If you are unable to create a new account, please email support@bspsoftware.com

 

News:

MetaManager - Administrative Tools for IBM Cognos
Pricing starting at $2,100
Download Now    Learn More

Main Menu

Cognos Security Best Practise

Started by Raghuvir, 27 Nov 2014 03:22:15 AM

Previous topic - Next topic

Raghuvir

Hi All,

Came across this post in Cognos 8 section and i am having the same query. Is this considered as the best practise to implement security in Cognos 10 as well ?

"We currently use AD for our authentication provider, in our existing security model we map all AD groups to Cognos groups then use Cognos groups for object security etc.  Taking a step back before beginning a new reportin solution, does anyone know if this is considered best practice?  or have any documentation to back that up?  The alternative would be to skip the step of mapping AD groups to corresponding Cognos groups.  The theory with assigning AD groups to Cognos groups is that you are more insulated from changes to AD."

Thanks in advance.

Regards

goitzy

I am not sure on best practice but we have been using AD. Our team uses AD groups to separate tools the we want users to have (used to be because of licensing but now its about capabilities). We then add those groups to the Cognos roles that apply so we can manage security based on their job function all in one place at time of hire. We found it less admin time for our team.


JoS

There is a Proven Practices that answers your question:
IBM Cognos Proven Practices: Securing the IBM Cognos 10 BI Environment
http://www.ibm.com/developerworks/data/library/cognos/security/cognos_bi_platform/page602.html

Under section 'Authorization Concepts and Best Practice'

Quote
...
To alleviate these challenges there is a simple Best Practice for authorization - All references in permissions, capabilities and secured functions should only be made to groups and roles from the Cognos namespace. This means only groups and roles created in the Cognos namespace should be used to define permissions. For example, to allow a certain set of users to use an IBM Cognos 10 Studio, one would either use one of the predefined roles from the Cognos namespace or create a new role explicitly for this purpose and assign this role to the corresponding capability. While this might appear cumbersome to create multiple new groups or roles in the Cognos namespace it actually adds great value. The reasons for this are,
All references to objects used in permissions will remain intact even if the members of the role/group referred to will change.
The contents of the Cognos namespace can be migrated via deployments to other IBM Cognos 10 Systems.
The creation or assignment of external objects to Cognos namespace entries can be automated through the IBM Cognos 10 SDK.
...