About Rational® ClearQuest® reporting security

Rational® ClearQuest® provides security features that can be configured to protect access to the Report Launcher for Rational® ClearQuest® and access to run reports from the reporting server. Use the information in this topic to learn about the network, client, and data security.

The level of access control provided for the Report Launcher for ClearQuest® is a subset of the access control available for Rational® ClearQuest®. Access control for the Report Launcher for ClearQuest® is used for these purposes:

Determine the pool of eligible users for the Report Launcher for Rational® ClearQuest®. Report Launcher users must have existing Rational® ClearQuest® accounts before they can be granted access to the report launcher.
Validate the user credentials during logon to the Report Launcher.
Authenticate Report Launcher for Rational® ClearQuest® users who attempt to run reports on the report server.

You can also configure Rational® ClearQuest® to provide additional security mechanisms for network, client, and data security for the Report Launcher for ClearQuest®.

Network security

To provide secure access to the Report Launcher for Rational® ClearQuest® and the ClearQuest® reporting data, deploy the Report Launcher by using a secure connection (https). For information about configuring secure sockets for Rational® ClearQuest® web components, see Configuring secure connections.

Client security

Client security for Report Launcher for Rational® ClearQuest® is implemented by using J2EE Declarative Security. Using this approach, the Report Launcher itself is not security aware. Access to the client is configured through its deployment descriptor and enforced by WebSphere® Application Server. By default, the Report Launcher for Rational® ClearQuest® deployment descriptor provides these security roles to control access to the report launcher web interface and specified report directories: Basic User, Team Member, and Super User. These default roles can be customized for your environment. See Configuring security for the Report Launcher and reports.

Data security

By default, the Report Launcher for Rational® ClearQuest® does not control view access to report files that are hosted in a configured Report Launcher directory. A user with access to the Report Launcher server can browse the list of reports that exist in the Report Launcher directories for that server. However, you can secure access to the report folders by using either of the following methods:

Configure secure access to report folders by using WebSphere® Application Server J2EE Declarative Security as described in Configuring security for the Report Launcher and reports.
With Rational® ClearQuest® feature level 6 or higher, you can configure ClearQuest® folder permissions to restrict access to the queries required to retrieve report data. See Workspace folder permissions overview.

For reporting authentication, only users authorized to run the Rational® ClearQuest® queries used by a report can run it. For example, if a user named user attempts to run a report that requires access to a query in the Personal Queries folder of the admin user. Rational® ClearQuest® generates an error message like the one shown in the following example.

Cannot get the result set metadata. SQL statement does not return a ResultSet object.
SQL error #1: CRVAP0237E Resource 'cq.query:Personal Queries/All
Defects@7.0.0/SAMPL': not found.

Credential storage

The Report Launcher for Rational® ClearQuest® Report uses credentials to control access to run and view reports. BIRT Reports provide a mechanism for passing user credentials when a report is run. See Using the Report Launcher for Rational ClearQuest. BIRT reports can also be designed to prompt for user credentials, but this capability must be configured in the report design. Credentials are temporarily stored on the server during the session and are discarded when the session ends. See Passing credentials to BIRT reports at run time.