Cognos Administrator License

[Newb]

Hi all,

Using 11.2.4 here
Trying to check if we are using more admin license than what was purchased.
We are using license roles: Analytics Administrator, Analytics User, Analytics Explorer, Analytics viewer
We have performed the steps to add an admin user into the system administrator role and remove 'Everyone' from it.

We noticed that under 'People'>'Account'>'Cognos',  there is no 'Analytics Administrator' role, but user, explorer and viewer are available, and also under License UI, we found an absurd number of users utilizing administrator license. We tried refreshing it and also restarted Cognos as advised by support to 'Refresh' the content store with hope that the count of license will reflect accordingly, but it didn't work.

Questions:-
1) How is administrator license utilized? Since we cannot find 'Analytics Administrator' role and there is only 1 user assigned under 'System Administrator' role
2) There are other kind of administrator roles, i.e., Tenant Administrator, Mobile Administrator. We were thinking that any user account that are assigned to these roles will utilize administrator license, but we did a count of user and still doesn't tally with the license count displayed in the license UI
3) The other suspect we had is capabilities, since there are some capabilities under 'Administrative Task' parent capability, but again, we did a count of user under all the roles that have access and it still doesn't tally with the license count

Much appreciated

[MFGF]

Hi all,

Using 11.2.4 here
Trying to check if we are using more admin license than what was purchased.
We are using license roles: Analytics Administrator, Analytics User, Analytics Explorer, Analytics viewer
We have performed the steps to add an admin user into the system administrator role and remove 'Everyone' from it.

We noticed that under 'People'>'Account'>'Cognos',  there is no 'Analytics Administrator' role, but user, explorer and viewer are available, and also under License UI, we found an absurd number of users utilizing administrator license. We tried refreshing it and also restarted Cognos as advised by support to 'Refresh' the content store with hope that the count of license will reflect accordingly, but it didn't work.

Questions:-
1) How is administrator license utilized? Since we cannot find 'Analytics Administrator' role and there is only 1 user assigned under 'System Administrator' role
2) There are other kind of administrator roles, i.e., Tenant Administrator, Mobile Administrator. We were thinking that any user account that are assigned to these roles will utilize administrator license, but we did a count of user and still doesn't tally with the license count displayed in the license UI
3) The other suspect we had is capabilities, since there are some capabilities under 'Administrative Task' parent capability, but again, we did a count of user under all the roles that have access and it still doesn't tally with the license count

Much appreciated

Did users log in to the Cognos portal during the period when the 'Everyone' group belonged to the 'System Administrators' role? If so, their user profiles (stored in the content store) will be tied in to the list of users the system considers to be Analytics Administrators.

To remove the users from the list, you will need to delete the user profiles of the users within your Cognos instance, then refresh the licenses page in the Admin console, then have them log back in again to set up new profiles. You will need to make sure everything in their My Content area has been saved elsewhere, plus you will need to set up their preferences etc again.

https://www.ibm.com/support/pages/how-remove-used-license-when-user-will-no-longer-be-accessing-cognos-analytics

Cheers!

MF.

[Newb]

Hi MF,

Thanks for the reply. This is to reflect the correct license count in the license interface right?
As long as there are not more than x user assigned to the System Administrator role, is it safe to say we are in compliance? Unless the role 'System Administrator' is not the only role that admin license get measured. Would you be able to advise on this? Because I can see tons of other standard administrator-like roles like tenant, mobile, directory, server etc.

Thanks!

[MFGF]

Hi MF,

Thanks for the reply. This is to reflect the correct license count in the license interface right?
As long as there are not more than x user assigned to the System Administrator role, is it safe to say we are in compliance? Unless the role 'System Administrator' is not the only role that admin license get measured. Would you be able to advise on this? Because I can see tons of other standard administrator-like roles like tenant, mobile, directory, server etc.

Thanks!

Hi,

When IBM undertakes a Software License Review (SLR - their name for a license audit), one of the many things they look at is the license count reflected in the license UI, as well as the memberships of the security groups and roles. If they find users have (or have historically) been given access to Admin capabilities, they come down very hard on you, and can force you to pay the license fees as though those users were real Analytics Administrators.

If I was you, I would check every role that has any admin privileges, and make sure that the memberships of those roles are empty. Obviously you can't remove all members of the System Administrators role, but for that one, make sure that just the real Admin users are included as members.

Then go through the process of clearing out the license count for Administrators in the UI - as I detailed above.

