Password
Role
Domain
Integrated domain
Foresight Analytics Platform provides several authentication methods. Authentication method is selected according to the required security level.
User credentials can be checked at DBMS server and/or in Foresight Analytics Platform.
The desktop application provides the following basic authentication types:
Password.
Role.
Domain.
Integrated domain.
Additional authentication types:
Two-factor authentication.
Integrated authentication.
Availability of basic authentication methods depends on the DBMS in use:
| DBMS type \ Authentication type | Password |
Role |
Domain |
Integrated domain |
| Oracle |
|
|
|
|
| Microsoft SQL Server 2008 |
|
|
|
|
| Microsoft SQL Server 2012\2014\2016 |
|
|
|
|
| Microsoft SQL Server (ODBC) |
|
|
|
|
| Teradata |
|
|
|
|
| PostgreSQL |
|
|
|
|
| SQLite |
|
|
|
|
| WEB Service |
|
|
|
|
Conventions:
- authentication type is available.
- authentication type is not available.
Authentication is executed by means of login and password. It is available to set up password policy.
The user enters login and password to Foresight Analytics Platform.
Foresight Analytics Platform addresses DBMS by means of the given login and password.
Role authentication, similarly to password authentication, is executed by means of login and password. The access to objects is determined by the roles assigned to the user at DBMS server, that match with the groups in Foresight Analytics Platform.
NOTE. The role authentication is available only on using Microsoft SQL Server DBMS.
The user enters login and password to Foresight Analytics Platform.
Foresight Analytics Platform addresses DBMS by means of the given login and password.
DBMS returns the list of user roles. The list of roles is compared with the list of platform groups. The user gets permissions that correspond to the groups.
On domain authentication the user is connected by means of the specified domain user data.
Domain authentication is similar to password authentication for the end user, but it simplifies user administration on using domain controllers.
The user enters domain name and password to Foresight Analytics Platform.
Foresight Analytics Platform sends the specified credentials to the DBMS server.
DBMS addresses the domain controller, the domain controller checks correctness of the specified data and grants Foresight Analytics Platform permissions to connect under the domain user by means of a temporary ticket.
Integrated domain authentication is similar to standard domain authentication, except the domain user, under whom the operating system is logged in, is used for authorization.
When working with Teradata DBMS, integrated domain authentication is always executed via Kerberos authentication mechanism. When working with PostrgreSQL DBMS, this mechanism can be enabled in additional repository connection parameters.
To work according to Kerberos protocol, install MIT Kerberos on a client computer (not included into software package of Foresight Analytics Platform maps).
The user enters domain user name and password on the operating system login.
Foresight Analytics Platform sends the specified credentials to the DBMS server.
DBMS addresses the domain controlled, the domain controller checks correctness of the specified data and grants Foresight Analytics Platform permissions to connect under the domain user by means of a temporary ticket.
Two-factor authentication is a user authentication method by means of requesting two different types of authentication data.
In Foresight Analytics Platform two-factor authentication uses any basic authentication type as the first factor, the second factor is a user certificate.
The user executes basic authentication in Foresight Analytics Platform.
After the query the user gives Foresight Analytics Platform the certificate.
If the certificate matches, Foresight Analytics Platform addresses DBMS by means of the given login and password.
On integrated authentication, DBMS data is accessed under the integrated administrator. User permissions are checked at the platform level. Administrator user credentials are encrypted. Integrated authentication is set up via access control.
The user enters login and password to Foresight Analytics Platform.
Foresight Analytics Platform checks user permissions and addresses the DBMS by means of the built-in administrator user credentials.
The web application provides all desktop application authentication types, in this case BI server is used as a desktop application.
NOTE. Domain/integrated domain authentication use requires advanced settings.
The following additional authentication types are available for the web application:
OAuth (only Twitter).
SAML;
Guest login.
OAuth authentication enables the user to authenticate via Twitter. In this case, connection to DBMS is executed under the saved, encrypted administrator user credentials.
The user enters login and password of the Twitter account.
The data provider (Twitter.com) passes user authentication confirmation to the BI server.
The BI server addresses the DBMS by means of integrated administrator user credentials.
The SAML protocol enables the user to exchange identification data between authentication provider and Foresight Analytics Platform. In this case, connection to DBMS is executed under the saved, encrypted administrator user credentials.
The user enters login and password to the authentication provider.
The authentication provider passes Foresight Analytics Platform user credentials check result.
Foresight Analytics Platform addresses the DBMS by means of integrated administrator user credentials.
Basic principles of working with the web application can be learned by means if guest login setup. The user can log in without entering user credentials, by using a previously created guest account. If the guest login is used, it is recommended to limit guest account permissions.
The user opens the guest link.
BI server addresses DBMS by means of the previously entered guest account login and password.
Mobile application uses password authentication. On using the mobile application the user gets report copies and cannot edit them at the server.
The user enters login and password in Foresight Analytics Platform mobile application.
The mobile application passes the data to BI server for checking.
The BI server checks the data and addresses the mobile application server for available objects.