Managing reports with Report Views

[cccschip]

We are wrestling with management of IT-generated reports for use across multiple user groups...each such report being appropriate only for certain user groups.  [We have lots of reports that are not IT-generated, but we don't manage those...so not of concern here.]

We are considering an approach based on report views that seems very intriguing, but are wondering if we are overlooking some dangers in this approach.

Bear in mind that your overall organization of Cognos Connection is oriented around business areas (Finance, HR, etc).  As a basic rule, we wish to expose the "reports" of interest to a given user population in the business area folder (or sub-folder) that is pertinent to their group.

Fundamentally, we envision publishing our reports to a hidden folder to which all users have Exec and Traverse permission, but the folder is hidden so that they cannot see or access it directly. 

Similarly, we would publish all of the underlying packages to separate folders and, again, grant users Exec and Trav perms to those packages.

We then publish report views of any given report in each folder where we want users to find that "report".  So, if we want all folks in Finance to be able to run a particular report as well as a few "special" folks in HR, we would create a report view in each of the following:
  Public Folders > Finance > Shared Reports > a-view-of-the-the-report
  Public Folders > HR > Shared Reports > Special Folder > a-view-of-the-report

That's the idea, at least.

Any thoughts, and especially warnings, about this approach would be much appreciated.

Thanks.

[cccschip]

Dang...no responses!  Just back from vacation and was really hoping to have stirred up some thoughts.  Any input will be appreciated.

[bi4u2]

Yes, I do this at all of my clients. You can remove Public Folders as part of the default menu. Create a portal page with different folders pertaining to different business area. Create your report views off the reports in the Public Folders and drop them in the Portal Page folders. The assign folder security to the Portal Page folders. For example create a Folder called 'Human Reources' and add to the permissions of the folder a group that you set up in Active Directory called 'Cognos Human Reosurces' for instance.

[cccschip]

Thanks, bi4u2, that makes us feel a bit better...providing some validation of the approach.

I suppose I should ask the question this way.  Why wouldn't everyone use this approach?  What reasons would make someone turn away from this approach?

[bdbits]

It's not so much that we "turn away" from your approach, as that we have no need for it. Nearly all of our departments are self-contained and are fine with having a department folder visible to themselves in Public folders (users with no access do not see the folder). I can only think of one that is sharing reports outside their group. For them we simply have a shared folder with subfolders for each outside group to see, and set permissions accordingly.

Also, if everyone has permissions to the folder with all your IT-generated reports and packages, and permissions to all the objects therein, from a security standpoint it is mostly security by obscurity. You can view the report view's properties, and from there view the base report's properties, where you can grab the action URL of the base report. This action URL could be passed to someone in another department to view the base report, even though they have no report view linked to that base report. So Sally in Sales does not have a report view to an HR report with everyone's wages, but has a boyfriend Joe in HR who is clever enough to share the action URL. Since everyone has permissions to the base report, Sally can use this to view the report.  An edge case to be sure, but something you would probably want to know.

[cccschip]

Excellent point bdbits...one we definitely had not thought of.  Not sure if it will swing the decision, but I will definitely pass it on.

[cccschip]

So, after all is said and done, we decided that the security hole identified by bdbits was unacceptable and have rejected this approach.

We have decided instead that we will publish reports normally and, when asked for access to the same report via another folder, use a Report View in that "special" case.

We are very, very grateful that bdbits raised that possibility for us.  We had not thought of it and likely would have put a lot of energy into a major conversion effort only to realize the error of our ways later.

That's exactly why I posted this to start with ... hoping someone would speak up with things we had not thought of.  The input was perfect.

[bdbits]

Kinda sorry and glad I could help at the same time.   :-\