Managing Users and Groups


Crystal Enterprise contains its own security system, separate from the operating system underneath. Maintained by the CMS, this allows the CE administrator to build a unique security model to control access to the reports in the system. Your security model can be as simple or as complex as needed, providing complete flexibility for the system architect and administrator.

CE security is designed to closely mimic many security models, with the security model in Windows NT being particularly close. There are individual user accounts that include a user name and password. Those user accounts may be placed into one or more groups that incorporate similar users. For example, all sales users can be placed in a Sales group. Groups can also be placed within other groups to create a parent/child relationship between groups. For example, all West Coast sales users can be placed in a West Coast subgroup, contained within the Sales main group. This allows the administrator to define a hierarchical setup for easier application of security rights across the system.

Users are not limited to being placed in one group. If a user crosses multiple group boundaries, such as being assigned a CE administrative position, while also being employed in the Sales department, the user can be placed in both the Administrators and Sales groups.

Introducing the Admin Launchpad and Crystal Management Console

Most of the administration work in CE, including adding users and groups or integrating with an existing Windows NT, Active Directory, or LDAP security system (discussed later in the chapter), is performed in the Crystal Management Console, or CMC. This is a web-based application that may be accessed from any computer that has access to the CE network. You'll find a link to the CMC in the Crystal Administration Launchpad. You may also browse directly to the CMC.

To display the Administrative Launchpad, choose it from the Crystal Enterprise 10 program group (if you performed a full stand-alone installation on a single computer). If you have launched the CE User Launchpad (discussed in Chapter 25), you'll also find a link to the Admin Launchpad. Or, you may navigate directly to:

 http://<web server>/crystal/enterprise10/adminlaunch

The Admin Launchpad will appear.

The Admin Launchpad is a basic home page that doesn't provide any true administrative capabilities directly. However, it does contain links to online CE documentation and other administrative web pages that perform various subsets of maintenance (and that showcase the Administrative Software Development Kit, which you can also use for your own custom administrative applications). The particular link on the Admin Launchpad that you'll probably use most often is the Crystal Management Console.

Click the link to launch the CMC. You may bypass the Admin Launchpad entirely and navigate directly to the CMC, should you desire. Browse to:

 http://<web server>/crystal/enterprise10/admin

You'll be prompted to log on to the CMS (which, as discussed earlier, is the heart of Crystal Enterprise). Supply a valid administrative ID and password (when you first install CE, a default account is created with a user ID of Administrator and no password using Enterprise authentication). Once you log in to the CMS, the Crystal Management Console main page will appear.

Tip  

You can click the main links on the CMC page to navigate to various administrative screens. However, you can also navigate directly from any screen to another by choosing screens from the drop-down list in the upper left-hand corner of the CMC. Once you've chosen the desired entry, you'll go directly to that screen.

Adding, Modifying, and Deleting User Accounts

Two user accounts are created automatically when CE is installed: Administrator and Guest. The Administrator account is used as the all-access account for managing your Crystal Enterprise system. The Guest account is set up for general use for users that don't have a specific account, and may be disabled once security is set up to disallow anonymous users. Both these accounts are set to use Enterprise authentication.

Note  

Various authentication types are covered later in this chapter.

To add a new user account, click Users within the Organize category of the CMC home page. The list of existing user accounts will appear. Then click the New User button in the upper-right corner. The New User screen will appear.


Most fields on the user screen are self-explanatory, and some are optional. Some fields or options may be of particular concern:

  • Password Settings: Entries you choose here may conflict with the overall password requirements set in the Enterprise Authentication screen (viewed by clicking the Authentication link from the Manage area of the main CMC screen), but the CMC will generally allow those requirements to be ignored. For example, if you have set requirements for mixed-case passwords, or passwords of a minimum length in the Authentication screen, you'll be able to set initial passwords for users that fall outside of these requirements. The users, however, will need to adhere to the password requirements when they change their own password.

  • Connection Type: The choice you make here is determined largely by the licensing scenario you have purchased with Crystal Enterprise. For example, if you have purchased only named user licenses, the concurrent option will be dimmed. And, if you have purchased only concurrent access licenses, the named option will be dimmed. If you have purchased a combination of both, you may choose which type of license you wish this user to take.

When finished specifying user information, click the OK button. The screen will refresh, showing the new user information you just entered. You'll notice that some new items appear toward the bottom of the page. First, there is now an Account Is Disabled check box that may be used to disable a user account at any time without actually deleting the user account. Also, you'll notice that an alias has been assigned to the account (aliases are used to assign a single user ID to more than one CE authentication type or other user ID).

If you've made a mistake or would like to make a change to the user account, you may now edit any of the user options. If you do so, make sure you click the Update button to apply the changes. Otherwise, the changes will not be saved. You may do this at any time in the future by simply selecting the user account from the Manage Users page.

To delete a user account, click Users from the Organize category on the main CMC page. In the list of users, select the check box next to the user you wish to delete. Then, click the Delete button in the upper-right corner. You will be prompted to confirm the deletion. Note that some users won't present a Delete check box. The initial Administrator and Guest Enterprise accounts can't be deleted. And, any accounts provided by other authentication methods (Windows NT, Active Directory, or LDAP) must be deleted in their original locations; they cannot be deleted here.

Note  

The preceding steps assume you are using Enterprise authentication and will be adding and maintaining users directly in Crystal Enterprise. If you prefer to use an existing Windows NT, Windows Active Directory, or LDAP system to authenticate users, create users and groups in these systems and use steps described later in the chapter to integrate CE with your existing security system.

Adding Groups

Crystal Enterprise groups can be created to organize CE users together. Users can be placed in one or more groups. Groups can also be made subgroups of other groups. Access rights in CE can be assigned to groups, in addition to individual users. Users inherit rights from their group membership, which often makes group organization and security key to a good security model with minimal effort. If you use an external authentication method (Windows NT, Active Directory, LDAP), user groups will also be imported into CE. You may merely accept these existing imported groups, or create additional groups within CE itself to group all users.

Three groups are created automatically when CE is installed: Administrators, Everyone, and New Sign-Up Accounts (you'll notice you are unable to delete these default groups). You'll find the Administrator user in the Administrators group, all users in the Everyone group, and no one in the New Sign-Up Accounts group. Place users that will need to perform administrative tasks into the Administrators group; these users will be able to perform most administrative tasks automatically. By default, every user of Crystal Enterprise will be placed in the Everyone group (and, you can't remove this group or take a user out of this group); you'll set the most basic set of rights for this group. And, the New Sign-Up Accounts group will automatically contain users that create their own sign-up accounts after signing on with the Guest account.

While the three default groups that are created when CE is installed are convenient for certain basic security tasks, they are probably not sufficient for even mildly sophisticated security models. As the administrator, you'll want to think about the best way to group your users for security purposes. For example, some organizations group users by their job functions, with groups such as Sales, Executive, and Human Resources. Other organizations group the users by region, such as East Coast, Midwest, and West Coast. Or, organizations may use a combination of both, or other similar scenarios. There is no right or wrong way to group users, but well-thought-out groupings can make applying access rights much, much easier.

start sidebar
Disabling the Guest Account or Automatic Sign-Up

By default, when you first install CE, both the Guest account and the ability for users to create their own sign-up accounts are enabled. This very open model allows anyone who has the proper URL or link to connect to CE using the Web Desktop (discussed in Chapter 25) or a custom web interface that you may have designed. While you may lock down the Guest account to, for example, prevent deletion or addition of objects or viewing of certain folders and objects, you still may potentially open up your CE system to unwanted users by leaving it enabled.

Furthermore, those accessing CE via the Guest account can, by default, create their own individual user ID and password by clicking the Sign Up icon on the top of the CE Web Desktop. This gives you maximum flexibility to self-manage CE by not requiring administrators to set up each and every account for new CE users. Again, the New Sign-Up Accounts group can be locked down to prevent users who use the sign up feature from performing inappropriate actions or seeing inappropriate content. However, the prospect of unbridled account creation may make you (or your IT security staff) nervous.

You may disable either or both the Guest account and the sign up feature. While it probably makes little sense to disable the Guest account, but leave the sign up feature enabled (as only Guests can create their own accounts), you may find that leaving the Guest account enabled but disabling the sign up feature offers a good balance between open access and reasonable security. Or, if you want complete control over who uses Crystal Enterprise, you may disable the Guest account, in which case users must specify a specific user ID/password combination to gain access to CE.

To disable the Guest account, click Users from the Organize area of the CMC main screen. You'll be presented with a list of existing users in the system. Click the Guest account. On the user screen, simply click the Account Is Disabled check box. Then, click Update.

You'll be presented with a warning message indicating that any attempts at anonymous access will fail (this may be an issue if you've developed custom CE applications that don't provide any particular user ID/password combination within the custom code).


From this point forward, users will immediately be presented a sign-on screen when they view the Web Desktop, rather than being presented the introductory set of folders and objects provided to the Guest account.

If you wish to leave the Guest account enabled, but disable the ability for Guest account users to set up their own user ID/password combination, click Authentication within the Manage section of the CMC main screen. The Authentication screen will appear, with several tabs available to click. The first tab, Enterprise, contains the option to disable the Sign-Up feature. Scroll to the bottom of the screen and uncheck Guest users can create their own Enterprise accounts. Click Update. From this point forward, even if Guest account users are allowed access to the CE Web Desktop, the Sign Up icon will not appear.

end sidebar
 

To add a new group, click Groups from the Organize category on the CMC home page. A list of existing groups will appear. Click the New Group button in the upper-right corner. Fill in the Group Name and Description. Then, click OK. The group will be added, and the screen will refresh, with the OK button replaced with an Update button.


Creating Subgroups

Part of the flexibility of groups is the ability to set up hierarchies, whereby one group can reside inside another group (become a subgroup of the parent group). While there's no practical limit to the numbers and levels of groups to subgroups (a subgroup can be contained within a subgroup or a top-level group, and so forth), nesting groups too deeply may not make for a reasonably simple group structure.

If you plan on nesting groups, you must create all the initial groups (both parent groups and subgroups) using steps mentioned previously in this section. Only after groups have been created can they be nested. Once you've created groups, you may set up a parent/subgroup relationship by clicking either group name from the main list of groups in the CMC. You'll notice two applicable tabs appearing in the screen for the chosen group: Subgroups and Member Of. If you wish to add a subgroup to the current group, click the Subgroups tab. If you wish to make the current group a subgroup of another group, click the Member Of tab.

Once you've clicked the proper tab, click either the Add/Remove Subgroups button (in the Subgroups tab) or the Member Of button (in the Member Of tab). A new screen will appear showing all other groups in the Available Groups list on the left side of the screen, and any subgroups or parent groups already assigned (if any) on the right side. Click one or more groups (CTRL-click to select multiple groups) from the Available Groups list and click the right-arrow button to add them to the right side. If you wish to remove any groups from the right side, click them and click the left arrow. Then, click OK to save your choices.


Placing Users in Groups

Once you've created groups and subgroups, you'll want to add users to the groups. There are two general approaches to placing users in one or more groups: either add one or more groups for a user on the CMC Users screen or add one or more users to a group on the CMC Group screen.

To add groups for a user, click Users in the Organize category of the CMC page. Then, choose the user you wish to set group membership for. Click the Member Of tab on the user's screen to see existing group memberships (you'll always see the Everyone group listed here). Click the Member Of button to choose which groups to make the user a member of. A screen will appear showing all groups on the left side and existing group membership on the right side. As discussed earlier in the chapter, select groups to add or remove for the chosen user.


To add users to a particular group, click Groups in the Organize category of the main CMC page. Then, choose the group you wish to add users to. Click the Users tab to see a list of existing users (if any) that already belong to the group. Click the Add Users button to pick from a list of users to add to the group.

Because large numbers of users can appear in the Available Users list, this screen has an additional Look For text box and Find Now button that allow you to enter either a few characters or a full user name to search for. Once you click the Find Now button, only users that contain the characters typed in the Look For list will appear below. As with other, similar, dialog boxes, select users to add to the group in the left list and click the right arrow to add them.


Again, because a large CE installation can involve large numbers of users, a separate option is used to delete users from a currently selected group. After clicking the Users tab from a group's display, you'll find a separate Remove Users button in the upper right-hand corner. Click this button to display a list of existing users in a group. Choose existing users in the left list and use arrow buttons to add them to the right-hand Users to Be Removed list. If you'd like to find specific users, you can use the Look For text box and Find Now button. Enter either a few characters of a user name or a full user name to search for in the Look For text box. Once you click the Find Now button, only users that contain the characters typed in the Look For list will appear below. Once you've added users to the right list, click OK to remove them from the group.

Note  

Even if you integrate CE with an outside authentication method (Windows NT, Active Directory, or LDAP), you may create and manipulate additional groups within the CMC, beyond those that are imported from the outside server.
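
Added example (not from the book and not Crystal Enterprise code): because users can sit in several groups and groups can be nested, a review of who ends up in Administrators has to follow the Member Of chains. The Python sketch below resolves effective membership over constructed sample data, assuming that membership in a subgroup implies membership in its parent groups; the group Report Admins, the Loop groups, and the user names are hypothetical.

```python
# Constructed sample data, not an export from a real Crystal Enterprise system.
# GROUP_PARENTS: group -> parent groups shown on that group's Member Of tab.
GROUP_PARENTS = {
    "Sales": [],
    "West Coast": ["Sales"],
    "Administrators": [],
    "Report Admins": ["Administrators"],  # hypothetical subgroup
    "Loop A": ["Loop B"],                 # deliberately cyclic pair
    "Loop B": ["Loop A"],
}
# USER_GROUPS: user -> groups assigned directly on the user's Member Of tab.
USER_GROUPS = {
    "Administrator": ["Administrators"],
    "Guest": [],
    "jsmith": ["West Coast", "Report Admins"],
    "mlee": ["Sales"],
    "tkhan": ["Loop A"],
}


def effective_groups(user, user_groups=USER_GROUPS, parents=GROUP_PARENTS):
    """Return every group the user is in, directly or through nesting."""
    seen = {"Everyone"}  # every CE user is always a member of Everyone
    stack = list(user_groups.get(user, []))
    while stack:
        group = stack.pop()
        if group in seen:
            continue  # already expanded; this also terminates cycles
        seen.add(group)
        stack.extend(parents.get(group, []))
    return seen


def membership_paths(user, target, user_groups=USER_GROUPS, parents=GROUP_PARENTS):
    """Return each chain of groups that leads from the user to target."""
    paths = []

    def walk(group, path):
        if group in path:
            return  # cycle: do not revisit a group already on this chain
        path = path + [group]
        if group == target:
            paths.append(path)
            return
        for parent in parents.get(group, []):
            walk(parent, path)

    for group in user_groups.get(user, []):
        walk(group, [])
    return paths


def audit_group(target, user_groups=USER_GROUPS, parents=GROUP_PARENTS):
    """Map each effective member of target to the chains granting membership."""
    return {
        user: membership_paths(user, target, user_groups, parents)
        for user in sorted(user_groups)
        if target in effective_groups(user, user_groups, parents)
    }


if __name__ == "__main__":
    for user, chains in audit_group("Administrators").items():
        print(user, chains)
```

In the sample data, jsmith reaches Administrators only through the nested Report Admins group, which is the kind of indirect grant that does not show up on the Administrators group's own Users tab.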

Password Settings

As noted earlier, each individual user account has its own password and several check boxes that affect that password. But, there are also global password settings for user accounts based on Enterprise authentication that affect password behavior overall. To edit the global settings, click Authentication in the Manage section of the CMC home page. The Enterprise tab will appear by default.


Password Restrictions allow the administrator to force a mixed-case password, as well as a password of a certain character length. User Restrictions allow the administrator to force users to change their passwords every so often, as well as require a series of different passwords. And, Logon Restrictions allow the administrator to shut down the account if a number of unsuccessful logons are attempted. You may use any combination of these choices to enforce password standards and practices for an organization.




Crystal Reports 10
Crystal Reports 10: The Complete Reference
ISBN: B005DI80VA
EAN: N/A
Year: 2004
Pages: 223
Authors: George Peck
