[10.2] Admins cannot see data

[xto]

Hello,
I have hard issue with restrict access to some data in Cognos. We use ldap to control user access. Admins ldap group is assign to Directory Administrators, System Administrators etc. I've created a specific ldap group lets call it "financing-group" which contains only this users who can have access to financial data.
Then I've created the Data source specially for this data. I've removed all access from Directory Administrator for this data source ("Override the access permissions acquired from the parent entry" checked) and I've added all access to financing-group. But... still all users assigned to ldap admin group can connect with this data source and see critical data.
Do you have any idea?

[MFGF]

Hi,

The System Administrators role is special. Anyone who belongs to this is effectively a super-user, with the ability to see and do things even when explicitly denied permissions to do so. This is what you would expect of a System Administrator - you should not be able to lock them out of anything. It is very important that you reserve membership of this role only to the nominated, named system administrator(s) - if not, you are breaking your license agreement with IBM.

Regards,

MF.

[Yunus]

You can setup data security in Framework Manager that will override even the Sys Admin access.  Apply a mandatory filter (that returns 0 results)to all queries run against that table unless the person is a member of the "financing-group".

The issue there is that the person who uses FM is likely your Sys Admin.

[MFGF]

The other issue is that anyone in the System Administrator's role can use Report Studio and has access to user-defined SQL. They could easily override the FM-implemented filter simply by modifying the predicate in the query.

MF.