• No results found

Employees within a division of your company require read access to the same set of objects (campaigns, offers, templates, and so on), but they are allowed to edit and delete only their own objects and objects in folders that they own.

Solution

Define a Read-Only role that grants only read permissions on objects. Assign all users within the division to this role. Keep the default permissions as defined for the Owner and Folder Owner roles.

Note: If your company requires only a single security policy, you can use the global policy and assign all users to the Review role.

Each user is allowed to edit or delete their own objects (under the Owner role) and objects in their own folders (under the Folder Owner role), but only view objects and folders owned by others (under the Read-Only role).

The following table shows a sample subset of the object permissions for this scenario.

Table 5. Object permissions for Scenario 3

Functions/Role Folder Owner Object Owner Reviewer

Campaigns v Add Campaigns

v Edit Campaigns

v Delete Campaigns

v View Campaign Summary

Offers v Add Offers

v Edit Offers

Chapter 5. Managing Security in IBM Unica Campaign 35

Table 5. Object permissions for Scenario 3 (continued)

Functions/Role Folder Owner Object Owner Reviewer v Delete Offers

v View Offer Summary

Implementing security policies

This section describes how to create and delete security policies in Campaign and apply security policies to Campaign folders and objects.

Note: You must be assigned permission to administer the User Roles &

Permissions page in Marketing Platform to work with Campaign security policies.

In a multi-partition environment, only the platform_admin user, or another account with the PlatformAdminRole role, can work with security policies in all partitions.

To create a security policy

1. Click Settings > User Roles & Permissions. The User Roles & Permissions page displays.

2. Under the Campaign node, select the partition where you want to add a security policy.

3. Click Global Policy.

4. On the right of the page, click Add Policy.

5. Enter a policy name and description.

6. Click Save Changes.

The new policy is listed under the Global Policy on the User Roles &

Permissions page. By default, the policy contains a Folder Owner role and an Object Owner role.

To delete a security policy

Use this procedure to delete any user-created security policies in Campaign that are not in use. You cannot delete the Global Policy.

Note: Do not delete any security policies that have been applied to objects in Campaign. If you need to delete a security policy that is in use, first set the

security object of every object/folder using that security policy to a different policy (for example, the global policy). Otherwise, those objects might become

inaccessible.

1. Click Settings > User Roles & Permissions.

The User Roles & Permissions page displays.

2. Under the Campaign node, select the partition where you want to delete a security policy.

3. Click the plus sign next to Global Policy.

4. Click the policy that you want to delete.

5. Click Delete Policy.

A confirmation dialog displays.

6. Click OK to delete the policy.

Assigning security policies to folders or objects

When you create a top-level folder or object in Campaign, you must select a security policy for it. Only policies in which you have been assigned a role are available for you to associate with top-level objects or folders.

By default, all objects in Campaign are associated with the global policy, but you can assign an optional custom-defined policy.

Keep in mind the following rules when associating a folder or object with a security policy:

v You cannot assign a security policy to objects within folders. Objects automatically inherit the security policy of the folder in which they reside.

v The top-level folder determines the security policy.Objects within a folder, including sub folders, inherit the security policy of the parent folder. In other words, the security policy of the top-level folder determines the security policy of objects and subfolders within it. Therefore, you cannot manually assign a security policy to objects within folders. To change the security policy of an object, you must move the object into a folder with the desired security policy or into the top-level root folder.

v Security policy changes when objects are moved or copied.Objects and folders can be moved or copied across security policies, but the user performing the move or copy must have permissions to do so, in both the source and destination policies.

After an object or folder is moved or copied to a folder or location belonging to a different security policy than its source, the security policy of the lower-level objects or subfolders is automatically changed to the security policy of the new folder or location.

About administrative permissions in Campaign

Administrative permissions in Campaign are assigned for each partition. These administrative functions are different from the object-related functional permissions in security policies, including the global security policy. Users with these

permissions can perform the allowed actions on any objects within the partition.

Each partition includes these four pre-defined roles:

v Admin— All permissions enabled. The default user asm_admin is assigned this role.

v Execute— Most permissions enabled, except for administrative functions such as performing cleanup operations, changing object/folder ownership, and managing global suppressions.

v Design— Same permissions as the Execute role.

v Review— Read-only access to all objects. For flowcharts, these users are allowed to access the edit mode of a flowchart, but save is not allowed.

