If you are unable to create a new account, please email support@bspsoftware.com

 

News:

MetaManager - Administrative Tools for IBM Cognos
Pricing starting at $2,100
Download Now    Learn More

Main Menu

Contents in "My Contents folder"

Started by Vineet, 12 Dec 2021 07:16:17 PM

Previous topic - Next topic

Vineet

Hello All,

We recently made a deployment in Cognos Production from QA. A developer made some changes in QA security which got moved over to production. We realized this mistake after 1 week so cannot go back to the restore.

The issue is all the non admins users have lost  write access to the reports in "My Content folder". users can view the report and can run it but they have lost access to delete it or schedule it or any other operations. Basically the three dots beside the reports or folders is doing nothing .

we tried different options but nothing seems to be working. Any help will be appreciated.
Thank you 

MFGF

Quote from: Vineet on 12 Dec 2021 07:16:17 PM
Hello All,

We recently made a deployment in Cognos Production from QA. A developer made some changes in QA security which got moved over to production. We realized this mistake after 1 week so cannot go back to the restore.

The issue is all the non admins users have lost  write access to the reports in "My Content folder". users can view the report and can run it but they have lost access to delete it or schedule it or any other operations. Basically the three dots beside the reports or folders is doing nothing .

we tried different options but nothing seems to be working. Any help will be appreciated.
Thank you

Hi,

This isn't easy to recover from, but it can be done.  First let's see what permissions are set for a regular user within your security namespace:
Logged in as an Administrator, do the following:
- Manage
- Administration Console
- Security tab
- Users, Groups, and Roles
- Navigate into your security namespace
- Navigate into one of your regular users in the list
- Press the "Set Properties" button in the top right corner
- Permissions tab

What permissions are set for the user in question, and for Directory Administrators? Out of the box, all permissions are granted for both.

If you fix the permissions for this user here, and check the "Delete the access permissions of all child entries" checkbox, these permissions should then flow through to the user's My Folders and all content within them.

Doing this on a user-by-user basis would be a big task, though. It might be worth looking at the Security Blaster tool from BSP to automate permissions changes like this? I'm sure one of the Admins will be along shortly to offer help with this.

Good luck!

MF.
Meep!

Eric.Pleiss

Hi Vineet,
as MF mentioned, a special tool to solve this problem will save you loads of time.  MetaManager can help you make a change for all of your users (admin and otherwise), with just a few clicks. 

I'll reach out via email and get you a free trial so you can tackle this problem, and see if it will be helpful for you with this and many other Cognos updates.

-
Eric

Vineet

Hello MF

I did checked the user's profile through LDAP and it has all the rights same as directory administrator. any where else I can look into?
I cannot use any custom tool for security in my environment .

Thanks
Vineet

MFGF

Quote from: Vineet on 14 Dec 2021 02:39:03 PM
Hello MF

I did checked the user's profile through LDAP and it has all the rights same as directory administrator. any where else I can look into?
I cannot use any custom tool for security in my environment .

Thanks
Vineet

Hi,

So you're saying the user has all privileges granted? Traverse, Read, Execute, Write and Set Policy? Have you tried checking the "Delete the access permissions of all child entries" checkbox to force these permissions to be inherited by everything below (including My Folders)? If you do this, does it fix the issue for that user?

If this doesn't change anything, then we need to start looking for any privileges which are explicitly denied above this in the hierarchy. Explicit denies override granted privileges, so it's likely this is what's going on. Before you start changing things in your Production system, it's probably best to go back to your QA system to understand how things are configured there. If you can find a Deny, then go and look for it in Production and figure out what it is there for and what effects it is having.

Cheers!

MF.
Meep!