Employees within a division of your company require read access to the same set of objects (campaigns, offers, templates, and so on), but they are allowed to edit and delete only their own objects and objects in folders that they own.
Solution
Define a Read-Only role that grants only read permissions on objects. Assign all users within the division to this role. Keep the default permissions as defined for the Owner and Folder Owner roles.
Note: If your company requires only a single security policy, you can use the global policy and assign all users to the Review role.
Each user is allowed to edit or delete their own objects (under the Owner role) and objects in their own folders (under the Folder Owner role), but only view objects and folders owned by others (under the Read-Only role).
The following table shows a sample subset of the object permissions for this scenario.
Table 5. Object permissions for Scenario 3
Functions/Role Folder Owner Object Owner Reviewer
Campaigns v Add Campaigns
v Edit Campaigns
v Delete Campaigns
v View Campaign Summary
Offers v Add Offers
v Edit Offers
Chapter 5. Managing Security in IBM Unica Campaign 35
Table 5. Object permissions for Scenario 3 (continued)
Functions/Role Folder Owner Object Owner Reviewer v Delete Offers
v View Offer Summary
Implementing security policies
This section describes how to create and delete security policies in Campaign and apply security policies to Campaign folders and objects.
Note: You must be assigned permission to administer the User Roles &
Permissions page in Marketing Platform to work with Campaign security policies.
In a multi-partition environment, only the platform_admin user, or another account with the PlatformAdminRole role, can work with security policies in all partitions.
To create a security policy
1. Click Settings > User Roles & Permissions. The User Roles & Permissions page displays.
2. Under the Campaign node, select the partition where you want to add a security policy.
3. Click Global Policy.
4. On the right of the page, click Add Policy.
5. Enter a policy name and description.
6. Click Save Changes.
The new policy is listed under the Global Policy on the User Roles &
Permissions page. By default, the policy contains a Folder Owner role and an Object Owner role.
To delete a security policy
Use this procedure to delete any user-created security policies in Campaign that are not in use. You cannot delete the Global Policy.
Note: Do not delete any security policies that have been applied to objects in Campaign. If you need to delete a security policy that is in use, first set the
security object of every object/folder using that security policy to a different policy (for example, the global policy). Otherwise, those objects might become
inaccessible.
1. Click Settings > User Roles & Permissions.
The User Roles & Permissions page displays.
2. Under the Campaign node, select the partition where you want to delete a security policy.
3. Click the plus sign next to Global Policy.
4. Click the policy that you want to delete.
5. Click Delete Policy.
A confirmation dialog displays.
6. Click OK to delete the policy.
Assigning security policies to folders or objects
When you create a top-level folder or object in Campaign, you must select a security policy for it. Only policies in which you have been assigned a role are available for you to associate with top-level objects or folders.
By default, all objects in Campaign are associated with the global policy, but you can assign an optional custom-defined policy.
Keep in mind the following rules when associating a folder or object with a security policy:
v You cannot assign a security policy to objects within folders. Objects automatically inherit the security policy of the folder in which they reside.
v The top-level folder determines the security policy.Objects within a folder, including sub folders, inherit the security policy of the parent folder. In other words, the security policy of the top-level folder determines the security policy of objects and subfolders within it. Therefore, you cannot manually assign a security policy to objects within folders. To change the security policy of an object, you must move the object into a folder with the desired security policy or into the top-level root folder.
v Security policy changes when objects are moved or copied.Objects and folders can be moved or copied across security policies, but the user performing the move or copy must have permissions to do so, in both the source and destination policies.
After an object or folder is moved or copied to a folder or location belonging to a different security policy than its source, the security policy of the lower-level objects or subfolders is automatically changed to the security policy of the new folder or location.
About administrative permissions in Campaign
Administrative permissions in Campaign are assigned for each partition. These administrative functions are different from the object-related functional permissions in security policies, including the global security policy. Users with these
permissions can perform the allowed actions on any objects within the partition.
Each partition includes these four pre-defined roles:
v Admin— All permissions enabled. The default user asm_admin is assigned this role.
v Execute— Most permissions enabled, except for administrative functions such as performing cleanup operations, changing object/folder ownership, and managing global suppressions.
v Design— Same permissions as the Execute role.
v Review— Read-only access to all objects. For flowcharts, these users are allowed to access the edit mode of a flowchart, but save is not allowed.
