Embed Size (px)
Citation preview
Internal and Confidential
COGNOS 8 - Implementing SecurityCognos CoE
April 19, 2023
Introduction
•Cognos 8 security is designed to meet the need for security in various situations.
•Easy to integrate with existing security infrastructure.
•Cognos 8 has its own namespace called Cognos.
•It can be built on top of one or more third party authentication providers used to define and maintain users, groups and roles.
•Security in Cognos 8 is optional, all user access will be anonymous with limited, read - only access.
April 19, 2023
Introduction
•Authentication Providers
o User authentication in Cognos 8 is managed by third-party authentication providers.
o Authentication providers define users, groups, and roles used for authentication.
o In case of multiple namespaces, namespace should be selected at the start of session and can log on to other namespace later in the session.
April 19, 2023
Introduction
•Following authentication providers are supported in Cognos 8 :
o Third party LDAP server that supports version 3 of the LDAP protocol for user authentication.
o The namespace in the directory server used for your Cognos Series 7 products.
o Windows Native security (NTLM), either your LAN security or users on your local computer
o SAP namespace.
o Active directory namespace
o Netegrity SiteMinder
April 19, 2023
Introduction
•Authorization
o Authorization is the process of granting or denying users access to data, and permission to perform activities on that data, based on their signon identity.
o Cognos 8 authorization assigns permissions to users, groups, and roles that allow them to perform actions, such as read or write, on content store objects, such as folders and reports.
o The content store can be viewed as a hierarchy of data objects like folders , reports and packages.
April 19, 2023
Introduction
•Cognos Namespace :
o The Cognos namespace is the Cognos 8 built-in namespace. It contains the Cognos objects, such as groups, roles, data sources, distribution lists, and contacts.
o During the content store initialization, built-in and predefined security entries are created in this namespace.
o Use of cognos groups and roles contained in Cognos namespace is optional.
o The groups and roles created in the Cognos Namespace repackage the users, groups and roles existing in authentication providers for optimized use in the Cognos 8 Environment.
April 19, 2023
Cognos 8 Different Levels of Security.
• Different Types of security that can be incorporated at Model Level:
oPackage Level security.
oData Level security.
oObject Level security
April 19, 2023
Cognos 8 Different Levels of Security.
•Package Level Security
o Package level security can be implemented in Framework manager.
o Roles that have access to the package can be specified.
o If the role is not specified in Framework manager ,then package will be inaccessible to any role from Cognos Connection.
April 19, 2023
Cognos 8 Different Levels of Security.
Step 1:
April 19, 2023
Cognos 8 Different Levels of Security.
Step 2:
April 19, 2023
Cognos 8 Different Levels of Security.
•Data Level Security
o It’s also possible to restrict part or all of the data that a particular Query Subject returns to a user or group of users by applying a security filter on the Query Subject in Framework Manager.
o The security filter can make use of macros or parameter maps to further enhance the abilities of the filter.
o You can specify data security by highlighting the object you wish to filter and then right click and select “Specify Data Security” .
o In the window that opens you can select the groups or users you wish to filter and either create a new filter or use an existing filter condition to apply to the user or group.
April 19, 2023
Cognos 8 Different Levels of Security.
Step 1:
April 19, 2023
Cognos 8 Different Levels of Security.
Step 2:
April 19, 2023
Cognos 8 Different Levels of Security.
• After publishing the package now when a user or a role defined in the Data Security window runs a report they are only permitted to see the data for which the filter applies.
• For example if Joe logged into Query studio and created a report with Issue_Type and Issue_Date he only will only see the issue types which are greater than 2.
April 19, 2023
Cognos 8 Different Levels of Security.
April 19, 2023
Cognos 8 Different Levels of Security.
