Data Sources

Create a connection definition in Cognos

Step 2:

Create a Cognos Account on Each Data Source

Step 1:

Import MetadataStep 3:

Publish PackageStep 4:

iMac

Report Author

Create Report from Package

Step 5:

Report Consumer

Consumer Runs ReportStep 7:

Framework Manager

Developer

Publish the Report

Step 6:

Cog

nos

SECURITY

S

S

S

S

S

SS

Returning…

Create a Cognos Logon

The Cognos logon can be given as much or as little access as needed.The access given to this logon completely controls what can be provided through Cognos. The access can be sub-divided based upon user and role, but cannot be expanded.It is possible to work with existing logons.It is possible to work with multiple logons, each granted access to part of the data; each logon would go through the following steps; can create access duplication and problem-solving difficulties

Return

Create a Connection with Cognos ReportNet

Creating a connection is done by a Cognos administrator. (Brian and Clif for now)The connection uses the logon/password defined for Cognos.The Cognos administrators are the only people who know the logon/password. No users interact directly with this logon.The administrator will then grant permission for this connection to an approved person or group to do the metadata for the data.

Note: The connection could be defined to require the user to enter a login/password. However, each subsequent step may then get a different result based on the logon supplied.

Return

Import Metadata into Framework Manager

Done by a Cognos data modeler (25 licenses available)Uses the named connection created within CognosThe developer does not need the logon/password or connect string in order to use the connection.Cognos lists all of the tables/views/synonyms available to the logon/password, and the developer chooses which definitions to bring in.Cognos has the ability to import table relationships, if they are defined in the database.Packages are defined by grouping tables together. In DSS this corresponds to star-join models.

Return

Publish Datamodel Packages

Done by a Cognos data modeler (25 licenses available)Packages are saved to the Cognos server and access is granted to approved report author / consumer roles

Return

Create Reports from Datamodels

A Report Author is defined as someone who has been given a license to run Report Studio and Query Studio (200 licenses)A Report Author creates a report based on the datamodel packages published from Framework ManagerA Report Author is shown only packages they are granted access toThe Author needs to be aware of column-based and row-based security that is embedded in the datamodelThe Author first tests the report, and then saves the report in a defined folder so that the QA process can be conducted

Return

Cognos Account Security

When the Cognos account is created, the tables and files it has access to should include all of the tables needed by your data consumersAs an example, on the data warehouse (DSS), the Cognos account has complete access to Student, Financial and Employee dataUsers are granted access to a subset of the data available to the account, and Cognos does not show other dataFor instance, a user with the role DSS_Financial_Complete sees only packages and reports granted to that group

Return

Connection Definition Security

A connection to the data source is created using the Cognos account. Based on a data modeler’s access permissions, they will be shown only the data sources they have been granted access to If a data modeler has not been granted access to access a particular data source, the data source will not be shown and cannot be chosen by the user. The connection information (username and password) is encrypted using MD5 and stored on the Cognos application server, which is protected by an F5 firewall router. Connections to the Cognos server are restricted to a select number of fixed IP addresses.

Return

Framework Manager Table Security

Tables can have column or row-based restrictions defined For instance, the Employee table has Object Security defined for fields restricted from “general” access; these fields are allowed only for “complete” roles. The table is allowed for both “complete” and “general” users, but “general” users see only part of the fields and get an error if they try to run a report which includes restricted fields The Account Balance table has a Security Filter applied. “Complete” and “general” users see all the columns, but “general” users see fewer rows, based on the rows allowed by the security filter

Return

Package Security

A package is an individual or set of data models that a report author can use to create reports. When a data modeler publishes a package, access to that data is granted to author and report viewer roles Column and row security can be specified within the tables based on a user’s role.

Return

Report Authoring Security

Report author sees only data they have been granted access to via roles they have been assigned to Report author must also be granted role to use an authoring tool (QueryStudio or ReportStudio)

Return

Report Security

When a report is published, a hyperlink is created on the Cognos portal, in the defined folder structure, with default roles assigned to the folder If a user is granted permission to run a report, this hyperlink is visible. If a user is not granted permission to run a report, the hyperlink is not visible. Even if the user is sent the hyperlink, the user will get an error when they attempt run the report Administration of this access can be done centrally, or it can be distributed to the security administrators for a particular area. For example, Cheri Rawles has been given access to publish reports for Financial and Employee DSS data, and to give data access to those users who have been authorized by the data stewards.

