How to restrict access to packages in Cognos Connections

Started by rakesh411, 18 Dec 2013 12:43:23 PM

rakesh411

Hello everyone,

I've read through the posts on this site as well as others but just couldn't find anything that would work for me.

I've created 4 packages.  I'd like to set it up in such a way that users in the Authors role cannot see one of these packages when they log into Cognos Connections.  I've tried everything I can think of / read about in regards to setting up security but nothing seems to make a difference - the user can still see all 4 packages.  This user is not even a member of the Authors role.  In fact, any logged in user can see all 4 packages.

Does anyone know what combination of roles / groups I need to define to set this up?   Please let me know if you need any additional info / screencaps.

Background Info

I'm running Cognos 10.1.  I've set up an LDAP namespace in addition to the default "Cognos" namespace and have enabled LDAP authentication (to log into Cognos Connections you have to enter an intranet ID / password).  I've confirmed that LDAP authentication works.

I've removed the "Everyone" group from each of the roles by going to Administration --> Security --> Cognos.  Then I select each of the roles --> Set Properties --> Members --> remove "Everyone" if it's part of the Role. 

I've added the Authors role with "Read" permissions to the Cognos namespace.  I've removed all other roles / groups from here.  I didn't deny any permissions explicitly to the Authors role.

I've also added the Authors role to the package itself and granted "Read" and "Execute" and "Traverse" permissions.  I've denied it "Write" and "Set Policy" explicitly.  I've removed all other roles / groups from the package.

If it makes a difference, I see both the "Cognos" namespace and the LDAP namespace when I go to the Security tab.  They both have check marks under the "Active" column.

Thanks for any advice,

Rakesh T.

MFGF

Quote from: rakesh411 on 18 Dec 2013 12:43:23 PM
I've created 4 packages.  I'd like to set it up in such a way that users in the Authors role cannot see one of these packages when they log into Cognos Connections.  I've tried everything I can think of / read about in regards to setting up security but nothing seems to make a difference - the user can still see all 4 packages.  This user is not even a member of the Authors role.  In fact, any logged in user can see all 4 packages.

Hi,

Find the relevant package folder in Cognos Connection and go into its properties. Go to the Permissions tab and look at who has permissions to the package folder. If necessary, amend the permissions to remove all currently specified users/groups/roles from the list and add in just the Authors role (from the Cognos namespace) with Traverse, Read and Execute privileges granted. Having done this, only members of the Authors role should have access to the package.

MF.
Meep!

rakesh411

Thanks for the reply.  Unfortunately I tried that but the user can still see all packages and isn't a member of the Authors role.  I've attached a screencap of the package permissions.

MFGF

If the only role to have explicit permissions is the Authors role and the user can still see the folder when he isn't a member of the Authors role, something else is going on.

My guess would be that the "Everyone" group is a member of the System Administrators role in the Cognos namespace? System administrators can see and do everything regardless of permissions...

MF.
Meep!

rakesh411

You're right - I didn't see the option to go to a second page of Cognos roles / groups :)  I removed the Everyone from the SystemAdministrators group and the packages are hidden now.

I have a new problem though.  When trying to log in the user gets error: the search path "storeID("")" is invalid.

I'll look into this separately though.  Thanks for the help, it got me one step further!

Rakesh T.

MFGF

What permissions does the user have to the main Cognos Connection page? Use the properties button at the top of the Public Folders root and see what the permissions are set to...

MF.
Meep!

rakesh411

I have this working now.  Here are the settings I used.  It includes the Public folders permissions as requested.

- Cognos namespace permissions --> Authors = Read Execute Traverse.
  --> Removed all other roles.

- Additional LDAP namespace permissions --> Authors = Read Execute Traverse.
  --> LDAP namespace itself is included in the Permissions = Read and Traverse.
  --> Removed all other roles.

- Removed Everyone group from all built-in Cognos Roles / Groups.

- Added new group called "Report Authors" to the built in Cognos namespace.

- Added users from LDAP as Members to newly created "Report Authors" group.  Then I denied the Everyone group all rights to this group under Permissions.  Removed all other roles.

- Added Report Authors group as a member of the built-in Cognos Authors role.  Set Permissions for Authors role as Read Execute Traverse.  Removed all other roles. I did not have to add the Report Authors group under the Permissions tab of the Author role, only under the Members tab.

- Added Authors role and Report Authors group to the permissions of the required packages with Execute and Traverse.  Removed all other roles.

- Added "Report Authors" group to the Public Folder Permissions with Read Execute Traverse.  Left permissions for all other roles as is (default).
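
Added example (not part of any post in this thread, and not Cognos code or a Cognos API): a small Python model of what the thread worked out, namely that nested membership of Everyone in System Administrators bypasses a package's permission list, plus an audit that lists every role all logged-in users inherit through Everyone. The data, the `ldap:*` user names and the "any grant means visible" rule are constructed simplifications.

```python
# Constructed model of the thread's setup; not Cognos code and not a Cognos API.
EVERYONE = "Everyone"
SYSADMINS = "System Administrators"

def effective_principals(principal, members):
    """Groups/roles held by `principal`, following nested membership.

    `members` maps each group or role to its direct members. Assumption:
    every logged-in user is implicitly a member of Everyone.
    """
    held = {principal, EVERYONE}
    changed = True
    while changed:                      # repeat until no new container is found
        changed = False
        for container, direct in members.items():
            if container not in held and held & direct:
                held.add(container)
                changed = True
    return held

def can_see(user, acl, members):
    """Simplified check: admin bypass first, then any grant on the object."""
    held = effective_principals(user, members)
    if SYSADMINS in held:               # admins are not limited by the ACL
        return True
    return any(acl.get(p) for p in held)

def inherited_by_everyone(members):
    """Audit: groups/roles every logged-in user holds through Everyone."""
    return sorted(effective_principals(EVERYONE, members) - {EVERYONE})

# Constructed sample data; the ldap:* user names are hypothetical.
PACKAGE_ACL = {"Authors": {"Read", "Execute", "Traverse"}}
BEFORE = {                              # state that caused the original problem
    SYSADMINS: {EVERYONE},
    "Authors": {"Report Authors"},
    "Report Authors": {"ldap:alice"},
}
AFTER = {**BEFORE, SYSADMINS: {"ldap:admin"}}   # Everyone removed from admins

if __name__ == "__main__":
    for label, m in (("before", BEFORE), ("after", AFTER)):
        print(label, "inherited by Everyone:", inherited_by_everyone(m))
        for user in ("ldap:alice", "ldap:bob"):
            print("  ", user, "sees package:", can_see(user, PACKAGE_ACL, m))
```

An empty result from `inherited_by_everyone` is the state to aim for before relying on per-package permissions; any role it returns is effectively granted to all logged-in users.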