Академический Документы
Профессиональный Документы
Культура Документы
Table of Contents
12 Appendix
Some examples of insight into the details of Cognos security in a BI environment.
All trademarks mentioned herein are the property of their respective owners. © 2015 Envisn Information Solutions. All rights reserved.
Mastering IBM Cognos Security 3 of 24
All trademarks mentioned herein are the property of their respective owners. © 2015 Envisn Information Solutions. All rights reserved.
Mastering IBM Cognos Security 4 of 24
All trademarks mentioned herein are the property of their respective owners. © 2015 Envisn Information Solutions. All rights reserved.
Mastering IBM Cognos Security 5 of 24
Figure 1 shows an
example of how a simple
view of how groups and
accounts can be part of
other groups.
All trademarks mentioned herein are the property of their respective owners. © 2015 Envisn Information Solutions. All rights reserved.
Mastering IBM Cognos Security 6 of 24
In addition to these permissions there are other important rules which Figure 2 shows the permissions applied
influence a user’s access to and available actions on an object. to the folder labeled BI Sales.
All trademarks mentioned herein are the property of their respective owners. © 2015 Envisn Information Solutions. All rights reserved.
Mastering IBM Cognos Security 7 of 24
If you want to clear any overridden permissions on the However, when security is overridden at lower levels in the object
descendants of an object then check the ‘Delete the access hierarchy it becomes difficult to determine where these overrides
permissions of all child entries’ option on the permissions form. exist and what impact they have. This is another case where third
party software tools can be very helpful in finding where this
occurs.
Figure 3 shows an
example of this. Write
access is denied to
Duncan Reilly’s account
for the report labeled
Customer. Finding this
within Cognos itself
could be difficult.
All trademarks mentioned herein are the property of their respective owners. © 2015 Envisn Information Solutions. All rights reserved.
Mastering IBM Cognos Security 8 of 24
Access Permissions
Unlike other Content Store objects, the only Access Permissions
which affect the Capabilities are Traverse and Execute. Other than
that, these permissions follow the same rules described above,
including Group / Role Membership, Traverse Access, and Granted
and Denied Access.
License Compliance
IBM Cognos BI licenses are usually based upon (in part) access to
various Features, such as Query Studio, Report Studio, Analysis
Studio, PowerPlay Studio, Cognos Viewer and Administration.
All trademarks mentioned herein are the property of their respective owners. © 2015 Envisn Information Solutions. All rights reserved.
Mastering IBM Cognos Security 9 of 24
Object Capabilities
Starting with IBM Cognos BI 8.3, it is possible to define Capability
permissions on individual Packages and Folders. Giving an
Account, Group or Role permission at this level also requires
permission in Global Capabilities. As you can see from what we have covered
so far, Cognos Security can get
In the case of Folders, Capability permissions are applied to all
descendants. complicated and confusing.
All trademarks mentioned herein are the property of their respective owners. © 2015 Envisn Information Solutions. All rights reserved.
Mastering IBM Cognos Security 10 of 24
Secure sensitive data from unwarranted access, but allow the Add all accounts to just a single group and manage all access
necessary data to be available to all business intelligence using the Cognos namespace groups and roles.
consumers.
Groups or Roles
Control access to Cognos BI capabilities, both globally and
package based, so that content is created and distributed by Group and role objects in the Cognos namespace behave almost
approved authors, and that Cognos license limits are respected. identically. The difference is that groups can contain only accounts
and other groups, while roles can contain accounts, groups and
The best practices described here may not be the best in all other roles.
environments but will hopefully help those new to Cognos BI or for
those about to refactor how Cognos security is set up.
Group Role
Use Existing Groups Account Group Account Group Role
If your external security is also used in a corporate environment
it is likely that the accounts are maintained in an organization of
groups. Study this organization to see if it can be used to control Organizing multiple groups in a role could get complicated very
access in Cognos, probably to content. quickly, but it may make sense if you use the role for broad access
control and the groups for limited access.
Instead, you may be using an external security specifically for
Cognos, such as Cognos Series 7. Because an account must A simpler rule to follow would be to use roles to control access to
belong to a group in Series 7 in order to be recognized by Cognos capabilities, and groups to manage access to content.
BI, you have a couple of choices:
All trademarks mentioned herein are the property of their respective owners. © 2015 Envisn Information Solutions. All rights reserved.
Mastering IBM Cognos Security 11 of 24
By following many of these best practices you can establish some structure to how
security is applied that will help keep order in this area as your BI environment grows and
changes. Without this, you are more likely to evolve quickly into a situation where your
security is complicated and difficult, or impossible, to maintain.
All trademarks mentioned herein are the property of their respective owners. © 2015 Envisn Information Solutions. All rights reserved.
Mastering IBM Cognos Security 12 of 24
Appendix
Figure 1 shows an example of how a simple view of how groups and accounts can be part of other groups. This can be helpful in seeing
how they relate to each other.
All trademarks mentioned herein are the property of their respective owners. © 2015 Envisn Information Solutions. All rights reserved.
Mastering IBM Cognos Security 13 of 24
All trademarks mentioned herein are the property of their respective owners. © 2015 Envisn Information Solutions. All rights reserved.
Mastering IBM Cognos Security 14 of 24
Figure 3 shows an example of this. Write access is denied to Duncan Reilly’s account for the report labeled Customer. Finding
this within Cognos itself could be difficult.
All trademarks mentioned herein are the property of their respective owners. © 2015 Envisn Information Solutions. All rights reserved.
Mastering IBM Cognos Security 15 of 24
Figure 4 shows that the 13 people that have access to Analysis Studio within the Cognos environment.
All trademarks mentioned herein are the property of their respective owners. © 2015 Envisn Information Solutions. All rights reserved.
Mastering IBM Cognos Security 16 of 24
This analysis also provides the detail on all 1,580 objects that
Duncan Reilly has access to. An example of this organized by
folder is shown in figure 5B.
All trademarks mentioned herein are the property of their respective owners. © 2015 Envisn Information Solutions. All rights reserved.
Mastering IBM Cognos Security 17 of 24
Figure 5B – We can also see the detail for all of the 1,580 objects
organized by folder.
All trademarks mentioned herein are the property of their respective owners. © 2015 Envisn Information Solutions. All rights reserved.
Mastering IBM Cognos Security 18 of 24
All trademarks mentioned herein are the property of their respective owners. © 2015 Envisn Information Solutions. All rights reserved.
Mastering IBM Cognos Security 19 of 24
All trademarks mentioned herein are the property of their respective owners. © 2015 Envisn Information Solutions. All rights reserved.
Mastering IBM Cognos Security 20 of 24
All trademarks mentioned herein are the property of their respective owners. © 2015 Envisn Information Solutions. All rights reserved.
Mastering IBM Cognos Security 21 of 24
Figure 8A – Having a tool with a built in Security Editor for Cognos can greatly simplify the process of managing security.
All trademarks mentioned herein are the property of their respective owners. © 2015 Envisn Information Solutions. All rights reserved.
Mastering IBM Cognos Security 22 of 24
All trademarks mentioned herein are the property of their respective owners. © 2015 Envisn Information Solutions. All rights reserved.
Mastering IBM Cognos Security 23 of 24
All trademarks mentioned herein are the property of their respective owners. © 2015 Envisn Information Solutions. All rights reserved.
Mastering IBM Cognos Security 24 of 24
Contact Envisn
All trademarks mentioned herein are the property of their respective owners. © 2015 Envisn Information Solutions. All rights reserved.