Return

Report Viewing Security

Reports are run using a standard web browser The system will only accept requests using the Secured Sockets Layer (SSL) protocol, which encrypts all of the data during transmissionThe report viewer user can only run reports they have been granted access to, as Cognos shows only these reports in the web portalThe report viewer user will get an error if they try to run a report they were granted access to, if the report contains data they are not granted access toThe report viewer cannot see or determine a report’s data source, the data connection used, or the logon / password used to access the data, except as that information is documented in metadata descriptions of the report

Return

DatabaseObjects

StarSchemas

FrameworkManager

Framework ManagerSecurity Layer

Framework ManagerPackage

Published ToReportNet

FrameworkManager

Security Layer

Presentation of reportto user is controlledby multiple ReportNetRoles

ReportNetSecurity

LayerDatabases

Security Model for Cognos ReportNet

Note: B

ReportNetRoles

ReportNet Security Layer

Note: A

Notes: Each “security layer” ring represents use of ReportNet roles (or groups) to protect the innercontents. Where there are multiple rings, all rings must be satisfied to allow access.

Note: A - Each data connections is protected by a role assigned only to (a) data modeler(s), people whoare systems-developer level, and who are completely familiar with the data and how it fits together.

Note: B - When publishing models from Framework Manager, the security layer must include all roles /groups that will need to access the data in this package, or broader roles. ReportNet cannot overrule thesecurity restrictions set in Framework Manager. Publisher must have IP address registered in the F5firewall / router which guards the Cognos servers.

Note: C - ReportNet roles also control what tools a user is permitted to use; QueryStudio to createsimple queries/reports; ReportStudio to create sophisticated queries/reports; or neither to only runreports others have created.

ReportNetModel

SecurityLayer

ProducesData Model

DBConnec-tion

Note: C

Report createdin ReportNet

DBConnec-tion

DBConnec-tion

CognosPortal

Next

DataWarehouse

(or anysource)

FrameworkManager;

packages table(s)to be report source

ReportAuthorcreatesreport

Predefined ReportEmployee

DataPackage

(data model)

DW granted to followingroles:

DSS_Employee_CompleteDSS_Employee_GeneralDSS_Financial_CompleteDSS_Financial_GeneralDSS_Student_CompleteDSS_Student_GeneralDSS_Systems_Developer

Framework Manager toollimited to 25 licenses;systems developer typeswho are completely familiarwith the data tables / files,and how they need to beseparated or grouped forreporting purposes

Joins between tables aredone here, either importedfrom database definitions ormanually

Limits on columns / rows forroles within a table aredefined here

In order to publish packages,Framework Manager usermust have a static IPregistered with the F5firewall / router that protectsthe Cognos servers

StudentData

Package(data model)

FinancialData

Package(data model)

Employee package(s)granted to following roles:

DSS_Employee_CompleteDSS_Employee_GeneralDSS_Systems_Developer

Package can have built-inlimits on columns / rows thatcertain roles can access (ie,general)

Financial package(s) grantedto following roles:

DSS_Financial_CompleteDSS_Financial_GeneralDSS_Systems_Developer

Ditto on limits

Student package(s) grantedto following roles:

DSS_Student_CompleteDSS_Student_GeneralDSS_Systems_Developer

Ditto on limits

Predefined Report

Predefined Report

This report granted only to:

DSS_Employee_CompleteDSS_Systems_Developer

This report granted to:

DSS_Employee_CompleteDSS_Employee_GeneralDSS_Systems_Developer

No restricted data used, soreport shows same results toboth ‘complete’ and ‘general’user

This report granted to:

DSS_Employee_CompleteDSS_Employee_GeneralDSS_Systems_Developer

Restricted data (rows)present, so ‘complete’ usersees more results than‘general’ user

Example of Cognos Security Levels

Ditto onreports

Ditto onreports

There is no limit to howpackages can be brokendown by role access

A folder structure(with default securityapplied) can simplifyassigning security

Report author must begranted role to accessdata, plus be grantedrole to use authoringtool

Return

Data Sources

Create a connection definition in Cognos

Step 2:

Create a Cognos Account on Each Data Source

Step 1:

Import MetadataStep 3:

Publish PackageStep 4:

iMac

Report Author

Create Report from Package

Step 5:

Report Consumer

Consumer Runs ReportStep 7:

Framework Manager

Developer

Publish the Report

Step 6:

Cog

nos

SECURITY

S

S

S

S

S

SS