| Interface Summary | |
|---|---|
| IsecWinAD | This interface extends the IInfoObject and the IsecWinADBase interfaces. |
| IsecWinAD.CeSSOAccessMode | Specifies the single sign-on (SSO) access mode. |
| IsecWinAD.CeSSOVendor | Specifies the single sign-on (SSO) vendor. |
| IsecWinADBase | This interface provides properties that map Active Directory (AD) principals (users or groups) to SAP BusinessObjects Enterprise, and it also supports both AD and Kerberos single sign-on (SSO) authentication. |
This package contains interfaces that allow you to map users and groups from a Windows 2000 Active Directory (AD) user database to SAP BusinessObjects Enterprise, verify all logon requests that specify AD authentication, and provide Kerberos single sign-on (SSO) access to AD group members.
To use this library, the Central Management Server (CMS) must run under a user account that has the “Act as Part of the Operating System” right. See your Windows 2000 documentation for more information.
For more information on mapping AD users and groups to SAP BusinessObjects Enterprise, see the SAP BusinessObjects Enterprise Administrator's Guide.
Unlike the desktop plugins, the authentication plugins are static, and objects cannot be created from
them. It follows that since no instances of the plugin exist, you must retrieve the plugin itself. Each
type of authentication plugin is represented by an InfoObject. These objects are
stored in the CI_SYSTEMOBJECTS category in the CMS InfoStore, and must be retrieved using the SI_NAME
property.
The following example retrieves the secWinAD authentication plugin:
IInfoObjects authObjs = iStore.query( "SELECT TOP 1 * FROM CI_SYSTEMOBJECTS WHERE SI_NAME='secWinAD'");
The query method returns a collection of InfoObjects, which in this case contains only one item--the secWinAD class.
Like other InfoObjects, this object is uniquely represented by its ID property. You can also access
general InfoObject properties, such as the SI_NAME property,
SI_DESCRIPTION property, and
SI_ID property.
To access the IsecWinAD objects returned by the query, the resulting IInfoObjects need to be cast. This example demonstrates how to cast the returned IInfoObjects as IsecWinAD objects:
IInfoObject obj = (IInfoObject) authObjs.get(0);
IsecWinAD winAuth = (IsecWinAD) obj;
A third-party group can be mapped over to SAP BusinessObjects Enterprise in two ways. The third-party
group alias name can be added to a new IUserGroup or it can be added to
an existing group. Once the IUserGroupAlias for the third-party user group has been added
to the IUserGroup, the collection must then be committed to the CMS. Before committing,
ensure that the IUserGroupAlias's setDisabled method has been called with false.
Also be aware that adding an alias to an existing user group is not the same as re-assigning the
third-party alias. Re-assignment is not handled by the CMS and must be done manually.
Once the appropriate third-party user group aliases have been created and added to an IUserGroup,
the third-party user group is ready to be imported. In order to trigger the import of the third-party users,
the third-party plugin InfoObject needs to be updated. It is important to note that merely adding the
third-party group alias to a group does not trigger the import of the users.
To import WinAD users from a previously mapped third-party group:
IUserGroup to which the third-party group alias to be mapped was added.
IUserGroupAlias object's getAuthentication()
and getID() methods to retrieve the required information.
You must change at least one property of this plugin before you commit it to the CMS repository. Unchanged class instances result in a match between the information stored in the application memory and the information in the database memory. As a result, the CMS repository will not write anything to the database.
Even if you do not want to change the properties of a class instance, you can toggle one of its properties to let it commit to the CMS repository. In the example below, secADInterface has its AliasAutoAdd property initially set to false. If you want to commit secADInterface but not change any of its properties, you can set AliasAutoAdd to true and then back to false.
secADInterface.setAliasAutoAdd(true);
secADInterface.setAliasAutoAdd(false);
infoStore.commit(infoObjects);
CePropertyID.SI_MAPPED_GROUPS,
CePropertyID.SI_ALIAS_AUTOADD,
CePropertyID.SI_ALIAS_AUTOCREATE
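The retrieval, cast and forced-commit steps described above, combined into one program; this is an added example, not code from the SDK documentation. The class name and the `BOE_CMS`, `BOE_USER` and `BOE_PASSWORD` environment variables are assumptions, as is the `isAliasAutoAdd()` getter paired with the `setAliasAutoAdd` call shown on this page. It reads the current AliasAutoAdd value before toggling so that the setting is restored whether it started as true or false.

```java
import com.crystaldecisions.sdk.exception.SDKException;
import com.crystaldecisions.sdk.framework.CrystalEnterprise;
import com.crystaldecisions.sdk.framework.IEnterpriseSession;
import com.crystaldecisions.sdk.occa.infostore.IInfoObjects;
import com.crystaldecisions.sdk.occa.infostore.IInfoStore;
import com.crystaldecisions.sdk.plugin.authentication.secwinad.IsecWinAD;

public class TriggerWinADImport {
    public static void main(String[] args) throws SDKException {
        // Assumed inputs: the CMS name and an administrator account are read
        // from the environment so that no credential is hard-coded in source.
        String cms = System.getenv("BOE_CMS");
        String user = System.getenv("BOE_USER");
        String password = System.getenv("BOE_PASSWORD");

        IEnterpriseSession session = CrystalEnterprise.getSessionMgr()
                .logon(user, password, cms, "secEnterprise");
        try {
            IInfoStore iStore = (IInfoStore) session.getService("InfoStore");

            // The plugin is static: fetch the single InfoObject by SI_NAME.
            IInfoObjects authObjs = iStore.query(
                "SELECT TOP 1 * FROM CI_SYSTEMOBJECTS WHERE SI_NAME='secWinAD'");
            if (authObjs.size() != 1) {
                throw new IllegalStateException("secWinAD plugin object not found");
            }
            IsecWinAD winAuth = (IsecWinAD) authObjs.get(0);

            // Toggle a property and restore it so the CMS sees a change and
            // writes the object, which triggers the import of mapped users.
            // isAliasAutoAdd() is assumed to be the getter for this property.
            boolean original = winAuth.isAliasAutoAdd();
            winAuth.setAliasAutoAdd(!original);
            winAuth.setAliasAutoAdd(original);

            iStore.commit(authObjs);
        } finally {
            // Always release the administrative session, even on failure.
            session.logoff();
        }
    }
}
```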