User Security
The Service Manager and some application services control user security in application clients. Application clients include Informatica Administrator, Informatica Analyst, Informatica Developer, Metadata Manager, and PowerCenter Client.
The Service Manager and application services control user security by performing the following functions:
- Encryption. When you log in to an application client, the Service Manager encrypts the password.
- Authentication. When you log in to an application client, the Service Manager authenticates your user account based on your user name and password or on your user authentication token.
- Authorization. When you request an object in an application client, the Service Manager and some application services authorize the request based on your privileges, roles, and permissions.
You can also use HTTPS for a secure connection to the domain and to the application services. The Informatica domain and the following application services support HTTPS connections:
- Data Integration Service
- Analyst Service
- Content Management Service
- Metadata Access Service
- Metadata Manager Service
- Web Service Hub Service
Encryption
Informatica encrypts passwords sent from application clients to the Service Manager. Informatica uses AES encryption with multiple 128-bit or 256-bit keys to encrypt passwords and stores the encrypted passwords in the domain configuration database. Because the stored passwords are encrypted rather than hashed, access to the domain configuration database and to the keys that encrypt it needs the same protection as the passwords themselves. Configure HTTPS so that passwords sent from application clients to the Service Manager are also protected at the transport layer.
Authentication
The Service Manager authenticates users who log in to application clients.
The first time you log in to an application client, you enter a user name, password, and security domain. A security domain is a collection of user accounts and groups in an Informatica domain.
The security domain that you select determines the authentication method that the Service Manager uses to authenticate your user account:
- Native. When you log in to an application client as a native user, the Service Manager authenticates your user name and password against the user accounts in the domain configuration database.
- Lightweight Directory Access Protocol (LDAP). When you log in to an application client as an LDAP user, the Service Manager passes your user name and password to the external LDAP directory service for authentication.
Single Sign-On
After you log in to one application client, the Service Manager lets you launch another application client or access multiple repositories within the same application client without logging in again.
The first time the Service Manager authenticates your user account, it creates an encrypted authentication token for your account and returns the authentication token to the application client. The authentication token contains your user name, security domain, and an expiration time. The Service Manager periodically renews the authentication token before the expiration time.
When you access multiple repositories within an application client, the application client sends the authentication token to the Service Manager for user authentication.
When you launch one web application client from another one, the application client passes the authentication token to the next application client. The next web application client sends the authentication token to the Service Manager for user authentication. You must log out of each web application client separately. For example, if you open the Analyst tool from the Administrator tool, you must log out of the Analyst tool and the Administrator tool separately.
Note: To use single sign-on between the Administrator tool, the Analyst tool, and the Monitoring tool, you must add their fully qualified domain names to the hosts file on every node.
You cannot use single sign-on to connect to a web application client from a client tool. For example, if you launch the Administrator tool from the Developer tool, you must log in to the Administrator tool.
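The authentication dispatch by security domain and the single sign-on token described in the two sections above, modelled as an added Python example. This is not Informatica's code: the page does not describe the token format, its lifetime, or how the Service Manager keys it, so those are assumptions here. The example protects the token with an HMAC so that tampering and expiry are detectable, rather than encrypting it as the page describes; the `Native` security domain is the one the page names, while `CorpLDAP`, the account records, the secret, and the lifetimes are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed stand-in for the native accounts in the domain configuration
# database. Salted PBKDF2 hashes keep the example self-contained; the product as
# described stores AES-encrypted passwords, which this does not model.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


_SALT = b"constructed-salt"
NATIVE_ACCOUNTS = {"admin": (_SALT, _hash_password("adminpass", _SALT))}

# Constructed stand-in for an external LDAP directory, keyed by
# (security domain, user name); a bind succeeds when the password matches.
LDAP_DIRECTORY = {("CorpLDAP", "jdoe"): "jdoepass"}

# Assumptions for the token model: a secret held by the Service Manager, a
# fixed lifetime, and a renewal window. The page gives none of these values.
TOKEN_KEY = b"constructed-service-manager-secret"
TOKEN_LIFETIME = 3600   # seconds a token stays valid after it is issued
RENEW_WINDOW = 600      # renew when fewer than this many seconds remain


def ldap_bind(security_domain: str, user: str, password: str) -> bool:
    """Stand-in for handing the credentials to the directory service."""
    stored = LDAP_DIRECTORY.get((security_domain, user))
    return stored is not None and hmac.compare_digest(stored.encode(), password.encode())


def authenticate(user: str, password: str, security_domain: str) -> bool:
    """Pick the authentication method from the security domain chosen at login."""
    if security_domain == "Native":
        record = NATIVE_ACCOUNTS.get(user)
        if record is None:
            return False
        salt, expected = record
        return hmac.compare_digest(_hash_password(password, salt), expected)
    # Every other security domain is an LDAP security domain.
    return ldap_bind(security_domain, user, password)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text.encode())


def issue_token(user: str, security_domain: str, now: float) -> str:
    """Token carrying user name, security domain and expiry, MAC-protected."""
    payload = json.dumps(
        {"user": user, "domain": security_domain, "exp": int(now) + TOKEN_LIFETIME},
        sort_keys=True,
    ).encode()
    mac = hmac.new(TOKEN_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(mac)


def validate_token(token: str, now: float):
    """Return the claims if the MAC verifies and the token is unexpired, else None."""
    try:
        payload_b64, mac_b64 = token.split(".", 1)
        payload, mac = _unb64(payload_b64), _unb64(mac_b64)
    except ValueError:          # malformed token or bad base64
        return None
    expected = hmac.new(TOKEN_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None             # tampered payload or MAC
    claims = json.loads(payload)
    if claims["exp"] <= now:
        return None             # expired: the user must log in again
    return claims


def renew_token(token: str, now: float):
    """Re-issue a valid token that is close to expiry; None if it can no longer be used."""
    claims = validate_token(token, now)
    if claims is None:
        return None
    if claims["exp"] - now < RENEW_WINDOW:
        return issue_token(claims["user"], claims["domain"], now)
    return token


def login(user: str, password: str, security_domain: str, now: float):
    """First login: verify the credentials, then return a token for single sign-on."""
    if not authenticate(user, password, security_domain):
        return None
    return issue_token(user, security_domain, now)


if __name__ == "__main__":
    t0 = time.time()
    tok = login("admin", "adminpass", "Native", t0)
    print("claims:", validate_token(tok, t0))
    # A second client presents the same token instead of asking for a password.
    print("second client accepted:", validate_token(tok, t0 + 5) is not None)
```

The renewal step is where the failure mode matters: a token that has already expired is not renewed, so a client that missed the renewal window is sent back to the login prompt rather than being quietly re-issued a token.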
Authorization
The Service Manager authorizes user requests for domain objects. Requests can come from the Administrator tool. The following application services authorize user requests for other objects:
- Data Integration Service
- Metadata Manager Service
- Model Repository Service
- PowerCenter Repository Service
When you create native users and groups or import LDAP users and groups, the Service Manager stores the information in the domain configuration database and in the following repositories:
- Model repository
- PowerCenter repository
- PowerCenter repository for Metadata Manager
The Service Manager synchronizes the user and group information between the repositories and the domain configuration database when the following events occur:
- You restart the Metadata Manager Service, Model Repository Service, or PowerCenter Repository Service.
- You add or remove native users or groups.
- The Service Manager synchronizes the list of LDAP users and groups in the domain configuration database with the list of users and groups in the LDAP directory service.
When you assign permissions to users and groups in an application client, the application service stores the permission assignments with the user and group information in the appropriate repository.
When you request an object in an application client, the appropriate application service authorizes your request. For example, if you try to edit a project in Informatica Developer, the Model Repository Service authorizes your request based on your privilege, role, and permission assignments.
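To make the privilege, role, and permission check in the paragraph above concrete, here is an added Python example; it is not Informatica's code. It assumes a model in which a role is a named bundle of privileges, privileges and roles can be held by a user directly or through group membership, object permissions are stored per object beside the user and group information, and a request succeeds only when the user holds both the required privilege and the required permission on the object. The role, privilege, user, group, and object names are constructed.

```python
from dataclasses import dataclass, field

# Constructed roles: each role bundles a set of privileges. Names are assumptions.
ROLE_PRIVILEGES = {
    "Developer": {"Access Developer", "Create Projects", "Edit Projects"},
    "Analyst": {"Access Analyst", "Create Projects"},
}


@dataclass
class Principal:
    """A native or LDAP user or group, keyed as '<security domain>/<name>'."""
    key: str
    roles: set = field(default_factory=set)        # roles assigned directly
    privileges: set = field(default_factory=set)   # privileges assigned directly
    groups: set = field(default_factory=set)       # keys of groups a user belongs to


# Constructed user and group information, as synchronized into a repository.
GROUPS = {
    "Native/Developers": Principal("Native/Developers", roles={"Developer"}),
    "Native/Analysts": Principal("Native/Analysts", roles={"Analyst"}),
}
USERS = {
    "Native/jdoe": Principal("Native/jdoe", groups={"Native/Developers"}),
    "CorpLDAP/asmith": Principal(
        "CorpLDAP/asmith", groups={"Native/Analysts"}, privileges={"Edit Projects"}
    ),
    "Native/guest": Principal("Native/guest"),
}

# Constructed object permissions, stored with the user and group information.
OBJECT_PERMISSIONS = {
    "project:Sales": {
        "Native/Developers": {"read", "write"},
        "CorpLDAP/asmith": {"read"},
    },
}


def effective_privileges(user_key: str) -> set:
    """Privileges held directly, through roles, or through group membership."""
    user = USERS[user_key]
    principals = [user] + [GROUPS[g] for g in user.groups]
    privs = set()
    for p in principals:
        privs |= p.privileges
        for role in p.roles:
            privs |= ROLE_PRIVILEGES.get(role, set())
    return privs


def effective_permissions(user_key: str, obj: str) -> set:
    """Permissions on one object, granted to the user or to any of its groups."""
    user = USERS[user_key]
    acl = OBJECT_PERMISSIONS.get(obj, {})
    perms = set(acl.get(user_key, set()))
    for g in user.groups:
        perms |= acl.get(g, set())
    return perms


def authorize(user_key: str, required_privilege: str, obj: str, required_permission: str):
    """Allow the request only when both the privilege and the object permission are held.

    Returns (allowed, reason) so that a denial can be logged with its cause.
    """
    if user_key not in USERS:
        return False, "unknown user"
    if required_privilege not in effective_privileges(user_key):
        return False, f"missing privilege {required_privilege!r}"
    if required_permission not in effective_permissions(user_key, obj):
        return False, f"missing {required_permission!r} permission on {obj}"
    return True, "allowed"


if __name__ == "__main__":
    # Editing a project: needs the edit privilege and write permission on that project.
    for who in ("Native/jdoe", "CorpLDAP/asmith", "Native/guest"):
        print(who, authorize(who, "Edit Projects", "project:Sales", "write"))
```

The second user in the run shows the case practitioners most often get wrong: holding the privilege to edit projects is not enough when the permission on the specific project is read-only, and the denial reason says which of the two checks failed.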