2 replies. Latest post: 2013-01-17T00:45:32Z by cwoliveira
SystemAdmin
Configure FileNet to work with database for authentication instead of LDAP

2012-11-09T04:42:37Z
Hi,

We have integrated FileNet along with our J2EE application. Our application uses SSO to log in to the application. The application maintains users, roles and access privileges in a database. These users/groups are virtual users (e.g. user1 under the role 'Manager') and they do not exist in the LDAP server. We are integrating our application with FileNet for document management. For any document-related operation, our application will in turn call FileNet. Our challenge is that FileNet expects real users (present in LDAP) for authentication. We are not in a position to create these users/roles in LDAP, as the list of users/roles is huge and becomes an overhead. How do we overcome this problem?
  • SystemAdmin

    Re: Configure FileNet to work with database for authentication instead of LDAP

    2012-12-27T09:55:04Z, in response to SystemAdmin
    You can write a script to add the users & groups and map users to the respective groups. What is the LDAP you are using, e.g. MS Active Directory?
  • cwoliveira

    Re: Configure FileNet to work with database for authentication instead of LDAP

    2013-01-17T00:45:32Z, in response to SystemAdmin
    Hi,

    I agree with you, that's a challenge. FileNet security is designed with two major "sub-systems":

    1 - Authentication: it's based on the J2EE application server (ex: WAS) security. Here it's possible to enable SSO, a custom user registry with external systems, federated repositories, security domains, etc.

    2 - Authorization: it's based on communication from the FileNet CE J2EE application to a registered/supported Directory Server (LDAP).

    So, FileNet still needs a Directory Server in order to perform object authorization.

    A workaround (STRONGLY NOT RECOMMENDED AND PROBABLY NOT SUPPORTED BY IBM) would be to create in LDAP only one or more users for FileNet to work as "FileNet Service Users". Your application will log on to FileNet with those accounts instead of your end-users' credentials. The major impacts of this approach will be that the "FileNet Service Users" need all possible permissions (ex: Obj Store Admin) required by the application, and that all audit records on FileNet are saved for the "FileNet Service Users".

    Regards,

    CW
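As an added illustration (not code from this thread or from IBM), the service-user pattern described above in the FileNet CE Java API: the application authenticates to FileNet once with the service account, enforces its own database-backed role check before each call (since the service user holds far more rights than any end user), and writes its own record of which application user triggered each operation, because FileNet's audit trail will only show the service user. The connection URL, stanza, object store name and the `AppAuthorizer` interface are placeholders for this example.

```java
import com.filenet.api.core.Connection;
import com.filenet.api.core.Document;
import com.filenet.api.core.Domain;
import com.filenet.api.core.Factory;
import com.filenet.api.core.ObjectStore;
import com.filenet.api.util.Id;
import com.filenet.api.util.UserContext;
import javax.security.auth.Subject;
import java.util.logging.Logger;

public class ServiceUserGateway {
    private static final Logger AUDIT = Logger.getLogger("app.filenet.audit");

    // Placeholder values for this example; take them from real configuration.
    private static final String CE_URI = "http://ce-host:9080/wsi/FNCEWS40MTOM/";
    private static final String STANZA = "FileNetP8WSI";
    private static final String OBJECT_STORE = "OS1";

    /** Hypothetical hook into the application's own users/roles database. */
    public interface AppAuthorizer {
        boolean canRead(String appUser, Id docId);
    }

    private final Connection conn;
    private final Subject serviceSubject;   // the one LDAP account FileNet actually knows
    private final AppAuthorizer authz;

    public ServiceUserGateway(String serviceUser, String servicePassword, AppAuthorizer authz) {
        this.conn = Factory.Connection.getConnection(CE_URI);
        this.serviceSubject = UserContext.createSubject(conn, serviceUser, servicePassword, STANZA);
        this.authz = authz;
    }

    /** Fetches a document as the service user on behalf of an application user. */
    public Document fetchDocument(String appUser, Id docId) {
        // The service user can read everything, so the application must decide first.
        if (!authz.canRead(appUser, docId)) {
            AUDIT.warning("appUser=" + appUser + " action=fetch doc=" + docId + " result=denied");
            throw new SecurityException("not permitted: " + appUser);
        }
        UserContext uc = UserContext.get();
        uc.pushSubject(serviceSubject);     // CE calls on this thread now run as the service user
        try {
            Domain domain = Factory.Domain.fetchInstance(conn, null, null);
            ObjectStore os = Factory.ObjectStore.fetchInstance(domain, OBJECT_STORE, null);
            Document doc = Factory.Document.fetchInstance(os, docId, null);
            // Compensating record: FileNet's audit row names the service user, not appUser.
            AUDIT.info("appUser=" + appUser + " action=fetch doc=" + docId + " via=service-account");
            return doc;
        } finally {
            uc.popSubject();                // never leave the service identity on the thread
        }
    }
}
```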