After Migration from 10.1 to 10.2, Everyone has access to Everything

[alaricb@ca.ibm.com]

We've got a fairly mysterious issue on our Cognos 10.2 BI Server. We recently migrated from 10.1 to 10.2, by performing an export of the full content store in 10.1, and then importing it into 10.2. We imported security information as well, by checking the appropriate box during the export and import. However, it now appears that everyone has full permissions to everything. We ran into this issue while trying to restrict Executive Dashboard access. If I pick a package (or capability) and override the parent group's settings to deny all permissions to the Cognos "Everyone" group, I can still see/modify the package, and when I click "view my permissions", it shows that I have all five. I've removed myself from all of the LDAP access control groups that we use, to make sure that is not the issue.

Is this an issue that anybody else has run into in a migration? If so, is there a fix?

Thanks,

Alaric

[cognostechie]

I am not sure because I have not upgraded to 10.2 yet but to resolve this, how about doing a backup and restore of the Content Store DB instead of exporting and importing the Content Store from Cognos.

[MFGF]

We've got a fairly mysterious issue on our Cognos 10.2 BI Server. We recently migrated from 10.1 to 10.2, by performing an export of the full content store in 10.1, and then importing it into 10.2. We imported security information as well, by checking the appropriate box during the export and import. However, it now appears that everyone has full permissions to everything. We ran into this issue while trying to restrict Executive Dashboard access. If I pick a package (or capability) and override the parent group's settings to deny all permissions to the Cognos "Everyone" group, I can still see/modify the package, and when I click "view my permissions", it shows that I have all five. I've removed myself from all of the LDAP access control groups that we use, to make sure that is not the issue.

Is this an issue that anybody else has run into in a migration? If so, is there a fix?

Thanks,

Alaric

It sounds to me like everyone (the Everyone group) is a member of the System Administrator's role? Anyone who belongs to this role can see and do anything, regardless of what permissions are defined...

MF.

[Raghuvir]

We've got a fairly mysterious issue on our Cognos 10.2 BI Server. We recently migrated from 10.1 to 10.2, by performing an export of the full content store in 10.1, and then importing it into 10.2. We imported security information as well, by checking the appropriate box during the export and import. However, it now appears that everyone has full permissions to everything. We ran into this issue while trying to restrict Executive Dashboard access. If I pick a package (or capability) and override the parent group's settings to deny all permissions to the Cognos "Everyone" group, I can still see/modify the package, and when I click "view my permissions", it shows that I have all five. I've removed myself from all of the LDAP access control groups that we use, to make sure that is not the issue.

Is this an issue that anybody else has run into in a migration? If so, is there a fix?

Thanks,

Alaric

Hi,

it is recommeded to take a back up of the content store database and restore it on the new cognos configuration, by doin that all the rights get updated as it is from your previous version. By taking  full content store back up from the cognos connection, there is a loss of "My Folders" of the users.

recently we have done an upgrade from 8.4 to 10.2.1 and we performed a content store database back up and restored it in the new version which preserved the integrity of the user permissions.

Regards

[alaricb@ca.ibm.com]

MFGF hit the nail on the head. The Everyone group had the System Administrator role. I don't know who made that change, but I removed it and the issue is solved. Thanks everyone!

[cognostechie]

Now that you say I remember, it did the same thing when we upgraded to 10.2.1 !

[prikala]

When you first started your 10.2 environment, Everyone was added to system administrators.
When you imported your contentstore deployment archive, existing memberships were not removed.
You need to manually remove Everyone from default locations.

It would be nice to have "Remove Everyone from default locations" tool...

[MFGF]

MFGF hit the nail on the head. The Everyone group had the System Administrator role. I don't know who made that change, but I removed it and the issue is solved. Thanks everyone!

I'm pretty sure this is because you created and initialised a new content store database, rather than re-using the existing content store. When you set up and initialise a new content store, the initial security model is to be open - everyone has System Admin privileges. For a new installation, there's then a process of adding a security provider, turning off anonymous access, then locking down the desired functions (including adding the relevant users to the System Administrator's role and removing the Everyone group from it).

Because you restored your existing content store deployment after initialising the new content store, the content and security definitions from the deployment were added to your new, initialised content store. Nothing was removed, though. This means the assignation of Everyone to the System Administrator's role remained.

In a nutshell, I don't think anyone explicitly added Everyone to the System Administrator's role - it happened as a result of the strategy you used in upgrading.

Cheers!

MF.

[SomeClown]

To add to MF's point, you'll find Everyone in a number of other roles as well (about 40% of the pre-defined Cognos roles - don't remember which).  You'll want to find them and remove to avoid any potential issues with licensing compliance.