You can add other administrative roles for each partition as needed.
The procedures for managing administrative roles and permissions in Campaign is the same as the procedures for managing roles and permissions in Marketing Platform.
Chapter 5. Managing Security in IBM Unica Campaign 37
To configure report folder permissions
In addition to controlling access to the Analytics menu item and the Analysis tabs for object types (campaigns and offers, for example), you can configure
permissions for groups of reports based on the folder structure in which they are physically stored on the IBM Cognos®system.
1. Log in as a Campaign administrator who has the ReportSystem role.
2. Select Settings > Sync Report Folder Permissions.
The system retrieves the names the folders located on the IBM Cognos system, for all partitions. (This means that if you decide to configure folder permissions for any partition, you must configure it for all of them.)
3. Select Settings > User Permissions > Campaign.
4. Under the Campaign node, select the first partition.
5. Select Add Roles and Assign Permissions.
6. Select Save and Edit Permissions.
7. On the Permissions form, expand Reports.The Reports entry does not exist until after you run the Sync Report Folder Permissions option for the first time.
8. Configure the access settings for the report folders appropriately and then save your changes.
9. Repeat steps 4 through 8 for each partition.
Reference: Administrative permissions in Campaign
Campaign includes administrative permissions in the following categories:
v Administration v Audience Levels v Data Sources
v Dimension Hierarchies v History
v Logging
v Reports (folder permissions) v System Tables
v User Tables v User Variables
Note: You can set the permissions for all functions within a category by setting the permissions of the category heading.
Administration
Table 6. Administration (Administrative permissions) Permission Description
Access Monitoring Area
Allows access to the Campaign Monitoring area.
Perform Monitoring Tasks
Allows performing of monitoring tasks in the Campaign Monitoring area.
Access Analysis Area Allows access to reports in the Campaign Analytics area.
Table 6. Administration (Administrative permissions) (continued) Permission Description
Access Optimizations Link
If Optimize is installed, allows access to that application.
Run svradm
Command Line Tool
Allows performing of administrative functions using the Campaign Server Manager (unica_svradm).
Run genrpt
Command Line Tool
Allows running of the Campaign report generation utility (unica_acgenrpt).
Takeover Flowcharts in Edit Mode
Allows taking over control of flowcharts in Edit or Run mode from other users.
Note: Taking over control of a "locked" flowchart locks out the other user and all changes in the flowchart since the last save are lost.
Connect to Running Flowcharts
Allows attaching to running flowcharts through Campaign Server Manager (unica_svradm) or the Campaign user interface.
Terminate Server Processes
Allows terminating the Campaign Server (unica_acsvr) using the Campaign Server Manager (unica_svradm).
Terminate Campaign Listener
Allows terminating the Campaign Listener (unica_aclsnr) using the Campaign Server Manager (unica_svradm) or using the svrstop utility.
Run sesutil Command Line Tool
Allows running of the Campaign session utility (unica_acsesutil).
Override Virtual Memory Settings
Allows overriding the Virtual Memory setting in flowchart Advanced Settings.
Access Custom Attributes
Allows access to and managing of custom attribute definitions from the Campaign Settings page.
Cell Report Access Allows access to cell reports from the Reports icon on a flowchart Editpage. Excludes access to the Cell Content Report unless this permission is also explicitly granted.
Cell Report Export If cell report access is granted, allows printing and exporting of cell reports.
Cell Content Report Access
Allows access to the Cell Content report from the Reports icon on a flowchart Edit page.
Cell Content Report Export
If Cell Content Report Export is granted, allows printing and exporting of the Cell Content report.
Perform Cleanup Operations
Allows performing cleanup operations using unica_acclean or a custom tool.
Change Object/Folder Ownership
Allows changing ownership of an object or folder.
Audience levels
Table 7. Audience levels (Administrative permissions) Permission Description
Add Audience Levels Allows creation of new audience levels under Manage Audience Levelson the Campaign Settings page.
Delete Audience Levels
Allows deleting of existing audience levels under Manage Audience Levelson the Campaign Settings page.
Chapter 5. Managing Security in IBM Unica Campaign 39
Table 7. Audience levels (Administrative permissions) (continued) Permission Description
Manage Global Suppressions
Allows creation and configuration of global suppression segments in Campaign.