•Object Level Security
o It is possible to restrict access to specific objects in a project. For Example:- if you have a user or group of users who you don’t
want access to a particular Namespace then you can remove access to that Namespace for that user or group of users.
o Objects which can have security applied include namespaces, query subjects, query items, filters and folders. You can either Allow (make visible) or Deny (not visible) access to these objects.
o Ensure while granting access to an object that the user or group of users you are granting access to, also have access to the package that contains them.
April 19, 2023
Cognos 8 Different Levels of Security.
April 19, 2023
Cognos 8 Different Levels of Security.
• When running a report in which a user or group of users does not have access to one or more objects in the report (ie a query item, or query subject) then the report will fail
April 19, 2023
Cognos 8 Different Levels of Security.
• It is also possible that a user is a member of more than one group, and the groups have conflicting access to an object.
• For instance the group1 group is granted access to an object, where as the group2 group is denied access to the same object. The end result is the user is DENIED access to that object.
April 19, 2023
Cognos 8 Different Levels of Security.
Example of Conflicting Access
April 19, 2023
Cognos 8 Different Levels of Security.
Example of Conflicting Access
April 19, 2023
Cognos 8 Different Levels of Security.
Report fails in case of conflicting access
April 19, 2023
Cognos 8 Security
•Userso A user entry is created and maintained in a third-party
authentication provider to uniquely identify a human or a computer account.
o User entries cannot created in Cognos 8.
•Groups and Roleso Groups and roles represent collections of users that perform similar
tasks, or have a similar status in an organization. For Example: Employees, Developers etc.
o Members of groups can be users and other groups.
o Group membership is part of the users’ basic identity.
April 19, 2023
Cognos 8 Security
• Structure of Groups and Roles
April 19, 2023
Cognos 8 Groups and Roles.
•Cognos Groups and Roles should be created when:
o Groups and Roles cannot be created in authentication provider.
o Groups and Roles are required that span multiple namespaces.
o Portable Groups and Roles are required that can be deployed.
o To address specific needs of Cognos 8 Administration.
o To avoid cluttering your organization security systems with information used only in Cognos 8.
April 19, 2023
Cognos 8 Groups and Roles.
•The roles used to run reports and jobs are associated with o Who runs the reports interactively.o Who are the report owners.o Whose credentials are used to run scheduled reports and jobs.
•Depending on the options selected to run reports, different roles can be assumed by the process
o The process assumes all the roles associated with the report owner when the report runs with the owner option selected.
o The session assumes all the roles associated with the user whose credentials with the user whose credentials were used to process the request when a scheduled report or job runs.
April 19, 2023
Cognos 8 Groups and Roles.
• When a content store is initialized, a set of security objects is created and stored in the Cognos namespace.
• The initial security policies grant unrestricted access to all objects in the content store to all users.
• Two kinds of entries supported oBuilt-in EntriesoPredefined Entries
April 19, 2023
Cognos 8 Groups and Roles.
•Built-in Entries
•User Account – Anonymous This entry represents a user account shared by general public who can access Cognos8 without being prompted for authentication.
•The Groups – All Authenticated Users and Everyoneo All Authenticated Users: This group represents users who are
authenticated by authentication providers.o Everyone: This group represents all authenticated users and
Anonymous user account.
•The role – System Administratoro Members of this special role are considered root users or super
users.o They may access and modify any object in the content store,
regardless of any security policies set for the object.
April 19, 2023
Cognos 8 Groups and Roles.
•Predefined Entries
o The predefined entries include several Cognos roles.o For using predefined roles, it is recommended to modify the initial
membership immediately after installing and configuring Cognos8.o The predefined roles include the following:
Consumers Members can read and execute public content, such as reports.
Query Users Members have the same access permissions as consumers. They can also use Cognos Query studio.
Authors Members have the same access permissions as Query Users.
They can use cognos Report studio and save public content , such as report and report output.
Report administrators Members can administer the public content, for which they have full access, also can use Cognos Report studio and Cognos Query Studio.
Server administrators Members can administer servers, dispatchers and jobs.