You can add other administrative roles for each partition as needed.

The procedures for managing administrative roles and permissions in Campaign is the same as the procedures for managing roles and permissions in Marketing Platform.

Chapter 5. Managing Security in IBM Unica Campaign 37

To configure report folder permissions

In addition to controlling access to the Analytics menu item and the Analysis tabs for object types (campaigns and offers, for example), you can configure

permissions for groups of reports based on the folder structure in which they are physically stored on the IBM Cognos®system.

1. Log in as a Campaign administrator who has the ReportSystem role.

2. Select Settings > Sync Report Folder Permissions.

The system retrieves the names the folders located on the IBM Cognos system, for all partitions. (This means that if you decide to configure folder permissions for any partition, you must configure it for all of them.)

3. Select Settings > User Permissions > Campaign.

4. Under the Campaign node, select the first partition.

5. Select Add Roles and Assign Permissions.

6. Select Save and Edit Permissions.

7. On the Permissions form, expand Reports.The Reports entry does not exist until after you run the Sync Report Folder Permissions option for the first time.

8. Configure the access settings for the report folders appropriately and then save your changes.

9. Repeat steps 4 through 8 for each partition.

Reference: Administrative permissions in Campaign

Campaign includes administrative permissions in the following categories:

v Administration v Audience Levels v Data Sources

v Dimension Hierarchies v History

v Logging

v Reports (folder permissions) v System Tables

v User Tables v User Variables

Note: You can set the permissions for all functions within a category by setting the permissions of the category heading.

Administration

Table 6. Administration (Administrative permissions) Permission Description

Access Monitoring Area

Allows access to the Campaign Monitoring area.

Perform Monitoring Tasks

Allows performing of monitoring tasks in the Campaign Monitoring area.

Access Analysis Area Allows access to reports in the Campaign Analytics area.

Table 6. Administration (Administrative permissions) (continued) Permission Description

Access Optimizations Link

If Optimize is installed, allows access to that application.

Run svradm

Command Line Tool

Allows performing of administrative functions using the Campaign Server Manager (unica_svradm).

Run genrpt

Command Line Tool

Allows running of the Campaign report generation utility (unica_acgenrpt).

Takeover Flowcharts in Edit Mode

Allows taking over control of flowcharts in Edit or Run mode from other users.

Note: Taking over control of a "locked" flowchart locks out the other user and all changes in the flowchart since the last save are lost.

Connect to Running Flowcharts

Allows attaching to running flowcharts through Campaign Server Manager (unica_svradm) or the Campaign user interface.

Terminate Server Processes

Allows terminating the Campaign Server (unica_acsvr) using the Campaign Server Manager (unica_svradm).

Terminate Campaign Listener

Allows terminating the Campaign Listener (unica_aclsnr) using the Campaign Server Manager (unica_svradm) or using the svrstop utility.

Run sesutil Command Line Tool

Allows running of the Campaign session utility (unica_acsesutil).

Override Virtual Memory Settings

Allows overriding the Virtual Memory setting in flowchart Advanced Settings.

Access Custom Attributes

Allows access to and managing of custom attribute definitions from the Campaign Settings page.

Cell Report Access Allows access to cell reports from the Reports icon on a flowchart Editpage. Excludes access to the Cell Content Report unless this permission is also explicitly granted.

Cell Report Export If cell report access is granted, allows printing and exporting of cell reports.

Cell Content Report Access

Allows access to the Cell Content report from the Reports icon on a flowchart Edit page.

Cell Content Report Export

If Cell Content Report Export is granted, allows printing and exporting of the Cell Content report.

Perform Cleanup Operations

Allows performing cleanup operations using unica_acclean or a custom tool.

Change Object/Folder Ownership

Allows changing ownership of an object or folder.

Audience levels

Table 7. Audience levels (Administrative permissions) Permission Description

Add Audience Levels Allows creation of new audience levels under Manage Audience Levelson the Campaign Settings page.

Delete Audience Levels

Allows deleting of existing audience levels under Manage Audience Levelson the Campaign Settings page.

Chapter 5. Managing Security in IBM Unica Campaign 39

Table 7. Audience levels (Administrative permissions) (continued) Permission Description

Manage Global Suppressions

Allows creation and configuration of global suppression segments in Campaign.

