Managing different Authentication providers in Cognos

Started by SianK, 19 Jun 2015 10:27:23 AM


SianK

Hi All,

I have a Cognos environment where we have users from 2 different domains. The administrator can log in through one domain, and he can only access and bring in the members from that domain to different Cognos capability and role groups. My query is: if I want to use the users from the second domain, do I need to have another admin user set up in that domain and to access through the second domain? Does anybody know any best practice here?

Environment details: Cognos BI 10.2 version with Active Directory as the authentication source with single sign-on

Thank you in advance

bdbits

Does this help? http://www-01.ibm.com/support/docview.wss?uid=swg21340833

I'd recommend you create groups in the Cognos namespace, then assign permissions to the groups. You would then add AD groups/users from their respective domains to the Cognos user group. I think you will find in the long run this makes things simpler, and it also somewhat insulates Cognos object security from changes external to Cognos. For example, say you have a dev and a production environment, with different permissions for each, and maybe even different authentication namespaces. You can implement the differing permissions within the Cognos groups, and export/import objects between the environments without having to update security on the objects after the import to production.

SianK

Thank you for your answers.
First of all my apologies for being late to come back on this.

We are using the exact configuration setup as mentioned in your reply for this post. Also, we are creating the groups inside the Cognos portal.

My query is: my admin user account created in domain A (forest A) cannot see forest B when I log in using the user ID from domain B (forest A). So to add the users from domain B, do I need a separate account from domain B to be added to the 'System administrator' group?

Thanks in advance

bdbits

Yes, I think you will need a logon to the second domain (partly depends on how AD security is set up). You would also need the second domain as an authentication namespace in Cognos configuration, if you do not already.

prikala

Quote from: bdbits on 24 Jun 2015 09:06:16 AM
Yes, I think you will need a logon to the second domain (partly depends on how AD security is set up). You would also need the second domain as an authentication namespace in Cognos configuration, if you do not already.

The user from the second domain does not need to be system administrator if your AD allows regular users to browse the directory.
When you have both domains as authentication namespaces in Cognos:
- Log in to Cognos using the Cognos admin user from domain A
- Without logging off, log on to domain B using whatever account you have there
- Add your AD groups/users from both AD domains to the Cognos groups (the domain A user gives you the ability to administer Cognos groups and the ability to browse AD domain A; the domain B user gives you the ability to browse domain B)

SianK

Thank you Prikala, that will help.
Thank you bdbits for your support too

BMbabu

Hi

You said that domain A and domain B are under forest A, which means there is no need to create two separate namespaces under Cognos Configuration. Based on forest A, you have to create a single namespace in Cognos Configuration, then go to the advanced properties and add the parameters below. With this, if your ID is in any domain, you could act as System Administrator.

multiDomainTree       true
chaseReferrals        true
singleSignonOption    IdentityMapping

If your Cognos security is made up of two or more forests, then you are able to log in with single sign-on, and your ID should be there in both forest domains, and your IDs should be added as System Administrator.

I hope you understand clearly.

Regards
Madhu B