COGNOiSe.com - The IBM Cognos Community

IBM Cognos Analytics Platform => Cognos Analytics => Administration and Security => Topic started by: Eag. E on 24 Apr 2020 04:33:21 AM

Title: How to disable Dashboard feature by default
Post by: Eag. E on 24 Apr 2020 04:33:21 AM
Hi Gurus, I want to disable Dashboard by default, whereas I set only one group of users to use it. At the very beginning I gave all "authenticated user" deny Dashboard, and gave only the right group to enable Dashboard, then I found if DENY has been applied, no other rules can be performed.
That's your suggestion, thanks
Title: Re: How to disable Dashboard feature by default
Post by: MFGF on 24 Apr 2020 07:06:51 AM
Hi,

Adding a specific Deny for any user/group/role overrides access granted elsewhere, so this is not the way to go. The way security works is that any user gets the sum of all capabilities granted to them (i.e. of all groups and roles they belong to), unless something is specifically denied. What you need here is an implicit deny - i.e. the users do not have the capability granted.

You need to identify what groups and roles your users belong to, and then for each, remove the 'allow' for dashboards. Make sure you remove the capability for the Everyone group and the All Authenticated Users group too (it's easy to overlook these).

Once the capability has been removed from all users, groups and roles, add it back in for just the one group you need dashboard access for.

Cheers!

MF.
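Added example, not part of the thread and not Cognos code: a small Python model of the evaluation rule MFGF describes (sum of grants across memberships, explicit deny overrides everything, no grant means implicit deny). The user names, the "Dashboard Authors" and "Report Consumers" groups and the policy layout are constructed for illustration, and membership of every user in the two built-in groups is an assumption of the model.

```python
# Simplified model of the capability rule described in the reply above.
# Names and policy layout are constructed; no Cognos API is called.

def effective(capability, memberships, policy):
    """Union of grants across memberships, unless any explicit deny."""
    entries = [policy.get(m, {}).get(capability) for m in memberships]
    if "deny" in entries:          # an explicit deny overrides every grant
        return False
    return "grant" in entries      # no grant anywhere = implicit deny

def granting_principals(capability, policy):
    """Audit helper: every group/role that still grants the capability."""
    return sorted(p for p, caps in policy.items() if caps.get(capability) == "grant")

# Assumption of this model: every user is in both built-in groups.
BUILT_IN = ["Everyone", "All Authenticated Users"]
USERS = {
    "alice": BUILT_IN + ["Dashboard Authors"],   # should get dashboards
    "bob": BUILT_IN + ["Report Consumers"],      # should not
}

# Attempt from the question: explicit deny on a group everyone belongs to.
EXPLICIT_DENY = {
    "All Authenticated Users": {"Dashboard": "deny"},
    "Dashboard Authors": {"Dashboard": "grant"},
}

# Constructed starting state: broad groups still carry the grant.
BEFORE_CLEANUP = {
    "Everyone": {"Dashboard": "grant"},
    "All Authenticated Users": {"Dashboard": "grant"},
    "Report Consumers": {"Dashboard": "grant"},
}

def implicit_deny(policy, capability, allowed_group):
    """Remove the grant everywhere, then add it back for one group only."""
    cleaned = {p: {c: v for c, v in caps.items() if c != capability}
               for p, caps in policy.items()}
    cleaned.setdefault(allowed_group, {})[capability] = "grant"
    return cleaned

AFTER_CLEANUP = implicit_deny(BEFORE_CLEANUP, "Dashboard", "Dashboard Authors")
def access_table(policy):
    return {u: effective("Dashboard", groups, policy) for u, groups in USERS.items()}

if __name__ == "__main__":
    for name, pol in [("explicit deny", EXPLICIT_DENY), ("before", BEFORE_CLEANUP), ("after", AFTER_CLEANUP)]:
        print(name, access_table(pol), granting_principals("Dashboard", pol))
```

Running `granting_principals` against the real list of groups and roles before adding the grant back is the step that catches a leftover grant on Everyone or All Authenticated Users.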
Title: Re: How to disable Dashboard feature by default
Post by: Eag. E on 24 Apr 2020 08:36:03 PM
Thanks MF. :)