Administration Console: Security

This section describes how to set up security for the different topologies. A working knowledge of Active Directory and Kerberos is useful when using NTLM and/or Windows Integrated Security, as is a general understanding of security and how it relates to web applications.

(A screenshot showing the Security tab and the subsections, one for each security model)

| Security Model | Login Method | Mapping for Roles | Mapping for Cube Connection |
|---|---|---|---|
| Anonymous | Not needed | Fixed rules(*) | Possible to define an OLAP account per cube (data source) |
| Basic Authentication | Manual with PC accounts | PC accounts mapped to Roles | Roles mapped to OLAP accounts per cube (data source) |
| NTLM v2 | Use existing domain logon | AD accounts mapped to Roles | Roles mapped to OLAP accounts per cube (data source) |
| Windows Integrated Security (Kerberos) | Use existing domain logon | AD accounts mapped to Roles | Not needed |

(*) When using the Anonymous security model, all users have full pcMobile functionality, except for the Admin Console, which is only available from the pcMobile server itself. This means you can reach the Admin Console by browsing to http://localhost (or http://localhost:portnumber if the port is different from 80) *only on the machine where pcMobile is installed*; from everywhere else you can reach only the client and designer interfaces.

| Term | Explanation |
|---|---|
| PC account | pcMobile account created and stored within pcMobile, used for manual logon |
| AD account(*) | Active Directory account created in Active Directory and used for automatic logon |
| OLAP account | AD account created in Active Directory, having access rights to the cubes, with secure caching of login credentials in pcMobile and saved per cube (data source) |
| Role | A pcMobile role has members (PC accounts or AD accounts) and is mapped for use of different functions within pcMobile and can be mapped to OLAP accounts per cube (data source) |

(*) From a technical perspective it is normally possible to achieve the same functionality with local accounts as with AD accounts, but under normal circumstances AD accounts are preferable.

By authentication we mean authentication towards the pcMobile server. This can be achieved in a number of different ways, described below. For information on how to handle delegation and/or the mapping of accounts to pcMobile roles, please refer to the section on how to administer roles.

  • No Authentication - Anonymous, the default and simplest security setup
    Setting up Anonymous
  • Basic Authentication - is used when you want authentication, but your users aren't part of any relevant Windows Domain, for example in an extranet scenario.
    Setting up Basic Authentication
  • Authentication by Active Directory - If you have your users in an Active Directory and want to use that for authentication, there are two different possible security setups.
    • NTLM - uses the AD but does not allow delegation. The normal solution to this is to set up special OLAP accounts for each cube (data source) that will be used by different roles and map the user accounts to the different roles.
      Setting up NTLMv2
    • Windows Integrated Security (Kerberos) - uses the AD accounts with delegation for all queries sent to the cube.
      Setting up Windows Integrated Security with Delegation

  • pcmobile/itsetup/security.txt
  • Last modified: 2014/06/12 07:52
  • by pcevli