Best Practice - Cognos Security groups

[eonze]

We currently use AD for our authentication provider, in our existing security model we map all AD groups to Cognos groups then use Cognos groups for object security etc.  Taking a step back before beginning a new reportin solution, does anyone know if this is considered best practice?  or have any documentation to back that up?  The alternative would be to skip the step of mapping AD groups to corresponding Cognos groups.  The theory with assigning AD groups to Cognos groups is that you are more insulated from changes to AD. 

Thank you for your input!

[Raghuvir]

We currently use AD for our authentication provider, in our existing security model we map all AD groups to Cognos groups then use Cognos groups for object security etc.  Taking a step back before beginning a new reportin solution, does anyone know if this is considered best practice?  or have any documentation to back that up?  The alternative would be to skip the step of mapping AD groups to corresponding Cognos groups.  The theory with assigning AD groups to Cognos groups is that you are more insulated from changes to AD. 

Thank you for your input!

Hi All,

Even i am having the same query.

Request the experts to comment on this and guide us with our query.

Thanks in advance.

Regards

[bdbits]

That is a really old post, Raghuvir, but...

Here we do assign AD groups directly to Cognos objects, mostly because whoever originally set it up here did it that way. In retrospect, I wish we had done what is recommended - assign AD objects to Cognos groups and use those for securing objects.

From http://www.ibm.com/developerworks/analytics/library/ba-pp-security-cognos_bi_platform-page651/:
"The security best practice for IBM Cognos BI is to base off object security (authorization) on groups and roles from the Cognos Namespace only. This provides flexibility and portability since all authorization is only indirectly linked to external objects from the authentication sources."

And from http://www.ibm.com/developerworks/data/library/cognos/security/cognos_bi_platform/page602.html
"All references in permissions, capabilities and secured functions should only be made to groups and roles from the Cognos namespace."

[Raghuvir]

That is a really old post, Raghuvir, but...

Here we do assign AD groups directly to Cognos objects, mostly because whoever originally set it up here did it that way. In retrospect, I wish we had done what is recommended - assign AD objects to Cognos groups and use those for securing objects.

From http://www.ibm.com/developerworks/analytics/library/ba-pp-security-cognos_bi_platform-page651/:
"The security best practice for IBM Cognos BI is to base off object security (authorization) on groups and roles from the Cognos Namespace only. This provides flexibility and portability since all authorization is only indirectly linked to external objects from the authentication sources."

And from http://www.ibm.com/developerworks/data/library/cognos/security/cognos_bi_platform/page602.html
"All references in permissions, capabilities and secured functions should only be made to groups and roles from the Cognos namespace."

Hi bdbits,

Thanks a lot for this information :)

Regards