Stop Database Modifications through Update Query

Started by jimpixel, 18 Dec 2023 09:46:03 PM

jimpixel

Hi

I need advice on Cognos security measures. We have several published packages, each associated with a distinct business entity. According to business rules, users assigned to a specific publish package should only be able to work within that assigned package. However, a challenge arises when users create a report using their designated publish package, as they can write direct update queries in the SQL query area, potentially allowing them to modify data in the database. This poses a significant risk of data breach. What security or permission configurations can I implement to prevent users from writing update queries and modifying the database directly?

MFGF

Hi,

I don't believe update/insert/delete is syntax allowed within the SQL object of a Cognos report. I just attempted it against one of the sample databases to be sure, and see a message saying "...'update GOSALES.XGOREV set GO_OBJ_NAME = 'ALL' where GOREV_ID = 5020' is not a valid subquery or table reference."

I think the only way to update a database from within a report is to call a stored procedure. It is the stored procedure that would be making the update, so if no such procedure is available, there is no mechanism to update.

Cheers!

MF.
Meep!
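An added illustration, not part of either post and not Cognos code: it uses SQLite as a stand-in database and assumes the report SQL is embedded as a table reference in an outer SELECT, which is what the quoted error message suggests. It shows the update being rejected in that position, and that a statement run directly (the stored-procedure path mentioned above) is only stopped when the connection itself is read-only; the helper names and sample row are constructed.

```python
import os
import sqlite3
import tempfile

# Statement from the error message quoted in the reply (schema prefix dropped for SQLite).
UPDATE_SQL = "update XGOREV set GO_OBJ_NAME = 'ALL' where GOREV_ID = 5020"
SELECT_SQL = "select GOREV_ID, GO_OBJ_NAME from XGOREV"

def run_as_table_reference(con, user_sql):
    """Assumed behaviour: user SQL becomes a derived table of an outer SELECT."""
    try:
        con.execute(f"select * from ({user_sql}) T").fetchall()
        return "ok"
    except sqlite3.Error:
        return "rejected"  # an UPDATE is not a valid table reference

def run_direct(con, user_sql):
    """Run the statement as-is, the way a stored procedure body would."""
    try:
        con.execute(user_sql)
        con.commit()
        return "ok"
    except sqlite3.Error:
        con.rollback()
        return "rejected"

def demo():
    """Build a constructed one-row table and try each path against it."""
    path = os.path.join(tempfile.mkdtemp(), "sample.db")
    setup = sqlite3.connect(path)
    setup.executescript(
        "create table XGOREV (GOREV_ID integer primary key, GO_OBJ_NAME text);"
        "insert into XGOREV values (5020, 'ORIGINAL');"
    )
    setup.close()
    rw = sqlite3.connect(path)                              # account with write rights
    ro = sqlite3.connect(f"file:{path}?mode=ro", uri=True)  # read-only account
    out = {
        "wrapped_select": run_as_table_reference(rw, SELECT_SQL),
        "wrapped_update": run_as_table_reference(rw, UPDATE_SQL),
        "direct_update_read_only": run_direct(ro, UPDATE_SQL),
    }
    ro.close()
    out["direct_update_read_write"] = run_direct(rw, UPDATE_SQL)
    row = rw.execute("select GO_OBJ_NAME from XGOREV where GOREV_ID = 5020").fetchone()
    out["final_value"] = row[0]
    rw.close()
    return out

if __name__ == "__main__":
    print(demo())
```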