If you are unable to create a new account, please email support@bspsoftware.com

 

News:

MetaManager - Administrative Tools for IBM Cognos
Pricing starting at $2,100
Download Now    Learn More

Main Menu

Data level security at report level

Started by Raghuvir, 25 Nov 2014 12:01:46 PM

Previous topic - Next topic

Raghuvir

hi all,

i have a requirement where i need to implement data level security at the report level, for e.g. if user 'A' belongs to ord id '1.03.01' and when the user 'A' runs the report the user should only see information related to his/her org i.e. '1.03.01' ...is this possible in report studio ?

Request you to guide me with this.

Thanks in advance

MFGF

Quote from: Raghuvir on 25 Nov 2014 12:01:46 PM
hi all,

i have a requirement where i need to implement data level security at the report level, for e.g. if user 'A' belongs to ord id '1.03.01' and when the user 'A' runs the report the user should only see information related to his/her org i.e. '1.03.01' ...is this possible in report studio ?

Request you to guide me with this.

Thanks in advance

Probably - yes. Why would you want to implement this at the report level, though? You are making life very hard for yourself...

MF.
Meep!

cognos810

Hello Raghuvir,
Although not recommended by many, but is certainly doable using Framework manager and/or Report studio. You would need the user to Ord Id mapping somewhere. The ord Id can be supplied by your:
1) authentication source, as a user attribute which you could then use to filter the data in either the query subject in FM or in the report filter. This IBM KB shows how to add your "ORD ID" in the cognos configuration IF it already exists in your authentication source as an attribute for every user.
https://www-304.ibm.com/support/docview.wss?uid=swg21341035
2) Or, you have a database table with the userid to Ord Id mapping. Then you can join this security table to your fact table on ORD ID and later add a filter on the UserID column of this security table(again, can be in FM query subject or in a report filter) using the session parameters, EG: [Business View].[Security Table joined to Fact].[UserID] = #sq($account.personalInfo.userName)#
3) One other way would be to create groups/roles in either the Authentication source or in the Cognos namesapce. EG: Create a group called "1.03.01", add all the users who need data for that ORD ID in the group. Then in the FM Query subject or the report filter add a filter like [Ord Id] in #sq(CSVIdentityNameList ())#

The best way would be to have the data filtered at the database level itself. But if that is not an option you can use either of the above approach. You may also want to look into TenantIDs to achieve the same.

Let me know if you need more info.

Good luck,
Cognos810

Raghuvir

Quote from: MFGF on 25 Nov 2014 02:18:47 PM
Probably - yes. Why would you want to implement this at the report level, though? You are making life very hard for yourself...

MF.


Hi MFGF,

i suggested the user that we can do this at the Framework Manager level. But he is like there should be a way we can implement this at the report level also.

i have never done such type of reqirement at the report level. Please guide me to achieve this.

Regards

bdbits

#4
Just because you can does not mean you should. It is going to be *much* easier to do this in the model, especially considering future maintenance or a change in security requirements. Update the model and magically, all your reports filter the data appropriately at run time. As opposed to going into each report and modifying filters or slicers or whatever. Not to mention feeling you can let users create their own reports or queries knowing they only see data they are supposed to see.

We generally do something along the lines of cognos810's "option 3". We use Active Directory groups (our authentication source) with filters within the FM model.

Raghuvir

Quote from: cognos810 on 25 Nov 2014 02:19:36 PM
Hello Raghuvir,
Although not recommended by many, but is certainly doable using Framework manager and/or Report studio. You would need the user to Ord Id mapping somewhere. The ord Id can be supplied by your:
1) authentication source, as a user attribute which you could then use to filter the data in either the query subject in FM or in the report filter. This IBM KB shows how to add your "ORD ID" in the cognos configuration IF it already exists in your authentication source as an attribute for every user.
https://www-304.ibm.com/support/docview.wss?uid=swg21341035
2) Or, you have a database table with the userid to Ord Id mapping. Then you can join this security table to your fact table on ORD ID and later add a filter on the UserID column of this security table(again, can be in FM query subject or in a report filter) using the session parameters, EG: [Business View].[Security Table joined to Fact].[UserID] = #sq($account.personalInfo.userName)#
3) One other way would be to create groups/roles in either the Authentication source or in the Cognos namesapce. EG: Create a group called "1.03.01", add all the users who need data for that ORD ID in the group. Then in the FM Query subject or the report filter add a filter like [Ord Id] in #sq(CSVIdentityNameList ())#

The best way would be to have the data filtered at the database level itself. But if that is not an option you can use either of the above approach. You may also want to look into TenantIDs to achieve the same.

Let me know if you need more info.

Good luck,
Cognos810


Hi Cognos810

Thanks for the guidance. when i went thru the points that you have mentioned, i chose the 2nd point as i felt that it would work in my case and it did.

As guided by the experts, implementing security at the report level is not recomended i will see to it that this is done on the FM level.

Thanks Cognos810...appreciate your help.

Regards