Disable Suppression in Flowchart
Allows clearing or selecting the Disable Global Suppressions for This Flowchartcheck box on the flowchart Advanced Settings dialog.
Data sources
Table 8. Data sources (Administrative permissions) Permission Description
Manage Datasource Access
Allows managing data source logins from the Administration area and within flowcharts.
Set Save with DB Authentication
Allow enabling the Save with Database Authentication Informationflag in table catalogs and flowchart templates.
Dimension hierarchies
Table 9. Dimension hierarchies (Administrative permissions) Permission Description
Add Dimension Hierarchies
Allows creation of new dimension hierarchies.
Edit Dimension Hierarchies
Allows editing of existing dimension hierarchies.
Delete Dimension Hierarchies
Allows deletion of existing dimension hierarchies.
Refresh Dimension Hierarchies
Allows refresh of existing dimension hierarchies.
History
Table 10. History (Administrative permissions) Permission Description
Log to Contact History Tables
Allows enabling or disabling logging to contact history tables when configuring contact processes.
Clear Contact History Allows clearing entries from the contact history tables.
Log to Response History Tables
Allows enabling or disabling logging to response history tables when configuring the Response process.
Clear Response History
Allows clearing entries from the response history tables.
Logging
Table 11. Logging (Administrative permissions) Permission Description
View System and Flowchart Logs
Allows viewing of flowchart logs and the system log
Clear Flowchart Logs Allows clearing of flowchart logs.
Table 11. Logging (Administrative permissions) (continued) Permission Description
Override Flowchart Log Options
Allows override of default flowchart logging options.
Reports (folder permissions)
The Reports node appears on the partition permissions page after running Sync Report Folder Permissionsfrom the Settings menu for the first time. The synchronize process determines the folder structure of the reports physically located on the IBM Cognos system, and then lists the names of those folders under this node.
The settings under this node grant or deny access to the reports in the folders that appear in the list.
System tables
Table 12. System tables (Administrative permissions) Permission Description
Map System Tables Allows mapping system tables.
Remap System Tables Allows remapping system tables.
Unmap System Tables Allows unmapping system tables.
Delete System Table Records
Allows deletion of records from system tables.
User Tables
Table 13. User tables (Administrative permissions) Permission Description
Map Base Tables Allows mapping base tables.
Map Dimension Tables
Allows mapping dimension tables.
Map General Tables Allows mapping general tables.
Map Delimited Files Allows mapping user tables to delimited files.
Map Fixed-Width Flat Files
Allows mapping user tables to fixed-width flat files.
Map Database Tables Allows mapping user tables to database tables.
Remap User Tables Allows remapping of user tables.
Unmap User Tables Allows unmapping of user tables.
Recompute Counts and Values
Allows using Compute button in table mapping to recompute table counts and values.
Use Raw SQL Allows the use of raw SQL in Select process queries, custom macros, and dimension hierarchies.
Chapter 5. Managing Security in IBM Unica Campaign 41
User Variables
Table 14. User variables (Administrative permissions) Permission Description
Manage User Variables
Allows creating, deleting, and setting default values for user variables in flowcharts.
Use User Variables Allows use of user variables in output files or tables.
Windows impersonation administration
This section contains the following information:
v “What is Windows impersonation?”
v “Why use Windows impersonation?”
v “What is the relationship between Campaign users and Windows users?”
v “The Windows impersonation group”
v “Windows impersonation and logging into IBM Unica Marketing” on page 43
What is Windows impersonation?
Windows impersonation is a mechanism that allows Campaign administrators to associate Campaign users with Windows users, so that Campaign processes invoked by a Campaign user run under the credentials of the corresponding Windows user.
For example, if Windows impersonation is enabled, when the Campaign user jsmithedits a flowchart, a unica_acsvr process starts under the Windows user ID associated with the Marketing Platform login name, jsmith.
Why use Windows impersonation?
By using Windows impersonation, you are able to leverage the Windows-level security permissions for file access. If your system is set up to use NTFS, you can then control access to files and directories for users and groups.
Windows impersonation also allows you to use Windows system monitoring tools to see which users are running which unica_acsvr processes on the server.
What is the relationship between Campaign users and Windows users?
To use Windows impersonation, you must establish a one-to-one relationship between Campaign users and Windows users. That is, each Campaign user must correspond to a Windows user with the exact same user name.
