IBM Cognos Business Intelligence Series 7 IBM Cognos ... 4 IBM Cognos Series 7 Access Manager Alternate

  • View
    1

  • Download
    0

Embed Size (px)

Text of IBM Cognos Business Intelligence Series 7 IBM Cognos ... 4 IBM Cognos Series 7 Access Manager...

  • IBM Cognos Business Intelligence Series 7 IBM Cognos Series 7 Access Manager

    Version 7.4

    Access Manager Administrator Guide

    Access Manager - Administrator Help

    ACCESS MANAGER ADMINISTRATOR GUIDE

  • Product Information

    This document applies to IBM Cognos Series 7 Access Manager Version 7.4 and may also apply to subsequent releases. To check for newer versions of this document, visit the IBM Cognos Information Centers (http://publib.boulder.ibm.com/infocenter/cogic/v1r0m0/index.jsp).

    Copyright Licensed Materials - Property of IBM

    © Copyright IBM Corp. 1999, 2009.

    US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

    IBM, the IBM logo, ibm.com, Cognos, Impromptu, and PowerPlay are trademarks or registered trademarks of International Business Machines Corp., in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at www.ibm.com/legal/copytrade.shtml.

    Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.

  • Table of Contents

    Chapter 1: Security and Access Manager 7 Access Manager Components 8 Available Security Options 9 Apply Security in Other IBM Cognos Applications 10 How IBM Cognos Applications Use Authentication Data 11 Configuration Options for Access Manager Authentication Components 12 Configure an Authentication Source 12 Secure Sockets Layer (SSL) Security 12 Identify Users: Overview 13

    Access Manager Namespaces 13 Basic Signons 14 External Signons 14 Common Logon or Single Signon 15 Integrated Windows Authentication 15 Users 16 User Classes 17 Store Connection Information for IBM Cognos Servers 17 Store Signon Information for Secured Databases 17 Store Signon Information for Secured Cubes 18 Store Signon Information for Third Party Cubes 18 Delegate Administration 18 Automate Administration 18

    Chapter 2: Set Up An Authentication Source 21 Save Authentication Source Connections 21

    Access a Directory Server: Overview 22 Connect to a Directory Server 22 Modify a Directory Server Connection 23 Test a Directory Server Connection 23 Configure Secure Sockets Layer (SSL) on a Directory Server 24

    Set Up a Namespace: Overview 25 Add a Namespace 26 Log On to a Namespace 27 Log On to a Namespace as Another User 28 Add a Namespace Administrator 29 Provide Summary Information for a Namespace 29 Set Up Anonymous Access to a Namespace 30 Set Up Guest Access to a Namespace 31 Set Signon Properties for Users in a Namespace 31 Use Variables for Namespace OS Signons for Web Users 32 Set Password Properties for Users in a Namespace 33 Define Regional Settings for Users in a Namespace 34 Set a Default Namespace for a Directory Server 34 Export a Namespace for Remote Users 35 Transfer Namespace Information Between Directory Servers 36 Identify All Out of Date Namespaces 37 Upgrade Namespaces 38 Enable External User Support 39 Enable Audit Logging 40

    3 Licensed Materials - Property of IBM

    © Copyright IBM Corp. 1999, 2009

  • Alternate Authentication Sources: Overview 41 Local Authentication Export Files: Overview 41

    Add a Local Authentication Export File 42 Import a Local Authentication Export File into a Namespace 42

    Chapter 3: Set Up Authentication Data 45 Set Up Users: Overview 45

    Add a User 46 Provide a User With a Signon 47 Assign a User to a User Class 48 Provide Access to a Data Source or Application Server 49 Provide Auto-Access for a User 50 Display the User Classes and Accesses for a User 51 Define Regional Settings for Users of Web Products 51 Define User Access to Upfront 52 Link External Users 52

    Set Up User Classes: Overview 53 Add a User Class 54 Set Up a Public User Class 54 Set User Class Access Times 55 Set User Class Permissions 56 Display Users Belonging to a User Class 57

    Set Up a Data Source: Overview 57 Add a Database 58 Add an OLAP Server Database 58 Set Up Auto-Access for a Database 59 Add a Cube 60 Add a Cube Stored in a Database 61 Add Metadata 61

    Set Up a Server: Overview 62 Add a Transformer Server 62 Set Up Auto-Access for a Transformer Server 63 Add a PowerPlay Server 63 Search for Authentication Data 64 Sort Authentication Data 64

