Cognos 8.4 - Role base security & Doc

[dbamgr]

Hi All,

I would appreciate if someone can walk me through the steps in setting up user security in Cognos 8.4. It is just confusing? I have set Anonymous = False in Cognos Configuration and remove Everyone in from all the Cognos default groups. Now I need to assign the proper security and roles to the users. Is it better to set up security based on AD groups or Cognos groups? What is the difference and meaning between permission and capabilities?

I would like to set up user groups by department, eg. Sales, Analytics, Finance and each department can only run their own reports. In each department, most users can only run reports but a few can create their own reports. Eventually I would also like to implement data security in reports, depending on their access, users can only see specific information in the reports.

Cognos 8.4 Default Roles do not fit in this picture. Because then each user can see other department report also.  Since I need security based on Departement, so may be create seperate User groups for different departments (Sales Report Author, Sales Modeler, Finance Report Auther, etc). This will make applying data/object/package security easy.
Any input is much appreciated if some one provide me the detail Cognos8.4 security documentation how to do that and remove all the default role properly.
Thanks in advance

[MFGF]

Hi,

I'd suggest here that you use groups for your different departments, and roles for the capabilities of the users within each department.

Assuming you have departmental folders in Cognos Connection, you can then begin to set security on these for the groups.

If a group is granted no permissions to the folder, then it is completely invisible to members of the group.
If you want a group's members to be able to view existing saved report outputs, you should grant Traverse and Read permissions to the group.
If you want a group's members to be able to view and run existing reports, grant Traverse, Read and Execute permissions to the group.
If you want a group's members to be able to view, run, add and delete reports and/or change the properties of reports, grant Traverse, Read, Execute and Write permissions to the group.

You can then begin to think about the capabilities of each user.  This is where the default Cognos roles come into play.
If a user should have access to Query Studio, add the user as a member of the Query Users role.
If a user should have access to Analysis Studio, add the user as a member of the Analysis Users role.
If a user should have access to Report Studio, add the user as a member of the Authors role.

These roles have already been set up to have the relevant capabilities for Query Studio, Analysis Studio etc.  If you want to use your own roles instead, then you will need to go to the Capabilities page of the Admin console and apply the relevant capability to each new role.

Hope that helps!

MF.

[whastings]

One of the things that we found most confusing was the lack of consistency between the license definitions that Cognos sells and the predefined roles that come with the Cognos 8 installation (we are working in 8.3, but I would be surprised if 8.4 is any different). So we went through the process of reviewing each predefined role to see what each had access to and cross-referenced that information with the access rights of each of the published licenses that Cognos sells. We then created user groups that matched the Cognos licenses (e.g. Consumers, Professionals, Administrators, etc.) and added each of the "license" groups to the predefined roles that they would need for access to Cognos 8. Then each user account we created was linked to a license group, which in turn gave them appropriate access to the tools.

The next step as was recommended is to create a 2nd set of user groups that are department or responsibility based which you use to control access to the various folders, reports, analyses, etc.

I just wanted to mention the first paragraph as an alternative approach. One advantage to the above is that it also makes it easier to control your license numbers. If you have purchased 20 consumer licenses and you look at the consumer group and see 19 users assigned, you are within your agreement with Cognos, but will want to purchase additional licenses if you need to expand. We put the number of licenses purchased in brackets in the group description. For example, I created a user group called "Consumers (20)", which tells me I have 20 consumer licenses available.

If you are interested in the approach, I have an excel spreadsheet that shows the relationship that we created between the "license" groups and the predefined roles that I could send to you.

Note that you can also create folders to keep your user groups organized. Create one folder called "License Groups" and another folder called "Departments".

[jrgchip]

whastings:  I would love to see your spreadsheet.  We are dealing with the same issues now and I'm frustrated that we have no clear doc about correlations between licenses and capabilities.

[SunilAwasthi]

whastings I would be great help if you could post the security spreadsheet which you created.

[jeffowentn]

whastings - would you mind sending me the Excel spreadsheet, as well?  Thank you.

[enrico_broggi@vfc.com]

Can I receive the file as well?

Thansk a lot

[l.russo]

Can I receive the file as well?

Thansk a lot :)

[sravs]

Can you please send me the spreedsheet. I'm having the same issue

Thanks a lot!!!

[MFGF]

Well, guys, whastings hasn't been logged into the forum since April 2012. I would doubt your requests to him on here will be responded to.

Cheers!

MF.