Installation and Security
This document highlights some points to consider regarding installation and security.
Lobby Runtime Security
Lobby Runtime Security is mainly based on Presentation Objects.
The Lobby overview shows only the pages (Presentation Objects) that are granted to the user.
When the user opens a lobby page, the layout of the page is loaded without any Presentation Object (PO) check. Data is loaded individually in the lobby elements, and at that point Presentation Object grants are checked for each data source used by the element. If the relevant data source is not granted, a cross sign is displayed on the element.
Figure: Element with no grants
With the Power BI element, a Power BI report or visual can be embedded into a Lobby page. A report or its underlying data source can optionally use row-level security (RLS). When this is the case, the identity of the logged-in user is sent to the Power BI Server, so the logged-in user cannot see data that he shouldn't have access to.
Lobby Designer Security
The Lobby page designer, Lobby element designer and Lobby data source designer are the tools for designing lobbies. Lobby Designer Security is mainly based on projections. There is a separate projection for each designer.
- LobbyDatasourceConfiguration.projection: Datasource designer
- LobbyElementConfiguration.projection: Element Designer
- LobbyConfiguration.projection: Page designer
The logged-in user must have grants for these projections in order to:
- Open designers
- View metadata of Lobby items
- Do CRUD operations on Lobby items
Power BI Security
In the Power BI element designer, the report dropdown is automatically filled with the reports that are available within the Power BI Workspace the Power BI Service is linked to. This is not a per-user list; it is the same for all users. The data in preview mode uses RLS, meaning that the logged-in user cannot see data that he is not allowed to see. The sequence and the security tokens used when a Lobby designer creates a new Power BI Element, and when a Lobby page viewer visits a page which has a Power BI Element on it, are drawn in the diagram below.
Special Security - Datasource Designer
The Datasource designer is a special tool among the three lobby designers. Through the Datasource designer, the user is able to access any table/view in the database and execute any query.
An extra layer of protection has therefore been implemented on the Datasource designer to protect data from unauthorized users.
The LOBBY DATASOURCE DESIGNER system privilege is used as this extra layer of protection.
A user who has grants for LobbyDatasourceConfiguration.projection will be able to:
- Open Datasource designers
- View metadata of data sources
- Export data sources
- Plug a data source into an element
In order to do the following operations on a data source, the user must have grants for the LOBBY DATASOURCE DESIGNER system privilege:
- Create / import data sources
- Edit data sources
- Delete data sources
- Preview data in a data source
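The two-layer rule above can be modelled for a least-privilege review. The following is an added example, not IFS code: it derives the Datasource designer operations a user's grants permit and flags who can reach the query-capable operations. The operation labels, user names and grant sets are constructed assumptions; only the projection and privilege names come from this page.

```python
# Added example: models the Datasource designer rules described on this page.
PROJECTION = "LobbyDatasourceConfiguration.projection"
PRIVILEGE = "LOBBY DATASOURCE DESIGNER"

# Operation names are illustrative labels for the operations the page lists.
PROJECTION_OPS = frozenset(
    {"open_designer", "view_metadata", "export", "plug_into_element"})
PRIVILEGED_OPS = frozenset(
    {"create_or_import", "edit", "delete", "preview_data"})


def allowed_operations(grants):
    """Return the Datasource designer operations a set of grants permits."""
    grants = set(grants)
    if PROJECTION not in grants:
        return frozenset()  # without the projection the designer cannot be opened
    if PRIVILEGE in grants:
        return PROJECTION_OPS | PRIVILEGED_OPS
    return PROJECTION_OPS


def audit(user_grants):
    """Classify users for a least-privilege review.

    full_access: projection and privilege, so able to query any table/view.
    dormant_privilege: privilege without the projection, i.e. one projection
    grant away from full access.
    """
    report = {"full_access": [], "dormant_privilege": []}
    for user, grants in sorted(user_grants.items()):
        if PRIVILEGED_OPS <= allowed_operations(grants):
            report["full_access"].append(user)
        elif PRIVILEGE in grants:
            report["dormant_privilege"].append(user)
    return report


# Constructed sample data (hypothetical users, not from any real system).
SAMPLE_GRANTS = {
    "ALICE": {PROJECTION, PRIVILEGE},
    "BOB": {PROJECTION},
    "CAROL": {PRIVILEGE},
    "DAVE": {"LobbyConfiguration.projection"},
}

if __name__ == "__main__":
    for name, held in sorted(SAMPLE_GRANTS.items()):
        print(name, sorted(allowed_operations(held)))
    print(audit(SAMPLE_GRANTS))
```

Users reported under full_access are the ones to review first, since the privilege gives them query access to any table or view.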
The Install and Reconfigure process
The Lobby items included with IFS Applications are automatically deployed to your database when running the IFS Cloud Installer. Note that every time the Installer is run, the Lobby items that ship with IFS Cloud will be redeployed and overwritten.
Important: If configuration changes (i.e. not Personalization changes) are needed on any Lobby item that was included with IFS Cloud, be sure to create a copy of that item and make the necessary configuration changes on the newly copied item.