Cognos Security Implementation

Users, Groups & Roles: Users, groups, and roles are created for authentication and authorization purposes.

User: User is created and maintained in authentication provider (NTLM, AD, LDAP etc) to uniquely identify an individual or system account.

We cannot create user account in Cognos. Users are created in authentication provider. We can create Groups and Roles.

Groups: Groups and roles represent collections of users that perform similar functions, or have a similar status in an organization. Examples of groups are Employees, Developers, or Sales Personnel. Members of groups can be users and other groups.

Roles: Roles in IBM Cognos 8 have a similar function as groups. Members of roles can be users, groups, and other roles. The following diagram shows the structure of groups and roles.

The following diagram shows the structure of groups and roles.

Steps to setup Cognos Secutiy: 1. Setting @ Cognos Configuration:

a. Under Security Right click on Authentication->New resource ->Namespace

Give the Name Space Name AD and select the type.

The available types are: Active Directory, Cognos Series7, Custom java provider, NTML, LDAP, SAP

b. Specify the types of security used for authentication users. You cannot change the value of property. It is automatically set when you choose the namespace type in explorer window.

c. Specify the unique identifier for the authentication name space.

d. Specify the name of the network domain to use for the authentication.

e. Cognos is the In build namespace for Cognos. Select the Cognos namespace and change the property Allow anonymous access False.

2. Restricting access to all user in Build in Name Space:a. Once we create the name space, we should restrict the access for all the

users from the Name space. b. Set the Value to TRUE for Restrict access to members of the built-in

namespace as shown below.

3. Setting @ Cognos Connection: a. Login to Cognos Connection IBM Cognos Administration Security

Cognos.

b. Remove “Every One” Group from all the Roles in default Cognos Security Directory.

c. Make sure that while removing the Every One from System Administrator group, you add the anyone of the User Account.

Please find attached PDF file for further reference on setting security across domains.

Creating Group/Roles: Launch Cognos Connection Cognos Administration

Select Security Tab.

We can create Group/Roles only in Default Cognos Group. We cannot add Groups/Roles into Third Party Tool.

Create New Group/New Role, with appropriate naming convention as per the client guideline and click next.

Add the members/Groups/Roles from the Namespace to the Group created. Click on finish once you have done with adding the members to the group.

To type the name of entries you want to add, click Type and type the names of groups, roles, or users using the following format, where a semicolon (;) separates each entry as shown in the below screen:

In case wrong entries in the typed list, it takes the correct entries and leave behind the wrong entry and throws an error as shown in the screen shot below.

Newly created group will be added to Cognos Group.

Access Permissions: We can grant or deny the following access permissions:

Read Write Execute Set Policy Traverse

Setting access permission for an entryWe can specify access permission for an entry (User, Group & Role) in Cognos Connection.

Steps: Launch Cognos Connection Cognos Administration Security Tab Locate

the entity for which you want to set access permission.

In the Action Column, click on properties. In set properties window, select permission tab.

Choose whether to use the permissions of the parent entry or specify permissions specifically for the entry:

o To use the permissions of the parent entry, clear the Override the access permissions, then click OK if you are prompted to use the parent permissions. Click OK.

o To set access permissions for the entry, select the Override the access permissions acquired from the parent entry check box.

If you want to remove an entry from the list, select its check box and click Remove.

Cognos Security Implementation – Folder Level

Assumptions: 1. Parent Folder Namely Security Test. 2. Three Continents Namely Asia, Europe and US. 3. User from each region should not see other Continent Folders. 4. To implement the security we had created a parent group (Test Group) and

corresponding continent groups (Asia Group, Europe Group & US Group).

1. Create a parent group (Test Group) and add thee continent groups (Asia Group, Europe Group & US Group) as members as shown in the below screen shot.

2. Under permission tab, remove all existing entries and add the Test Group and grant all permissions as shown in the below screen shot.

Security Test

Asia Europe US

Security Test

3. Create continent groups Asia Group and map the user from Asia to the group as members.

4. Designate an Admin for the group from the permission tab as per the screen shot below.

5. As per the action taken above where in one user cannot view the group (Asia Group) itself.

6. Similarly create the other two continent groups and follow the same steps as followed for Asia.

7. Launch Cognos Connection Public Folder Set Properties for Security Test

Folder and go to permissions tab. Remove all existing entries Add the parent group (Test Group).

8. Public Folder Security Test Set Properties for Asia Folder and go to permissions tab. Remove all existing entries Add the Asia group, Europe Group and US Group. Give grant permission to Asia Group and Deny access permission to other two groups to restrict access.

9. Similarly give access permissions on other two folders and follow the same steps as followed for Asia Folder.