April 19, 2023
Cognos 8 Groups and Roles.
Directory Administrators
In the Cognos namespace, they administer groups,
accounts, contacts, distribution lists, data sources, and
printers.
Metrics Administrators
Members can administer Metric packages and tasks in Cognos Connection.
Metrics Authors Members can create and edit scorecard applications in
Metric Studio.
Metrics Users Members can monitor performance in Metric Studio.
Portal Administrators Members can administer the Cognos portlets and
third-party portlets in Cognos Connection. This
includes importing and customizing portlets, defining
portlet styles, and setting access permissions for
portlets.
Controller Users Members have general access to Cognos Controller
menus.
Controller Administrators
Members have full access to Cognos Controller menus
and can create individual Cognos Controller users and
define their limitations.
April 19, 2023
Creating Cognos 8 Groups and Roles.
• Cognos Connection ->Tools -> Directory -> Users, Groups and Roles.
April 19, 2023
Creating Cognos 8 Groups and Roles.
• Click on the Cognos Namespace. List of groups and roles will be displayed.
April 19, 2023
Creating Cognos 8 Groups and Roles.
• To delete a cognos group or role, select it and click on delete button.
April 19, 2023
Creating Cognos 8 Groups and Roles.
• To create a new role/group click on new role/group button and then specify name and description and click on Next.
April 19, 2023
Creating Cognos 8 Groups and Roles.
• Add or remove the roles or groups needed to be added to this new role.
April 19, 2023
Creating Cognos 8 Groups and Roles.
• Click on Add and select a namespace to add the items into the New Role.
April 19, 2023
Creating Cognos 8 Groups and Roles.
•Select the entries and click on arrow to put them into selected entries. Click on Ok after the process is over.
April 19, 2023
Creating Cognos 8 Groups and Roles.
•Click on the Finish button.
April 19, 2023
Creating Cognos 8 Groups and Roles.
•A new role role-example is created.
April 19, 2023
Creating Cognos 8 Groups and Roles.
•To create a New Group, click on New Group icon.
April 19, 2023
Creating Cognos 8 Groups and Roles.
•To create a New Group, click on New Group icon and click on Next button.
April 19, 2023
Creating Cognos 8 Groups and Roles.
•Add or remove the items in new group wizard.
April 19, 2023
Creating Cognos 8 Groups and Roles.
•Select a namespace and then select the required items and click Ok.
April 19, 2023
Creating Cognos 8 Groups and Roles.
•Click on Finish.
April 19, 2023
Creating Cognos 8 Groups and Roles.
•A new group is created.
April 19, 2023
Cognos 8 Permissions.
•In Cognos 8, organization’s data can be secured by setting access permissions for the entries.
•The kind of access and actions to be performed by the users and groups to a specific report or other content in Cognos 8 can be specified.
•While setting access permissions, both authentication provider users, groups and roles and Cognos groups and roles can be referenced.
•Different kind of access permissions available in Cognos8 - o READo WRITEo EXECUTEo SET POLICYo TRAVERSE
April 19, 2023
Cognos 8 Permissions.
• Users must have at least traverse permissions for the parent entries of the entries they want to access.
• Permissions for users are based on permissions set for individual user accounts and for the namespaces, groups, and roles to which the users belong.
• Cognos 8 supports combined access permissions, when users who belong to more than one group log on, they have the combined permissions of all the groups to which they belong.
April 19, 2023
Cognos 8 Permissions.
•Permissions can be set for :o Packageo Foldero Report
•For explicitly setting the permissions, click the set properties icon and override parents permissions.
•New roles can be added and existing one deleted and access permissions can be applied.
April 19, 2023
Cognos 8 Permissions.
•Click on the Set Properties icon.
April 19, 2023
Cognos 8 Permissions.
•Click on Permissions tab, and check the override permissions checkbox.
April 19, 2023
Cognos 8 Permissions.
•Select the roles and then apply the access permissions accordingly.
