Configuring Users and Roles

Users and Roles can be edited within 1Integrate.

Roles are the same for both WebLogic and WildFly installations of 1Integrate. It is only the method of assigning users to these roles that differs.

Note: You will need to restart 1Integrate for any changes to user and roles to take effect.

By default, 1Integrate is deployed with example users and passwords included. This enables a quick set-up process, but for security reasons it is HIGHLY RECOMMENDED that:

  • As a minimum, on installation, change all passwords from the default to unique values.
  • change the user names to ones relevant to your organisation.

For stronger security and management, consider using other authentication mechanisms such as using your organisation's Lightweight Directory Access Protocol (LDAP) Service e.g. Microsoft Active Directory. This ensures that passwords and usernames are not stored in the application server but managed, as normal, by an IT department.

Roles

The following roles are available in 1Integrate:

Role Description
rs_admins

The administrator can set up system parameters and has all the privileges of the other roles.

These include creating and modifying:

  • rules
  • data stores
  • sessions
  • actions
  • action maps

The administrator can also define sessions and upload files.

rs_data_engineers

A data engineer can:

  • create and modify actions
  • create and modify action maps
  • define and run sessions
rs_data_loaders A data loader can upload files into 1Integrate on the Data Stores page only.
rs_data_quality_stewards A data quality steward can define and run sessions only.
rs_monitors The Monitor role is for read-only access to parts of the REST API.
rs_rule_definers

A rule definer can create and modify:

  • rules
  • data stores
  • sessions

The rule definer can also run sessions.

rs_users A user can only view data presented on the interface.
rswsuser A web service user can use the web services.

Users

The following users are and roles are created by default upon installation:

Username Password Assigned roles
INTFull integrate1

rs_users

rswsuser

rs_rule_definers

rs_data_loaders

rs_data_engineers

rs_data_quality_stewards

INTAdmin integrate101

rs_admins

rs_users

rswsuser

INTUser integrate102 rs_users
INTWService integrate103 rswsuser
INTRule integrate104 rs_rule_definers
INTLoader integrate105

rs_data_loaders

INTEng integrate106 rs_data_engineers
INTQuality integrate107 rs_data_quality_stewards
INTMonitor integrate108 rs_monitors

WebLogic Users

1Integrate users and roles should be configured using the WebLogic Server Administrator Console.

Role membership determines a user's access to application features.

1Integrate roles are created by default. However, unlike the default users that are created, the role names set up by installer must not be altered.

Note: The default setup assigns the default users to some of the default roles, allowing you to log in and start using 1Integrate without having to change any of the security configuration. If you wish to customise the users, then role assignment can be altered.

WildFly Users

To configure users and roles, navigate to the \wildfly-[version]\SETTINGS folder. This folder contains the following files:

  • users.properties contains a list of usernames and passwords, in the form username=password.

    Note: All users listed in the table above are included as default.

  • roles.properties contains a mapping from user names to 1Integrate roles in the form username=role1,role2,role3

LDAP

For stronger security and management, Consider using other authentication and authorisation mechanisms such as your organisation's Lightweight Directory Access Protocol (LDAP) Service e.g. Microsoft Active Directory. This ensures that passwords and usernames are not stored in the application server but managed, as normal, by an IT department.

Authenticate using LDAP (WebLogic)

For information on configuring WebLogic in this way, please refer to the Oracle documentation:

https://docs.oracle.com/en/middleware/standalone/weblogic-server/14.1.1.0/secmg/atn.html#GUID-46CB94C0-BF0A-4788-8E93-0D322DA67462

Authenticate using LDAP (WildFly)

The default WildFly configuration of storing passwords as plain text is not a recommended for production use. To configure 1Integrate to use your organisation's LDAP service in WildFly, perform the following configuration:

ClosedConfigure an LDAP service

  1. Find the settings.properties file, to locate this go to: [1Integrate_Directory]\SETTINGS\.

  2. Uncomment the following and fill with your LDAP values:

    #ldap.authentication.enabled=true

    #ldap.host=

    #ldap.principal=

    #ldap.credential=

    #ldap.username.attribute=

    #ldap.user.base.dn=

    #ldap.group.attribute=

    #ldap.group.base.dn=

     

    Parameter Expected Value
    ldap.host The hostname for the LDAP server.
    ldap.principal The principal (username) used for authentication with the LDAP server.
    ldap.credential The credential (password) used for authentication with the LDAP server.
    ldap.username.attribute The LDAP attribute to be used for 1Integrate login names ie.g. samAccountName
    ldap.user.base.dn The LDAP search root for users.
    ldap.group.attribute The group name attribute to be used from your LDAP server e.g. samAccountName
    ldap.group.base.dn The LDAP search root for groups. .

Change default ldap settings

Depending on your particular LDAP implementation, you may need to change some of the default LDAP settings.

# Enable if you need to override any defaults

#ldap.protocol=ldap

#ldap.port=389

#ldap.referral.mode=IGNORE

#ldap.direct.verification=true

#ldap.recursive.search=true

#ldap.group.member.attribute=member

#ldap.authentication.level=simple

To do this:

  1. Find the settings.properties file, to locate this go to: [1Integrate_Directory]\SETTINGS\.

  2. Uncomment the sections that need changing for your active directory.

Parameter Expected Value
ldap.protocol The protocol the connection will use (ldap or ldaps)
ldap.port The port number for your LDAP
ldap.referral.mode

Set to FOLLOW if you have multiple LDAP servers that refer to eachother.

ldap.direct.verification

Set to FALSE if WildFly should query the users password out of the LDAP server for user credential verification.

Note: For most installations direct verification will be sufficient.

ldap.recursive.search Recursive search will search through nested groups. If this setting is unnecessary for your environment, setting to false may improve performance.
ldap.group.member.attribute The attribute on the group object that contains the members of that group.
ldap.authentication.level

Set to none if you want to bind to the LDAP server anonymously.

Note: For security we would recommend all connections are authenticated.

Mapping LDAP groups to 1Integrate roles

Once you have completed your LDAP configuration, any users assigned to LDAP groups named the same as 1Integrate roles (e.g.rs_admins) will be authenticated and authorised by your LDAP system.

Authorisation in Wildfly

It is possible to configure authentication so that usernames and passwords are managed by LDAP and the authorisation (roles assigned to specific LDAP groups) is managed within the configuration files. This removes the need for the LDAP service to know anything about 1Integrate specific roles.

Note: In order authorise in LDAP and authenticate in WildFly, the roles.properties file must be populated with the groups that match those from the LDAP directory with the associated role(s). e.g. LDAPGroup = rs_admins.

Note: You can only map LDAP Groups to roles if using this method.

Example of the roles.properties file which is mapping LDAP groups to the relevant roles:

ADMIN\ USERS= rs_admins,rs_users,rswsuser,rs_rule_definers,rs_data_loaders,rs_data_engineers

ENGINEERS=rs_data_engineers

WORKERS=rs_users,rs_rule_definers