Back when I worked for IBM, the SLR team would occasionally use members of our team to give them technical assistance in specific reviews of client licenses. I remember one instance where I was the one they brought in, and the client had included their AD Domain Admin group as a member of one of the Cognos Admin roles. It turns out that AD Domain Admin group had hundreds of people included (I was very surprised). The outcome of that audit was not something the client was happy about, and I believe people at the client got fired as a result. I'm mentioning this because I saw first-hand what a big impact a small mistake like that can have. Don't give the SLR team anything to get hold of that even hints at you not being in license compliance - that's my advice.

Cheers!

MF.

[dougp]

This thread caught my interest because I have worked through some of these issues before.  In particular, I went through a complete review of capabilities with IBM staff to try to understand why I had hundreds of users consuming an Analytics Administrator license.  The review was needed because I did not use the standard roles.  I assigned capabilities in a more restrictive manner.  The answer, however, was that in 11.0 and 11.1 -- until 11.1.7 -- the license counting in CA was just wrong.  I managed to finally get everything corrected.  My Analytics Administrator license was correctly 3 (Technically, 2 of those were me -- 1 for me performing admin tasks and 1 for a service account to fire triggers.  So, according to the IBM Cognos license specialist I had been working with, I was working within my 2 licenses.)

So, here I am in 11.2.4.  This thread spurred me to check license usage.  Admin license usage is climbing again.  Somehow the Licenses tool is showing admin licenses being used by users who last used Cognos 4-5 years ago.  (before I got this all cleaned up)  Notable are a service account that has not touched Cognos for years and a user who left in 2018 and is no longer in Active Directory.

Any clue how I can remove a user from the counts if I can't find them in Cognos Administration?

[MFGF]

This thread caught my interest because I have worked through some of these issues before.  In particular, I went through a complete review of capabilities with IBM staff to try to understand why I had hundreds of users consuming an Analytics Administrator license.  The review was needed because I did not use the standard roles.  I assigned capabilities in a more restrictive manner.  The answer, however, was that in 11.0 and 11.1 -- until 11.1.7 -- the license counting in CA was just wrong.  I managed to finally get everything corrected.  My Analytics Administrator license was correctly 3 (Technically, 2 of those were me -- 1 for me performing admin tasks and 1 for a service account to fire triggers.  So, according to the IBM Cognos license specialist I had been working with, I was working within my 2 licenses.)

So, here I am in 11.2.4.  This thread spurred me to check license usage.  Admin license usage is climbing again.  Somehow the Licenses tool is showing admin licenses being used by users who last used Cognos 4-5 years ago.  (before I got this all cleaned up)  Notable are a service account that has not touched Cognos for years and a user who left in 2018 and is no longer in Active Directory.

Any clue how I can remove a user from the counts if I can't find them in Cognos Administration?

Hmmm. Interesting that it's counting users who no longer exist. Have you tried running a content maintenance task? Maybe first do a consistency check, then a content removal task. I'm wondering if there might be content somewhere still tied to the CAMIDs of those users?

Cheers!

MF.

[dougp]

Maybe a schedule?  I'll poke at the Content Store database and see if I can find anything owned by the user.

If there's content in the user's profile...  In 11.2.4, there's no good way to know.  In 11.1.7, I was able to form a URL based on a query from the Content Store (it used the StoreID).  As an administrator, I could go look at the My Content folder of any user, edit and delete content, etc.  It even worked for users who no longer appeared in Cognos Administration.  But in 11.2.4, the user accounts are now protected from an administrator who may want to manage the system.

[MFGF]

Maybe a schedule?  I'll poke at the Content Store database and see if I can find anything owned by the user.

If there's content in the user's profile...  In 11.2.4, there's no good way to know.  In 11.1.7, I was able to form a URL based on a query from the Content Store (it used the StoreID).  As an administrator, I could go look at the My Content folder of any user, edit and delete content, etc.  It even worked for users who no longer appeared in Cognos Administration.  But in 11.2.4, the user accounts are now protected from an administrator who may want to manage the system.

I was thinking of the content store maintenance tasks in the Admin Console - might be easier?

https://www.ibm.com/docs/en/cognos-analytics/11.1.0?topic=tasks-content-store-maintenance-external-namespaces

Cheers!

MF.

[dougp]

I have run content maintenance | consistency check | find & fix a few times since this person left.  I suspect it's not removing the user's profile completely because of object ownership.  Looking in the Content Store I see that this user owns 319 objects - mostly reports (according to a relationship involving CMREFNOORD2).

