cognos audit extension installation.

[cognoslearner1]

Hello all,

We have a cognos 10.2.2 distributed environment CM,Disp and GW installed separately. So do we need to install audit extension on all the components ? I think we must install on primary secondary cm's and all the dispatchers.. Gateway not required ... Is my understanding correct ? please suggest me the steps...

Also is there any way to list users along with there capablities ( i e  they belong to which groups/roles ) in a report studio without audit extension ( even without using third party tools ) and without sdk ? We are using AD as the authentication source .

Thanks in advance,
Cognoslearner1

[mcc.chernandez]

Hello,
I only copy the war file to dispatchers, don't see that CM is necessary. Have you reviewed this? http://www.ibm.com/developerworks/data/library/cognos/development/utilities/page574.html

If all of your groups/roles are in AD and you simply map them to the Cognos namespace then you can report off of AD itself. For example, I use a script to copy AD information to a MSSQL table and then report off that. If you need information from the Cognos namespace this won't help

[cognoslearner1]

 Hey thanks for your reply. I will check that link.. Can you please provide me a script to copy AD details to mssql db ?

Thanks,
Cognoslearner1

[mcc.chernandez]

This is just an example using PowerShell. For a Production environment you probably should add exception handling. This is against an old (Server 2003) AD server. If you have Server 2008 or newer you can rewrite this using the Get-ADGroupMember cmdlet instead (example here: http://pipe2text.com/?page_id=1218). This assumes your AD groups start with CognosBI_, for example CognosBI_Sales, CognosBI_Authors, etc. If the group names do not start the sames you can simply not use the first loop and write the values in an array - $groups = @("CognosAdmins", "Report Authors", "Sales Users")

Code Select Expand


#loop through all AD groups that start with CognosBI_

$ou = [ADSI]"LDAP://CN=Users,DC=corp,DC=exampledomain,DC=com"
foreach ($child in $ou.psbase.Children ) {
    if ($child.ObjectCategory -like '*CN=Group*') {
        if ($child.name -like "CognosBI_*") {
            $groups += $child.Name
        }
    }
}

#now loop through each group and find members

foreach ($group in $groups) {

    $groupStr = "LDAP://CN=" + $group + ",CN=Users,DC=corp,DC=exampledomain,DC=com"
    $groupCN = [ADSI] $groupStr
    $members = $groupCN.member

    foreach ($member in $members) {

        $str = "LDAP://" + $Member
        $user = [ADSI] $str
       
        #LDAP properties of the user is now available in $user object
        #build string to output using % as delimiter

        $output += $group + " % "
        $output += [string] $user.SAMAccountName + " % "
        $output += [string] $user.GivenName + " % "
        $output += [string] $user.sn + " % "
        $output += "`n"       
    }
}

#we now have entire list of groups and their users in $output, write it to text file
$output | Out-File \\server\share\cognosusers.txt -Encoding ascii -force


From here we use an ETL process to load into MSSQL. If you can use Get-ADGroupMember you can pipe output straight to CSV using the Export-CSV cmdlet.

[cognoslearner1]

Thanks a lot. Its really useful.