Contents: MashupHub User and Administrator Guide : Mashup Center 2.0
MashupHub includes security features that protect the contents of the catalog. These features also limit who can use an object from the catalog based on the permissions that a user has to access an object.
The MashupHub Administrator must register any user who wants access to MashupHub. User information, including user IDs and passwords, must be maintained in a user registry that is external to MashupHub, such as an LDAP server. This user registry must be configured on the application server on which MashupHub is installed.
The ability to view or use objects in the MashupHub catalog is controlled by access permissions. These permissions can be granted to individual users or user groups. The user who creates an object in the catalog is the owner of that object. The object owner is the only user who can specify the permissions that other users have to access the object.
There are two types of permissions and one special role that are supported in MashupHub:
- View: Enables users to view the object and the descriptive details about the object. View permission also allows the user to rate and comment on the object. For some objects, such as widgets or pages, View permission is equivalent to authorization to download the object. For data mashups, users with View permission can save a copy of the data mashup.
- Edit: Enables users to make changes to the object. For feeds and data mashups, the user can change the source or other parameters that were used to create the feed. For widgets or pages, users can upload a replacement widget or page. Edit permission also allows the user to change the descriptive details about the object, or delete the object from the catalog. Users with Edit permission also have View permission.
- MashupHub Administrator: Has Edit permission on all of the objects in the catalog. The MashupHub Administrator has access to all of the administrative tasks that are displayed when you click Settings on the Home:Catalog tab. These tasks include assigning the administrator role to other users, editing the list of categories, and controlling the tracking settings for gathering usage and auditing data.
An object for which a user does not have at least View permission is not listed when that user accesses the catalog.
There are two special user groups that are automatically defined by MashupHub. These user groups are not defined in the user registry:
- The ANONYMOUS group includes all users who access MashupHub without logging on.
- The REGISTERED group includes all users who must specify a user ID and password to log on to MashupHub.
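The following Python model is an added example, not MashupHub code. It resolves a user's effective permission from the View and Edit grants described above and filters the catalog listing accordingly. The class and function names, the sample catalog, the treatment of the owner as holding Edit, and the choice to let ANONYMOUS grants reach logged-on users are assumptions of the example.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Optional

class Perm(IntEnum):
    NONE = 0
    VIEW = 1
    EDIT = 2  # Edit includes View, so it ranks higher

@dataclass
class User:
    user_id: Optional[str]           # None = accessing without logging on
    groups: frozenset = frozenset()  # groups defined in the user registry
    is_admin: bool = False           # MashupHub Administrator role

@dataclass
class CatalogObject:
    name: str
    owner: str
    acl: dict = field(default_factory=dict)  # user ID or group name -> Perm

def principals(user):
    """ACL entry names that apply to this user."""
    if user.user_id is None:
        return {"ANONYMOUS"}
    # Assumption: what is readable without logging on is readable by everyone.
    return {user.user_id, "REGISTERED", "ANONYMOUS"} | set(user.groups)

def effective(user, obj):
    """Highest permission the user holds on obj."""
    if user.user_id is not None and (user.is_admin or user.user_id == obj.owner):
        return Perm.EDIT  # administrator: Edit on every object; owner: assumed
    names = principals(user)
    return max((p for who, p in obj.acl.items() if who in names), default=Perm.NONE)

def visible_catalog(user, catalog):
    """Objects without at least View permission are not listed at all."""
    return [o.name for o in catalog if effective(user, o) >= Perm.VIEW]

# Constructed sample catalog (all names are made up for the example)
CATALOG = [
    CatalogObject("public-news", "alice", {"ANONYMOUS": Perm.VIEW}),
    CatalogObject("sales-feed", "alice", {"sales": Perm.VIEW, "bob": Perm.EDIT}),
    CatalogObject("hr-mashup", "carol", {"REGISTERED": Perm.VIEW}),
]
```
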
Adding new users and groups
The Administrator can define additional user groups in the user registry, and some user registries allow non-administrative users to define groups.
MashupHub uses all of the user groups that are defined in the user registry. When a permission is assigned to a user group, it is effectively assigned to each user in that group.
Adding users and groups is a two-step process:
- Add new users and groups to a user registry. You have two options:
- Map the users that are allowed to access MashupHub to the AuthUsers role. Use the instructions on this Web site: http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp?topic=/com.ibm.websphere.base.doc/info/aes/ae/tsec_tasroles.html
Anonymous and authenticated access
Access to a feed that is created in MashupHub is controlled by the permissions that the feed owner assigns to the feed. If access to the feed is restricted to a set of users, any program or browser that attempts to read the feed must provide an authorized user ID and password to MashupHub. This authentication requirement is defined by the following rules:
- When a feed owner specifies that the Anonymous group of users has only the View permission, that feed is accessed by using the HTTP or HTTPS protocol.
- When a feed owner specifies any other combination of permissions or users, that feed is accessed by using the HTTPS protocol and requires user authentication. To access the feed, a user ID and password must be provided in the request header using HTTP basic authentication over HTTPS.
Similarly, downloading a widget or page that is not public requires the authentication and HTTPS protocol described above.
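The two feed access rules above, as an added Python example that is not part of the MashupHub product: one function derives the transport and authentication requirement from a feed's permissions, and a client-side helper attaches basic-authentication credentials only to HTTPS URLs. The function names, the permission dictionary format and the `hub.example` host are assumptions of the example.

```python
import base64
from urllib.parse import urlsplit
from urllib.request import Request

def access_requirements(acl):
    """Return (allowed_schemes, needs_auth) for a feed ACL {principal: permission}."""
    if acl == {"ANONYMOUS": "view"}:
        return {"http", "https"}, False   # public feed: no credentials needed
    return {"https"}, True                # any other combination of grants

def server_accepts(acl, scheme, authenticated):
    """Would a request with this scheme and authentication state satisfy the rules?"""
    schemes, needs_auth = access_requirements(acl)
    return scheme in schemes and (authenticated or not needs_auth)

def build_feed_request(url, user_id=None, password=None):
    """Client side: build the request, attaching credentials only over HTTPS."""
    req = Request(url)
    if user_id is not None:
        # Basic credentials are only base64-encoded, not encrypted, so they
        # must never travel over plain HTTP.
        if urlsplit(url).scheme.lower() != "https":
            raise ValueError("refusing to send credentials over plain HTTP")
        raw = f"{user_id}:{password}".encode("utf-8")
        req.add_header("Authorization", "Basic " + base64.b64encode(raw).decode("ascii"))
    return req

# Constructed sample permissions for two feeds
PUBLIC_FEED = {"ANONYMOUS": "view"}
PRIVATE_FEED = {"sales": "view", "bob": "edit"}
```
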
A data mashup can use feeds that require authentication. The person who creates the data mashup must have View permission to each feed that is included in the data mashup. Users who have View permission on the data mashup can run the data mashup and view the results. Users do not need to have View permission on the feeds that are used in the data mashup.
When a feed requires authentication, the authentication is tracked and auditing information is logged in MashupHub. The MashupHub Administrator has access to those logs and reports.
The credentials to access backend servers, which are needed to register feeds, are encrypted and stored in the MashupHub metadata database.
An audit trail is kept when users access feeds and data mashups, and download widgets and pages. The audit information includes the user ID, IP address, timestamp, and the object accessed.