One major concern is the consistency check may be being blocked by something like this:

Team Content/<folders>/Report Name/2017-01-31T16:50:26.270Z

That's a "history" object.  Apparently in January of 2017 this user ran this report.  Now they own an object outside of My Content and their profile can't be removed.  And I don't see a way in the UI to see this object so I can change ownership or delete it.  Is there a way to see this history object?  I'm also seeing parameterCache objects.

Apparently license counting in IBM Cognos Analytics is still a mess.  I hope I don't get audited by these clowns.

[Newb]

Hi,

When IBM undertakes a Software License Review (SLR - their name for a license audit), one of the many things they look at is the license count reflected in the license UI, as well as the memberships of the security groups and roles. If they find users have (or have historically) been given access to Admin capabilities, they come down very hard on you, and can force you to pay the license fees as though those users were real Analytics Administrators.

If I was you, I would check every role that has any admin privileges, and make sure that the memberships of those roles are empty. Obviously you can't remove all members of the System Administrators role, but for that one, make sure that just the real Admin users are included as members.

Then go through the process of clearing out the license count for Administrators in the UI - as I detailed above.

Back when I worked for IBM, the SLR team would occasionally use members of our team to give them technical assistance in specific reviews of client licenses. I remember one instance where I was the one they brought in, and the client had included their AD Domain Admin group as a member of one of the Cognos Admin roles. It turns out that AD Domain Admin group had hundreds of people included (I was very surprised). The outcome of that audit was not something the client was happy about, and I believe people at the client got fired as a result. I'm mentioning this because I saw first-hand what a big impact a small mistake like that can have. Don't give the SLR team anything to get hold of that even hints at you not being in license compliance - that's my advice.

Cheers!

MF.

Turns out that there are some users that have logged on before the 'Everyone' was removed from 'System Administrator' roles. To get the license UI to reflect correctly, will need to get these inactive users to log on. I guess the license UI is not the definite way to determine license usage after all...

Reading on the thread, it seems like there is still a concern on user that has been removed from the AD but still own objects in Cognos - it means that the user can no longer log in the reflect the correct license count right? But as long as we can prove that the user has left and ID is removed from AD to the auditors, the customer should be under compliance right?

Thinking out loud: Is it really difficult for IBM to enhance the license count UI to make life easier...

[MFGF]

Turns out that there are some users that have logged on before the 'Everyone' was removed from 'System Administrator' roles. To get the license UI to reflect correctly, will need to get these inactive users to log on. I guess the license UI is not the definite way to determine license usage after all...

Reading on the thread, it seems like there is still a concern on user that has been removed from the AD but still own objects in Cognos - it means that the user can no longer log in the reflect the correct license count right? But as long as we can prove that the user has left and ID is removed from AD to the auditors, the customer should be under compliance right?

Thinking out loud: Is it really difficult for IBM to enhance the license count UI to make life easier...

It's not as easy as the user just logging on, sadly. The content store holds a flag against their user profile that they logged in with administrative privileges previously, and this doesn't get cleared. The way to clear it is to remove their user profile, then get them to log in and set it up again - the link I included in my first reply takes you through the steps. You'll need to make sure they don't have anything saved in their "My Content" areas - this will get wiped when you remove their user profile.

Cheers!

MF.

[dougp]

This link?

https://www.ibm.com/support/pages/how-remove-used-license-when-user-will-no-longer-be-accessing-cognos-analytics

That doesn't work if the user can't be found through Cognos Administration because they are no longer in Active Directory.

And these...
https://community.ibm.com/community/user/businessanalytics/discussion/remove-licence-for-ad-deleted-user
https://www.ibm.com/support/pages/how-remove-old-users-content-store-cognos-analytics-11
...say to use Consistency Check | Find & Fix.  That clearly didn't work the last few times I ran it since the user left in 2018.  And I know that process does something.  After we fired over 400 employees in October 2021, that process significantly reduced my report count.  I assumed that was from deleting profiles, including all reports in My Content.

I thought there were instructions (other than a Consistency Check) somewhere about nuking a user profile when they can no longer be found in Cognos Administration, but I'm not finding it.  I can absolutely run a query against the Content Store and get the user's CAMID -- I just can't find those instructions.

https://www.ibm.com/support/pages/manually-retrieve-contents-myfolder
mentions a tool called CM_tester.htm.  But the article is for Cognos 10.  I'm not finding that in Cognos 11.

Isn't there a desktop app to inspect and manage the Content Store within the Cognos Analytics install on the server?  I thought I had seen that, but I'm not finding it.

Then, of course, there's this wonderful example of web page design:  https://www.ibm.com/support/pages/ibm-cognos-analytics-content-store-cleanup.
All of the content uses style="cursor: pointer;" to fool the reader into believing there are links to something helpful.