IBM Content Navigator, Version 2.0.3. Supports: Content Manager, FileNet P8, OnDemand, OASIS CMIS

Authentication and authorization

Authentication is the act of verifying a user's identity based on credentials that the user provides. IBM® Content Navigator supports several different authentication configurations.

Before you configure and deploy IBM Content Navigator, you should determine whether you want:
  • All users to be able to access the deployed IBM Content Navigator application
  • Only users who have authenticated to the web application server where IBM Content Navigator is deployed to access the web application
The choice that you make determines the initial method by which users are authenticated. IBM Content Navigator supports two primary types of authentication:
Application-managed authentication
If you want all users to be able to access the deployed IBM Content Navigator application, you can use application-managed authentication. With application-managed authentication, the web application server allows the IBM Content Navigator desktop to load without authenticating the user. The IBM Content Navigator desktop is responsible for the initial user authentication.

If you want to use application-managed authentication, select IBM Content Navigator desktop authentication when you configure and deploy IBM Content Navigator. When you select this option, the initial user authentication is performed by the repository that you specify as the authenticating repository.

Important: Users who access the desktop must be defined in the authenticating repository.
However, IBM Content Navigator attempts to authenticate with the application server before the authenticating repository in the following situations:
  • When an administrator logs in to IBM Content Navigator
  • When the authenticating repository is an IBM FileNet® P8 repository
  • When the authenticating repository is an IBM Content Manager or IBM Content Manager OnDemand repository that is enabled for single sign-on

When a user selects a different repository from the desktop, IBM Content Navigator prompts the user for the user’s credentials.

Tip: This is the default authentication method for IBM Content Navigator. (In IBM Content Navigator Version 2.0 and Version 2.0.1, application-managed authentication was the only alternative to SSO authentication.)
Container-managed authentication
If you want only users who have authenticated to the web application server where IBM Content Navigator is deployed to access the web application, you can use container-managed authentication. With container-managed authentication, the web application server is responsible for the initial user authentication. Users' credentials are authenticated by the Java Platform, Enterprise Edition application server where IBM Content Navigator is deployed. The application server uses the Java Authentication and Authorization Service (JAAS) to authenticate users.

Application server authentication provides an extra layer of security for IBM Content Navigator because it prevents users who are not authenticated on the web application server from accessing the web client.

Container-managed authentication works best when users use the same credentials to log on to all of the repositories that they have access to in the web client. If users do not use the same credentials, IBM Content Navigator prompts the user for their credentials when they try to access other repositories in the desktop configuration.

Restriction: WebSphere® Application Server, Version 8 users only: If you configure IBM Content Navigator to access more than one type of repository and Security Integration is enabled, users cannot log on to different repositories with different user credentials. Users must use the same credentials to log on to the repositories in the web client. For more information, see Logging in to a repository as a different user in a session can result in a WebSphere Application Server error.
If you want to use container-managed authentication, select one of the options when you configure and deploy IBM Content Navigator:
Application server authentication
When you select this option, the initial user authentication is performed by the web application server where IBM Content Navigator is deployed.
You should configure application server authentication if one of the following situations applies to your environment:
  • You want to use an LDAP server to authenticate users

    IBM FileNet P8 users only. The users must be defined in the LDAP server that is specified when you configure and deploy IBM Content Navigator. When an LDAP server is configured on the web application server, JAAS uses the LDAP server to authenticate users.

  • You want to use a single sign-on (SSO) solution to authenticate users:

    IBM FileNet P8 users only. You can configure your web application server to use SSO to authenticate web clients by using SPNEGO/Kerberos, CA SiteMinder, or IBM Tivoli® Access Manager for e-business.

    IBM Content Manager users only. You can configure your web application server to use LTPA keys to authenticate trusted users if your IBM Content Manager library server is configured for trusted logon.

    IBM Content Manager OnDemand users only. You can configure your IBM Content Manager OnDemand server to accept LTPA keys from your web application server.

Application server form-based authentication
WebSphere Application Server users only. When you select this option, the initial user authentication is performed by the web application server where IBM Content Navigator is deployed.

Form-based authentication enables you to create a single login point for multiple applications and web sites in your environment. For example, you can use form-based login to enable users to access the applications within your company intranet after they provide their credentials through the login form. This reduces the number of times that users must provide their credentials when accessing applications that are hosted within your intranet.

You should configure application server form-based authentication if you use a form to gather user credentials and send them to your web application server. To use a form-based login, you must have the following JSP pages deployed in your environment:
  • A login page
  • A login error page
Restriction: Regardless of the type of authentication that you specify when you deploy IBM Content Navigator, the web application server always authenticates IBM Content Navigator administrators. Administrators must be application server administrative users or directory service (LDAP) users.

Limiting access to desktops

As an additional measure of security, you can limit access to a desktop to a specific set of users and groups. The users and groups must be defined in the authenticating repository for the desktop.
There are several restrictions that apply if you limit access to the desktop:
  • If you authenticate users against an IBM Content Manager OnDemand repository, the user and group names that you enter are not validated on the server. You must ensure that you enter the names correctly.
  • If you authenticate users against an OASIS Content Management Interoperability Services repository, this option is not available.

If a user tries to access a desktop that they are not authorized to access, the desktop does not load and IBM Content Navigator displays a message that the user is not authorized to access the desktop.

Authorization

What an authenticated user can and cannot do is called authorization. After a user is authenticated, the user is authorized to carry out the actions that are described by the access rights that are associated with the objects the user is accessing. For example, a user might have access rights to check out a class of documents and edit them; however, the user is not authorized to delete those documents.

Security and user permissions must be set on and controlled by the repository. IBM Content Navigator can be used to provide a small level of restrictive control in the web client, but it is not a substitute for well-planned security on the repository. You can adjust users' authorization from IBM Content Navigator:
  • Administrators can use the IBM Content Navigator administration tool to configure the actions that are available from the menus in the web client.
    Important: Administrators cannot grant additional permissions from the administration tool. The administration tool can be used only to restrict the actions that the user can take.
  • IBM Content Manager and IBM FileNet P8 users only. Users who have sufficient permissions can assign users and permissions to documents and folders from the Security window.

Restricting actions by using desktops and teamspaces

You can customize IBM Content Navigator desktops to hide certain actions from users. For example, you can create a desktop in which users have only view rights by removing actions such as Edit or Add from the menus in the desktop.

IBM Content Manager and IBM FileNet P8 users only. You can also use teamspaces to restrict the content that users see when they are in the teamspace.

IBM Content Manager users only. When an item is added from within the teamspace, the item inherits the security settings from the teamspace. If an item is added to the repository first and then added to the teamspace, the item does not inherit the security settings from the teamspace. In addition, if a user adds a document or folder to a teamspace and selects an item type that has item-type level security, the item uses the security that is specified by the item type rather than the security settings of the teamspace.

Restricting actions by using desktops and teamspaces does not prevent users from taking actions or accessing content from another application or API. Desktops and teamspaces are not a replacement for file-level or folder-level security. To secure an object, the security administrator for the repository should use the security features of IBM Content Navigator to grant or deny specific access rights in accordance with the security model that is defined for the repository.