Impact on changing authentication method

[Yizi]

Hi all, not sure if this has been asked before (couldn't find anything via search) but I need to remove a LDAP authentication method and add a Active Directory instead. They will hold the same user/structure. What I need to know is what impact would that have on the environment as in will roles/groups/package links etc change?

Thanks in advance.

[AnalyticsWithJay]

Hi Yizi,

This is a big topic better covered in articles (I'll reference a couple below), but it's not a simple process. Objects in Cognos are secured against an ID called a CAMID. This is based on the authentication provider, and when you change providers all of those IDs will change, and security will need to be remapped.

IBM has a free (I believe) tool for this called Security Replication Application. You can read more about it below:
http://www-01.ibm.com/software/analytics/support/cognos_diagnostictools.html
http://public.dhe.ibm.com/software/data/cognos/DiagnosticToolsAndUtilities/flyers/ReplicationToolMarketingFlyer.pdf

Here's a snippet from Motio's website which summarizes the process well:

https://www.motio.com/products/cognosNamespaceMigration.do

About Cognos Security

In IBM Cognos, an authentication provider provides access to a (generally external) authentication source (e.g. Series 7 Access Manager, LDAP, Active Directory, etc). By configuring an authentication provider in IBM Cognos, you define an "authentication namespace."

Each user, group and role in an authentication namespace has a unique identifier in Cognos called a "CAMID".

Virtually all Cognos content will have references to one or more CAMIDs. Examples of this include:

    most objects in Cognos have :
        an owner property which will refer to the CAMID of the owning user.
        a policy set, which lists the CAMIDs of users, groups and roles are entitled to the Cognos object (and their level of access)
    all content in a user's My Folders area is associated with a user's CAMID
    each user's preferences and portal tabs are associated with their CAMID
    Framework Model Object Security - modelers may restrict access to Namespaces, Query Subjects and Query Items based on groups / roles (references their CAMID).
    Transformer Models may have Custom Views to enforce security on cubes. These custom views are configured as visible to certain users, groups & roles (references their CAMID).

When you migrate to a different authentication namespace, all users, groups and roles from that new namespace will have different CAMIDs (even if they are semantically the same user, group or role).

Here's an article from Motio that describes options generally. It's a bit promotional to their products, but you could get an idea of your options and the steps involved:
http://info.motio.com/blog/cognos-namespace-migration-methods-good-bad-ugly

[j33p2006]

The changes that are required to ensure a successful migration can be extensive and often impossible to identify. The Security Migration module in BSP Software's MetaManager tool now includes an impact analysis which checks every object in the content store and determines the changes required. A detailed report of all impacted objects is produced which includes a list of all the CAMIDs that require migrating, and it also provides an estimated migration time based on the response time of the content store and the number of objects.

Check out http://www.bspsoftware.com/products/metamanager/smss/.

The SMSS tool can then migrate users and update all references to the old LDAP CAMIDs in your content store, and the security in Framework Manager and Transformer Models if you have it, with new AD CAMIDs so that you can completely remove the old LDAP authentication from Cognos Configuration.