Enhanced Security Option

The Enhanced Security Option allows creation of Roles that control who has the ability to Create, Modify, and even View reports within the Report Library.

Designed for both large and small environments, the Enhanced Security Option can support complex, distributed environments that require multiple authentication methods, as well as single-server environments looking for easy-to-use access control.

The Enhanced Security Option includes the following features:

  • Access control at the Report Folder level that specifies users who can view, create, execute, edit, or delete reports
  • Access Control at the Module Level
  • Windows Active Directory Integration
  • PIN-based Authentication (useful for External Users)
  • Supports Environments with Multiple Active Directory Domains
  • Supports Pass-through Authentication for Network Users
  • Built-in Redundancy Features (ensures there is not a single point of failure for authentication)
  • Integrated Security Model for all Navigator Components

With the Enhanced Security Option, reports can be created for multiple organizations, customers, or groups with the assurance that only users with proper credentials can access the secured reports. This extends the power of Navigator to a new level, allowing customers to provide reports to both their internal users and external users. By combining Report Builder filters with Enhanced Security access controls, users are limited to seeing only the report data that you allow.


How does it work?

Navigator 2008 v8.5 introduces a new architectural component, the Navigator Security Provider, which manages security for Navigator. The Navigator Security Provider must be installed on a Windows server. However, additional Security Providers can be installed within an environment for redundancy or to authenticate users against separate Windows Active Directory domains.

When a user logs in, they provide the location of the Navigator Security Provider. An encrypted login request is then sent to the specified Navigator Security Provider, instead of the user logging directly into the OakTreeNav Database as in previous versions.

The Navigator Security Provider completes the login process by validating against the OakTreeNav database that the user is an authorized Navigator user and that the user has entered the proper authentication password or PIN. After authentication, the user is granted access to the Report Folders as defined by the Roles assigned.


Common Scenario #1

ACME, Inc. needs to provide a set of reports to their external customers who access the Navigator Web Generator from the public Internet. In addition, ACME has a variety of internal users who log into a Windows Active Directory Domain and require access to a separate set of internal view-only reports.

Using the Enhanced Security Option, the administrator can define Roles and contact records within OakTree Navigator to achieve this requirement.

  1. Create two roles called Internal Users and External Users. Define the Report Folders that each Role can view.

  2. Create contact records in Navigator for all Internal and External users who require access. Assign users to the Internal Users Role or the External Users Role depending on the access to Report Folders they require. Within the contact record, enable Windows Authentication for users in the Internal Users Role and enable PIN authentication for users in the External Users Role.

  3. Assign users to a Role defined above that specifies the Report Folders they can access and the privileges for each Report Folder.

  4. Define a PIN code in the user’s contact record in Navigator that External Users can use to access Navigator.

Common Scenario #2

A+ School needs to allow all users authenticated on their Active Directory network to view some reports but provide additional controls so that the HR team can see additional personal information related to Service Desk contacts.

  1. Configure the Default Role so that even if a user is not a defined contact within OakTree Navigator, they have view-only access to a Report Folder that contains all the required reports.

  2. Create a Role for the HR Team. Allow the HR Team Role access to the Report Folders required for the HR Team and remove access privileges for the Report Folder for all other Roles.

  3. Add the Active Directory user IDs for members of the HR Team to Navigator as contact records with the Authentication Method set to Windows.

  4. For additional control, an HR Creator Role can be created, allowing only specific people within the HR team the ability to add, create, modify, or delete existing reports in the HR Report Folder.
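
The access rules built in Scenario #2, modelled as an added example (not OakTree Navigator code or its API). Role names come from the scenario; the folder names, user IDs, and the assumption that a defined contact receives only its assigned Roles are constructed for illustration.

```python
# Added illustration of Scenario #2; this is a model, not Navigator's implementation.
from dataclasses import dataclass, field

# Privileges named in the feature list for Report Folder access control.
PRIVILEGES = {"view", "create", "execute", "edit", "delete"}

@dataclass
class Role:
    name: str
    folders: dict = field(default_factory=dict)  # folder name -> set of privileges

    def grant(self, folder, *privs):
        unknown = set(privs) - PRIVILEGES
        if unknown:
            raise ValueError(f"unknown privileges: {sorted(unknown)}")
        self.folders.setdefault(folder, set()).update(privs)

DEFAULT, HR_TEAM, HR_CREATOR = Role("Default"), Role("HR Team"), Role("HR Creator")
ALL_ROLES = [DEFAULT, HR_TEAM, HR_CREATOR]

# Step 1: the Default Role is view-only on the general folder (folder name constructed).
DEFAULT.grant("General Reports", "view")
# Step 2: only HR Roles get the HR folder; no other Role is granted anything on it.
HR_TEAM.grant("General Reports", "view")
HR_TEAM.grant("HR Reports", "view", "execute")
# Step 4: HR Creator may also create, edit and delete in the HR folder.
HR_CREATOR.grant("HR Reports", *PRIVILEGES)

# Step 3: contact records keyed by Active Directory user ID (constructed values).
CONTACTS = {
    "SCHOOL\\hr.analyst": [HR_TEAM],
    "SCHOOL\\hr.lead": [HR_TEAM, HR_CREATOR],
}

def is_allowed(ad_user, folder, privilege):
    """Deny by default. An authenticated user with no contact record gets the Default Role."""
    roles = CONTACTS.get(ad_user, [DEFAULT])
    return any(privilege in role.folders.get(folder, set()) for role in roles)

def roles_with_access(folder):
    """Review helper: every Role holding any privilege on a folder."""
    return sorted(role.name for role in ALL_ROLES if role.folders.get(folder))

if __name__ == "__main__":
    # A network user without a contact record can view general reports only.
    print(is_allowed("SCHOOL\\teacher", "General Reports", "view"))
    print(is_allowed("SCHOOL\\teacher", "HR Reports", "view"))
    print(roles_with_access("HR Reports"))
```

Running `roles_with_access` on a restricted folder after any Role change is a quick way to confirm the Default Role has not picked up access to it.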