is there a report in the audit package to see what groups a user is part of?

Started by akb123, 13 Oct 2014 09:41:00 AM


akb123

is there a report in the audit package that I can run that can tell me what groups a user is part of? thanks!

Karti

As far as I know, there is no out-of-box report that allows you to gather such information. There may be a query you can run against the Content Store to gather such information.

cognos810


AussiePete2011

Hi there

I think this really depends on what you refer to as groups.
It really depends on what authentication you have applied, e.g. ADS, LDAP, NTLM, etc.
Have you used the Cognos groups to define authorization or have you defined these in an external LDAP such as SunOne?

I know that you can find this type of information using 3rd party tools like BSP MetaManager and Motio but a little more clarity on the question wouldn't go astray.

Cheers
AussiePete

bus_pass_man

There's also this tool.   

http://www-01.ibm.com/support/docview.wss?uid=swg24034217

IBM Cognos BI Users and Capabilities Tool

Abstract


Gathering capabilities and group/role information associated with users for each namespace


The Users and Capabilities Tool is a diagnostic tool which analyzes the Capabilities and Users for each namespace. The resulting information reports each user's capabilities, all users included in each capability, and users group/role information.

cognostechie

@bus_pass_man It says that this tool is not supported in environments where single sign-on is enabled.

@akb123  I have this SQL which gives me the list of users and groups they belong to:

SELECT v_user.ldap_id, v_group.name group_name
FROM cmreford1 v_group_user
JOIN -- GET USERS
    (SELECT cmid user_id, UPPER(NAME) ldap_id
     FROM cmobjprops33) v_user
  ON v_group_user.refcmid = v_user.user_id
JOIN -- GET GROUPS
    (SELECT cmobjnames.cmid cmid, UPPER(cmobjnames.NAME) name
     FROM cmobjects, cmobjnames, cmlocales
     WHERE cmobjects.classid IN (26, 54)
       AND cmobjnames.mapdlocaleid = cmlocales.mapdlocaleid
       AND cmobjects.cmid = cmobjnames.cmid
       AND cmlocales.locale = 'en') v_group
  ON v_group.cmid = v_group_user.cmid
-- WHERE v_group.name LIKE '%%'
-- AND v_user.ldap_id LIKE '%%'
ORDER BY 1, 2

TheBrenda


StevenLunn

Thanks for the post cognostechie, have used that SQL and it helps. Two things:

1.) Is there a way of extracting the true user ID from the tables as well? User_ID (CMID) in the SQL looks like an internal ID that is used for joining and as a key. The name field (ldap_id) does not show the complete name that I can see in our Cognos admin security screen, e.g. for John Smith (JS43567) the SQL returns John Smith. In our environment the user's logon ID is the part in brackets.

2.) Is it possible to add in the folders a user has access to? I've extracted the folders by selecting records with a classid of 1 from the cmobjects table, but the cmid returned doesn't exist in the Users table. Is there somewhere else I should be looking, or is this not the way it works internally?

Regards,

Steve.

daheezy

Do BSP and MotioPI have cloud-based solutions? If not, does anyone know of one?

Thanks!

Andrew Weiss

Hello,

We recently posted an article on the Avnet BSP Blog discussing how to manage, view and modify security in MetaManager.  The article shows how to visualize a topographical view of user membership and content access including indirect group membership and security inheritance.  You can see the article here:

http://www.bspsoftware.com/sorting-ibm-cognos-security-using-metamanager/

Attached is an example from the Security Auditor Module, but you can download the trial and try it out for free here:
http://www.bspsoftware.com/products/metamanager/Download/



Thanks,
-Andy
MetaManager makes administering IBM Cognos a breeze.  http://www.bspsoftware.com/MetaManager

TheBrenda

SDK Sample to define all Groups/Roles and their respective Users

http://www-01.ibm.com/support/docview.wss?uid=swg21335670

This is working for me with AD, NTLM, and LDAP. It produces a file that lists all the roles/groups and all member names that belong. If System Administrators has an AD Group as members, the tool will recursively go through the namespace and come back with the actual names - like SMITH, LINDA. Working well for me. We are even going to integrate this into our licensing audits.
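
The following is an added example, not part of any post in this thread and not IBM or BSP code: a Python sketch of the recursive expansion discussed above, turning direct membership rows into each user's effective (direct plus indirect) groups for an access audit. The rows are constructed sample data, and the (member, group) input shape and the function names are assumptions.

```python
from collections import defaultdict

# Constructed sample rows (member, group); a member is a user or a nested group/role.
DIRECT_MEMBERSHIP = [
    ("SMITH, LINDA", "AD_FINANCE"),
    ("JONES, PAT", "AD_FINANCE"),
    ("AD_FINANCE", "REPORT AUTHORS"),
    ("REPORT AUTHORS", "SYSTEM ADMINISTRATORS"),
    ("DOE, SAM", "SYSTEM ADMINISTRATORS"),
]


def effective_groups(rows):
    """Map each member to {group: one membership path that reaches it}."""
    parents = defaultdict(set)
    for member, group in rows:
        parents[member].add(group)

    result = {}
    for principal in list(parents):
        seen = {}
        stack = [(g, [principal, g]) for g in sorted(parents[principal])]
        while stack:
            group, path = stack.pop()
            # Skip groups already reached; this also stops on circular nesting.
            if group in seen or group == principal:
                continue
            seen[group] = path
            for nxt in sorted(parents.get(group, ())):
                stack.append((nxt, path + [nxt]))
        result[principal] = seen
    return result


def users_in_group(rows, group):
    """Users (members that are never a group themselves) that reach `group`."""
    group_names = {g for _, g in rows}
    eff = effective_groups(rows)
    return sorted(m for m, groups in eff.items()
                  if m not in group_names and group in groups)


if __name__ == "__main__":
    for user in users_in_group(DIRECT_MEMBERSHIP, "SYSTEM ADMINISTRATORS"):
        path = effective_groups(DIRECT_MEMBERSHIP)[user]["SYSTEM ADMINISTRATORS"]
        print(user, "via", " -> ".join(path[1:]))
```

The recorded path shows why a user holds a privileged role, which is the detail a licensing or access review usually needs.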