Reduce the number of User Capabilities

[Cog User]

I am looking at the way we adopt our BI security model and am ultimately trying to reduce the number of capabilities a user has. 

We burst a variety of reports at Country Level.  Regional Directors need the ability to see all burst output for countries in their particular region.

As a result we have created within Cognos Connection a role for each of the 4 regions we have and also a role for each of the 246 Countries which make up the regions.  We have made the region a member of the relevant country to create inheritance.  We also make the associated LDAP user class a member of the associated Cognos Connection Object. 

For example the Northern Europe Region Role within Cognos Connection has a member of the Northern Europe User class from the LDAP.  The GB Country Role within Cognos Connection has members of the Northern Europe Region Role from Cognos Connection (to create the inheritance) and the GB user class from the LDAP.

Within the LDAP our Northern Europe director is given the User Class Northern Region.  Our GB Country User is given the User Class of Country GB.  When the GB Country User logs into Cognos Connection he obtains the credentials of the GB Country Role.  When the Northern Europe director logs into Cognos Connection, he obtains the credentials of every Country Role within Northern Europe.

When a Head Office user logs into Cognos Connection, they obtain the credentials of every single country (246 roles), including a number of user classes we use for different security (eg specific business areas).  This blows the limit allowed for this user to log into Metric Studio.


We would like the Northern Europe Regional Director to have the Northern Europe User Class, and to only see this in his credential list (which we can do by breaking inheritance).  We would also like him to have access to any report burst at Country Level within his region.  We would be able to achieve this if we could select 2 different recipients in our burst recipients, which I do not believe is possible.


Please share your comments on how / if we can reduce the number of credentials created.