Security Configuration Checklist

Configuring security involves quite a few steps. Use the list below to make sure you've covered everything. The configuration checklist applies to both the open and Enterprise Edition versions of the Pentaho BI Suite. In the Enterprise Edition version, PAC is PEC (Pentaho Enterprise Console).

  1. Plan.
    You must plan out your security before telling Pentaho how to use it. For example, you must have the appropriate security back-ends (e.g. LDAP) in place.
    1. Determine your roles.  Role names are case-sensitive in the Pentaho BI Platform.
      What roles (out of potentially many) will have meaning in the Pentaho BI Platform?  For example, you might have roles (or groups) that are used by other applications in your enterprise. You could reuse those roles or define new ones for use with the Pentaho BI Platform.  If you already have a BI_USER role, you could tell Pentaho to use that existing role.
    2. Determine which roles should have access to particular URLs.
      This is web resource authorization. Example question: What role will be considered the Pentaho administrator? Note that Pentaho has default web resource authorization settings.  You probably won't need to change the URLs that are protected.  What you will have to change are the roles that are allow to access each URL.
    3. Determine which roles should have which permissions to particular action sequences in the solution repository.
      This is domain object authorization. Example question: Will role A be allowed to execute action sequences in folder X?
  2. Configure the security DAO. Leave it set to the default Pentaho security DAO or switch to JDBC, LDAP, or hybrid LDAP+JDBC.
  3. If you'd like to use a role prefix, define one. (By default, there is no role prefix.)
  4. Define the Pentaho administrator role.
  5. Take the domain object authorization rules (from the earlier planning step) and define them.
  6. Apply the ACLs. *
  7. Take the web resource authorization rules (from the earlier planning step) and define them in the filterInvocationInterceptor bean in applicationContext-spring-security.xml.
  8. Plugin security. There are various plugins that have authorization settings.
    1. If using Data Sources (for example in WAQR), edit pentaho-solutions/system/data-access-plugin/settings.xml.
  9. Configure Metadata security using Pentaho Metadata Editor.
  10. Configure Mondrian security by configuring bean with id of Mondrian-UserRoleMapper in pentahoObjects.spring.xml.
  11. Setup a trust between the PAC and the BI Server.
  12. If users will be publishing content to the BI Server, set the publish password in pentaho-solutions/system/publisher_config.xml. (Users will need to supply this password as well as their normal username and password.)
  13. (DI Server only) Edit repository.spring.xml.

* This step is a batch operation and will remove any custom permissions created via the Admin Permissions UI or Pentaho User Console!