The Crystal Enterprise Settings area contains a number of systemwide settings that aren't specific to a particular server. Information on system properties, metrics, clustering, instance limits, and user rights is available in this section. To configure system settings, select Settings from the Crystal drop-down menu in the CMC.
There are two key components to managing Crystal Enterprise authentication:
The first one is a less technical topic but still important to understand. The second is discussed in subsequent sections.
The License Keys tab displays important information about each license key (see Figure 27.45). Highlight a license key to display specific information about the key. Crystal Enterprise supports three types of licenses: named licenses, concurrent licenses, and processor licenses.
The license certificate keys determine the number and type of licenses available (named user or concurrent access). During the initial install of Crystal Enterprise, a license key was entered. Additional licenses can be added to Crystal Enterprise from the License Keys tab on the Authentication section of the CMC.
Crystal Enterprise gives you the flexibility to mix and match named and concurrent license types. Named licenses are assigned to specific users. Any number of named licenses can be simultaneously logged in to the system.
Concurrent licenses permit an unlimited number of named users to be added to Crystal Enterprise, but only a certain number of those users can access the system simultaneously.
Processor licenses enable an unlimited number of both named and concurrent users for a specific processor. Processor licenses are most efficient in high-powered server environments where the server CPU is robust enough to support a large number of concurrent users.
It's best to contact Business Objects and discuss the optimum licensing strategy for your organization.
The different types of authentication that can be leveraged with Crystal Enterprise are also found under the Authorization portion of the CMC.
Crystal Enterprise provides several authentication models for providing secure report access, including Native Crystal Enterprise authentication, Windows NT Authentication, Active Directory authentication, and LDAP authentication. Crystal Enterprise supports single sign-on for both the Windows NT and Active Directory methods, so users won't have to constantly enter credentials after exiting and reentering the system.
The reason Crystal Enterprise supports more security models than its own is simple: If an IT organization has already implemented an existing security model, why re-create certain entities such as user accounts and passwords?
Fortunately, none of these options is mutually exclusive; they can all be used simultaneously. This can cause some management headaches, so proceed with caution. Every topic in this chapter up until this point has used native Crystal Enterprise security as an example.
This does not imply that if Windows Active Directory authentication is used, for example, administration is done exclusively from Active Directory. It simply implies that objects such as user accounts and passwords can be maintained within Active Directory, yet Crystal Enterprise feeds off those existing accounts when users try to retrieve reports. The configuration of Crystal Enterprise groups and objects, as well as relevant restrictions to those objects, is still created and configured from the CMC, in the same way that this chapter has shown. This is reviewed in greater detail later.
To configure system authentication settings, select Authentication from the drop-down menu in the CMC.
Crystal Enterprise provides its own native security model. This means that Crystal Enterprise is not dependent on a foreign, third-party security database to configure and restrict access to any system function, object, or entity. The Crystal Enterprise authentication model is the default model. To leverage another security database, select the appropriate tab.
Selecting the Enterprise tab, shown in Figure 27.46, enables you to enforce password rules when using Crystal Enterprise authentication. You can use this tab to control the frequency that users are forced to change their passwords, as well as the length of the passwords and whether or not the password must contain mixed-case letters.
In general, the password options offered are similar to those provided by the Windows NT and Solaris operating systems.
Selecting the LDAP tab enables a system administrator to configure LDAP connectivity to a directory server, as shown in Figure 27.47. LDAP (Lightweight Directory Access Protocol) enables a network administrator to maintain a central directory server for managing user access to a variety of applications and operating systems. Crystal Enterprise can be configured to work with a variety of directory servers via LDAP. Crystal Enterprise support for LDAP was designed and tested to the LDAP version 3 specification.
Crystal Enterprise can tie into an LDAP server for User and Group information. Folder and Object permissions (that is, authorization) are still defined within Crystal Enterprise.
When Crystal Enterprise is tied to an LDAP server, equivalent Crystal Enterprise accounts are either created, if they don't already exist, or aliased if they do exist. The Crystal Enterprise system must have references to users and groups inside the system so that report object restrictions can be configured. User passwords are not stored in Crystal Enterprise. When using LDAP, it's the job of the directory server to verify passwords. Any time a user attempts to access Crystal Enterprise resources, a password confirmation request is sent to the directory server. If the user authenticates properly, Crystal Enterprise then checks the user's group membership and the associated privileges assigned to those groups in Crystal Enterprise.
If, for example, a large number of users and groups were added to the directory server and the Crystal Enterprise administrator needed to configure Crystal Enterprise security settings, clicking the Update button on the LDAP page forces synchronization.
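A minimal model of the split described above, as an added example that is not Crystal Enterprise code: the directory verifies the password, while the reporting system holds only account references and the rights attached to groups. The `Directory` and `ReportServer` classes, their methods, and the sample users, groups and rights are all constructed for illustration.

```python
import hashlib, hmac, os

class Directory:
    """Constructed stand-in for the LDAP server: the only place credentials live."""
    def __init__(self):
        self._entries = {}  # user -> (salt, password digest, groups)

    @staticmethod
    def _digest(salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def add(self, user, password, groups):
        salt = os.urandom(16)
        self._entries[user] = (salt, self._digest(salt, password), frozenset(groups))

    def users(self):
        return list(self._entries)

    def verify(self, user, password):
        entry = self._entries.get(user)
        if entry is None:
            return None
        salt, digest, groups = entry
        ok = hmac.compare_digest(digest, self._digest(salt, password))
        return groups if ok else None  # groups on success, None on any failure

class ReportServer:
    """Hypothetical model of the reporting side: references and rights, no passwords."""
    def __init__(self, directory):
        self.directory = directory
        self.accounts = {}      # account name -> "native", "created" or "aliased"
        self.group_rights = {}  # directory group -> rights granted locally

    def sync(self):
        """Model of a forced synchronization: create or alias one reference per user."""
        for user in self.directory.users():
            if user not in self.accounts:
                self.accounts[user] = "created"
            elif self.accounts[user] == "native":
                self.accounts[user] = "aliased"

    def logon(self, user, password):
        groups = self.directory.verify(user, password)  # authentication is delegated
        if groups is None or user not in self.accounts:
            return None
        rights = set()
        for group in groups:                            # authorization stays local
            rights |= self.group_rights.get(group, set())
        return rights
```

In this model a user who authenticates but belongs to no group with rights assigned gets an empty set: a valid directory password alone grants nothing.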
Crystal Enterprise provides the capability to tie in user authentication to the Windows NT or Active Directory security model. If the primary network operating system and application authentication method in an organization is Windows NT or Active Directory, this feature can be a useful timesaver. Although there are material differences between the methods, they are similar enough to be discussed as Windows authentication.
Windows authentication can be configured from the Windows AD or NT tabs, as shown in Figure 27.48. To enable Windows authentication, select the Is Enabled option. Enter the name of the Default Domain. The default domain should be the same domain that contains the majority of the Windows users that will also be Crystal Enterprise end users.
Users who do not have accounts in the specified default domain need to specify their domain name each time they log in to Crystal Enterprise.
The Mapped Member Groups section enables specification of which Windows user groups are permitted to access Crystal Enterprise. Any Windows users who belong to mapped Windows member groups are able to log in to Crystal Enterprise using single sign-on.
Users who are not a member of at least one mapped Windows group will not be able to access Crystal Enterprise unless the administrator has specifically created a Crystal Enterprise user ID for them in the CMC. To import a new Windows group to Crystal Enterprise, type in the name of the Windows group (preceded by the group's domain or machine name) and click the Add button. Remember to click the Update button when you're finished adding or removing Windows groups.
The bottom of the Windows tab has two additional options for configuring NT integration. Assign Each Added Windows Alias to an Account with the Same Name forces Crystal Enterprise to match imported Windows usernames with existing Crystal Enterprise usernames. If Crystal Enterprise already has a username with the same name as an incoming Windows username, the two usernames are mapped to each other so that a duplicate account name is not created. In other words, an alias is created.
On the other hand, the Create a New Account for Every Added Windows Alias option causes Crystal Enterprise to add a new Crystal Enterprise username for each incoming Windows username. If a duplicate username exists in Crystal Enterprise, an alias is not created; instead, a new username is created with a slightly different name. When the group is added, navigate to the Manage Groups section of the CMC. Note that \NGEULAVM-03RUHI is now listed as a group within Crystal Enterprise. Selecting this user group allows access to the same options as a native Crystal Enterprise group.
New to Crystal Enterprise 10, the configuration of applications via a central location simplifies system administration. For instance, setting default colors or preferences (even setting a custom logo for the Web desktop!) can be accomplished from this location. As more applications, such as the Ad-Hoc application, are installed, these applications also add to this section.
By default, the Web Desktop area appears to allow configuration of the Web Desktop's preferences (see Chapter 23 for more information on the Web Desktop, and Chapter 21 for more information on the Ad-Hoc Application). These settings become global for this installation.