Question on Object level security in Cognos FM

[cognos05]

Once you set security for one object, you need to set it for all objects.  what does this exactly mean.

I tried setting the object based security selecting an column from a table and giving deny access to one specific user and allow for everyone.

Now when that user logs in , he is not be able to see any of the objects in the namespace. but ideally only one object was given deny access.

For other users they are able to see that one object only and the other objects are not shown.

So If I have a requirement to hide only one object, do I need to still visit other objects and make the default settings ? or is there a one place where I can set for the rest.

Your suggestions are highly appreciated.

Thanks,
Nithya

[cognos810]

Hello nithya1224,
Once you set security for one object, you need to set it for all objects, is exactly what you are seeing in this case.
In your case you applied object level security to one column (deny for one user, allow for everyone) but did not provide any security for the other columns. As per the statement, now you have to provide "Allow" to "everyone" for all the other columns.

-Cognos810

[cognos05]

SO , I have to go to all the tables and all the columns and set allow to everyone. Is that the way it behaves ?

[cognos810]

Yes, first step is to CTRL-Select all the query subjects and then specify "Allow" to Everyone.
Second step, deny access to that particular column for the user/group/role that you are trying to hide.

-Cognos810

[Michael75]

@ nithya1224

In addition to all the good advice that cognos810 has just posted, take a look at a closely-related discussion here, where you will find useful info from other Cognoise luminaries:

http://www.cognoise.com/index.php/topic,25617.0.html

[MFGF]

Yes, first step is to CTRL-Select all the query subjects and then specify "Allow" to Everyone.
Second step, deny access to that particular column for the user/group/role that you are trying to hide.

-Cognos810

No - you don't need to do this. Object Security is inherited from higher levels in the structure if it's not explicitly defined. This means you can go to the top level namespace in the model, grant access to the Everyone group to that namespace, and this is then inherited by all objects below this that do not have explicit security defined. Doing things this way keeps the security model simple - using CTRL-Select on all the query subjects applies security independently to every single one. If you want to modify it later, it's a HUGE task to do.

MF.


Sent from my iPad using Tapatalk HD

[cognos05]

Thank you !1 That saves more time when compared to selecting all query subjects and then setting access..

[bus_pass_man]

The Cognos-taught method for object security recommends two possible approaches.   One is lock down and allow and the other is open then deny.  Both methodologies work best if you set the object security first on the model root.  This allows the other objects in the model to inherit whatever setting you have chosen.   I tend to lean to the lock down and allow side.

I can't find a doc about it on-line.  This one touches on the matter but not fully.  http://public.dhe.ibm.com/software/dw/dm/cognos/modeling/security/security_in_framework_manager.pdf