Help needed on creation of user and granting roles.

[10e5x]

Background:
Cognos 10.1.1 64bit
Oracle 11g R2 64bit
Windows 7 OS 64bit
IIS 7x

Scenario:
Users(3 groups):
                     Students, lecturers and companies(outside the network)
Accessibility:
                     Individual student able to access only reports done by themselves and reports in public folder. Should be able to access cognos even at home.
                     Lecturers able to access all students's work in his/her class.
                     Companies will be able to access some specific reports done by student or lecturer.(not in the same network)               
Goals:
                     As cognos does not have any user creation function and roles allocation, i would like to consult the pros out here what are the best authentication should i use in this scenario? I am an intern given the task to explore this project which my school is going to deploy. My school would like to give practical lesson on cognos and even assignment to students starting next semester, and would also like to invite some companies to participate. We used to do it through cloud but there are no authentication at all, and it is not very stable. Therefore we scraping it. 


Thank you in advance, and any inputs will be appreciated. I really lost, dk how to start on this proj, so please help. If find my above description not clear, i am willing to clarify.

[RKMI]

Hi,

Solution:

Create 3 roles Stud, Lect, and Comp.
In Cognos connection assign 2 folders. Student Workarea, and Comp Workarea. Set the Student Workarea premission as Lect Grant all read, write,... Student to read, write execute & traverse and deny access for comp. Than create sub folder with each student and assign the folder to the specfic student with read, write execute & traverse, add the lect with full access and  deny the access for the student role for that folder.

Comp workarea folder give the comp and lect role with all premissions. so when you have reports ready to present to a comp the lect would copy it from the specific stud folder and paste in to the comp workarea.

Note: Remember wherever you place the packages maybe in the seperate location give access for all 3 roles to read, excute and traverse. And Set policy access to the admin or the FM developer.

You might need to make some minor changes to the above procedure but this is the jist of it, hope this helps and makes sense.

Thanks,
RK

[10e5x]

Hi,

Solution:

Create 3 roles Stud, Lect, and Comp.
In Cognos connection assign 2 folders. Student Workarea, and Comp Workarea. Set the Student Workarea premission as Lect Grant all read, write,... Student to read, write execute & traverse and deny access for comp. Than create sub folder with each student and assign the folder to the specfic student with read, write execute & traverse, add the lect with full access and  deny the access for the student role for that folder.

Comp workarea folder give the comp and lect role with all premissions. so when you have reports ready to present to a comp the lect would copy it from the specific stud folder and paste in to the comp workarea.

Note: Remember wherever you place the packages maybe in the seperate location give access for all 3 roles to read, excute and traverse. And Set policy access to the admin or the FM developer.

You might need to make some minor changes to the above procedure but this is the jist of it, hope this helps and makes sense.

Thanks,
RK

WOW IT DEFINATELY HELPS. Thanks alot, this has given me a clearer overview. However i am hinted by my supervisor to research on using LDAP(yet he not willing to help). I researched on it. LDAP such as SUN ONE seems to be a good authentication provider but it is very complex. RKMI, do you have any tutorials in helping me to integrate LDAP with Cognos?

[RKMI]

I don't have any tutorials as such but, you can search for cognos ldap intergration there should a be pdf doc showing the steps. If not once you have the LDAP running then you just need to go into cognos configuration in your content manager tier do the following,

1 - In the Explorer window, under Security, right-click Authentication, and then click New resource, Namespace.

2 - In the Name box, type a name for your authentication namespace.

3 - In the Type list, click the appropriate namespace and then click OK.

4 - The new authentication provider resource appears in the Explorer window, under the Authentication component.

5 - In the Properties window, for the Namespace ID property, specify a unique identifier for the namespace.

6 - Specify the values for all other required properties to ensure that IBM Cognos 8 components can locate and use your existing authentication provider.

7 -  If you want the LDAP authentication provider to bind to the directory server using a specific Bind user DN and password when performing searches, then specify these values.

If no values are specified, the LDAP authentication provider binds as anonymous.

