Internal and Confidential COGNOS 8 - Implementing Security Cognos CoE

  • Slide 1
  • Internal and Confidential COGNOS 8 - Implementing Security Cognos CoE
  • Slide 2
  • 7 September 2015. Introduction: Cognos 8 security is designed to meet the need for security in various situations. It is easy to integrate with existing security infrastructure. Cognos 8 has its own namespace, called Cognos. Security is built on top of one or more third-party authentication providers, which are used to define and maintain users, groups and roles. Security in Cognos 8 is optional; if it is not enabled, all user access is anonymous, with limited, read-only access.
  • Slide 3
  • Introduction: Authentication Providers
      o User authentication in Cognos 8 is managed by third-party authentication providers.
      o Authentication providers define the users, groups, and roles used for authentication.
      o When multiple namespaces are configured, the user selects a namespace at the start of the session and can log on to other namespaces later in the session.
  • Slide 4
  • Introduction: The following authentication providers are supported in Cognos 8:
      o A third-party LDAP server that supports version 3 of the LDAP protocol for user authentication.
      o The namespace in the directory server used for your Cognos Series 7 products.
      o Windows native security (NTLM), either your LAN security or users on your local computer.
      o SAP namespace.
      o Active Directory namespace.
      o Netegrity SiteMinder.
  • Slide 5
  • Introduction: Authorization
      o Authorization is the process of granting or denying users access to data, and permission to perform activities on that data, based on their sign-on identity.
      o Cognos 8 authorization assigns permissions to users, groups, and roles that allow them to perform actions, such as read or write, on content store objects, such as folders and reports.
      o The content store can be viewed as a hierarchy of data objects such as folders, reports and packages.
  • Slide 6
  • Introduction: Cognos Namespace
      o The Cognos namespace is the Cognos 8 built-in namespace. It contains the Cognos objects, such as groups, roles, data sources, distribution lists, and contacts.
      o During content store initialization, built-in and predefined security entries are created in this namespace.
      o Use of the Cognos groups and roles contained in the Cognos namespace is optional.
      o The groups and roles created in the Cognos namespace repackage the users, groups and roles existing in the authentication providers for optimized use in the Cognos 8 environment.
  • Slide 7
  • Cognos 8 Different Levels of Security. Different types of security that can be incorporated at the model level:
      o Package level security.
      o Data level security.
      o Object level security.
  • Slide 8
  • Cognos 8 Different Levels of Security. Package Level Security
      o Package level security can be implemented in Framework Manager.
      o The roles that have access to the package can be specified.
      o If the role is not specified in Framework Manager, then the package will be inaccessible to any role from Cognos Connection.
  • Slide 9
  • Cognos 8 Different Levels of Security. Step 1:
  • Slide 10
  • Cognos 8 Different Levels of Security. Step 2:
  • Slide 11
  • Cognos 8 Different Levels of Security. Data Level Security
      o It is also possible to restrict part or all of the data that a particular Query Subject returns to a user or group of users by applying a security filter on the Query Subject in Framework Manager.
      o The security filter can make use of macros or parameter maps to further enhance the abilities of the filter.
      o To specify data security, highlight the object you wish to filter, then right-click and select Specify Data Security.
      o In the window that opens, select the groups or users you wish to filter, and either create a new filter or use an existing filter condition to apply to the user or group.
  • Slide 12
  • Cognos 8 Different Levels of Security. Step 1:
  • Slide 13
  • Cognos 8 Different Levels of Security. Step 2:
  • Slide 14
  • Cognos 8 Different Levels of Security. After the package is published, when a user or a role defined in the Data Security window runs a report, they are permitted to see only the data to which the filter applies. For example, if Joe logs into Query Studio and creates a report with Issue_Type and Issue_Date, he will see only the issue types which are greater than 2.
  • Slide 15
  • Cognos 8 Different Levels of Security.
  • Slide 16
  • Cognos 8 Different Levels of Security. Object Level Security
      o It is possible to restrict access to specific objects in a project. For example, if you have a user or group of users who you do not want to have access to a particular namespace, you can remove access to that namespace for that user or group of users.
      o Objects which can have security applied include namespaces, query subjects, query items, filters and folders. You can either Allow (make visible) or Deny (not visible) access to these objects.
      o When granting access to an object, ensure that the user or group of users you are granting access to also has access to the package that contains it.
  • Slide 17
  • Cognos 8 Different Levels of Security.
  • Slide 18
  • Cognos 8 Different Levels of Security. When a user or group of users runs a report and does not have access to one or more objects in the report (i.e. a query item or query subject), the report will fail.
  • Slide 19
  • Cognos 8 Different Levels of Security. It is also possible that a user is a member of more than one group, and the groups have conflicting access to an object. For instance, group1 is granted access to an object, whereas group2 is denied access to the same object. The end result is that the user is DENIED access to that object.
  • Slide 20
  • Cognos 8 Different Levels of Security. Example of Conflicting Access
  • Slide 21
  • Cognos 8 Different Levels of Security. Example of Conflicting Access
  • Slide 22
  • Cognos 8 Different Levels of Security. Report fails in case of conflicting access
  • Slide 23
  • Cognos 8 Security
    Users
      o A user entry is created and maintained in a third-party authentication provider to uniquely identify a human or a computer account.
      o User entries cannot be created in Cognos 8.
    Groups and Roles
      o Groups and roles represent collections of users that perform similar tasks, or have a similar status in an organization. For example: Employees, Developers, etc.
      o Members of groups can be users and other groups.
      o Group membership is part of the user's basic identity.
  • Slide 24
  • Cognos 8 Security: Structure of Groups and Roles
  • Slide 25
  • Cognos 8 Groups and Roles. Cognos groups and roles should be created when:
      o Groups and roles cannot be created in the authentication provider.
      o Groups and roles are required that span multiple namespaces.
      o Portable groups and roles are required that can be deployed.
      o To address specific needs of Cognos 8 administration.
      o To avoid cluttering your organization's security systems with information used only in Cognos 8.
  • Slide 26
  • Cognos 8 Groups and Roles. The roles used to run reports and jobs are associated with:
      o Who runs the reports interactively.
      o Who the report owners are.
      o Whose credentials are used to run scheduled reports and jobs.
    Depending on the options selected to run reports, different roles can be assumed by the process:
      o The process assumes all the roles associated with the report owner when the report runs with the owner option selected.
      o The session assumes all the roles associated with the user whose credentials were used to process the request when a scheduled report or job runs.
  • Slide 27
  • Cognos 8 Groups and Roles. When a content store is initialized, a set of security objects is created and stored in the Cognos namespace. The initial security policies grant unrestricted access to all objects in the content store to all users. Two kinds of entries are supported:
      o Built-in entries
      o Predefined entries
  • Slide 28
  • Cognos 8 Groups and Roles. Built-in Entries
    The user account Anonymous
      o This entry represents a user account shared by the general public, who can access Cognos 8 without being prompted for authentication.
    The groups All Authenticated Users and Everyone
      o All Authenticated Users: This group represents users who are authenticated by authentication providers.
      o Everyone: This group represents all authenticated users and the Anonymous user account.
    The role System Administrator
      o Members of this special role are considered root users or super users.
      o They may access and modify any object in the content store, regardless of any security policies set for the object.
  • Slide 29
  • Cognos 8 Groups and Roles. Predefined Entries
      o The predefined entries include several Cognos roles.
      o For using predefined roles, it is recommended to modify the initial membership immediately after installing and confi
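
The package, object and data security rules from the "Different Levels of Security" slides above, modelled as an added Python example (not code from the presentation or from Cognos): a Deny from any group overrides an Allow, a report that references a hidden object fails, and Joe's filter returns only issue types greater than 2. The group names, object names, sample rows, the treatment of objects with no Allow, and the OR-combination of filters are assumptions of this sketch.

```python
# Toy model of the Framework Manager rules in the slides (added example).
# Group names, object names and rows are constructed for illustration.

PACKAGE_ROLES = {"group1", "group2"}  # roles granted access to the package

# Object-level security: object -> {group: "allow" | "deny"}
OBJECT_ACL = {
    "Issues.Issue_Type": {"group1": "allow", "group2": "deny"},
    "Issues.Issue_Date": {"group1": "allow"},
}

# Data-level security: group -> security filter on the query subject
DATA_FILTERS = {"group1": lambda row: row["Issue_Type"] > 2}

ROWS = [{"Issue_Type": t, "Issue_Date": f"2015-09-0{t}"} for t in range(1, 6)]


class ReportError(Exception):
    """The report fails instead of returning partial results."""


def can_see(groups, obj):
    """Resolve conflicting access: one Deny outweighs any number of Allows."""
    acl = OBJECT_ACL.get(obj, {})
    decisions = {acl[g] for g in groups if g in acl}
    if "deny" in decisions:
        return False
    # Assumption of this sketch: with no matching Allow the object is hidden.
    return "allow" in decisions


def run_report(groups, items):
    """Apply package, object and data security in turn for one user."""
    groups = set(groups)
    if not groups & PACKAGE_ROLES:
        raise ReportError("package is not accessible to this user")
    hidden = [i for i in items if not can_see(groups, i)]
    if hidden:
        raise ReportError(f"no access to {', '.join(hidden)}")
    # Assumption: filters of several groups combine with OR; none means all rows.
    filters = [DATA_FILTERS[g] for g in groups if g in DATA_FILTERS]
    rows = [r for r in ROWS if not filters or any(f(r) for f in filters)]
    cols = [i.split(".", 1)[1] for i in items]
    return [{c: r[c] for c in cols} for r in rows]
```

Calling `run_report({"group1", "group2"}, ["Issues.Issue_Type"])` raises `ReportError`, which is the conflicting-access failure the slides show; auditing group memberships for such Allow/Deny overlaps before publishing avoids reports that fail only for some users.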