(Solved) Multiple company User access/structure (CC)

Started by cognosjon, 26 Sep 2006 08:21:05 AM


cognosjon

Firstly, apologies if the subject line baffled you. I couldn't think of what else to title this post...

Could anyone shed any light on how they handle user access when you have multiple companies that require access but are only allowed to view/run their own reports and dashboards?
We are soon to kick off a new project that will eventually see approximately six sites using C8.

At present we have only one company using the Cognos applications and the users at this site are detailed as a group within Active Directory such as 'Cognos Consumers' and this group has then been added as a member of the default Cognos Consumer name space.

Should we be considering creating new instances of the Default Cognos namespaces such as Consumer, Report Administrator, Query Users and prefix them with say the company name, for example ABC Consumer, ABC Report Administrators and then add our groups to these new instances?

Any help or suggestions appreciated. I'm just a little baffled ??? as to the best way forward, as I can see a massive amount of admin work if we aren't careful.

Thanks
Jonathan

MFGF

Hi Jonathan,

I'd be tempted to leave the Cognos Roles in the Cognos namespace as they are, and have your role-based access (Consumer, Query User, Analysis User, Report Author etc) dependent on these.

Aside from this, you can use the Company-based groups (and users) in your Active Directory namespace to define things like visibility rights and security filters.

So, for example, John Doe belongs to the ABC company group in Active Directory. In Cognos Connection, you can allow the ABC group to see the relevant folders and reports, and in Framework Manager you can define security filters on the data for the ABC group. In addition, if John Doe should have only consumer privileges (i.e. he can view/run reports, but not create new ones), add his userid to the Consumers role in the Cognos namespace. Alternatively, if John Doe needs access to Query Studio to create new queries, add him to the Query Users role in the Cognos namespace.

In this way you define data and report-based security using the existing Active Directory groups, and you define function-based security (which studios etc) by adding the relevant AD users to the existing set of Cognos roles.

This would seem to be the simplest way of doing things and reducing the maintenance overhead later.

Best regards,

MF.
Meep!

clelkinsBERRY

Trust me, you're not the only one baffled at the task of setting up separate Namespaces and Cognos Connection Security; it's tough ...

I hope this will help with direction ...

Each of the 'Default Cognos Namespaces' you named below (i.e. Consumer, Report Administrator, Query Users) are 'Roles' not Namespaces.

I would suggest determining what users will do:

- Only Dashboard usage and/or possibly searching in Cognos Connection to be able to only 'Execute' reports to be able to view the report straight from Cognos Connection
  These users will need to have access to a specific Package then be able to access a folder in this package that should only be seen by this user and the other members in their group.
  + They will need only Read, Execute, and Traverse Capabilities.

- Then if you have what we call 'Super Users' within our Company that will do all the above but also have the freedom to write their own reports and save the report.
  + They would need to have the ability to Read, Write, Execute, and Traverse Capabilities.

I would suggest (unless you're going to provide your end users with a general training package) just to include every End User under the 'Consumers' Role you have and develop separate groups according to your business.

For Example,

We have Sales and Logistics Departments (our sales department has 3 diff. divisions (100, 200, 300)):

We have under our '<Company Name> Consumers' Role:

We have GROUPS:
  Sales - Authors - 100
  Sales - Authors - 200
  Sales - Authors - 300
  Sales - Consumers - 100
  Sales - Consumers - 200
  Sales - Consumers - 300
  Logistics - Authors
  Logistics - Consumers

This helps us distinguish what users we plan on allowing to Read, Write, Execute, Traverse and those we plan on only allowing to Read, Execute, Traverse (like Dashboard only users).

The actual Security these Groups receive at the Package level is defined at the Package level (and trickles down through the folders) SO IF YOU WANT TO ADD SPECIFIC SECURITY TO THE FOLDERS UNDERNEATH A PACKAGE BE SURE TO APPLY GROUP SECURITY AT THE FOLDER LEVEL UNDER THE PACKAGE ALSO.

As far as the separate locations you have. We have 26 different locations and namespaces. If your companies all exist on separate domains which each of ours do. You will need to define and create namespaces. I handle our security within Cognos Connection but do not create our namespaces but I will get with our Server Admin. guy and see what he does to get new Namespaces to occur. Research this in your Cognos Software boxes and booklets OR contact Cognos Customer Support. They may be able to point you in the right direction. But I will try and get information to you.




cognosjon

Thanks to both MFGF and clelkinsBERRY, for your quick replies, never expected such a speedy response.

I've printed off your replies and I've decided to arrange an internal meeting to discuss the best way forward.
I'll let you know how we get on and what option we decided to take. ;D

cognosjon

Just a quick one to close off this post.

After much deliberation we decided to go the way detailed mostly by MFGF. So we shall be creating groups within Active Directory for each of our sites and within these, subdirectories for departments.
We shall secure our packages using these and then use the Cognos Roles simply as they are intended, to provide the relevant access to the relevant applications within Cognos. ;D
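
The split settled on in this thread (company groups decide which packages and folders a user can see, Cognos roles decide which functions they can use) can be checked with a small audit. The sketch below is an added example, not code from any poster and not a Cognos API: it is a simplified model in which a folder without its own policy inherits its package's policy, and all group, user and folder names are constructed.

```python
from dataclasses import dataclass, field

VIEW = {"read", "execute", "traverse"}

@dataclass
class Node:
    owner: str                                # company that owns the content
    acl: dict = field(default_factory=dict)   # group -> permissions; empty = inherit

# Constructed sample data (hypothetical names), not taken from any real system.
GROUP_COMPANY = {"ABC Users": "ABC", "XYZ Users": "XYZ"}            # AD group -> company
USER_GROUPS = {"jdoe": {"ABC Users"}, "asmith": {"XYZ Users"}}      # AD membership
USER_ROLES = {"jdoe": {"Consumers"}, "asmith": {"Consumers", "Query Users"}}
TREE = {
    "/ABC Reports": Node("ABC", {"ABC Users": VIEW}),
    "/ABC Reports/Dashboards": Node("ABC"),                          # inherits from package
    # Misconfiguration: another company's group was granted traverse here.
    "/XYZ Reports": Node("XYZ", {"XYZ Users": VIEW, "ABC Users": {"traverse"}}),
    "/XYZ Reports/Finance": Node("XYZ", {"XYZ Users": VIEW}),        # folder-level policy
}

def effective_acl(path, tree=TREE):
    """Nearest policy walking up from path; models package-to-folder inheritance."""
    while path:
        node = tree.get(path)
        if node and node.acl:
            return node.acl
        path = path.rsplit("/", 1)[0]
    return {}

def can_view(user, path, tree=TREE):
    """Data/report security: decided only by the user's company (AD) groups."""
    acl = effective_acl(path, tree)
    return any(VIEW <= acl.get(g, set()) for g in USER_GROUPS[user])

def can_author(user):
    """Function security: decided only by Cognos role membership."""
    return "Query Users" in USER_ROLES[user]

def cross_company_exposure(tree=TREE):
    """(path, group) pairs where a group of another company holds any permission."""
    return sorted(
        (path, group)
        for path, node in tree.items()
        for group, perms in effective_acl(path, tree).items()
        if perms and GROUP_COMPANY.get(group) != node.owner
    )

if __name__ == "__main__":
    for finding in cross_company_exposure():
        print("cross-company grant:", finding)
```

The Finance folder is not flagged because it carries its own folder-level policy, which is the case the capitalised advice in clelkinsBERRY's post is about.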