If you are unable to create a new account, please email support@bspsoftware.com

 

News:

MetaManager - Administrative Tools for IBM Cognos
Pricing starting at $2,100
Download Now    Learn More

Main Menu

Framework Manager & Data Source Security

Started by leithp, 11 Oct 2006 02:25:09 PM

Previous topic - Next topic

leithp

Here's an issue....

If you create a data source and give a group of people traverse and execute on it -- then anyone who manages to get hold of Framework Manager and the server's crypt files -- which you kind of have to pass out to your Framework Manager people, so at that point it's beyond your control.... anyway...

The point here is that anyone who has Framework Manager and Traverse and Execute permissions to a Data Source can essentially browse any data in that data source he or she wants by creating query subjects and using the Test tab in the Query Subject Definition window (as long as you have a signon embedded in that data source with an ID/Password included -- which we'd want to do in general to keep people from having to have passwords we don't want them to have).

Now I can see where you might want to have a lot of people (consumers) be able to run reports based off of a particular data source, but you might not want them to be able to just browse all the data available to that data source.Ã,  In order for them to run a report based off of a data source, as I understand it, they have to have Traverse and Execute permissions to that data source.Ã,  So there's no getting around that.

If I give Joe Blo access to Framework Manager, and Joe gives a copy to, say, Sue (I can't stop him), who is supposed to be just a consumer -- Sue can install Framework Manager.Ã,  And while she won't be able to publish a package, she is free to browse to any data source she has Traverse and Execute on with Framework Manager, and create query subjects, and test them and read columns of data.

This is not good.

Is there a way to tell Cognos to limit which users can even connect with the Framework Manager client?

It would be more efficient to limit access at the Package and Report levels, so that large groups of people may get T&E permissions on a data source so they can run canned reports against them, but only be able to access certain fields via the package or reports, depending on the permissions the architects and report authors gave them.

Thanks,

-P

Blue

If the user has this power with FM (which means that the security in Access Manager allows them) then they could do what you can even easier with a tool like MS Access or MS Excel WITHOUT having FM installed!

I suggest you also keep your copies of FM under stricter control otherwise the license policemen will be at your door. :)

Bluey
Robert Edis
Principal
Robert Edis Consulting
Rotorua, New Zealand

MFGF

Hi,

The answer is not to grant traverse and read privileges to everyone, but just the people you want to have access to the data source.  You can add multiple signons to a datasource in Cognos connection, then secure them for different individuals or groups - the database itself could then be used to limit the data each signon can see.

Hope that helps,

MF.
Meep!