Cognos Authentication LDAP Namespace

[CognosPolzovatel]

I have the following scenario: We have an LDAP namespace setup in Cognos and our users get authenticated against this namespace. Inside the built-in Cognos namespace, we then have the default roles (i.e., All Authenticated Users, Everyone, Consumers, Query Users, etc.). We manage our users and licenses by adding users to the roles - so that they have access to the particular application (studio). However, at the moment, all users who are part of the LDAP namespace are able to login to the Cognos Connection. Luckily, they do not see anything, except for the demo folders (i.e., go_data_warehouse, etc.) However, I do not want everyone to be able to login to Cognos. I only want the users who belong to the specific roles to be able to login to Cognos. The others shouldn't have any business logging in to Cognos.

According to the Cognos “Securing Cognos 8 Environment” documentation:
“When an external authentication source is added to the Cognos 8 configuration, it is implied that all users in that source will have access to Cognos Connection. Now with Cognos 8, the ability exists to restrict access to the Cognos Connection portal and allow only members of the built-in Cognos namespace to view the content. By setting the value to ‘True’, the user logging in must be explicitly part of a group with the Cognos namespace, or a member of a group in the external authentication source that is a member of a Cognos group.”

I have this setting set to 'True.' I also have the Anonymous setting set to 'False.' All users who are part of the LDAP namespace, however, are still able to login to the Cognos Connection.

I even attempted to remove the Everyone group from the All Authenticated Users group. Cognos (8.2), however, does not give the ability to modify the users of the default groups: Everyone, All Authenticated Users.

Has anyone ever ran into this issue? Could you please provide information on how you have this setup at your organization?

[ducthcogtechie]

Open Cognos Configuration.
Go to Security/authentication. "Restrict access to members of the built-in namespace?"
By default it's set to false, hence anybody can login. Set to true and only people who are member
of a(ny) role/group inside the built-in cognos 8 namespace can authenticate succesfully.

[CognosPolzovatel]

User dutchcogtechie:

As posted in my question, I already set that property to True and re-started the Cognos 8 service - and to my surprise, this didn't work. Hence, the posting of my question.

"“When an external authentication source is added to the Cognos 8 configuration, it is implied that all users in that source will have access to Cognos Connection. Now with Cognos 8, the ability exists to restrict access to the Cognos Connection portal and allow only members of the built-in Cognos namespace to view the content. By setting the value to ‘True’, the user logging in must be explicitly part of a group with the Cognos namespace, or a member of a group in the external authentication source that is a member of a Cognos group.”

I have this setting set to 'True.' I also have the Anonymous setting set to 'False.' All users who are part of the LDAP namespace, however, are still able to login to the Cognos Connection.

I even attempted to remove the Everyone group from the All Authenticated Users group. Cognos (8.2), however, does not give the ability to modify the users of the default groups: Everyone, All Authenticated Users.

Has anyone ever ran into this issue? Could you please provide information on how you have this setup at your organization?"

[ducthcogtechie]

The everyone groups is by default member of a lot of Cognos 8 namespace groups/roles.
Did you throw out this everyone group from all of them?

[CognosPolzovatel]

Yes.

[shravani66]

Hi All,

I am facing with the similar issue. Could any one please help me.
I have successfully configured another Ad namespace in Cognos.
Now we have 2 AD namespaces apart from Cognos.
But now we are facing with other issues. Actually after creating a new namespcae we made sure that the options "allow anonymous
user access" set to false and also "restrict access to members of the built-in namespace" set to true. As already they are set with the same values
we haven't changed any.
Now the issue is:
1. Every user who is a member in new namespace are able to login into Cognos, even though we haven't provided access to anyone yet.
(I have cross checked if any group or role in Cognos contains everyone group in it, but none has this group)
2. The other issue is we are not able to search an user in Cognos even though he is member in Cognos namespace and member in one/two groups or roles.
This issue wasn't present before, earlier when i searched a user who has access to Cognos I used to found it in the result but now its not happening.

Please suggest in case I need to do any other changes. Please help me.

Thanks,
Shravani

[nsaxena]

check first name/last name of users as they appear in your namespace.

Do not try search with full name(it may not show sometime ) . attached search patter works for me (last name appears first in AD namespace in my org.)

[nsaxena]

I have the following scenario: We have an LDAP namespace setup in Cognos and our users get authenticated against this namespace. Inside the built-in Cognos namespace, we then have the default roles (i.e., All Authenticated Users, Everyone, Consumers, Query Users, etc.). We manage our users and licenses by adding users to the roles - so that they have access to the particular application (studio). However, at the moment, all users who are part of the LDAP namespace are able to login to the Cognos Connection. Luckily, they do not see anything, except for the demo folders (i.e., go_data_warehouse, etc.) However, I do not want everyone to be able to login to Cognos. I only want the users who belong to the specific roles to be able to login to Cognos. The others shouldn't have any business logging in to Cognos.

According to the Cognos “Securing Cognos 8 Environment” documentation:
“When an external authentication source is added to the Cognos 8 configuration, it is implied that all users in that source will have access to Cognos Connection. Now with Cognos 8, the ability exists to restrict access to the Cognos Connection portal and allow only members of the built-in Cognos namespace to view the content. By setting the value to ‘True’, the user logging in must be explicitly part of a group with the Cognos namespace, or a member of a group in the external authentication source that is a member of a Cognos group.”

I have this setting set to 'True.' I also have the Anonymous setting set to 'False.' All users who are part of the LDAP namespace, however, are still able to login to the Cognos Connection.

I even attempted to remove the Everyone group from the All Authenticated Users group. Cognos (8.2), however, does not give the ability to modify the users of the default groups: Everyone, All Authenticated Users.

Has anyone ever ran into this issue? Could you please provide information on how you have this setup at your organization?

Try removing everyone from directory permissions and add only Cognos (default )namespace.Let me know how it goes.

[nsaxena]

Please find it attached.

[nsaxena]

Open Cognos Configuration.
Go to Security/authentication. "Restrict access to members of the built-in namespace?"
By default it's set to false, hence anybody can login. Set to true and only people who are member
of a(ny) role/group inside the built-in cognos 8 namespace can authenticate succesfully.

This should work ideally.