Professional Documents
Culture Documents
2 of 11
Table of Contents
Namespaces, Groups, Roles and Accounts Account Object Memberships Cognos Access Permissions Access Permission Inheritance Managing IBM Cognos Capabilities and License Compliance Best Practices for Implementing IBM Cognos BI Security 3 4 6 7 8 9
Welcome
This Ebook is designed to help you understand how IBM Cognos security works and how you can best apply it to meet all of your needs. One thing to keep in mind as you go through this; Security within Cognos will work well in virtually any environment if its applied correctly, and with the understanding that security needs to be based on a model or structure that can handle both change and growth over time.
3 of 11
Accounts
Authentication to the Cognos applications is performed through the external namespace. A user must provide valid credentials for an account object in the namespace to gain entry to the application. Once authenticated, the users visibilities to objects and actions that can be performed are completely controlled by the memberships of the account and the security applied to both the content store objects and capability objects (to be covered later in the series).
4 of 11
Explicit Membership
To illustrate this with an example, a Cognos namespace Role has been created named Managers which will be used to provide a high level of access to objects in the content store. It is determined that a manager, Melisa Smith, requires this level of access in Cognos so the Cognos administrator adds the Melisa Smith Account as a member of the Managers Role. Simple. But this soon becomes unmanageable in a real world Cognos Environment with a large number of Accounts. A better way to control memberships is with Groups.
5 of 11
This is obviously a better technique to manage members. It relies mostly on assigning memberships in the external namespace but changes there are automatically inherited into Cognos security. Its also possible to create a hierarchy of Roles or Groups in the Cognos namespace if, for example, All Managers did not exist in the external namespace.
6 of 11
Access Permissions
Read View all properties including output Create a shortcut to an object Write Modify properties of or delete an object Create objects in a container such as a package or folder Modify an objects specification in a studio: Report Studio, Query Studio, etc. Create new outputs for a report Execute Set Policy Traverse Run objects such as reports, report views, events and metrics Read and modify the security settings for an object View the contents of a container such as a package or folder
Traverse Access
To access an object a user must have Traverse access permission on all of the ancestors of the object.
Ownership of Objects
The owner of an object has full access permissions to the object (but still requires traverse access).
System Administrators
In addition to these permissions there are other important rules which influence a users access to and available actions on an object. Users which are members the System Administrators Role in the Cognos namespace have full access permissions to all objects.
7 of 11
8 of 11
License Compliance
IBM Cognos BI licenses are usually based upon (in part) access to various Features, such as Query Studio, Report Studio, Analysis Studio, PowerPlay Studio, Cognos Viewer and Administration. To monitor compliance it is necessary to determine how many Accounts have permissions to each of these features. This is where the complexity of the security hierarchy (described in Part 2 of this series) can make this task difficult. You will usually be using Groups to control access to Features so this is where good organization or a third party program able to analyze the security hierarchy would be useful.
permissions on individual Packages and Folders. Giving an Account, Group or Role permission at this level also requires permission in Global Capabilities. In the case of Folders, Capability permissions are applied to all descendants. When applied to Package objects however, the Capability permissions will be applied to all reporting objects created from that package regardless of where they reside in the Content Store. This is a useful feature that, for example, could deny access to Studios for all reports created from that package (for a specific Group), rather than denying Write access to all the individual reports. As you can see from what we have covered so far, Cognos Security can get complicated and confusing. What we will cover next are some Best Practices that will help you maintain a secure and manageable Cognos environment.
Access Permissions
Unlike other content store objects, the only Access Permissions which affect the Capabilities are Traverse and Execute. Other than that, these permissions follow the same rules described above, including Group / Role Membership, Traverse Access, and Granted and Denied Access.
Object Capabilities
Starting with IBM Cognos BI 8.3, it is possible to define Capability
9 of 11
Groups or Roles
Group and role objects in the Cognos namespace behave almost identically. The difference is that groups can contain only accounts and other groups, while roles can contain accounts, groups and other roles.
10 of 11
Managing Capabilities
Capabilities are used in Cognos BI to control access to features and functions such as the reporting studios and administration tools. There are a number of default Cognos namespace groups that are created during the Cognos installation that have certain capabilities defined. For example, Authors and Query Users have access to Query Studio, but Authors also have access to Report Studio. It is recommended that new roles be created to manage user capabilities that match the distribution of your Cognos licenses. For example, a role could be created for power users to
11 of 11
Envisn
www.envisn.com http://www.envisn.com/envisn-cognos-blog/ 233 Ayer Road Harvard, MA 01451 USA T: 978-779-0400 F: 978-772-0985 E: Info@Envisn.com