Configuring Users and Roles

Users and Roles can be edited within 1Integrate.

Roles are the same for both WebLogic and Wildfly installations of 1Integrate. It is only the method of assigning users to these roles that differs.

Note: You will need to restart 1Integrate for any changes to user and roles to take effect.

By default, 1Integrate is deployed with example users and passwords included. This enables a quick set-up process, but for security reasons it is HIGHLY RECOMMENDED that you:

  • as a minimum, change all passwords from the defaults to unique values on installation
  • change the user names to ones relevant to your organisation.

For stronger security and management, consider using other authentication mechanisms such as using your organisation's Lightweight Directory Access Protocol (LDAP) Service e.g. Microsoft Active Directory. This ensures that passwords and usernames are not stored in the application server but managed, as normal, by an IT department.

Roles

The following roles are available in 1Integrate:

rs_admins

The administrator can set up system parameters and has all the privileges of the other roles. These include creating and modifying:

  • rules
  • data stores
  • sessions
  • actions
  • action maps

The administrator can also define sessions and upload files.

rs_data_engineers

A data engineer can:

  • create and modify actions
  • create and modify action maps
  • define and run sessions

rs_data_loaders

A data loader can upload files into 1Integrate.

rs_data_quality_stewards

A data quality steward can define and run sessions only.

rs_rule_definers

A rule definer can create and modify:

  • rules
  • data stores
  • sessions

The rule definer can also run sessions.

rs_users

A user can only view data presented on the interface.

rswsuser

A web service user can use the web services.

WebLogic Users

1Integrate users and roles should be configured using the WebLogic Server Administrator Console.

The following 1Integrate users are created by default:

User Password
intadmin1 intadmin#1
intadmin2 intadmin#2
intuser1 intuser#1

In WebLogic, "groups" are used to define roles. Group membership determines a user's access to application features.

1Integrate groups are created by default. However, unlike the default users, the group names set up by the installer must not be altered.

Note: The default setup assigns the default users to some of the default groups, allowing you to log in and start using 1Integrate without having to change any of the security configuration. If you wish to customise the users, then group assignment can be altered.

Wildfly Users

To configure users and roles, navigate to the \wildfly-[version]\SETTINGS folder. This folder contains the following files:

  • users.properties contains a list of usernames and passwords, in the form username=password.

    Note: All users listed in the following table are included as default.

  • roles.properties contains a mapping from user names to 1Integrate roles, in the form username=role1,role2,role3.

The following table contains a list of pre-defined users, provided upon installation to help get you started with 1Integrate:

Username     Password   Assigned roles
1Spatial     admin1     rs_admins, rs_users, rswsuser, rs_rule_definers, rs_data_loaders, rs_data_engineers, rs_data_quality_stewards
INTAdmin     int101     rs_admins
INTFull      int102     rs_users, rswsuser, rs_rule_definers, rs_data_loaders, rs_data_engineers, rs_data_quality_stewards
INTUser      int103     rs_users
INTWService  int104     rswsuser
INTRule      int105     rs_rule_definers
INTLoader    int106     rs_rule_definers, rs_data_loaders
INTEng       int107     rs_data_engineers
INTQuality   int108     rs_data_quality_stewards
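The following is an added example (not part of 1Integrate) that parses the two SETTINGS files in the username=password and username=role1,role2 formats described above and reports accounts that still use a shipped default password, users without roles, role entries with no matching user, and role names that are not one of the seven 1Integrate roles. It applies to the default properties-file setup; in the LDAP mixed mode described later, users live in LDAP and the cross-check against users.properties does not apply. The sample file contents are constructed.

```python
"""Sanity-check users.properties and roles.properties for the default
(UsersRoles) setup. Added example, not part of 1Integrate; the files are
constructed strings here, read them from the SETTINGS folder in practice."""

KNOWN_ROLES = {"rs_admins", "rs_data_engineers", "rs_data_loaders",
               "rs_data_quality_stewards", "rs_rule_definers", "rs_users", "rswsuser"}
# Credentials shipped with the install, taken from the table above.
DEFAULT_PASSWORDS = {"1Spatial": "admin1", "INTAdmin": "int101", "INTFull": "int102",
                     "INTUser": "int103", "INTWService": "int104", "INTRule": "int105",
                     "INTLoader": "int106", "INTEng": "int107", "INTQuality": "int108"}

def parse_properties(text):
    """Parse key=value lines; blank lines and # comments are skipped."""
    result = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            result[key.strip()] = value.strip()
    return result

def audit(users_text, roles_text):
    """Return findings as strings; an empty list means the two files look sane."""
    users = parse_properties(users_text)
    roles = {u: [r for r in v.split(",") if r] for u, v in parse_properties(roles_text).items()}
    findings = []
    for user, password in users.items():
        if DEFAULT_PASSWORDS.get(user) == password:
            findings.append(f"{user}: still uses the shipped default password")
        if not roles.get(user):
            findings.append(f"{user}: no roles assigned")
    for user, assigned in roles.items():
        if user not in users:
            findings.append(f"{user}: in roles.properties but has no entry in users.properties")
        for role in assigned:
            if role not in KNOWN_ROLES:
                findings.append(f"{user}: unknown role '{role}' (typo?)")
    return findings

# Constructed sample files, not the ones shipped with 1Integrate.
SAMPLE_USERS = "INTAdmin=int101\nINTUser=S3cure-pass!\nstale=Zx9!pq\n"
SAMPLE_ROLES = "INTAdmin=rs_admins\nINTUser=rs_users,rs_viewer\nghost=rs_users\n"

if __name__ == "__main__":
    for finding in audit(SAMPLE_USERS, SAMPLE_ROLES):
        print(finding)
```

Run it after changing the default passwords; any remaining finding is a misconfiguration to fix before restarting 1Integrate.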

LDAP

For stronger security and management, consider using other authentication mechanisms such as your organisation's Lightweight Directory Access Protocol (LDAP) service, e.g. Microsoft Active Directory. This ensures that passwords and usernames are not stored in the application server but managed, as normal, by an IT department.

Authenticate using LDAP (Weblogic)

For information on configuring WebLogic in this way, please refer to the Oracle documentation:

https://docs.oracle.com/middleware/12213/wls/SECMG/atn.htm#SECMG169

Authenticate using LDAP (Wildfly)

The default Wildfly configuration stores passwords in plain text, which is not a recommended secure approach. To use your organisation's LDAP service with Wildfly, perform the following configuration:

Configure an LDAP service

You will need to amend the standalone.xml file, which is located in 1Integrate_home\standalone\configuration.

Use LdapExtLoginModule to connect to your LDAP service and take the username, password and roles of each user from LDAP. To do this, substitute the default "Radius Studio" security domain section with the configuration shown below.

Note: You will need to use your own LDAP configuration for the server, principal and credential fields. The bind credential is held in clear text in standalone.xml, so restrict read access to that file.

The default "Radius Studio" section to be replaced:

<security-domain name="RadiusStudio" cache-type="default">
    <authentication>
        <login-module flag="required" code="UsersRoles">
            <module-option value="${jboss.home.dir}/SETTINGS/users.properties" name="usersProperties"/>
            <module-option value="${jboss.home.dir}/SETTINGS/roles.properties" name="rolesProperties"/>
        </login-module>
    </authentication>
</security-domain>

Replace the default with:

<security-domain name="RadiusStudio" cache-type="default">
    <authentication>
        <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
            <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
            <module-option name="java.naming.provider.url" value="ldap://LDAPSERVER:389"/>
            <module-option name="java.naming.security.authentication" value="simple"/>
            <module-option name="bindDN" value="user.0@1spatial.local"/>
            <module-option name="bindCredential" value="xxx"/>
            <module-option name="baseCtxDN" value="ou=users,ou=yourgroup,dc=yourcompany,dc=local"/>
            <module-option name="baseFilter" value="(cn={0})"/>
            <module-option name="rolesCtxDN" value="ou=users,ou=yourgroup,dc=yourcompany,dc=local"/>
            <module-option name="roleFilter" value="(cn={0})"/>
            <module-option name="roleAttributeIsDN" value="true"/>
            <module-option name="roleAttributeID" value="memberOf"/>
            <module-option name="roleNameAttributeID" value="cn"/>
            <module-option name="roleRecursion" value="-1"/>
            <module-option name="searchScope" value="SUBTREE_SCOPE"/>
            <module-option name="searchTimeLimit" value="5000"/>
        </login-module>
    </authentication>
</security-domain>

It is also possible to configure authentication in a mixed mode, so that usernames and passwords are managed by LDAP but the roles assigned to specific LDAP users or groups are managed within the Wildfly configuration files. This provides high security but removes the need for the LDAP service to be told about 1Integrate roles.

To achieve this, configure the standalone.xml file in the following way. Compared to the configuration above, the LdapExtLoginModule flag changes from required to optional and the second login-module (RoleMappingLoginModule) is the addition:

<security-domain name="RadiusStudio" cache-type="default">
    <authentication>
        <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="optional">
            <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
            <module-option name="java.naming.provider.url" value="ldap://localhost:389"/>
            <module-option name="java.naming.security.authentication" value="simple"/>
            <!-- substitute your own bind account; angle-bracket placeholders are not valid inside an attribute value -->
            <module-option name="bindDN" value="YOUR_BIND_DN"/>
            <module-option name="bindCredential" value="YOUR_BIND_PASSWORD"/>
            <module-option name="baseCtxDN" value="ou=users,ou=yourgroup,dc=yourcompany,dc=local"/>
            <module-option name="baseFilter" value="(cn={0})"/>
            <module-option name="rolesCtxDN" value="cn=users,dc=yourcompany,dc=local"/>
            <module-option name="roleFilter" value="(member={1})"/>
            <module-option name="roleAttributeIsDN" value="true"/>
            <module-option name="roleAttributeID" value="cn"/>
            <module-option name="roleNameAttributeID" value="cn"/>
            <module-option name="roleRecursion" value="0"/>
            <module-option name="searchScope" value="SUBTREE_SCOPE"/>
            <module-option name="searchTimeLimit" value="5000"/>
            <module-option name="java.naming.referral" value="follow"/>
        </login-module>
        <login-module code="org.jboss.security.auth.spi.RoleMappingLoginModule" flag="required">
            <module-option name="rolesProperties" value="${jboss.home.dir}/SETTINGS/roles.properties"/>
            <module-option name="replaceRole" value="true"/>
        </login-module>
    </authentication>
</security-domain>

Note: To achieve the mixed-mode authorisation, the roles.properties file must contain the usernames exactly as they appear in the LDAP directory, each mapped to the roles for that user.
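As an added example (not 1Integrate or WildFly code), the check below reads the RadiusStudio security-domain from standalone.xml and reports departures from the LDAP configurations above: a UsersRoles module left in place, a bind credential still set to a template placeholder, and a mixed-mode (optional) LDAP module with no RoleMappingLoginModule after it. The ldaps:// finding is this editor's caveat rather than the page's: with a plain ldap:// URL and simple authentication the bind password crosses the network unencrypted. The XML fragment is constructed.

```python
"""Review the RadiusStudio security-domain in standalone.xml against the
LDAP guidance above. Added example; the XML is a constructed string here."""
import xml.etree.ElementTree as ET

LDAP_MODULE = "org.jboss.security.auth.spi.LdapExtLoginModule"
MAPPING_MODULE = "org.jboss.security.auth.spi.RoleMappingLoginModule"
PLACEHOLDERS = {"", "xxx", "YOUR_BIND_PASSWORD"}  # credential values left from the templates

def login_modules(domain):
    """Return (code, flag, {option-name: value}) for each login-module in the domain."""
    return [(lm.get("code"), lm.get("flag"),
             {o.get("name"): o.get("value") for o in lm.findall("module-option")})
            for lm in domain.iter("login-module")]

def review_domain(xml_text, name="RadiusStudio"):
    """Return findings for the named security-domain; [] means it follows the guidance."""
    root = ET.fromstring(xml_text)
    domain = next(d for d in root.iter("security-domain") if d.get("name") == name)
    modules = login_modules(domain)
    codes = [code for code, _, _ in modules]
    findings = []
    if "UsersRoles" in codes:
        findings.append("UsersRoles module present: passwords still come from users.properties")
    for code, flag, opts in modules:
        if code == LDAP_MODULE:
            url = opts.get("java.naming.provider.url", "")
            if not url.startswith("ldaps://"):
                findings.append(f"provider url {url} is not ldaps://; the simple bind is sent in clear")
            if opts.get("bindCredential", "") in PLACEHOLDERS:
                findings.append("bindCredential is a template placeholder")
            if flag == "optional" and MAPPING_MODULE not in codes:
                findings.append("LDAP module is optional (mixed mode) but no RoleMappingLoginModule follows")
    return findings

# Constructed mixed-mode fragment with two template defects left in.
SAMPLE = """<security-domains><security-domain name="RadiusStudio" cache-type="default">
<authentication>
<login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="optional">
<module-option name="java.naming.provider.url" value="ldap://localhost:389"/>
<module-option name="bindCredential" value="xxx"/>
</login-module>
<login-module code="org.jboss.security.auth.spi.RoleMappingLoginModule" flag="required">
<module-option name="rolesProperties" value="${jboss.home.dir}/SETTINGS/roles.properties"/>
<module-option name="replaceRole" value="true"/>
</login-module></authentication></security-domain></security-domains>"""

if __name__ == "__main__":
    for finding in review_domain(SAMPLE):
        print(finding)
```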