This document is relevant only to the Pentaho BI Platform version 1.2.0 or earlier. See the Pentaho BI Platform version 1.2.1 or later security documentation if you're using version 1.2.1 or later. (You can find the version you are running in several ways: (1) look at the log when the Pentaho BI Platform starts or (2) look at the bottom right of any page within the Pentaho BI Platform.)
The default settings that come with the Pentaho Professional BI Platform are designed to get things up and running quickly. To customize the platform for your security needs, a few questions need answering first. Once you have the answers, you can proceed to the Configuration section.
Authentication is simply the act of confirming that the user entering the system is who they say they are. This is often done by means of a username and password, but can sometimes involve certificates or other means of establishing identity. The first decision to be made is what the required authentication mechanism will be.
Authorization is the mechanism by which users are granted authorities to perform actions. Pentaho has special knowledge of authorization with respect to securing solution folders and action sequences. Beyond this content-level authorization, web resources can be secured within the container.
User management is the process of creating new users and updating them after creation. For authorization to work properly, there has to be a source of usernames and of the roles (also known as authorities) associated with those usernames. Typically, the associations between users and the roles they are granted are maintained in a relational database or in an LDAP directory. Note that the Pentaho Professional BI Platform does not perform user management; this is the job of something external.