
To Security or not to Security

Started by bi4business, 31 Jan 2015 03:29:09 AM


bi4business

Hi,

As you will know, Framework Manager goes through Cognos Administration rights (username / password), but when you open Framework Manager and click X at the login screen, you are able to look inside the Framework Manager model.
You can't modify, but you are able to look at the model.

Does anyone know why IBM Cognos allows users to see the model when they don't have access to that?

Kind Regards,

BI4BUSINESS

MFGF


Framework Manager is a client tool - it's assumed that only those with Admin roles will have it installed. With the other roles, all you need (usually) is a browser, but with FM you need the software plus you need access to the model files on-disk.

The login provided when you open a model in Framework Manager is simply to ascertain your rights to see data defined by data source connections on the server and to publish packages to the Cognos server (i.e. all server-related authentication).

Cheers!

MF.
Meep!

bi4business

Hi MF,

Thank you for your information.
I agree, only people with the right rights should only have access to the software.
But I have to convince the Risk Department about this.

I also told them, it should not be possible to get access to the FM software if this role doesn't belong to that person  :P
And, if some people do get access, they can't do anything with it.
I think it's the same as an ERD diagram that is put on a share.

I am just collecting information that I can use for convincing the Risk Department.
The client I work for right now is a financial institution, so I do have to come up with a good story.

Thanks and Kind Regards,

BI4BUSINESS


MFGF


Even if someone has the software, if they don't have access to the model files there's nothing they can do. If the model files are on a secured network drive, only those with privileges will be able to get to them :)

MF.
Meep!

bdbits

It might help to explain that FM is similar to a programming tool like Eclipse or MS Visual Studio. Without the source (FM model), it doesn't really tell you anything at all. The only two ways to get the source model are either to have the relevant files, or pull it out of Cognos itself which of course requires permissions.

bus_pass_man

If you look at the model.xml file you will see that it is a text file and is viewable in a great many applications (xmlspy etc.).  The other files in the project too. You can derive information about the databases which you use such as the names of tables and columns but that's about all.  Depending on how you've structured your reporting applications a lot of that metadata is exposed just by making it available to users.

Allowing access to install FM to only authorized users is a start.  It's mostly a matter of restricting access to the directory where you've got the fm install iso mounted.   There might be licence fee reasons to make sure only authorized modelers get their hands on FM.

Restricting access to your projects is another aspect of risk control.   You want to have your projects in a central source control repository.   The access rights to the stuff would be controlled by network access rights and access rights defined by the source control repository software.   

As a bonus, this would help track changes to your models.   Being able to document finger pointing is always a good thing.  Also, this will prevent the loss of too much work if someone's drive crashes or gets lost or stolen or they quit and the IT crowd wipe it before asking.  This is provided people regularly check in their changes but that's another matter.

If you want to show them that you're really helpful, ask them about what they think about the exposure of metadata through the lineage feature in the studios.  (lineage has a separate capability so it's not difficult to alter the rights to view it for various users or roles).  They might not know about it.
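
An added example, not part of any post in this thread: a small inventory of what a reader of an unprotected model.xml can learn (data source, table and column names), which can be handed to a risk team when deciding how tightly to restrict the project directory. The sample XML is constructed and simplified, and the element names (`querySubject`, `queryItem`, `dataSource`) and the sensitivity pattern are assumptions to adjust against your own model file.

```python
import re
import xml.etree.ElementTree as ET

# Constructed, simplified sample. Real model.xml files are much larger and the
# element names used here are assumptions about the layout, not a schema.
SAMPLE_MODEL = """<project xmlns="urn:example:constructed-fm-model">
  <namespace>
    <querySubject>
      <name>CUSTOMER</name>
      <queryItem><name>CUSTOMER_ID</name></queryItem>
      <queryItem><name>CREDIT_LIMIT</name></queryItem>
    </querySubject>
    <querySubject>
      <name>ACCOUNT</name>
      <queryItem><name>IBAN</name></queryItem>
    </querySubject>
  </namespace>
  <dataSources><dataSource><name>SALES_DW</name></dataSource></dataSources>
</project>"""

def local(tag):
    """Drop the '{namespace}' prefix ElementTree puts on tags."""
    return tag.rsplit("}", 1)[-1]

def child_name(elem):
    """Text of the element's direct <name> child, or '' if absent."""
    for child in elem:
        if local(child.tag) == "name":
            return (child.text or "").strip()
    return ""

def inventory(xml_text, subject_tag="querySubject", item_tag="queryItem",
              source_tag="dataSource"):
    """Return what a reader of the file learns: sources and subject -> items."""
    root = ET.fromstring(xml_text)
    sources, subjects = [], {}
    for elem in root.iter():
        if local(elem.tag) == source_tag:
            sources.append(child_name(elem))
        elif local(elem.tag) == subject_tag:
            subjects[child_name(elem)] = [child_name(c) for c in elem.iter()
                                          if local(c.tag) == item_tag]
    return {"data_sources": sources, "subjects": subjects}

def flag_sensitive(found, pattern=r"IBAN|CREDIT|SSN|SALARY"):
    """List SUBJECT.ITEM names matching a locally chosen sensitivity pattern."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [f"{s}.{i}" for s, items in found["subjects"].items()
            for i in items if rx.search(i)]
```

To run it against a real project, pass the contents of the project's model.xml to `inventory()` instead of `SAMPLE_MODEL`.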