Replacement for Access Manager

[smadanek]

I am beginning research on replacement of the Series 7 Access Manager we are currently using with Cognos 10.  If anyone has any suggestions, please contact me either through this board or private e-mail.

We have a completely Windows environment. However, we operate outside the main IT group and cannot have our own independent copy of Active Directory. We do not want to surrender control of security to the IT group and use one of their instances of Active Directory.

We use single signon for authentication with IT maintained network signon for 99% if the 1800+ users. We have a small population of mostly test accounts that do not use single signon and have to use the Cognos login.

We have over 30,000 user classes.  98% are data access authorizations used by security filters in reporting and analysis packages against relational data and the remaining used in Cognos Content to authorize access to folders and other Cognos objects.

Any suggestions would be welcome.  However, we do not have any budget for custom development. Nor are we sufficiently proficient in the SDK to create our own interface to a secured SQL Server database.

We have developed a Lotus Notes application for user access requests and a distributed authorization workflow.

Ken Adams

[jeffowentn]

You sound like you are in a similar boat as us.  We have about 10k user classes and about 400 users, however we are primarily Planning users only and growing in the BI-side.  Roughly 90% of our users are OS sign-on, and we do not have the rights to manage AD, directly.

Cognos Connection is just not nearly the robust or useful tool as Access Manager for managing bulk changes to security.  I am curious how other places manage their security if they are not using Access Manager.  At some point, we will have to part ways with AM, but I am fearful this will cause us a great deal more maintenance effort when that happens.

[rocket]

Have a peak at BSP Software's new Security Migration Self-Service.  http://www.bspsoftware.com/SMSS.  Migrate namespaces at your pace on your schedule with ease using a combination of our proven security migrator module and step by step documentation!

[cdeehr]

You sound like you are in a similar boat as us.  We have about 10k user classes and about 400 users, however we are primarily Planning users only and growing in the BI-side.  Roughly 90% of our users are OS sign-on, and we do not have the rights to manage AD, directly.

Cognos Connection is just not nearly the robust or useful tool as Access Manager for managing bulk changes to security.  I am curious how other places manage their security if they are not using Access Manager.  At some point, we will have to part ways with AM, but I am fearful this will cause us a great deal more maintenance effort when that happens.

For maintaining security on a go-forward basis, we're using BSP's MetaManager to add Groups, and assign Users to those Groups, instead of using the Portal directly. Another option is the Cognos SDK. We have about 1k users but definitely less than 10k user classes. I'm surprised you have so many...

[jeffowentn]

Chris,

Are you Planning users or just BI users?

Is MetaManager going against an LDAP or AD directly?

Jeff

[bi4u2]

You can have it both ways. You can use the corporate AD to manage users and use the Cognos namespace to manage your security groups. You can create your own groups in the Cognos namespace or use the canned groups, then you simply add users from the main AD. That way IT is involved only when someone is hired/fired and is added to the AD.

[smadanek]

Still looking for the holy grail of a windows ldap product that does not use an separately licensed database.  As I understand it, replacing Access Manager not really a problem until we have to move the Content Store to a 64 bit environment.  The Sun LDAP server version we know have with AM 7.4 keeps on working without complaint. As far as I know there are no license issues even though Sun is now owned by Oracle.

As to the number of user classes. We do cost center/account level security with over 9K cost centers. And then have 3 other management data structures with a different components in their trees that also require detail level access control as they deal with confidential information.  Many consumer users will have access to multiple different userclass trees .  Fortunately the user classes are not too volitile.

ken adams

[deadsea]

Hi Ken:

We are in similar boat as yours and instead of creating new thread, I figured I will post here to get your feedback on how you went about creating the security infrastructure for your implementation. We have very similar requirements as yours (i.e. cost centre level security granularity).

If you dont mind, would you mind posting how you ended up resolving this?

Thanks.

[tlwilson84]

We faced the same issue.  Active Directory wasn't an option for us.  In the end we settled on Motio Persona IQ.  http://www.motio.com/products/persona.do  It has the added benefit of doing the namespace migration for you and preserving all of the CAMIDs/

[AussiePete2011]

Hi there

We're in the same boat and at this stage we're looking at AD LDS (Was ADAM) although the niggling doubt I have is the SSO side.
AD LDS allows you to still maintain control of the security without having to rely on IT provide support.
Installing the AD LDS is quick, and it's not too difficult to setup, my concern at this stage is how to enable SSO.
I'm currently looking at using a proxyuser - http://technet.microsoft.com/en-us/magazine/2008.12.proxy.aspx

So has anyone used AD LDS (ADAM) in cognos and setup SSO using any specific methods?

Cheers
AussiePete