Typically, administration begins with a set of existing Windows users who will use Campaign. You must create Campaign users in Marketing Platform with the exact same names as the associated Windows users.
The Windows impersonation group
Each Windows user for whom you have set up a Campaign user must be placed in a special Windows impersonation group. You must then assign the group to specific policies.
To ease administrative tasks, you can then grant read/write/execute privileges to the Campaign partition directory for the group.
Windows impersonation and logging into IBM Unica Marketing
When Windows impersonation is set up, once users have logged into Windows, Campaign users are automatically logged into IBM Unica Marketing using a single sign-on. When they open a browser and go to the IBM Unica Marketing URL, they do not need to log in again, and immediately see the IBM Unica Marketing start page.
Working with Windows impersonation
Setting up Windows impersonation involves the following tasks, described in this section:
v “Set the Windows impersonation property”
v “Create Campaign users”
v “Create the Windows impersonation group”
v “Assign the Windows impersonation group to policies”
v “Assign rights to the Windows impersonation group” on page 44
Note: LDAP and Active Directory are required to run Windows impersonation. For details about setting up LDAP and Active Directory, see the IBM Unica Marketing Platform Administrator's Guide.
Set the Windows impersonation property
On the Configuration page, set the value of the enableWindowsImpersonation property in the Campaign > unicaACListener category to TRUE.
Note: There might be additional property requirements based on your Windows Domain Controller setup. For more information, see the single sign-on section of the Marketing Platform Administrator’s Guide.
Create Campaign users
You can use Marketing Platform to create Campaign internal or external users.
Create external users by configuring Active Directory users and group
synchronization. Each user you create must have the same login name as the user’s Windows user name.
Create the Windows impersonation group
Note: You must have administration privileges on the Windows server to complete this task.
Create a Windows group specifically for Campaign users. Then add the Windows users that correspond to Campaign users to this group.
For more information about creating groups, see your Microsoft Windows documentation.
Assign the Windows impersonation group to policies
Note: You must have administration privileges on the Windows server to complete this task.
Chapter 5. Managing Security in IBM Unica Campaign 43
After you create a Windows group to store users that correspond to Campaign users, you must add the group to the following policies:
v Adjust memory quotas for a process v Create Token object
v Replace a process level token
For more information about assigning groups to policies, see your Microsoft Windows documentation.
Assign rights to the Windows impersonation group
Using Windows Explorer, grant "read/write/execute" access to the
partitions/partition_name folder under your Campaign installation to the Windows impersonation group.
For more information about assigning rights to folders, see your Microsoft Windows documentation.
About support of Proxy Server Authentication
Proxy Server Authentication support is available for customers who want to configure and run Campaign so that all internet traffic is required to pass through a proxy server. This feature enables the Active-X component for Campaign to connect through a proxy server that requires authentication, and automatically pass (per-user) stored credentials. You can configure access through a proxy using the following authentication mechanisms:
v Basic v Digest
v NTLM (NT LAN Manager)
v Negotiate (may resolve to either Kerberos or NTLM)
Note: The actual version of the mechanisms supported is determined by the Internet Explorer browser.
About support for local area network settings in the browser
The Active-X component supports the Internet Explorer (IE) options for Local Area Network (LAN) settings for:
v Automatic configuration, including options to automatically detect settings and to use a Proxy Auto Configuration (PAC) script as an automatic configuration script.
v Proxy server, including options to use a proxy server for your LAN, to bypass proxy server for local addresses, and advanced settings for the HTTP proxy address and port as well as exceptions.
Note: The Active-X component requires the PAC file address, if provided, to use either the http or https scheme (for example, http://machine:port/proxy.pac).
Although IE recognizes the file scheme (for example, file://C:/windows/
proxy.pac), the Active-X component fails to locate the PAC file if the file scheme is used. The Active-X component might also be unable to locate the PAC file if authentication is required, for example if the PAC file is served by a web server that requires authentication.
To set authentication credentials for a virtual data source named proxy
For each Campaign user, in the Marketing Platform you must set authentication credentials (user name and password) for a virtual data source named "proxy".
These credentials are used to connect to the proxy server.
1. On the Settings > Users page, add a data source named proxy for each Campaign user.
2. Set the user name and password for the proxy data source to the proxy server’s user name and password.
2. Set the user name and password for the proxy data source to the proxy server’s user name and password.