In this article:
Creating Service User Credentials
Setting Up Service User Parameters
A service user of the security subsystem ensures:
System login.
Correct operation of auditing and user locking.
Use of application role when working with DBMS.
Use of password hashing.
NOTE. Creating a service user is required only for a repository created based on the following DBMS: PostgreSQL, Oracle, or Microsoft SQL Server.
To create a service user of security subsystem in Windows OS:
IMPORTANT. A database server supports only a single service user account. If the database server contains several repositories, create a service user with identical credentials for each repository.
Save the created service user credentials on each user computer if you plan to use the desktop and the web applications at the same time. If you plan to use only the web application, save service user credentials on the computer with installed BI server.
When working in the desktop application, the users work directly with the DBMS. When working with the web application, the users work with the DBMS via BI server.
After executing the operations, a service user of security subsystem will be created on the database server and saved according to the selected method on each user computer or on the computer with installed BI server.
TIP. It is recommended to disable the mandatory periodic password change policy for an account of service user of security subsystem in DBMS.
To change the service user password, use the security manager.
To create service user credentials on a database server, use the repository manager or the PP.Util.exe utility.
To create service user credentials:
Start the repository manager as the administrator.
To set up DBMS connection:
Select the Create Service User of Security Subsystem item in the repository manager dialog box and click the Continue button.
After executing the operations the DBMS Connection dialog box opens:
NOTE. The number of available parameters depends on the selected DBMS.
Set DBMS connection parameters:
DBMS Type. Select the DBMS type - Oracle, Microsoft SQL Server, or PostgreSQL. For details about available DBMS versions see the Supported DBMS section.
Advanced Settings. The button becomes available if the connection is set up to the Microsoft SQL Server or PostgreSQL DBMS. In the advanced settings specify:
DBMS is Case Sensitive. The checkbox is deselected by default, and case is ignored when working with DBMS. If the checkbox is selected, all commands are executed taking case into account.
File Group. The box is available if the Microsoft SQL Server DBMS is selected. If the file group is not specified by the user in the advanced settings, the box displays DEFAULT by default, and the file group specified in the database properties by default is used on connection.
Schema Administrator's Name in Database. The box is available if the Microsoft SQL Server DBMS is selected. The DATABASE OWNER data is used by default. If the DATABASE OWNER credentials are unavailable, specify the user who has the DB_OWNER privilege on the DBMS server. The system procedures are executed on behalf of the specified user.
Server. Enter IP address or alias, with which the server is registered.
Database. The box is available if the Microsoft SQL Server or PostgreSQL DBMS type is selected. Set database name for metadata storage.
Schema. The box is displayed if the Microsoft SQL Server or PostgreSQL DBMS type is selected. Specify the identifier of a user schema to use this schema in a database. The "dbo" is used by default.
User Name (Schema). Name of the user who is a database (schema) owner.
Password. Enter the user password to access the DBMS.
Click the Check Connection button to check correctness of entered data. An appropriate message is displayed if connection is successful or failed. An appropriate message is also displayed if the file group specified in advanced settings is not found on checking the connection.
After executing the operations, the connection is set up to the DBMS, on which the repository is based.
To create service user credentials, click the Next button.
Set up service user parameters:
Go to the Create Service User page:
Set parameters of service user credentials:
User Name. Enter service user name. By default, the user name is entered in upper case to avoid conflicts with DBMS.
NOTE. The P4AUDIT service user name is reserved by the system and cannot be used.
Password. Enter service user password. For the Microsoft SQL Server DBMS, a password should meet the requirements for password complexity.
Select a method for saving credentials:
Only for Me. Credentials will be stored in the registry key of the current user - [HKEY_CURRENT_USER\SOFTWARE\Foresight\Foresight Analytics Platform\10.0\Audit\Credentials\Item0] - and are available only for the current computer user.
Anyone Who Uses This Computer. Credentials will be stored in the local computer registry - [HKEY_LOCAL_MACHINE\SOFTWARE\Foresight\Foresight Analytics Platform\10.0\Audit\Credentials\Item0] - and are available for anyone who uses this computer.
NOTE. Credentials are saved to the local computer registry by a user with administrator permissions.
To the settings.xml File. Credentials will be stored in the settings.xml file located at %PROGRAMDATA%\Foresight\Foresight Analytics Platform.
NOTE. The ProgramData folder is hidden in the operating system by default.
The file is available only for the current computer user. If the file exists in the specified folder, it will be overwritten. If there is no such file, it will be created.
Click the Finish button.
After executing the operations, service user credentials are created on the database server and saved according to the selected method on the current user computer. If service user credentials are not created on a database server and the administrator/user does not have a privilege to create DBMS users, the database authorization dialog box opens.
NOTE. If work is executed with a server based on Oracle DBMS, specify credentials of the Sys user in the dialog box and select the SYSDBA mode in server connection parameters.
To create service user credentials, start the PP.Util.exe application located in the folder with installed Foresight Analytics Platform with the following parameters:
PP.Util.exe /create_audit_user metabase_id login password audit_login audit_password db_login db_password
Where:
metabase_id. Repository identifier. Mandatory parameter.
NOTE. The repository with the specified identifier should be in the repositories list. If a custom schema is specified in repository connection settings, service user credentials will be created for it.
login. Owner name for the ADMIN schema for repository connection. Mandatory parameter.
password. Owner password for the ADMIN schema for repository connection. Mandatory parameter.
audit_login. Name of created service user. Mandatory parameter.
NOTE. The P4AUDIT service user name is reserved by the system and cannot be used.
audit_password. Password of created service user. Mandatory parameter.
db_login. Name of the database user who has privileges to create DBMS users. Optional parameter. If the user name is not specified, it will be requested in interactive mode.
db_password. Password of the database user who has privileges to create DBMS users. Optional parameter. If the password is not specified, it will be requested in interactive mode.
After executing the operations, service user credentials are created on the database server.
To save created service user credentials on each user computer or on the computer with installed BI server, use the PP.Util.exe utility or export registry data to a reg file from the computer, on which the service user is created. Registry data can be exported if one of the following options for saving credentials was selected on creating a service user: Only for Me or Anyone Who Uses This Computer. If the To the settings.xml File method for saving credentials was selected on creating a service user, copy the generated settings.xml file to each user computer or the computer with installed BI server.
The search priority of saved service user credentials:
The [HKEY_CURRENT_USER] key.
The [HKEY_LOCAL_MACHINE] key.
To save created service user credentials, start the PP.Util.exe application located in the folder with installed Foresight Analytics Platform with the following parameters:
PP.Util.exe /save_audit_creds /ALG enc_alg /SCOPE scope realm|/DC login password
Where:
enc_alg. Encryption algorithm, which is used to encrypt user credentials:
gos. Default value. Encryption with the GOST 28147-89 algorithm is used.
pro. Encryption with Data Protection API (DPAPI) in Windows is used. This encryption type is unavailable in Linux OS.
sim. Credentials are saved unencrypted.
IMPORTANT. To ensure security during production operation of Foresight Analytics Platform, use the gos or pro value.
Optional parameter. If the parameter is not set, the default value is used.
scope. Method for saving credentials:
hkcu. Only for me. Credentials will be stored in the registry key of the current user - [HKEY_CURRENT_USER\SOFTWARE\Foresight\Foresight Analytics Platform\10.0\Audit\Credentials\Item0] - and are available only for the current computer user.
hklm. Anyone who uses this computer. Credentials will be stored in the local computer registry - [HKEY_LOCAL_MACHINE\SOFTWARE\Foresight\Foresight Analytics Platform\10.0\Audit\Credentials\Item0] - and are available for anyone who uses this computer.
file. Default value. To the settings.xml file.
In Windows OS, credentials will be stored in the settings.xml file located at %PROGRAMDATA%\Foresight\Foresight Analytics Platform.
NOTE. The ProgramData folder is hidden in the operating system by default.
If the file exists in the specified folder, it will be overwritten. If there is no such file, it will be created.
Optional parameter, it is used only in Windows OS. If the parameter is not set, the default value is used.
In Linux OS, credentials can be stored only in the settings.xml file located at: /opt/foresight/fp10.x-biserver/etc.
realm|/DC. Credentials scope of the service user. Select one of the methods:
realm. If the list of repositories contains more than one repository, and service user credentials should differ for each of them, set an identifier of the SERVER_DATABASE|TYPE type for the database server specified in specific repository connection settings, where:
SERVER_DATABASE. IP address or alias of the registered database server.
NOTE. When setting up repository connection on each client computer or on the computer with installed BI server, the IP address or server alias must match the server specified in the SERVER_DATABASE parameter.
TYPE. Type of driver in use. Available values: POSTGRES, MSSQL, ORCL.
For example: "127.0.0.1|POSTGRES".
NOTE. To avoid syntax errors, enclose the value in quotation marks.
/DC. If the list of repositories contains one or more repositories, but service user credentials should be equal for all repositories, use this parameter without specifying additional settings.
Mandatory parameter.
login. Name of existing service user. Mandatory parameter, it is case sensitive.
password. Password of existing service user. Optional parameter, it is case sensitive. If the password is not specified, it will be requested in interactive mode.
After executing the operations the service user credentials will be saved on each user computer or on the computer with installed BI server.
IMPORTANT. The service user can be locked on an attempt to log in to the repository if the credentials saved using the PP.Util.exe utility do not match the source credentials specified on creating the user. To unlock the service user, contact the DBMS administrator.
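The following is an added example, not code from Foresight Analytics Platform: a deployment helper that validates the /save_audit_creds options against the values listed above and builds the argument list, rejecting the unencrypted sim algorithm and leaving the password to the interactive prompt. The function name, the platform parameter and the AUDITUSER login are assumptions made for illustration.

```python
# Added example, not vendor code: validates /save_audit_creds options against
# the values documented on this page and returns an argv list.
ALGS = {"gos", "pro", "sim"}              # /ALG values
SCOPES = {"hkcu", "hklm", "file"}         # /SCOPE values (Windows OS only)
DRIVERS = {"POSTGRES", "MSSQL", "ORCL"}   # TYPE part of the realm
RESERVED = {"P4AUDIT"}                    # reserved service user name


def build_save_audit_creds(login, realm=None, alg="gos", scope="file",
                           platform="windows", util="PP.Util.exe"):
    """Return argv for PP.Util.exe /save_audit_creds; raise ValueError on
    settings the page marks as invalid or unsafe for production."""
    if alg not in ALGS:
        raise ValueError(f"unknown /ALG value: {alg!r}")
    if alg == "sim":
        raise ValueError("sim saves credentials unencrypted; use gos or pro")
    if alg == "pro" and platform != "windows":
        raise ValueError("pro (DPAPI) is unavailable in Linux OS")
    if scope not in SCOPES:
        raise ValueError(f"unknown /SCOPE value: {scope!r}")
    if platform != "windows" and scope != "file":
        raise ValueError("in Linux OS only settings.xml storage is available")
    # Assumption: the reserved name is compared case-insensitively here.
    if not login or login.upper() in RESERVED:
        raise ValueError("service user name is empty or reserved")

    argv = [util, "/save_audit_creds", "/ALG", alg]
    if platform == "windows":
        argv += ["/SCOPE", scope]         # /SCOPE is used only in Windows OS
    if realm is None:
        argv.append("/DC")                # same credentials for all repositories
    else:
        server, sep, driver = realm.partition("|")
        if not sep or not server.strip() or driver not in DRIVERS:
            raise ValueError("realm must look like SERVER_DATABASE|TYPE")
        argv.append(realm)                # one argv element, so "|" is literal
    # The password is deliberately left out: the utility then requests it in
    # interactive mode, keeping it out of shell history and process listings.
    argv.append(login)
    return argv


if __name__ == "__main__":
    # Constructed sample values; AUDITUSER is a hypothetical service user name.
    print(build_save_audit_creds("AUDITUSER", realm="127.0.0.1|POSTGRES",
                                 alg="pro", scope="hklm"))
```

Pass the returned list to subprocess.run without shell=True so that the realm stays a single argument and no shell interprets the | character.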
To save created service user credentials, export the system registry key from the computer, on which service user credentials were created, in encrypted form:
[HKEY_CURRENT_USER\SOFTWARE\Foresight\Foresight Analytics Platform\10.0\Audit] if the Only For Me option for saving credentials was selected.
[HKEY_LOCAL_MACHINE\SOFTWARE\Foresight\Foresight Analytics Platform\10.0\Audit] if the Anyone Who Uses This Computer option for saving credentials was selected.
Next, import the output reg file to the registry of each user computer or the computer with installed BI server.