Add new role Reports to configuration UI

This document is written for PhenixID Server.

The reader should have some basic knowledge about PhenixID Server.

This document describes how to add a new role to configuration UI.

Overview

A default user for the configuration UI is created during installation of PhenixID Server.

This user will by default have full access to the configuration UI.

This document will describe how to create a new role that will only have access to the tab "REPORTS".

Please make sure to have a backup copy of the configuration before adding the new settings.

Create the reporting prism module

This change is made in the configuration UI in Advanced mode.

Add the section below to the modules part.
If other modules in your configuration carry an http_configuration_ref, copy that value into the new module; if not, remove the line.

{
	"name": "com.phenixidentity~phenix-prism-report",
	"enabled": "true",
	"config": {
		"display_name": "Reports",
		"base_uri": "reports",
		"http_configuration_ref": "5dd0ad39-d203-42e6-855c-093296105abe"
	},
	"id": "reportsprismmodule"
}

You also have to add a new prism module that serves the /reports link, like the one below. Its module_refs points only at reportsprismmodule, which is what limits this UI to the REPORTS tab.
If other modules in your configuration carry an http_configuration_ref, copy that value into the new module; if not, remove the line. The id must be unique among the modules in the configuration; if a module with id prismconfig already exists, choose another id and use the same value in NODE_GROUPS below.

{
	"name": "com.phenixidentity~phenix-prism",
	"enabled": "true",
	"id": "prismconfig",
	"config": {
		"base_url": "/reports",
		"http_configuration_ref": "5dd0ad39-d203-42e6-855c-093296105abe",
		"auth_redirect_url": "/reports/authenticate/unpwreport",
		"logoff_uri": "/reports/authenticate/logout/",
		"module_refs": "reportsprismmodule"
	}
}

Stage and Commit changes.

Now add the id of the new prism module (prismconfig) to the module_refs part of NODE_GROUPS in Advanced mode. module_refs is a comma-separated string, so append the id to the existing value rather than replacing it.
With the new module added it should look something like this:

	{
		"name": "default",
		"description": "Default node group (created automatically) - all nodes belong to this group",
		"config": {
			"module_refs": "prismconfig,789a0939-0c82-407e-80c1-....


Add new internal user

Log in to the configuration UI, go to the "Advanced" tab and press the pencil to the right of "Internal users".

Make a copy of the existing user (phenixid by default) so that you get a new section like this example:

	{
		"id": "phenixid",
		"password": "{enc}jy58WmoTTsOUdFnS/dpoWokvikLim2NkEaZw7XxTb68=",
		"description": "Default system administrator account",
		"roles": "sysadmin"
	},
	{
		"id": "reportsuser",
		"password": "{enc}CSzOeSq1nsPITZ1+QFU9VJiTJv4+4lahJfhZV/amJAI=",
		"description": "User for reports",
		"roles": "reporting"
	}

In the example above the new user reportsuser has been created, a password has been set for it and the role "reporting" has been assigned. Give the new user its own password rather than keeping the copied {enc} value from phenixid, since an identical stored value means an identical password, and do not give it the sysadmin role, which grants full access to the configuration UI.

NOTE: No changes should be made to the default internal user, phenixid in the example above.

When done, press Stage changes and then Commit changes.


Create authentication for the internal user store

Go to the Authenticators - HTTP section and add this part. The alias unpwreport is what auth_redirect_url in the prism module above points to, and pipeID names the pipe that validates the credentials.

{
  "alias": "unpwreport",
  "name": "PostUidAndPassword",
  "configuration": {
    "successURL": "/reports/",
    "pipeID": "authReportsPipe"
  },
  "id": "unpwreport"
}

Stage and Commit changes.

Finally, go to the Pipes section and add the pipe below, which validates the username and password against the InternalUserStore.

{
	"id": "authReportsPipe",
	"valves": [
		{
			"name": "InternalUserStoreValidatorValve",
			"enabled": "true",
			"config": {
				"username": "{{request.username}}",
				"password_param_name": "{{request.password}}"
			}
		}
	]
}

Stage and Commit changes.


Now try to log in to https://<hostname>/reports/ with the new internal user. Only the tab "REPORTS" should be visible. If other tabs appear, check that module_refs in the prismconfig module references only reportsprismmodule.
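The fragments above are edited by hand in Advanced mode, and the ways they go wrong (a missing comma, a prism instance that references more than the report module, a user that keeps the admin's role or password) only surface after Commit. The check below is an added example, not part of PhenixID Server or its tooling: it parses the fragments as strict JSON and verifies that they fit together before you commit. The fragment strings, the constructed {enc} values and the second node-group id are sample input written for this example; replace them with your own configuration.

```python
"""Pre-commit sanity checks for the /reports role configuration (added example)."""
import json

# Constructed copies of the fragments from this guide. The {enc} values and
# the second node-group module id are placeholders, not real configuration.
REPORT_MODULE = """{
  "name": "com.phenixidentity~phenix-prism-report",
  "enabled": "true",
  "config": {"display_name": "Reports", "base_uri": "reports"},
  "id": "reportsprismmodule"
}"""

PRISM_CONFIG = """{
  "name": "com.phenixidentity~phenix-prism",
  "enabled": "true",
  "id": "prismconfig",
  "config": {
    "base_url": "/reports",
    "auth_redirect_url": "/reports/authenticate/unpwreport",
    "logoff_uri": "/reports/authenticate/logout/",
    "module_refs": "reportsprismmodule"
  }
}"""

INTERNAL_USERS = """[
  {"id": "phenixid", "password": "{enc}AAA=", "description": "Default system administrator account", "roles": "sysadmin"},
  {"id": "reportsuser", "password": "{enc}BBB=", "description": "User for reports", "roles": "reporting"}
]"""

NODE_GROUP_MODULE_REFS = "prismconfig,othermodule"


def is_strict_json(text):
    """True only for valid JSON: a missing comma, an unbalanced brace or a
    '//' comment (not allowed in JSON) makes the UI reject the fragment."""
    try:
        json.loads(text)
        return True
    except ValueError:
        return False


def refs(value):
    """module_refs and roles are comma-separated strings, not lists."""
    return [r.strip() for r in value.split(",") if r.strip()]


def check_reports_setup(report_module, prism_config, internal_users, node_group_refs):
    """Return a list of problems; an empty list means the fragments fit together."""
    problems = []
    mod = json.loads(report_module)
    prism = json.loads(prism_config)
    users = json.loads(internal_users)

    # 1. The /reports prism instance must reference only the report module,
    #    otherwise more than the REPORTS tab becomes visible.
    prism_refs = refs(prism["config"]["module_refs"])
    if prism_refs != [mod["id"]]:
        problems.append(f"prismconfig module_refs should be exactly [{mod['id']}], got {prism_refs}")

    # 2. The prism instance must be listed in the node group or it is never started.
    if prism["id"] not in refs(node_group_refs):
        problems.append(f"node group module_refs does not include {prism['id']}")

    # 3. The authenticate/logoff URLs must live under the prism base_url.
    base = prism["config"]["base_url"]
    for key in ("auth_redirect_url", "logoff_uri"):
        if not prism["config"][key].startswith(base + "/"):
            problems.append(f"{key} is outside {base}")

    # 4. The reports user must not keep the admin's role or the admin's password.
    by_id = {u["id"]: u for u in users}
    admin, reporter = by_id.get("phenixid"), by_id.get("reportsuser")
    if reporter is None:
        problems.append("reportsuser is missing")
    else:
        if "sysadmin" in refs(reporter.get("roles", "")):
            problems.append("reportsuser has the sysadmin role")
        if admin and reporter["password"] == admin["password"]:
            problems.append("reportsuser still has the copied phenixid password")
        if not reporter["password"].startswith("{enc}"):
            problems.append("reportsuser password is not stored encrypted")
    return problems


if __name__ == "__main__":
    for p in check_reports_setup(REPORT_MODULE, PRISM_CONFIG, INTERNAL_USERS, NODE_GROUP_MODULE_REFS):
        print("PROBLEM:", p)
```

Run it with the fragments pasted in from your own configuration; an empty result means the prism wiring and the user entry are consistent, which does not replace the login test above but catches the errors that would otherwise cost a rollback to the backup.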

[Optional] Use another authentication method to log in to reports

Instead of the InternalUserStore you can use any authentication method available.

Available authenticators

Below is an example of an LDAP username & password pipe.
The only thing that has to be changed for LDAP username & password is the authReportsPipe.
Extend filter_template beyond the plain username match, for example with a group-membership condition, so that only the users who are meant to see reports pass the search; with the username match alone, every directory account that can bind gets access to /reports.

{
	"id": "authReportsPipe",
	"valves": [
		{
			"name": "LDAPSearchValve",
			"enabled": "true",
			"config": {
				"connection_ref": "<id of the connection>",
				"base_dn": "<DN where the search starts>",
				"scope": "SUB",
				"size_limit": "0",
				"filter_template": "<attribute holding the username, often sAMAccountName or uid>={{request.username}}"
			},
			"id": "<unique_id>"
		},
		{
			"name": "LDAPBindValve",
			"alias": "auth_pipe_bind",
			"enabled": "true",
			"config": {
				"connection_ref": "<id of the connection>",
				"password_param_name": "password"
			},
			"id": "<unique_id>"
		}
	]
}

Stage and Commit changes.

Now try to log in to https://<hostname>/reports/ with an authorized LDAP user. Only the tab "REPORTS" should be visible, and a directory user outside the restriction in filter_template should be rejected.
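The filter_template above is the one place where the restriction to "true" report users is expressed, and it is easy to get both the AND syntax and the escaping wrong. The example below is added here and is not PhenixID code: it builds a filter_template value that ANDs the username match with a group-membership condition, and shows what a correctly escaped substitution of the username looks like (RFC 4515 escaping), which is the form a username such as `*)(objectClass=*` must take so it cannot change the meaning of the filter. The attribute name sAMAccountName, the memberOf attribute and the group DN are assumptions; use the attribute your directory holds the username in and the DN of your own group. Whether LDAPSearchValve escapes {{request.username}} itself is not stated in this guide, so the render_filter function is only there to show the safe target form.

```python
"""Restricted LDAP filter_template for authReportsPipe (added example, not PhenixID code)."""

# RFC 4515: characters that must be escaped inside a filter assertion value.
# Mapping per character avoids escaping an already-escaped backslash twice.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value):
    """Escape a value so it can only ever match as a literal string."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def reports_filter_template(uid_attr="sAMAccountName",
                            group_dn="CN=Report Users,OU=Groups,DC=example,DC=com"):
    """Value for filter_template: username match AND membership in the report group.

    {{request.username}} is left as a template for the valve to fill in; the
    group DN is an assumed example value and is escaped as a filter literal.
    """
    return f"(&({uid_attr}={{{{request.username}}}})(memberOf={escape_filter_value(group_dn)}))"


def render_filter(template, username):
    """The filter the search should end up sending: the username substituted
    as an escaped literal, so parentheses or wildcards typed by the user stay data."""
    return template.replace("{{request.username}}", escape_filter_value(username))


if __name__ == "__main__":
    template = reports_filter_template()
    print(template)
    print(render_filter(template, "alice"))
    print(render_filter(template, "*)(objectClass=*"))
```

Paste the value returned by reports_filter_template() into filter_template; only accounts that both match the username and are members of the group then reach LDAPBindValve, which checks the password. If the group is nested or the directory does not expose memberOf, use the membership attribute or matching rule your directory supports instead.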