
Deployment without Planning Rights Administrator role?

Started by jeffowentn, 01 Dec 2010 03:24:48 PM


jeffowentn

I need to allow my "power users" to deploy planning applications in the CAC but also want to restrict their access to just their application folder.  In order to give them deployment rights, I have to assign them to the Planning Rights Administrator role.  Doing so allows them to see all applications in the CAC.

Does anyone have a suggestion on how I can accomplish the need to allow deployments but still restrict their access to just their department's folder?

Cognos 8.4.1
Windows 2003
SQL 2005
IE8

ericlfg

Please see my disclaimer at the bottom!
Hey Jeff,

By definition, members of the Planning Rights Administrators role are the top level administrative accounts in planning.  Granting this permission to a user will give them all capabilities and powers within the CAC -- which would include assigning and removing access rights to users, groups and roles.  The deployment option is only enabled when you have PRA or higher level access.  Additionally, the Deployment wizard can't be restricted in what's available to export.  Everything in the Planning Administration Domain can be exported (or imported).

You only have one option: Create a macro that runs a predefined Deployment, then give the user access to execute this macro from Cognos Connection.  This will require modification to the capabilities the user / group / role has in the environment.  This is because by default only PRA or Higher can access the "Administer IBM Cognos content" area of Cognos Connection (and subsequently the Configuration -> Content Administration section).  The below TN will need to be used to first configure the appropriate capabilities in Cognos Connection, followed by my steps below.

http://www-01.ibm.com/support/docview.wss?uid=swg21376266

Steps to follow:
1. Run the deployment wizard, giving the package a name correlating to the application being deployed.  Ex: Capex Deployment Macro

2. Set the deployment options as desired and run it.

3. Create a new macro, selecting the 'Run Deployment' step, select the package name you created in step 1, name it the same as step 1.  (Capex Deployment Macro)

4. Modify the access rights for the user (or group / role): Under the planning store -> macros -> select Execute macro -> don't cascade down.  Scroll down to the macro name you specified in step 3, select execute macro.  Ensure that only the macro that the user is supposed to run is selected.

5. In Cognos Connection, log in with an administrative account and navigate into Administer IBM Cognos Content -> Configuration Tab (top), -> Content Administration -> Planning -> Macros -> Click the Set Properties in the menu bar (Next to the black Delete X), Permissions, then click the 'Override the access permissions acquired from the parent entry', click the check box for Planning Contributor Users, and clear the Read and Execute check marks.  Click OK.

6. Click the More... link to the right of the macro name (capex deployment macro) and click Set Properties.  Select permissions tab, click the top check box "Override the access permissions acquired from the parent entry" if the check boxes beside the groups aren't present, and add the user / group / role that is responsible for this macro.

7. Grant Read, Execute and Traverse for the user / group / role that is responsible for this macro.

8. Log out of Cognos Connection and log in as one of the users that has just been given access to this macro.  You will note that all other macros do not present the 'Run' option in the form of the blue triangle.  Click the blue triangle for the macro this user has access to, and confirm in the CAC that this macro has run successfully.

Repeat steps 1 through 7 for each deployment you want to run.  You can omit Step 5 as it's a one time thing.

Please let me know if there are any areas that aren't clear to follow and I'll try to clean it up.

*NOTE:  I have NOT thoroughly tested these.  I ran some very high level tests while I was building these steps.  Make sure you thoroughly test this in a DEVELOPMENT or TEST environment before implementing in a production based environment.

jeffowentn

Eric,

Thank you for this...let me see what I can do with this, and then I will get back with you...

Jeff

Rutulian

Hi Guys,

My 2 penn'orth - a PRA is not a full sysadmin, but I think by default they have full access to the PAD (or the first user creating the PAD does, who's usually a PRA).  It should be possible to restrict rights to individual apps using the PAD rights screen, though this can be a maintenance-intensive undertaking.

In this situation the users would be able to run deployments but only seeing their 'tree'.  By default they would be able to create new apps on import, I'm not sure if this can be blocked.

The above's from memory - unfortunately I no longer have access to a system at that level to test.  I think there were problems with hardcoding in 8.2 and possibly to 8.3, but from then on out it should be possible to replicate the Planning rights by judicious use of Capabilities etc.

Hope this helps - can't give steps, but I do think what you're aiming for should be possible with a bit of user subclassing.

Kind Regards,
Alexis

ericlfg

Hey Alexis,

Thanks for the input.

To confirm, the PRA role is the top level Planning Administrative Role.  A member from the System Administrators role would have exactly the same abilities as the PRA in the CAC.  If you log into the CAC with PRA capabilities, you will be able to self-assign access to every area in the CAC.  You could add yourself into the Access Rights section and give access, but it will be ignored.  The PRA role, even if assigned access rights in the access rights section, cannot be restricted.

'Users' of the CAC (non-PRA users, meaning only a member of Planning Contributor Users role) can be restricted in what they can access.  These users are unable to see the Access Rights item, and if they attempt to access the Deployment wizard they will receive a message indicating that they do not have sufficient privs. to deploy.  Even if the 'User' is given everything from the Planning Administration Domain down (top level), attempting to access the Deployment wizard will yield the same insufficient privs message.

If the requirement is to have users be able to access the deployment wizard, then they must be assigned the Planning Administration capability.  This capability is what's assigned to the PRA role automatically behind the scenes.  As stated above, if this capability is applied to a group or role then restriction of this group or role is not possible.  From Jeffowentn's requirements, these users cannot see applications that do not belong to them which is what occurs if given the Planning Administration capability.

Cheers
Eric


Rutulian

Thanks for the clarification Eric, I'm all too used to running as a superuser!

ericlfg

I know where you're coming from all too well!  :)  I, often, will have to build up a system to reconfirm what I already know -- but have pushed out of my mind. 

:)