Making WmTNWeb secure

We run B2B 4.6 and TN 4.6. Certain business users in our organization occasionally need to check the status of documents in TN. This is generally when the customer insists they have sent a document but our backend hasn’t received it, or vice versa – in short, when there is some problem in the document transmission chain.

WmTNWeb in TN 4.6 provides simple web-based access to TN. It allows users to browse documents by sender, receiver, doc id, etc., which is ideal. However, for doing this, it requires users to be members of the TNAdministrators group. This is bad from a security perspective since any user with such access can install WM Console and basically wreak havoc on the live server – submit documents, change document types, processing rules, etc.

Is there some way to restrict WmTNWeb accounts from using WM Console?

You should be able to restrict what the WmTnWeb users are able to do. There are two user types allowed in TN web, Administrator and Partner. If you set up Partner, then the users can only view their particular documents, profile and your profile. You may also setup B2B User Groups.

Page 40 from the web manager configuration guide: "The Sender ID and Receiver ID criteria in the Transactions page allow Web Manager users to specify the partner that sent and/or received the documents that they want to view. However, the Sender ID and Receiver ID criteria behave differently based on whether the logged in user has Trading Networks administrative authority or partner authority.
External users (those with partner authority) can search only for documents for which they are either the sender or receiver. Internal users (those with Trading Networks administrative authority) can search for documents that have any sender and/or receiver."

You should be able to custom configure reporting criteria based on this section of the guide.

Sonam,

Sorry, not enough coffee yet this morning. Create TN web accounts separately. Don’t commingle roles with account creation. Do look through the web manager configuration guide. When the new version of B2B/TN comes out later this year, you’ll find a much friendlier (so I’m told) and easier to use interface for creating users/groups, etc. If you need specific help, you can catch me offline for this, but it’s pretty straightforward. Plus, if you want to restrict who can use TN Console and who can’t, just remove the console from the user desktops that no longer require it and then change all the Admin passwords (which you should do often anyway).

Hi Ray -

> There are two user types allowed in TN web,
> Administrator and Partner.

The problem is the new WmTNWeb users have to be members of the TNAdministrators group. Membership in ‘TNPartners’ won’t do since the users need to check documents from all partners. Our TNWeb users are day to day customer support staff and not product development.

If one of these WmTNWeb users installs TNConsole “to check it out”, it’s Baaaad news! They become superuser on the production TN machine and can change doctypes, add/remove processing rules, submit documents, etc. Restricting access to the TNConsole program is not secure. Besides, WM will soon be releasing ‘trialware’ software for free download from its website.

Do you know of a way that a business user can check all the documents needed, yet be locked out of TNConsole?

Hey Sonam,

I am facing the same problem right now. Our testers need to see the Transaction Analysis, etc., for all trading partners. We want to restrict their access to read-only because what happens is, when they test in the test environment, if they find a bug in the flow services, the tester will call the developer and fix the hole right away by adding/modifying a document type or processing rule.

We want to implement this read access to TN on every environment except development. Developers are “not” supposed to make changes on any environment except dev, I believe.

Do you guys have a way of doing this?

> Do you guys have a way of doing this?

We do - it just went live today. I’m afraid it involved writing a new package. I took code from WmTNWeb, added our own (e.g. reports, profile checks, certificate expiry checks, etc.), then assigned the package to a special “TransactionMonitor” ACL, and made the group for our transaction monitor users “allowed” under that ACL.

There was another thread in these forums where another member did something similar - only he created more, finer-grained ACLs.

Is your package available as shareware? If not, can you share it with us? I am not a developer and I don’t know how to create Flow services, but every day it gives me an idea of how to do it and I’m learning a little bit every day. I am just a WM Admin.

Thanks,
Faith

Hi Faith -

> Is your package available as shareware? If not, can
> you share it with us?

That really depends upon permission from my employer, for whom it was written. I’ll ask, but in any case, the package is slightly too specific to our business process (it depends on specific user status codes we insert into the bizdoc) to release as-is right now. Also, I haven’t put in the code to view the source of a document. Hopefully, I can release a generic version as freeware (or shareware as it is called here) soon.

> environment, if they found a bug on the flow services, the
> tester will call the developer and fix the hole right away by
> adding/modifying document type or processing rule.

