Framework Manager and Security

Started by patrickc, 15 Aug 2009 11:01:22 AM


patrickc

I have a Framework Manager Model with object and data security. The connection to the data source is always established via the same account ("cogn_ro").

It seems to me that there is no real data security in this setup: An attacker (with a valid account and access to the package and the data source in Cognos) can always work around the object and data security in the packages by getting access to the Framework Manager software (legally or not) and using his valid Cognos account to access all data within Framework Manager. He does not need the password or username for the database, even if he does not have "read" access to the database (but is only allowed to "transit").

Is this correct?

If this is correct, the only way to have real security is to implement it via the database.
Or is there any way to prevent the Cognos 8 server from sending the username and password to the framework manager?

(Here the detailed setup:
Attacker: Has a valid Cognos login and read access for the package. The package implements object security. He is also allowed to use PowerPlay. He has a valid account for the database, but only read access to another schema. He does not have the username or password for the schema used in the package.

Attack: He installs (without the right to do so) Framework Manager on his machine and uses Framework Manager to access all of the data.)

I would really appreciate any suggestion and advice.

Patrick


twlarsen

Don't allow him to install Framework Manager, don't give him access to the database and don't allow him to install ODBC drivers. 

If he's able to do all of that, then you have more of a problem than just Cognos.  If you are giving him that much access, then hopefully he's in a position of trust!

patrickc

Installing Framework Manager (and an ODBC driver) is only a matter of Google, BitTorrent and SoftICE.

You are right that he (the "attacker") shouldn't have access to the database.

Unfortunately, he doesn't seem to need database access:

As long as he has write access to any folder in cognos connection, he can publish a package without any object security. All he needs is information about the metadata (name of the data source in cognos, etc.).

Am I missing something?
I guess it is best practice to deny access to "lineage" information? (Are there other possibilities to obtain the metadata of a package?)

twlarsen

I don't think you're missing anything, but hopefully you have other safeguards in place.  I trust that our IT dept wouldn't allow a computer on the network that's got unauthorized software on it.

I might disagree about needing database access.  When he's creating a package, he needs database access to run the metadata wizard.  Framework Manager is going to use your local ODBC driver along with your local credentials to access the database there.  When I've tried using Framework Manager without a local ODBC driver, I got nowhere.

The attacker would also need to know the correct information to use in Cognos Configuration, but I'm guessing if he's going to do all the things you listed he could figure that out as well.