Cognos Administration test quiz question

Started by oscarca, 26 Oct 2020 05:00:18 AM

oscarca

Hello community,

I am doing some test quizzes and wonder if anyone knows the answer for the following questions:

1.
Which of the following is a correct example of a security policy rule in IBM Cognos Analytics?
Select one:
A. Group inheritance: Permissions assigned to a member of a group are automatically assigned to the group
B. Implicit deny: After access is granted for specific users, groups, or roles, all others automatically have no access.
C. Acquired policies: If a policy has not been explicitly defined for an object, then the child objects will be evaluated to determine access to the object
D. Group preservation: Access permissions based on a group or role that has been deleted can be restored by recreating the group or role using the same name

2.
Which of the following statements about credentials in IBM Cognos Analytics are TRUE?
Select one or more:
A. Trusted credentials cannot be used on scheduled tasks that run overnight when users are not logged in.
B. A user must create them manually after logging into the system.
C. Users can use trusted credentials to authorize other users to run activities.
D. If a user's credentials change, all trusted credentials are invalidated.
E. They are created in IBM Cognos Analytics under the Data sidebar.

3.
You are updating access permissions to a feature in the Capabilities section of the Security tab in IBM Cognos Administration. Currently, the Everyone group has been granted access to the feature. You create a group called Employees, and add this group to the access list for the feature. Which of the following statements about who has access to the feature is TRUE?
Select one:
A. Only members of the Employees group have access. Adding users to the group will not grant them access to the feature, and users removed from the group will lose access.
B. Everyone still has access.
C. Only members of the Employees group have access. Adding users to the group will grant them access to the feature, and users removed from the group will retain access.
D. Only members of the Employees group have access. Adding users to the group will also grant them access to the feature, and users removed from the group will lose access.

4.
You have an Executive Managers group that contains both Directors and Managers. As the security administrator, you need to secure content using the Executive Managers group, but approximately 10% of the content being secured is of a sensitive nature, and should only be accessed by Directors. How could you ensure Managers do not have access to the sensitive content?
Select one or more:
A. Remove individual users categorized as Directors from the Executive Managers group. Create a separate group containing only Directors called Upper Management. Secure non-sensitive content including both Executive Managers and Upper Management, and secure sensitive content including only Executive Managers.
B. Remove individual users categorized as Managers from the Executive Managers group. Create a separate group containing only Managers called Management. Secure non-sensitive content including both Executive Managers and Management, and secure sensitive content including only Executive Managers
C. It is not possible to secure the data in such a way that Managers do not have access to a subset of the content.
D. Secure all data using Executive Manager, and then apply explicit denies for each Manager on the permissions list of the sensitive entries.
E. Add security logging to the sensitive content and schedule an automated task to scan the log and notify security if a Manager attempts to access sensitive content.

For question 1, I answered C.
For question 2, I answered C, D.
For question 3, I answered B.
For question 4, I answered A, B.

But not sure if this is correct.

Best regards,
Oscar

MFGF

Hi,

It would be wrong to publish answers to a certification test in a public forum like this, but in the spirit of being helpful let's look at your suggested answers and make some comments.

1. You answered C, which implies that if an object doesn't have any security rules defined, the rules of its child objects are evaluated to see how to secure it. This is a kind of reverse-inheritance. What happens if an object has no child objects, or if its child objects also have no security rules defined? Is that how security works in Cognos?

2. You answered C and D, so we assume a multi-answer question, and these are always more tricky because you can never be 100% confident about how many answers to select. Things to research to check your answers are: (1) Can one user's trusted credentials be stored and used automatically when a report is run by another user? (2) Would it make sense for a stored set of trusted credentials to remain valid if the user's credentials change (e.g. the password changes)?

3. You answered B, which implies that the Everyone group remains in the access list with access granted. Is this correct or does adding one group to the list remove other groups from the list?

4. You answered A and B, so again we assume it's a multi-answer question. I'd advise you to read the answers very, very carefully, and if necessary draw a diagram of what is happening for each answer on a sheet of paper. Pay close attention to who remains in each group and what security is being defined for each group. Then compare this with the original directive in the question. You might also notice there is a typo in one of the answers which might confuse things a little. The other thing to consider is how implied deny vs explicit deny differs. Implied deny is where a user doesn't have a privilege granted in any of the groups they belong to. Explicit deny is where a user or group has the deny box checked for a specific privilege. Are they the same? If a user has a privilege granted in one place and explicitly denied in another, what is the final result?

If you want to discuss further, drop me a PM :)

Cheers!

MF.
Meep!

oscarca

Thank you MF, I'll write a PM to you.

Best regards,
Oscar