Configuring Microsoft Active Directory for business object level security

You must configure new LDAP users and run a script to prepare IBM® Counter Fraud Management for business object level security.

Procedure

  1. Create the following users and groups in Microsoft Active Directory. Set each user's password to the same password that is assigned to the corresponding local Linux user.
    1. Add the following users (required and optional users are listed).
      Table 1. Required Users
      User Name Description
      db2odm Database application user that the Operational Decision Management Rules Execution Server application uses to connect to the ODMRESDB database.
      db2odmdc Database application user that the Operational Decision Management Decision Center application uses to connect to ODMDCDB database.
      db24core DB2 instance owner. This user ID controls all DB2 processes and owns all file systems and devices that are used by the databases that are contained within the instance.
      cfmauthid Database application user that the ICFM application uses to connect to the Counter Fraud database.
      cfmbatch Administrative-level functional user for running batch operations. Batch jobs are scheduled and run by using the WebSphere® Application Server Job Management Console. This user does not itself submit batch jobs (see the cfmbatchmgr description). This user is an internal user that the batch job implementations use to connect to the Counter Fraud database.
      cfmadmin The Counter Fraud administrative user that configures the Counter Fraud application. This user has access to all default ICFM roles and is also a member of all default ICFM team groups.
      cfmbatchmgr This user schedules, submits, and views batch jobs by using the job management console.
      cfmengine Administrative-level functional user that is the 'RunAs' user for Message Driven Beans (MDBs) within the Counter Fraud applications. Database authorization and RCAC are based on the user who is associated with the trusted context. For web-based requests, this user is the principal that made the request. For non-web-based requests, which primarily consist of MDB-initiated actions, cfmengine is configured as the Run As user for the MDB; in other words, the MDB runs as if the cfmengine user made the requests.
      cfmimport Administrative-level functional user that runs the data import tool.
      cfmreporting Administrative-level functional user for running reporting jobs. This ID is used to query the CFREPORTING database schema, usually when managers or executives view charts from the ICFM application or from IBM Cognos Analytics.
      db2fencc The DB2® instance fenced user. The fenced user runs user-defined functions (UDFs) and stored procedures outside of the address space that is used by the DB2 database.
      cfmunauth When a trusted context does not have a user who is associated with it, this user is used. The Counter Fraud application uses this user to load an initial login page, where no identity was set for the requests.
      Table 2. Optional Users: Add as needed
      User Name Description
      DBADM Database administrator who creates new schemas within the database. Keep in mind that it is usually not necessary to grant this privilege to everybody in the ADMIN_GROUP_NAME. Only users who perform Counter Fraud Archive (CFAR) deployments that contain new schemas require this privilege.
      Note: As this privilege is a higher-level privilege within DB2, it might be better to restrict it to a particular user (or a small group of users) rather than granting it to entire teams.
      SECADM Security administrator who creates and manipulates security within the database. These cases include CFAR deployments, creating new stereotype enum tables, and setting up business object authorizations by using DB2 Row and Column Access Control.
      Note: As this privilege is a higher-level privilege within DB2, it might be better to restrict it to a particular user (or a small group of users) rather than granting it to entire teams.
    2. Add the following groups.
      Table 3. Required groups
      Group Required members
      CFTeamAdmin cfmadmin, cfmbatch, cfmengine, cfmimport, and cfmreporting users
      cfbatchmanagers cfmbatchmgr user
      db24coregrp db24core user
      db2fenccgrp db2fencc user
    3. Add the cfmadmin user to the following groups:
      • CFAdministrators
      • CFInvestigators
      • CFSupervisors
      • CFTeamInvestigation
      • CFTeamSupervisor
      • CFTeamTriage
      • CFTriageAnalysts
    4. Add the cfmimport user to the CFAdministrators group.
    5. Add the cfmbatchmgr user to the CFBatchManagers group.
  2. Create a SYSADM group named db24coregrp by entering the following commands:
    su - root
    groupadd -f db24coregrp
    usermod -a -G db24coregrp db24core
    usermod -a -G db24coregrp root
  3. Create the IBMLDAPSecurity-AD.ini file on the ICFM server (Data server in a three-server environment) by entering the following commands:
    su - db24core
    cp /home/db24core/sqllib/cfg/IBMLDAPSecurity.ini.sample /home/db24core/sqllib/cfg/IBMLDAPSecurity-AD.ini
    Use a text editor to update the settings in /home/db24core/sqllib/cfg/IBMLDAPSecurity-AD.ini for your Active Directory server.
    chmod 664 /home/db24core/sqllib/cfg/IBMLDAPSecurity-AD.ini
  4. Use a text editor to add the following line to the /home/db24core/.bashrc file:
    export DB2LDAPSecurityConfig=/home/db24core/sqllib/cfg/IBMLDAPSecurity-AD.ini
  5. Stop the ICFM application.
    Single server:
      cd /opt/IBM/icfm/2.0/bin
      ./icfm.1.ctl-all.sh stop was.admin.account.pwd
    Three server:
      1. On the Core server:
        cd /opt/IBM/icfm/2.0/bin
        ./icfm.3.ctl-core-all.sh stop was.admin.account.pwd
      2. On the Analytics server:
        cd /opt/IBM/icfm/2.0/bin
        ./icfm.3.ctl-analytic-all.sh stop was.admin.account.pwd
      3. On the Data server:
        cd /opt/IBM/icfm/2.0/bin
        ./icfm.3.ctl-data-all.sh stop

    Where was.admin.account.pwd is the WebSphere Application Server administrator password, as defined in the WAS.ADMIN.ACCOUNT.PWD variable in the /icfminstall/cfm20_install/installs/instance_name/cfm20/topology/CFM.1.properties file.


  6. Change the SYSADM group name from db24core to db24coregrp by entering the following commands:
    su - db24core
    db2 update dbm cfg using SYSADM_GROUP db24coregrp
  7. Configure the LDAP plug-in by entering the following commands:
    su - db24core
    db2 UPDATE DBM CFG USING SRVCON_PW_PLUGIN IBMLDAPauthserver
    db2 UPDATE DBM CFG USING CLNT_PW_PLUGIN IBMLDAPauthclient
    db2 UPDATE DBM CFG USING GROUP_PLUGIN IBMLDAPgroups
  8. Start DB2 by entering the following commands.
    Attention: Make sure to source the db24core user's Bash profile so that the change made in Step 4 takes effect. The command to source the profile, run after switching to the db24core user, is . /home/db24core/.bashrc, as shown:
    su - db24core
    . /home/db24core/.bashrc
    db2start
  9. Start the IBM Counter Fraud Management application.
    Single server:
      cd /opt/IBM/icfm/2.0/bin
      ./icfm.1.ctl-all.sh start was.admin.account.pwd
    Three server:
      1. On the Core server:
        cd /opt/IBM/icfm/2.0/bin
        ./icfm.3.ctl-core-all.sh start was.admin.account.pwd
      2. On the Analytics server:
        cd /opt/IBM/icfm/2.0/bin
        ./icfm.3.ctl-analytic-all.sh start was.admin.account.pwd
      3. On the Data server:
        cd /opt/IBM/icfm/2.0/bin
        ./icfm.3.ctl-data-all.sh start
      4. Start the application on the Analytics server:
        1. Browse to the WebSphere Integrated Solutions Console at https://analytics_host_name:9043/ibm/console/ .
        2. Log in as wasmgr and navigate to Servers > All servers.
        3. Select the ICFMServer check box and then click Start.

    Where was.admin.account.pwd is the WebSphere Application Server administrator password, as defined in the WAS.ADMIN.ACCOUNT.PWD variable in the /icfminstall/cfm20_install/installs/instance_name/cfm20/topology/CFM.1.properties file.


  10. Use the WebSphere Integrated Solutions Console to verify that the data sources can connect to the database successfully.
  11. Run the following commands to remove the existing team roles; the group-based authorizations that replace them are granted in step 12:
    su - db24core
    db2 CONNECT TO CFDB
    
    db2 DROP ROLE CFTEAMADMIN
    db2 DROP ROLE CFTEAMINVESTIGATION
    db2 DROP ROLE CFTEAMSUPERVISOR
    db2 DROP ROLE CFTEAMTRIAGE
  12. To apply proper permissions to Counter Fraud teams and roles, follow these steps:
    1. Replace TEAM_GROUP_NAME with the team group names that are defined in the CF.REG.TeamGroups stereotype in the CFCONFIG.SYSTEM_PROPS table. If new custom team groups are created and added to the CF.REG.TeamGroups stereotype, you must run the following grant statements for each of those custom team groups.
      db2 -tnx "select distinct 'GRANT SELECT, INSERT, UPDATE, DELETE ON TABLE '|| rtrim(tabschema)||'.'||rtrim(tabname)||' TO GROUP TEAM_GROUP_NAME;' from syscat.tables where tabschema in ('CFFACT', 'CFDOC', 'CFFOLIO', 'CFCONFIG', 'CFAUDIT', 'CFREFFACT', 'SPATIAL', 'CFSEARCH')" > TEAM_GROUP_NAME_grants.sql
      
      db2 -tvf TEAM_GROUP_NAME_grants.sql
      Remember: Repeat these commands (with the db2 -tnx query on one line) for each TEAM_GROUP_NAME.
    2. Grant SELECT, INSERT, UPDATE, and DELETE SQL access on all the tables to the cfmbatch user. For example:
      db2 -tnx "select distinct 'GRANT SELECT, INSERT, UPDATE, DELETE ON TABLE '|| rtrim(tabschema)||'.'||rtrim(tabname)||' TO USER CFMBATCH;' from syscat.tables where tabschema in ('CFFACT', 'CFDOC', 'CFFOLIO', 'CFCONFIG', 'CFAUDIT', 'CFREFFACT', 'SPATIAL', 'CFSEARCH')" > CFMBATCH_grants.sql
      
      db2 -tvf CFMBATCH_grants.sql
      Remember: Repeat these commands (with the db2 -tnx query on one line) for each CFMBATCH user.
    3. Replace ADMIN_GROUP_NAME with the group names that have the Administrator role defined in the CF.REG.RoleGroups stereotype in the CFCONFIG.SYSTEM_PROPS table. The default group name for the Administrator role is CFAdministrators, as in the default stereotype value:
      [{"roleName": "Administrator", "groups": ["CFAdministrators"], "page": "cfm.AnalysisFlows"},
      {"roleName": "Supervisor", "groups": ["CFSupervisors"], "page": "cfm.Supervisor"},
      {"roleName": "Investigator", "groups": ["CFInvestigators"], "page": "cfm.Investigator"},
      {"roleName": "Triage Analyst", "groups": ["CFTriageAnalysts"], "page": "cfm.TriageAnalyst"}]
      For example:
      db2 GRANT SECADM ON DATABASE TO GROUP ADMIN_GROUP_NAME;
      db2 GRANT DBADM ON DATABASE TO GROUP ADMIN_GROUP_NAME;
      
      db2 GRANT CREATEIN, ALTERIN, DROPIN ON SCHEMA CFFACT TO GROUP ADMIN_GROUP_NAME;
      db2 GRANT CREATEIN, ALTERIN, DROPIN ON SCHEMA CFDOC TO GROUP ADMIN_GROUP_NAME;
      db2 GRANT CREATEIN, ALTERIN, DROPIN ON SCHEMA SPATIAL TO GROUP ADMIN_GROUP_NAME;
      db2 GRANT CREATEIN, ALTERIN, DROPIN ON SCHEMA CFCONFIG TO GROUP ADMIN_GROUP_NAME;
      db2 GRANT CREATEIN, ALTERIN, DROPIN ON SCHEMA CFFOLIO TO GROUP ADMIN_GROUP_NAME;
      db2 GRANT CREATEIN, ALTERIN, DROPIN ON SCHEMA CFAUDIT TO GROUP ADMIN_GROUP_NAME;
      db2 GRANT CREATEIN, ALTERIN, DROPIN ON SCHEMA CFREFFACT TO GROUP ADMIN_GROUP_NAME;
      
      db2 grant EXECUTE on PROCEDURE CFFACT.CF_DEFINE_CODE_TYPE to group ADMIN_GROUP_NAME;
      db2 grant EXECUTE on PROCEDURE CFFACT.CF_DEFINE_PROP_TYPE to group ADMIN_GROUP_NAME;
      db2 grant EXECUTE on PROCEDURE CFFACT.CF_DEFINE_SYSTEM_PROP to group ADMIN_GROUP_NAME;
      db2 grant EXECUTE on PROCEDURE CFFACT.CF_DEFINE_SYSTEM_REF to group ADMIN_GROUP_NAME;
      db2 grant EXECUTE on PROCEDURE CFFACT.CF_RESOLVE_PARTIES to group ADMIN_GROUP_NAME;
      db2 grant EXECUTE on PROCEDURE CFREPORTING.PROGRAM_EFFECTIVENESS_DATAMART_SP to group ADMIN_GROUP_NAME;
      db2 grant EXECUTE on PROCEDURE CFREPORTING.PROGRAM_EFFECTIVENESS_DATAMART_SP_1 to group ADMIN_GROUP_NAME;
      db2 grant EXECUTE on PROCEDURE CFREPORTING.PROGRAM_EFFECTIVENESS_DATAMART_SP_2 to group ADMIN_GROUP_NAME;
      db2 grant EXECUTE on PROCEDURE CFREPORTING.PROGRAM_EFFECTIVENESS_DATAMART_SP_3 to group ADMIN_GROUP_NAME;
      db2 grant EXECUTE on PROCEDURE CFREPORTING.PROGRAM_EFFECTIVENESS_DATAMART_SP_4 to group ADMIN_GROUP_NAME;
      db2 grant EXECUTE on PROCEDURE CFREPORTING.PROGRAM_EFFECTIVENESS_DATAMART_SP_COMMON to group ADMIN_GROUP_NAME;
      
      db2 GRANT CONTROL ON TABLE CFFACT.ACCOUNT TO GROUP ADMIN_GROUP_NAME;
      db2 GRANT CONTROL ON TABLE CFFACT.EVENT TO GROUP ADMIN_GROUP_NAME;
      db2 GRANT CONTROL ON TABLE CFFACT.PARTY TO GROUP ADMIN_GROUP_NAME;
      db2 GRANT CONTROL ON TABLE CFFACT.PHYSICAL_OBJECT TO GROUP ADMIN_GROUP_NAME;
      db2 GRANT CONTROL ON TABLE CFFACT.TRANSACTION_RECORDS TO GROUP ADMIN_GROUP_NAME;
      
      db2 -tnx "select distinct 'GRANT SELECT, INSERT, UPDATE, DELETE ON TABLE '|| rtrim(tabschema)||'.'||rtrim(tabname)||' TO GROUP ADMIN_GROUP_NAME;' from syscat.tables where tabschema in ('CFBATCH')" > ADMIN_GROUP_NAME_grants.sql
      
      db2 -tvf ADMIN_GROUP_NAME_grants.sql
      
      db2 -tnx "select distinct 'GRANT EXECUTE ON ' || case when routinetype='P' then 'PROCEDURE' else 'FUNCTION' end || ' ' || rtrim(routineschema) || '.' || rtrim(routinename) || ' TO GROUP ADMIN_GROUP_NAME;' from syscat.routines where routineschema in ('CFREPORTING', 'CFFACT', 'CFCONFIG', 'CFREFFACT') and (routinename like 'CF_%' OR routinename like 'RANDOM%')" > ADMIN_GROUP_NAME_grants_pf.sql
      
      db2 -tvf ADMIN_GROUP_NAME_grants_pf.sql
      Remember: Repeat these commands (with each db2 -tnx query on one line) for each ADMIN_GROUP_NAME.
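Step 12 asks you to repeat the grant commands for every TEAM_GROUP_NAME and ADMIN_GROUP_NAME by hand. The following added example (not part of the IBM documentation) generates those db2 command lines from the two stereotype values instead; it assumes CF.REG.TeamGroups is stored as a JSON list of group names, and it rejects any group name that is not a plain authorization ID so that a tampered stereotype value cannot splice extra SQL into the generated grant scripts.

```python
import json
import re

# Schemas that receive table grants: step 12.1/12.2 (team groups, cfmbatch) and step 12.3 (admins).
TEAM_SCHEMAS = ("CFFACT", "CFDOC", "CFFOLIO", "CFCONFIG", "CFAUDIT", "CFREFFACT", "SPATIAL", "CFSEARCH")
ADMIN_SCHEMAS = ("CFFACT", "CFDOC", "SPATIAL", "CFCONFIG", "CFFOLIO", "CFAUDIT", "CFREFFACT")

# Constructed sample stereotype values. CF.REG.RoleGroups follows the shape shown on the page;
# storing CF.REG.TeamGroups as a JSON list of group names is an assumption of this example.
ROLE_GROUPS_JSON = ('[{"roleName": "Administrator", "groups": ["CFAdministrators"], "page": "cfm.AnalysisFlows"}, '
                    '{"roleName": "Supervisor", "groups": ["CFSupervisors"], "page": "cfm.Supervisor"}]')
TEAM_GROUPS_JSON = '["CFTeamAdmin", "CFTeamInvestigation", "CFTeamSupervisor", "CFTeamTriage"]'
AUTH_ID = re.compile(r"^[A-Za-z][A-Za-z0-9_]{0,127}$")

def checked(name):
    """Reject anything that is not a plain authorization ID before it is spliced into SQL."""
    if not AUTH_ID.match(name):
        raise ValueError(f"unsafe group name in stereotype value: {name!r}")
    return name

def admin_groups(role_groups_json):
    """Group names that carry the Administrator role (the page's ADMIN_GROUP_NAME)."""
    return [checked(g) for e in json.loads(role_groups_json)
            if e["roleName"] == "Administrator" for g in e["groups"]]

def table_grant_query(grantee, schemas):
    """syscat.tables query that emits one GRANT per table, as run with db2 -tnx in step 12."""
    in_list = ", ".join(f"'{s}'" for s in schemas)
    return ("select distinct 'GRANT SELECT, INSERT, UPDATE, DELETE ON TABLE '||rtrim(tabschema)"
            f"||'.'||rtrim(tabname)||' TO {grantee};' from syscat.tables where tabschema in ({in_list})")

def admin_static_grants(group):
    """The fixed database- and schema-level statements of step 12.3 for one Administrator group."""
    stmts = [f"GRANT SECADM ON DATABASE TO GROUP {group};", f"GRANT DBADM ON DATABASE TO GROUP {group};"]
    return stmts + [f"GRANT CREATEIN, ALTERIN, DROPIN ON SCHEMA {s} TO GROUP {group};" for s in ADMIN_SCHEMAS]

def build_script(team_groups_json, role_groups_json):
    """db2 CLP command lines covering every team group, the cfmbatch user and every Administrator group."""
    lines = ["db2 CONNECT TO CFDB"]
    grantees = [f"GROUP {checked(g)}" for g in json.loads(team_groups_json)] + ["USER CFMBATCH"]
    for grantee in grantees:
        fname = grantee.split()[1] + "_grants.sql"
        lines += [f'db2 -tnx "{table_grant_query(grantee, TEAM_SCHEMAS)}" > {fname}', f"db2 -tvf {fname}"]
    for group in admin_groups(role_groups_json):
        lines += [f"db2 {s}" for s in admin_static_grants(group)]
        fname = f"{group}_grants.sql"
        lines += [f'db2 -tnx "{table_grant_query("GROUP " + group, ("CFBATCH",))}" > {fname}', f"db2 -tvf {fname}"]
    return lines
```

Print the result of build_script with the real stereotype values from CFCONFIG.SYSTEM_PROPS and run it as the db24core user; the EXECUTE grants on routines (the last db2 -tnx query of step 12.3) are not generated here.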
  13. Use the Business Object Authorization page to enable business object authorization and configure permissions for the user teams. For details, see Enabling business object authorization for ICFM teams.