If external identity mapping is enabled, Bind user DN and password are used for all LDAP access. If external identity mapping is not enabled, Bind user DN and password are used only when a search filter is specified for the User lookup property. In that case, when the user DN is established, subsequent requests to the LDAP server are executed under the authentication context of the end user.

8 - If you do not use external identity mapping, use bind credentials for searching the LDAP directory server by doing the following:

Ensure that Use external identity is set to False.

Set Use bind credentials for search to True.

Specify the user ID and password for Bind user DN and password.

If you do not specify a user ID and password, and anonymous access is enabled, the search is done using anonymous.

9 - Check the mapping settings for required objects and attributes.

   Depending on the LDAP configuration, you may have to change some default values to ensure successful communication between IBM Cognos 8 components and the LDAP server.

    LDAP attributes that are mapped to the Name property in Folder mappings, Group mappings, and Account mappings must be accessible to all authenticated users. In addition, the Name property must not be blank.

10 - From the File menu, click Save.

11 - Test the connection to a new namespace. In the Explorer window, under Authentication, right-click the new authentication resource and click Test.

Thanks,
RK

[10e5x]

Hi RK, i am out from my workplace today so unable to try steps mentioned by you. I came in just to show my appreciation and would like to thank you very much for your replies. Cuz it seems quite 'dead' at my other post.

[RKMI]

You are welcome. Glad I can help  ;D

RK

[10e5x]

Rk, u really know your stuffs. Btw someone once suggested to me using NTLM however my supervisor insisted saying on using LDAP for authentication.
For my scenario, which ldap(cuz there seems to be alot out there) do u recommend me to install on my windows 7 64bit os?
My cognos and oracle database are in 32 bit. Working in a school environment. Mostly for teaching purposes but need to be able to access cognos from home.

My supervisor asked me to try to look for those free open source. haha budget dept. I am thinking OpenLDAP, what do you think? I want it simple to install and configure and hopefully free. (cuz i too noob)

Many grateful thanks to you. This qns not so urgent, take your time reply :)

With respect and appreciation,
10e5x

[RKMI]

Hi, You might want to post a new tread in adminstration for OpenLDAP with Cognos since I have not used it.

Here is a good document to read through for LDAP security which is very helpful
http://www.ibm.com/developerworks/data/library/cognos/page64.html

If you are planning on using Window 7 as you BI Server along oracle database ( Content Store and other internal Databases)
make sure you hardware can support it. My recommendation is to keep you BI server standalone and the DB server on another one you will avoid many contention issues between your BIBus vs DB resources in case they reside on the same machine.

Thanks,
RK

[10e5x]

Hi, You might want to post a new tread in adminstration for OpenLDAP with Cognos since I have not used it.

Here is a good document to read through for LDAP security which is very helpful
http://www.ibm.com/developerworks/data/library/cognos/page64.html

If you are planning on using Window 7 as you BI Server along oracle database ( Content Store and other internal Databases)
make sure you hardware can support it. My recommendation is to keep you BI server standalone and the DB server on another one you will avoid many contention issues between your BIBus vs DB resources in case they reside on the same machine.

Thanks,
RK

Thanks RK, i have read it and up till now i only have achieve installing it on one computer. can i ask u, what steps i need to do, in order for another computer to access my cognos content? I tried entering the installed computer ip address followed by /cognos as the url, it doesnt work as expected haha.

[10e5x]

Hi RK, i have read through the downloaded and read through the document. I have decided to use Active Directory with my cognos. Could u kindly refer to me any good tutorials on installation and creation of users to kick start me?

[10e5x]

Hi Rk, i know u have been busy, just to update you i think i have successfully authenticate user against the active directory using LDAP.Thanks, your previous post helped me to get to where i am. However now i am faced with another problem. I am newly tasked to explore to see if cognos will be able to authenticate with a database (such as oracle)? Meaning in the database i create a Table name Students with attributes such as First Name, Last Name, UserID, Password and Role. Is it possible to configure cognos to be able to authenticate against this database?

Look forward to your 'wow' input.

Thanks,
10e5x