
How Cognos Grants/denies Access to users

Started by biworld, 17 Jul 2012 03:53:24 PM


biworld

Hi Gurus!

We have AD groups which we imported in Cognos to implement Cognos Security.

Scenario is like: There are three Active Directory Groups ADG1, ADG2 and ADG3.

They are made members of Cognos Groups: CADG1, CADG2 and CADG3.

Three folders according to different departments: FADG1, FADG2, FADG3.

I need to implement security where users who are part of ADG1 become part of CADG1 and hence can access FADG1, and likewise.

If they are members of more than one AD group (ADG1 and ADG2), they will be part of both CADG1 and CADG2 and could see both FADG1 and FADG2.



I have assigned each CADG Traverse on its respective FADG, and Read, Execute and Traverse on the reports and packages which belong to that department.

I have defined one Consumers role for them, of which all of them are members, and added that role to the Report Studio, Query Studio and Analysis Studio capabilities with (Read, Execute and Traverse) permission.

Issue: When trying to implement the above scenario I do not see the expected outcome. Some users can see more than one of the folders that they were supposed to see, because they were part of more than one ADG group.
That would still be fine, but some of them do not see the stuff they were supposed to see. Some do not see folders, some do not see reports, some see reports but cannot execute them.

My question is: I can understand if they see more stuff than what they were supposed to see. But why are they denied permission on the stuff? Because, as part of best practices for implementing a security policy, we have not denied anything to anyone, just granted access as required. So where in this implementation does Cognos decide to deny permission to users?

Any Inputs/Suggestions Welcome,


Yunus

One thing to understand about Cognos security is that Deny takes precedence over allow. So if you have any groups specifically denied access to something, that will override the fact that they are a member of a group allowed to see an object.

Another interesting security feature is that object owners can still access objects even if they are denied. So if someone is seeing a report in a folder they shouldn't, you may want to check if they are the owner of that report. That shouldn't override folder security, but we have had issues with owners being able to edit reports we thought were locked down.

biworld

Hi Younus,

Thank you for your response. That is also what I am wondering about: why users cannot see things when we have not denied anything. We have not used deny at all.
What could be the reason they are not able to see these reports?

Do you think conflicts at the Active Directory level can get reflected here anyhow?


MFGF

Is it possible your users belong to other groups/roles (that belong to other groups/roles etc) that may have a Deny capability set somewhere?

It's often useful to check the memberships of every Cognos group and role to see how they link together - I usually end up drawing a mini-map on a piece of paper. I find it a great way of debugging issues like these.

Cheers!

MF.
Meep!
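
The membership "mini-map" and the deny-over-allow rule discussed in the replies above, worked through as an added example that is not part of the original thread and is not Cognos code. It is a simplified model (grants are unioned across all memberships, then any deny wins), the data is constructed, and `LegacyRole` with its deny entry is a hypothetical nesting invented for illustration.

```python
from collections import deque

# Constructed sample data, not exported from a real Cognos installation.
# member -> groups/roles it directly belongs to
MEMBER_OF = {
    "alice": ["ADG1"],
    "bob": ["ADG1", "ADG2"],
    "ADG1": ["CADG1"],
    "ADG2": ["CADG2", "LegacyRole"],  # hypothetical forgotten nesting
    "CADG1": ["Consumers"],
    "CADG2": ["Consumers"],
}

# object -> {principal: {"grant": set of permissions, "deny": set of permissions}}
POLICY = {
    "FADG1": {
        "CADG1": {"grant": {"traverse"}, "deny": set()},
        "LegacyRole": {"grant": set(), "deny": {"traverse"}},  # hypothetical deny
    },
    "FADG2": {"CADG2": {"grant": {"traverse"}, "deny": set()}},
}

def memberships(user):
    """Return {principal: membership path from user} for every group/role reached."""
    paths = {user: [user]}
    queue = deque([user])
    while queue:
        node = queue.popleft()
        for parent in MEMBER_OF.get(node, []):
            if parent not in paths:  # also guards against membership cycles
                paths[parent] = paths[node] + [parent]
                queue.append(parent)
    return paths

def effective(user, obj):
    """Union grants over all memberships, then remove anything denied (deny wins).

    Returns (effective permissions, {denied permission: [paths that caused it]}).
    """
    paths = memberships(user)
    granted, denied = set(), {}
    for principal, entry in POLICY.get(obj, {}).items():
        if principal in paths:
            granted |= entry["grant"]
            for perm in entry["deny"]:
                denied.setdefault(perm, []).append(" -> ".join(paths[principal]))
    return granted - set(denied), denied

if __name__ == "__main__":
    for user in ("alice", "bob"):
        for folder in ("FADG1", "FADG2"):
            print(user, folder, effective(user, folder))
```

The second value returned by `effective` is the useful part when debugging: it names the membership chain through which each deny reached the user.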