How are Users Granted/Denied Access In Cognos?

[biworld]

We have AD groups which we imported in Cognos to implement Cognos Security.

Scenario is like : There are three Active Directory Groups ADG1, ADG2 and ADG3.

They are made members of Cognos Groups : CADG1, CADG2 and CADG3.

Three Folders according to diff departments: FADG1,FADG2, FADG3.

I need to implement security where users who are part of ADG1, becomes part of CADG1 and hence can Access FADG1..and like wise.

if they are member of more than one AD group (ADG1 and ADG2) they will be part of both CADG1 and CADG2 and could see both FADG1 and FADG2.



I have assigned Each CADGs Traverse on their respective FADGs and Read, execute and Traverse on Reports and Packages which belong to that department.

Have defined One Consumers role for them of which all of them are members. and Added that role to Report Studio,Query Studio,Analysis Studio Capabilites with (Read, execute and Traverse)

permission.

Issue: When trying to Implement above scenario I do not see expected outcome. Some users can see more than one folders that they were supposed to see, because they were part of more than

one ADG group.
That would still be fine but some of they do not see the stuff they were supposed to see. Some do not see folders, some do not see reports, some see reports but can not execute them.

My question is I can understand if they see more stuff that what they were supposed to see. But why are they denied permission on the stuff. Because as part of Best Practices Implementing

security Policy we have not denied any thing to any one. Just granted access per required. so where in this implementation
Cognos decides to deny permission to users?

Any Inputs/Suggestions Welcome,

[Rahul Ganguli]

Just check if you have provifed sufficient priviliges to these groups in Capabilities->Report Studio. Also check in User Interface Profile. If You have given right privileges at these two places your reports should work.

If you still have the same issue, login as administrator and check the capability directly on the folder where you are facing these issues.

Regards,
Rahul

[biworld]

Thanks for your response Rahul. I checked every thing. Strange Yet it works for one user from the same group while doesn't work for another. It throws Error"package either doesn't exist or you do not have sufficient access permissions". Its works for other guy with same access permission.

also We have not denied any thing to users any where. so its " Implicit Allow" even if someone was not granted access. Then why this denial thats what I am trying to figure out.

[bdbits]

I don't know the answer to your problem, but have a suggestion. While logged in as a person of interest, go to My Preferences on the Personal tab (or have them do this and save/send the page to you). You may have to scroll down a bit, but you will see the Groups and Roles as well as the Capabilities as Cognos has determined them when they logged in. Compare two users who are getting different results to see what is different. If they are the same, then I would look at the permissions on the individual folders, reports, or packages.