Unable to add individual users in security

[MarkL]

Hi, we upgraded from 8.3 to 8.4.1 recently but now are unable to add individual user ID's to folders.  The only thing we can do is add groups and then add the individuals within the group.  Has anyone encountered this?  We use Access Manager /sunone for our security.  Any help would be greatly appreciated!!!

[MFGF]

Hi,

What exactly do you mean by this - do you mean when you are on the Permissions tab of a folder in Cognos Connection?  If so, do you have the "show users in the list" checkbox checked?

MF.

[MarkL]

yes, the permissions tab on Cognos connection.  When adding the individuals after selecting 'add' they never appear in the window to give permissions.  When adding groups, they do appear in the window to give permissions to.  We have to have "show users in the list" check or we won't be able to select them.  We are just trying to figure out why it is behaving like this and what we can do to fix it.  IBM has not been any help on this.

[Rutulian]

Hi Mark,

This probably isn't what you want to hear, but (inthebestofallpossibleworlds) I wouldn't recommend assigning things directly to users.  UGR's been around a while as a concept, the years have shown doing anything directly with users can cause a lot of maintenance hiccups. Users leave the company, forget passwords, get deleted instead of archived when employees leave... Groups live on forever!

Even if every user does have a unique access profile in your organisation so you can't use groups to easily control permissions for multiple users, you can create groups with a single user in for each and only use the 'user' object to associate signons to the group.  This will allow you to do things like troubleshoot by moving 'dummy' users in and out of these groups instead of needing to go to the user in question and log on as them, as well as being able to remove and add users in case of eg long-term illness.  Other benefits include having the flexibility to stay secure when users leave the organisation by moving them out of their groups, without having to delete them or change rights on the user (so if at quarter end you find something is needed, and the ex-employee is amenable, you can get back in).

Not a solution to your problem as is, but worth bearing in mind if you're considering a move to AD security soon.  If there's anything you can do by giving rights to users that's not possible by giving rights to single-user groups, please let me know as I need to be considering this in future.

If you can demonstrate a clear difference in behaviour between previous and current versions (screenshots will get you a very long way here), Cognos Support should be able to get you an answer from other parts of the company as to whether this change was intended and allows some other functionality, or if it's something which can be reintroduced in a future fix pack.

Kind Regards,
Alexis

[RobsWalker68]

Hi Mark,

I would very much agree with Alexis on this and avoid where possible basing folder security directly on users in the underlying security provider. 

It may not be on your horizon yet but there is likely to come a point when your company wishes to change security providers.  If you have based your Cognos security on users instead of Cognos roles or groups then you will be in the unenviable position of setting up folder/report security from scratch.  If you use groups or roles then it's the much easier task of re-adding users to your groups.

Kind Regards

Rob