Permissions issue

sandeeppenmetsa246 · 02 Apr 2012 02:00:58 AM

Hello One and All,

For a particular user say 'X', I want to deny Report Studio. For that I am going to IBM Cognos Administration --> Security --> Capabilities. In the list of Capabilities, I found Report Studio. For that, I am going to set properties --> Permissions tab. Here I am adding a user named 'X' and gave deny for all(i.e. Read, Write, Execute, Set Policy and Traverse) and saved it. Later on if I login as 'X' and try to launch report studio, I am able to create a report and save it even though the access is denied. May I know why is this happening. Thanx in advance.

cognoslearner1 · 02 Apr 2012 09:00:42 PM

Hi,

Please remove "every one" group. Because of that your able to access.

sandeeppenmetsa246 · 02 Apr 2012 11:59:31 PM

Thanks for the reply. If I try to delete the group, I am getting a message saying 'The object "/Directory/Cognos/Everyone" cannot be deleted.'

MFGF · 03 Apr 2012 03:50:44 AM

Yikes! No!! Don't try to delete the Everyone group!! Simply go into the properties of the Report Studio capability and remove the permissions of the Everyone group from this capability. You will need to make sure that all other users/groups who require access to Report Studio are added and granted permissions or else you run the risk of other users losing their access to Report Studio too.

Regards,

MF.

cognoslearner1 · 03 Apr 2012 07:53:58 AM

Hey thanks for your reply its working.

monica · 10 Apr 2012 12:17:36 AM

HI Friends,

I have tried to delete "Everyone " but its not getting deleted but even i have tried to deny access to report
studio to some users by going to report studio capablities and denying access from there....But still the denied user is able to access report studio...Please some one suggest and any alternate approach.

MFGF · 10 Apr 2012 03:31:44 AM

You should not attempt to delete the Everyone group. Simply remove the permissions of the Everyone group in the Report Studio capability. You should also check the other groups/roles which have permissions too - see who belongs to each group/role. It's possible that the Everyone group belongs to one of these other groups/roles, which have permissions granted.

MF.

surendra.e · 10 Apr 2012 10:44:23 AM

Hi,

Please try to remove the users from report studio capabilities and test it once.
make sure that everyone group is not available in the report studio capabilities.

Thanks,
surendra

monica · 13 Apr 2012 03:59:30 AM

Hi All ,

I have tried everything. I will just tell the steps please correct me where i have gone wrong.

Firstly, I logged in as admin and created a new user (Authentication used NTLM).
next....

1) cognos administration > security > capablities > report studio > set properties
from here i have removed every one group also and once tried denying permissions.
2) logged out and again logged in as newly created user still
the user can access Report studio..Whats wrong in this ?

MFGF · 13 Apr 2012 05:06:40 AM

There may be other groups or roles which have permissions granted in the Report Studio capability. It is possible that your user (or one of the groups or roles you user belongs to) is a member of one of these groups or roles. You need to make a note of each group or role with permissions granted in the Report Studio capability, then go to the Cognos namespace and look at each of these groups and roles to see who is defined as a member. My guess is that the everyone group belongs to one of these other groups or roles.

MF.

simon.hodgkiss · 13 Apr 2012 05:08:51 AM

Quote from: monica on 13 Apr 2012 03:59:30 AM
...
1) cognos administration > security > capablities > report studio > set properties
from here i have removed every one group also and once tried denying permissions.

Important: I would strongly recommend to never deny permissions for the "Everyone" group on any secured functions or features within capabilities, unless you fully understand the impllications.

Remember that a "deny" will always override a "grant". Then think about the set of users who are encompassed by the "Everyone" group... As All Authenticated Users are typically members of the "Everyone" group, then you are denying RS to everyone. Including Authors, Administrators and any user who should genuinely have the RS capability.

Regarding your issue (as MFGF has previously noted) - if the test user can still use Report Studio, and the everyone group has been removed from the RS capability, then perhaps the everyone group is also a member of the "Authors" role in the cognos namespace (which I suspect will also have RS capability). Try removing "Everyone" from membership of the "Authors" role in the directory > Users, Groups and Roles. Let us know how you get on! :)

All the best,

Simon

monica · 16 Apr 2012 01:57:58 AM

Thanks everybody...I got it. :) :) :D

BSP Software	Resources	About Us
MetaManager	BSP Software Training	BSP Software
Integrated Control Suite	YouTube Channel	Micro Strategies Inc
Security Migration		IBM Cognos
Integrated Management Suite

If you are unable to create a new account, please email support@bspsoftware.com

COGNOiSe.com - The IBM Cognos Community

News:

Permissions issue

sandeeppenmetsa246

cognoslearner1

sandeeppenmetsa246

MFGF

cognoslearner1

monica

MFGF

surendra.e

monica

MFGF

simon.hodgkiss

monica