    Chapter 4: Set Up Security Across Applications 67 Access Manager and Architect 68 Access Manager and Transformer 69 Access Manager and PowerPlay 70 Access Manager and PowerPlay Enterprise Server 71 Access Manager and Impromptu 72 Access Manager and Impromptu Web Reports 73 Access Manager and IBM Cognos Query 73 Access Manager and Upfront 74 Access Manager and IBM Cognos Visualizer 74 Access Manager and NoticeCast 75 Ticket Services 75 Audit Ticket Service Activity 77

    Frequently Asked Questions and Troubleshooting 79 Why can't I log on as a user? 79 Why can't I delete a user? 79 Why can't I delete a user class? 79 Why can't I open a secured resource after merging namespaces? 79 When does the cut command behave like copy command? 79 Why can’t I connect to a directory server that is configured for SSL communication? 80

    4 IBM Cognos Series 7 Access Manager

  • Error Message When Adding Objects Containing the Same Basic Letter Configuration Using Active Directory Server 80

    How Do I Determine Why the Access Manager Server Won’t Start? 80

    Appendix A: Access Manager Utilitites 81 AM_NamespaceReport Utility 81 AM_NamespaceCorruptionDetect Utility 83 amADUpdate Utility 84

    Glossary 85

    Index 93

    Access Manager Administrator Guide 5

  • 6 IBM Cognos Series 7 Access Manager

  • Chapter 1: Security and Access Manager

    Access Manager provides a centralized environment to define, store, and maintain security information for IBM Cognos business information applications.

    In one central location, you can set up and maintain secure user access to data, such as cubes and reports, that are created in other IBM Cognos applications. With Access Manager, you can also set up and maintain user signon information and auto-access privileges for the data sources and servers that contain the required data.

    You must use Access Manager with: • Architect • IBM Cognos Query • Upfront • Impromptu Web Reports • Visualizer • NoticeCast

    You can choose to use Access Manager with: • Impromptu • PowerPlay • Transformer

    You should plan your security strategy and implement it in Access Manager before you start using other IBM Cognos products. First, you must identify and create users. Then you must decide how you want to group users with similar needs for access to information, and give them memberships in user classes. These user classes are given access privileges to the required application servers, such as PowerPlay Enterprise Server and Transformer Server, and data sources, such as Oracle, Sybase, and local cubes.

    After you set up your security information in Access Manager, you apply that information in the other IBM Cognos products.

    In this version of Access Manager, you can store authentication data in one of the following sources: • a namespace on an LDAP directory server • a local authentication export file (.lae)

    For information about each type of authentication source, see "Set Up An Authentication Source" (p. 21).

    Related Topics • "Automate Administration" (p. 18) • "Delegate Administration" (p. 18) • "Set Up a Namespace: Overview" (p. 25) • "Basic Signons" (p. 14) • "Common Logon or Single Signon" (p. 15) • "External Signons" (p. 14) • "Identify Users: Overview" (p. 13) • "Integrated Windows Authentication" (p. 15) • "User Classes" (p. 17) • "Users" (p. 16) • "Access Manager Components" (p. 8)

    7 Licensed Materials - Property of IBM

    © Copyright IBM Corp. 1999, 2009

  • Chapter 1: Security and Access Manager

    • "Apply Security in Other IBM Cognos Applications" (p. 10) • "Available Security Options" (p. 9) • "Configure an Authentication Source" (p. 12) • "How IBM Cognos Applications Use Authentication Data" (p. 11) • "Secure Sockets Layer (SSL) Security" (p. 12) • "Store Connection Information for IBM Cognos Servers" (p. 17) • "Store Signon Information for Secured Cubes" (p. 18) • "Store Signon Information for Secured Databases" (p. 17) • "Store Signon Information for Third Party Cubes" (p. 18)

    Access Manager Components When you install an IBM Cognos product, several Access Manager components are available:

    Access Manager Administration Administrators use this Windows-based tool to set up and maintain user classes, users, server connection information, and access to data sources. There are also two automation interfaces, Access Manager Batch Maintenance, and OLE Automation.

    Access Manager Server The Access Manager Server is an IBM Cognos security component that manages two services: • a ticket service

    The service that issues tickets used to maintain single signons for users of Web-based IBM Cognos applications. The tickets are issued for a specified period so that users can access multiple IBM Cognos applications without having to reenter authentication data.

    • an authentication service The service used for authenticating users of Web-based IBM Cognos applications. By default, this service is not enabled.

    An Access Manager Server can be configured as a ticket service or an authentication service, or both.

    At least one Access Manager Server is needed for each IBM Cog