Automate assignments between users and groups in Cognos Connection?

Started by jeffowentn, 20 Jan 2010 09:03:54 AM

jeffowentn

We are getting ready to migrate from 7.3 to 8.4.  Access Manager has a batch utility that allows you to make a lot of changes to the assignments between users and userclasses.  As we migrate to 8.4, we will pull most of our users from AD and only the basic sign-on users (not on a trusted network) will remain in a Series 7 namespace w/AM/SunOne.

Either for the migration (more significant) or for ongoing security management, is there any way to create flat files and modify security in a more automated fashion than manually picking and choosing the users and groups, one at a time?  I cannot find any sort of way to replicate the functionality of the batch utility we could use with Access Manager.

In case it helps, we will be using Windows 2003, SQL 2008, and will be using multiple servers.  We currently have about 400 users and about 7000 userclasses in the 7.3 environment, which is the reason for wanting to try to automate/script the changes to shorten the time the business is without their planning applications.

Milt

Hi - I had the same issue when migrating to 8.4. When I first saw the interface for managing roles and groups via Cognos Web Administration I was aghast, as it is a complete nightmare to manage hundreds of roles/groups!

Anyway, after some discussion with Cognos it is possible to integrate Access Manager into 8.4. This means all users and groups are still created and maintained in Access Manager and changes are automatically reflected in "IBM Cognos 8 Administration".

The configuration is done in Cognos Configuration - you need to add 'Access Manager' in the authentication section. There are a few other things to set as well, don't ask me what as I left this to a consultant!

> Milt

jeffowentn

Milt,

Thank you for this feedback.  I'd like to clarify something.  We will have to continue using Access Manager to manage our basic signon users because there is no way to provide credentials for users on non-trusted domains in Active Directory.

However, I am under the understanding that we would still reference those users through the Cognos 8 namespace and then assign them to groups that only exist in the Cognos 8 namespace.  During the migration, I know Cognos 8.4 will convert the userclasses referenced in Access Manager to groups in Cognos 8.

Are you saying that the groups/userclasses can still be maintained in Access Manager and assigned to users directly in Access Manager?  I thought the groups had to exist in the Cognos 8 namespace in order to assign the users to them.

Any clarification you can provide is greatly appreciated.

Jeff

Milt

Hi,

Well I can describe what we have done.

Access Manager is used to create userclasses and assign users access to the userclasses - as you know, Access Manager has a useful batch import feature whereby you can upload userclasses from a text file (which in our case is based on the e.list structure).

Access Manager also handles single sign-on; all our users have AD accounts, which are used for authentication.

So that's how it was in 8.1 and then we continue to use this in 8.4.

You can use Access Manager as a Namespace in Cognos Configuration - the type is 'Cognos Series 7'.

Then in the web configuration this can be added as a directory which will automatically include all your users and user classes from Access Manager.

Hope this helps

> Milt

craig_karr

Yes, as Milf said you can continue to use your Access Manager as the primary namespace even in 8.4 and you can use OS signons in AM to get single signon. If however you would like to have your Active Directory as namespace instead, you have two options:

Either create the groups you need in Active Directory (i.e. make a group for every user class you had in Access Manager) and maintain the groups in Active Directory with the software provided for that purpose. Or you can have the groups in the Cognos namespace. To automate the handling of users in each group you need to have an SDK (software development kit) application that can automate things in Cognos Connection.

The license for SDK is very expensive, but if you have an external consultant with an SDK license developing it for you, then you don't need a license yourself.

You only need a license for SDK if you are developing apps, not for running them.


jeffowentn

Thanks for the great information.  I will test this once we get our DEV environment up and running.  I suspect we will stay with Access Manager just for the ongoing maintenance benefit.  I'll keep you posted.

craig_karr

Quote from: robmac on 26 Jan 2010 05:47:10 PM
Freudian slip perhaps?  :P



Yes probably  ;D

Anyway, my experience is that quite many customers choose to stay with Access Manager due to the Access Manager batch maintenance and the lack of similar functionality in Cognos Connection out of the box.