJ_M_ACTOR only stores the username/passwords for accessing the application. One of the CONNECTION tables actually stores the connections for accessing the databases.