Creating groups in cognos and AD

[cognoslearner1]

Hi all,

I have  a question.. What is the use of creating a groups in the AD and using it in a Cognos instead we can create it in Cognos namespace ?
What is the advantage of doing so ? If the created groups are specific to cognos only then we can create and use in cognos namespace itself .. so that it would be easy to manage . But I see many organisations create groups in AD .

--Cognoslearner1.

[MFGF]

Hi all,

I have  a question.. What is the use of creating a groups in the AD and using it in a Cognos instead we can create it in Cognos namespace ?
What is the advantage of doing so ? If the created groups are specific to cognos only then we can create and use in cognos namespace itself .. so that it would be easy to manage . But I see many organisations create groups in AD .

--Cognoslearner1.

If the relevant groups already exist in AD, you can use them in Cognos and save time and effort. If not, you can create them in Cognos as easily as in AD - with the caveat that they are then only suitable for use in your Cognos instance and not in any other application using the AD namespace for authentication.

Cheers!

MF.

[Lynn]

Hi all,

I have  a question.. What is the use of creating a groups in the AD and using it in a Cognos instead we can create it in Cognos namespace ?
What is the advantage of doing so ? If the created groups are specific to cognos only then we can create and use in cognos namespace itself .. so that it would be easy to manage . But I see many organisations create groups in AD .

--Cognoslearner1.

I think it has a lot to do with centralizing the process. Let's say a new person joins the company and they need a network login plus access to 5 different systems in order to fulfill their role. They will need to contact the people who manage the AD for their network access. It makes sense to just address application access with that same group who can also ensure they are actually permitted to have what they are requesting. Otherwise they will need to contact multiple groups to get access to everything they need.

Cognos leverages the security repository that is already in place so it makes sense to use it to it's full capacity. If someone asks what is everything that User X has access to it would be easy to answer if everything is in the AD. If you scatter their authorities across all the different applications then you'd struggle to answer the question.

Also, do your Cognos administrators really need to be spending their time on such a mundane task? They tend to be highly skilled and may be involved in other development-related projects so perhaps managing users is not the best use of their time. If you simply reference AD groups in the Cognos realm then the job is done and day-to-day management responsibility falls elsewhere.

[cognoslearner1]

Thank you MFGF and Lynn.

My concern was if we create and use cognos groups instead of AD then it would be very useful for auditing.
By installing cognos audit extension we can get the capabilities of a user and the different roles, groups user associated.
If we set users with the AD groups then how can a audit reports query AD db ?

--Cognoslearner1.

[Lynn]

Thank you MFGF and Lynn.

My concern was if we create and use cognos groups instead of AD then it would be very useful for auditing.
By installing cognos audit extension we can get the capabilities of a user and the different roles, groups user associated.
If we set users with the AD groups then how can a audit reports query AD db ?

--Cognoslearner1.

That is an interesting question. I've not used the audit extension before. Looking at the snippet below from a best practice document leads me to think it would resolve this for you. The screenshot of the FM package you get with it also makes it look like you'd be able to see this information. Presumably you've tried this and know it is not the case?

http://www.ibm.com/developerworks/data/library/cognos/development/utilities/page574.html

Role/Capability Audit
An audit of all capabilities (such as report authoring) configured in the Cognos namespace and which roles, groups and users have been assigned access to those capabilities. Where a role or group is assigned access, the audit will log all the individual users that make up the role or group, so it is possible to accurately determine which individual users have access to a given capability.