Disable Suppression in Flowchart

Allows clearing or selecting the Disable Global Suppressions for This Flowchartcheck box on the flowchart Advanced Settings dialog.

Data sources

Table 8. Data sources (Administrative permissions) Permission Description

Manage Datasource Access

Allows managing data source logins from the Administration area and within flowcharts.

Set Save with DB Authentication

Allow enabling the Save with Database Authentication Informationflag in table catalogs and flowchart templates.

Dimension hierarchies

Table 9. Dimension hierarchies (Administrative permissions) Permission Description

Add Dimension Hierarchies

Allows creation of new dimension hierarchies.

Edit Dimension Hierarchies

Allows editing of existing dimension hierarchies.

Delete Dimension Hierarchies

Allows deletion of existing dimension hierarchies.

Refresh Dimension Hierarchies

Allows refresh of existing dimension hierarchies.

History

Table 10. History (Administrative permissions) Permission Description

Log to Contact History Tables

Allows enabling or disabling logging to contact history tables when configuring contact processes.

Clear Contact History Allows clearing entries from the contact history tables.

Log to Response History Tables

Allows enabling or disabling logging to response history tables when configuring the Response process.

Clear Response History

Allows clearing entries from the response history tables.

Logging

Table 11. Logging (Administrative permissions) Permission Description

View System and Flowchart Logs

Allows viewing of flowchart logs and the system log

Clear Flowchart Logs Allows clearing of flowchart logs.

Table 11. Logging (Administrative permissions) (continued) Permission Description

Override Flowchart Log Options

Allows override of default flowchart logging options.

Reports (folder permissions)

The Reports node appears on the partition permissions page after running Sync Report Folder Permissionsfrom the Settings menu for the first time. The synchronize process determines the folder structure of the reports physically located on the IBM Cognos system, and then lists the names of those folders under this node.

The settings under this node grant or deny access to the reports in the folders that appear in the list.

System tables

Table 12. System tables (Administrative permissions) Permission Description

Map System Tables Allows mapping system tables.

Remap System Tables Allows remapping system tables.

Unmap System Tables Allows unmapping system tables.

Delete System Table Records

Allows deletion of records from system tables.

User Tables

Table 13. User tables (Administrative permissions) Permission Description

Map Base Tables Allows mapping base tables.

Map Dimension Tables

Allows mapping dimension tables.

Map General Tables Allows mapping general tables.

Map Delimited Files Allows mapping user tables to delimited files.

Map Fixed-Width Flat Files

Allows mapping user tables to fixed-width flat files.

Map Database Tables Allows mapping user tables to database tables.

Remap User Tables Allows remapping of user tables.

Unmap User Tables Allows unmapping of user tables.

Recompute Counts and Values

Allows using Compute button in table mapping to recompute table counts and values.

Use Raw SQL Allows the use of raw SQL in Select process queries, custom macros, and dimension hierarchies.

Chapter 5. Managing Security in IBM Unica Campaign 41

User Variables

Table 14. User variables (Administrative permissions) Permission Description

Manage User Variables

Allows creating, deleting, and setting default values for user variables in flowcharts.

Use User Variables Allows use of user variables in output files or tables.

Windows impersonation administration

This section contains the following information:

v “What is Windows impersonation?”

v “Why use Windows impersonation?”

v “What is the relationship between Campaign users and Windows users?”

v “The Windows impersonation group”

v “Windows impersonation and logging into IBM Unica Marketing” on page 43

What is Windows impersonation?

Windows impersonation is a mechanism that allows Campaign administrators to associate Campaign users with Windows users, so that Campaign processes invoked by a Campaign user run under the credentials of the corresponding Windows user.

For example, if Windows impersonation is enabled, when the Campaign user jsmithedits a flowchart, a unica_acsvr process starts under the Windows user ID associated with the Marketing Platform login name, jsmith.

Why use Windows impersonation?

By using Windows impersonation, you are able to leverage the Windows-level security permissions for file access. If your system is set up to use NTFS, you can then control access to files and directories for users and groups.

Windows impersonation also allows you to use Windows system monitoring tools to see which users are running which unica_acsvr processes on the server.

What is the relationship between Campaign users and Windows users?

To use Windows impersonation, you must establish a one-to-one relationship between Campaign users and Windows users. That is, each Campaign user must correspond to a Windows user with the exact same user name.

