Post on 13-Mar-2018
Rocket City Cognos User Group
Morning Session
Jonathan McKnight
• Connecting to Cognos BI
• Cognos Security Roles
• These roles span the entire Cognos BI suite.
• IBM Cognos Configuration – setting up security
• Tips and Best Practices
• Authentication providers are also referred to as namespaces.
• Supported providers in Cognos 10.2 are Active Directory, IBM
Cognos Series 7, Custom Java Provider, eTrust SiteMinder, LDAP,
SAP, and RACF.
• Multiple namespaces can be used for one Cognos instance, and
users can be logged in to multiple namespaces simultaneously.
• Active Directory
• Allows for single sign-on
• Provides a single location to control user access
• Adaptive Analytics Administrators
• Adaptive Analytics Users
• All Authenticated Users
• Analysis Users
• Anonymous
• Authors
• Cognos Insight Users
• Consumers
• Controller Administrators
• Controller Users
• Data Manager Authors
• Directory Administrators
• Everyone
• Express Authors
• Metrics Administrators
• Metrics Authors
• Metrics Users
• Mobile Users
• Planning Contributor Users
• Portal Administrators
• PowerPlay Administrators
• PowerPlay Users
• Query Users
• Readers
• Report Administrators
• Server Administrators
• Statistics Authors
• System Administrators
• 5 different access types.
• Read
• Write
• Execute
• Set Policy
• Traverse
• Grant or deny access.
• Grant allows access.
• Deny revokes access.
• Deny takes precedence over grant.
• Deny does not have to be set. If nothing is selected, users will not have access.
Permission: Permitted Access
Read:
• View all the properties of an entry, including the report specification, report output, and so on, which are properties of a report.
• Create a shortcut to an entry.
Write:
• Modify properties of an entry.
• Delete an entry.
• Create entries in a container, such as a package or a folder.
• Modify the report specification for reports created in Report Studio and Query Studio.
• Create new outputs for a report.
Execute:
• Process an entry.
• For entries such as reports, agents, and metrics, the user can run the entry.
• For data sources, connections, and signons, the entries can be used to retrieve data from a data provider. The user cannot read the database information directly. The report server can access the database information on behalf of the user to process a request. IBM Cognos software verifies whether users have execute permissions for an entry before they can use the entry.
• For credentials, users can permit someone else to use their credentials.
• Note: Users must have execute permissions for the account they use with the run as the owner report option.
Set Policy:
• Read and modify the security settings for an entry.
Traverse:
• View the contents of a container entry, such as a package or a folder, and view general properties of the container itself without full access to the content.
• Note: Users can view the general properties of the entries for which they have any type of access. The general properties include name, description, creation date, and so on, which are common to all entries.
Permission: What it means
Read: Users can see the default report output, create shortcuts, and view properties.
Write: Users can add, delete, and modify content.
Execute: This is required for a user to be able to run a report.
Set Policy: Unless there is a very pressing reason, administrators should be the only people with this access.
Traverse: This is required for a user to be able to navigate into a folder.
* A Very Good Rule of Thumb *
• For consumers, the most common way to set up access would be to grant Read,
Execute, and Traverse permissions.
• For authors, and possibly some power users, access needs to be granted to Read,
Write, Execute, and Traverse.
• For administrators, access should be granted for Read, Write, Execute, Set Policy, and
Traverse.
• Methods of setting security
• Add all users or user groups into existing Cognos roles. Control access
based on those roles only. (More open environment, less secure)
• Do the above, but further restrict access to folders based on the user or user
groups. (Less open environment, more secure, more complex to maintain)
• What works for us
• Just because it works for us does not mean it is right for you!
• Active Directory with single sign-on.
• No external dispatcher; it can’t be accessed outside of our network.
• Users are placed in groups set up in Active Directory, and access to folders
and reports is granted based on those user groups.
• Grant access only; nothing is explicitly set to Deny.
• Carefully organize content before setting up security to take
advantage of security inheritance
• Security inheritance means that objects below where security is set will
automatically inherit the security from the object above it.
• Example: When you set security on Public Folders, everything under it
will use the same security as the default.
• Organizing content into hierarchies and placing users into groups can save
a lot of time when setting up security.
• Consider the logical structure of your business when creating your folder
structure and/or dashboards in IBM Cognos Connection.
• Document your security model.
• We have a table that gets updated each night showing what users are in
our Active Directory groups.
• You work for a company called Rocket City Rockets.
• You have identified the following groups within the company who have report requirements:
• Marketing and Business Development
• Contracts and Sales
• Human Resources
• Program and Project Managers
• Executive Management
• Accounting
• The reports should not be shared across groups, with the exception of Executive Management, which should be able to access all reports.
• To get running quickly, you decide to leverage Active Directory for security.
• New groups are created in AD and the users are placed into these groups based on their role within the company.
• Once the groups are created, you can begin to set up security in the Administration panel of IBM Cognos Connection.
• Add the user groups to the Consumers role in Cognos namespace.
• In IBM Cognos Connection, set the security on your Public Folders
so that only authorized users can access the reports.
• Because of security inheritance, this will lock down any folder
below Public Folders with this same security.
• Create your subfolders for each user group.
• Set security for each folder by clicking on the Set Properties
button, then the Permissions tab.
• Check the “Override the access permissions acquired from the
parent entry” box and remove access for the Consumers role.
• Add the Active Directory group that corresponds to the folder.
• Grant Read, Execute, and Traverse access to the AD group.
• Repeat the steps for each of the other folders.
• Remember: Grant takes precedence over no security setting (which inherently
denies access), and Deny takes precedence over Grant.
• Susan is in Human Resources (HR), but she also does some work
for Contracts. You have a “HR Reports” folder that grants access
for HR users, but it denies access for all other users.
• Cognos security is controlled by user groups, and Susan is a
member of the HR group and the Contracts group.
• Because the Deny access takes precedence and Contracts is
denied to the “HR Reports” folder, Susan would not be able to
view “HR Reports.”
• Your contracts team has different functions
• Granting access at the “Contracts Team” folder level will mean
that the users who can access that folder can see each of the
subfolders.
• Not everyone on your Contracts team needs access to the reports in the
“Restricted Access” folder.
• Since security is inherited from the parent, you must override the permissions.
• Simply check the “Override…” box and change the permissions for the
subfolder.
• Remove (or deny) access for the Contracts group and add your individual users or
a group to access the folder.
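The Susan scenario and the "Restricted Access" override above, worked through as an added example that is not part of the original presentation and is not IBM Cognos code. It is a simplified model of the rules stated on this page (inheritance until an entry overrides, Deny over Grant, no setting means no access); the "Proposals" subfolder and the "Contracts Leads" group are hypothetical names.

```python
# Simplified model of the rules stated on this page; not IBM Cognos code.
GRANT, DENY = "grant", "deny"
RXT = ("Read", "Execute", "Traverse")

class Entry:
    """Folder or report. policy=None means inherit from the parent entry."""
    def __init__(self, name, parent=None, policy=None):
        self.name, self.parent, self.policy = name, parent, policy

    def effective_policy(self):
        # Walk up to the nearest entry that overrides inherited permissions.
        node = self
        while node.policy is None and node.parent is not None:
            node = node.parent
        return node.policy or {}

def effective_permissions(entry, user_groups):
    """Permissions a user holds on entry, given the groups they belong to."""
    granted, denied = set(), set()
    for group, settings in entry.effective_policy().items():
        if group in user_groups:
            for perm, setting in settings.items():
                (denied if setting == DENY else granted).add(perm)
    # Deny beats grant; anything never granted is simply absent (no access).
    return granted - denied

def rule(setting, perms=RXT):
    return {p: setting for p in perms}

# Constructed hierarchy using folder and group names from the page.
public = Entry("Public Folders", policy={"Consumers": rule(GRANT)})
hr = Entry("HR Reports", public,
           policy={"HR": rule(GRANT), "Contracts": rule(DENY)})
contracts = Entry("Contracts Team", public, policy={"Contracts": rule(GRANT)})
proposals = Entry("Proposals", contracts)  # hypothetical subfolder, inherits
# Two ways to lock down the subfolder: remove Contracts, or deny Contracts.
restricted_removed = Entry("Restricted Access", contracts,
                           policy={"Contracts Leads": rule(GRANT)})
restricted_denied = Entry("Restricted Access", contracts,
                          policy={"Contracts Leads": rule(GRANT),
                                  "Contracts": rule(DENY)})

susan = {"HR", "Contracts"}
lead = {"Contracts", "Contracts Leads"}  # hypothetical group membership
for label, entry, groups in [("Susan / HR Reports", hr, susan),
                             ("lead / Contracts removed", restricted_removed, lead),
                             ("lead / Contracts denied", restricted_denied, lead)]:
    print(label, sorted(effective_permissions(entry, groups)))
```

In this model, denying Contracts on the subfolder also locks out a lead who is still a member of Contracts, while removing Contracts does not, which is the practical difference between the "remove" and "deny" options in the last step.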
• Security in Cognos BI can be overwhelming!
• Setting it up, especially at first, can be a daunting task.
• Spend time learning and understanding your company’s needs!
• Create and DOCUMENT your security plan!
• Check, double check, and triple check your security. The last
thing you want to happen is for sensitive information to end up
in the wrong hands.
• If you can, have a dummy account created for you in your security
namespace to use to check security.