This is a cultural habit that needs to be built up in your organization. I’m a developer myself and so am sympathetic to their habit, but… this can be disastrous. You have to have change control and get signoff on every change made on test or live. This is required because of the relative immaturity of change tracking tools in webMethods. I have to get signoff on every change to test or live in my company.

We ran into the same issue and found a simple solution…

Create a new group in the admin web and associate it to the TNPartners ACL. Assign any users that should only have access to Web Manager (and not TN Console) to this group. Make sure those users are NOT a member of the TNPartners group.

If you go into the Configuration link in Web Manager and click on Customize configuration for groups, you should see the new group that you added. You can now lock down the functions that this group is allowed to perform via the web.

Now log in as one of the users that you assigned to that group and they should have access to the Web Manager, but only for those functions you allowed via the configuration.

Try logging into TN Console as that user and it will throw authorization errors every time they try to click on something.

Let me know if you have any questions…

Thanks Jeff. I tried the steps you said, but with no success. Can you check if what I did is correct?

  1. I created a “test-group” group
  2. I associated this group with the TNPartners ACL
  3. I created a “test-user” user
  4. Made the “test-user” a member of “test-group”. At this point, “test-user” is a member of only 2 groups:
     - “test-group”
     - “Everybody”
  5. I then logged into WmTNWeb as myself, went to “Web Manager > Configuration > Group” and set all the permissions for “test-group”

No new ACLs were created in this process.

However, when I log into WmTNWeb as “test-user” I get the error message below in the WmTNWeb menu sidebar on the left, and no content on the right.

The Server could not process your request because the following error occurred. Contact your server administrator.

Service wm.tnweb.configFlow:loadMenu
Error class com.wm.app.b2b.server.AccessException
[B2BSERV.0084.9004] Access Denied

I did the same as the above steps, but when I logged in as test-user, I could not view any profile. And when I logged in to TNConsole using test-user, it gave me an error with wm.tn.ping. I can successfully get in, but I cannot view everything; I can only see the icons for Profiles, Transaction Analysis, etc.

Faith - if the ‘test-user’ (set up as described above) logs into WmTNWeb through a web browser, does it work?

Sorry everyone - I did not do thorough testing before publishing this!

The solution I described only allows you to see the transaction list, but no further drill down. This was all I was interested in at the time and did no further testing - apologies again…

We are working on a slight modification that seems to be pretty simple and straightforward and is allowing access to all information - but only via the web. A colleague of mine is working on that solution, and we will be more than happy to share the package and instructions, but I think this time I will wait until it is thoroughly tested :wink:

Sonam, you went through the correct steps, but I’m not sure why it does not work for you - but in any case, since this was an incomplete solution…

Are you able to provide the details of the solution that you implemented?

Thanks - and sorry for the bogus info.

Jeff

Hi Sonam,

I can successfully log in to webManager and view transactions, but I cannot view any profiles.

Right now, some testers in our environment are using webManager to view transactions for a certain partner they are testing. You can set it up by doing your above steps, but replace the “test_user” id with the DUNS id of that trading partner and use that id to log in to webManager.

Hi guys - I could neither view transactions nor do anything else when I logged into WmTNWeb with the steps above.
I got the error mentioned above on a blue background, in the sidebar on the left.

> Are you able to provide the details of the solution
> that you implemented?

I can’t provide the code for the package (my employer owns that). A lot of it is tailored to our processes anyway. In time, I’d like to release a ‘cleanroom’ generic version of the code, like I did with the DDCommon.zip package from my “wm.tn:receive” Ezine article. But that will take time.

Let me know if I can help in some other way - with, say, specs, if someone else is willing to work on it.

On a side note, from conversations with PD, I believe WmTNWeb permissions are still broken in 6.0.1. Can anyone confirm?

We had the same issue with wanting a person to view all partner transactions via TNWeb, but not be able to use TNConsole.
6.5, I heard, is supposed to address this.

In the meantime, just write a small DSP screen that utilizes the following services: wm.tn.profile:getInternalID, wm.tn.query:createDocumentQuery and wm.tn.query:documentQuery.
I assume you will have a list of partners they choose from on the web page, for which wm.tnweb.queryFlow:searchPageFlow is useful.