Typically, administration begins with a set of existing Windows users who will use Campaign. You must create Campaign users in Marketing Platform with the exact same names as the associated Windows users.

The Windows impersonation group

Each Windows user for whom you have set up a Campaign user must be placed in a special Windows impersonation group. You must then assign the group to specific policies.

To ease administrative tasks, you can then grant read/write/execute privileges to the Campaign partition directory for the group.

Windows impersonation and logging into IBM Unica Marketing

When Windows impersonation is set up, once users have logged into Windows, Campaign users are automatically logged into IBM Unica Marketing using a single sign-on. When they open a browser and go to the IBM Unica Marketing URL, they do not need to log in again, and immediately see the IBM Unica Marketing start page.

Working with Windows impersonation

Setting up Windows impersonation involves the following tasks, described in this section:

v “Set the Windows impersonation property”

v “Create Campaign users”

v “Create the Windows impersonation group”

v “Assign the Windows impersonation group to policies”

v “Assign rights to the Windows impersonation group” on page 44

Note: LDAP and Active Directory are required to run Windows impersonation. For details about setting up LDAP and Active Directory, see the IBM Unica Marketing Platform Administrator's Guide.

Set the Windows impersonation property

On the Configuration page, set the value of the enableWindowsImpersonation property in the Campaign > unicaACListener category to TRUE.

Note: There might be additional property requirements based on your Windows Domain Controller setup. For more information, see the single sign-on section of the Marketing Platform Administrator’s Guide.

Create Campaign users

You can use Marketing Platform to create Campaign internal or external users.

Create external users by configuring Active Directory users and group

synchronization. Each user you create must have the same login name as the user’s Windows user name.

Create the Windows impersonation group

Note: You must have administration privileges on the Windows server to complete this task.

Create a Windows group specifically for Campaign users. Then add the Windows users that correspond to Campaign users to this group.

For more information about creating groups, see your Microsoft Windows documentation.

Assign the Windows impersonation group to policies

Note: You must have administration privileges on the Windows server to complete this task.

Chapter 5. Managing Security in IBM Unica Campaign 43

After you create a Windows group to store users that correspond to Campaign users, you must add the group to the following policies:

v Adjust memory quotas for a process v Create Token object

v Replace a process level token

For more information about assigning groups to policies, see your Microsoft Windows documentation.

Assign rights to the Windows impersonation group

Using Windows Explorer, grant "read/write/execute" access to the

partitions/partition_name folder under your Campaign installation to the Windows impersonation group.

For more information about assigning rights to folders, see your Microsoft Windows documentation.

About support of Proxy Server Authentication

Proxy Server Authentication support is available for customers who want to configure and run Campaign so that all internet traffic is required to pass through a proxy server. This feature enables the Active-X component for Campaign to connect through a proxy server that requires authentication, and automatically pass (per-user) stored credentials. You can configure access through a proxy using the following authentication mechanisms:

v Basic v Digest

v NTLM (NT LAN Manager)

v Negotiate (may resolve to either Kerberos or NTLM)

Note: The actual version of the mechanisms supported is determined by the Internet Explorer browser.

About support for local area network settings in the browser

The Active-X component supports the Internet Explorer (IE) options for Local Area Network (LAN) settings for:

v Automatic configuration, including options to automatically detect settings and to use a Proxy Auto Configuration (PAC) script as an automatic configuration script.

v Proxy server, including options to use a proxy server for your LAN, to bypass proxy server for local addresses, and advanced settings for the HTTP proxy address and port as well as exceptions.

Note: The Active-X component requires the PAC file address, if provided, to use either the http or https scheme (for example, http://machine:port/proxy.pac).

Although IE recognizes the file scheme (for example, file://C:/windows/

proxy.pac), the Active-X component fails to locate the PAC file if the file scheme is used. The Active-X component might also be unable to locate the PAC file if authentication is required, for example if the PAC file is served by a web server that requires authentication.

To set authentication credentials for a virtual data source named proxy

For each Campaign user, in the Marketing Platform you must set authentication credentials (user name and password) for a virtual data source named "proxy".

These credentials are used to connect to the proxy server.

1. On the Settings > Users page, add a data source named proxy for each Campaign user.

2. Set the user name and password for the proxy data source to the proxy server’s user name and password.

2. Set the user name and password for the proxy data source to the proxy server’s user name and password.