If you are unable to create a new account, please email support@bspsoftware.com

 

News:

MetaManager - Administrative Tools for IBM Cognos
Pricing starting at $2,100
Download Now    Learn More

Main Menu

Best Practice - Cognos Security groups

Started by eonze, 26 Oct 2009 02:33:46 PM

Previous topic - Next topic

eonze

We currently use AD for our authentication provider, in our existing security model we map all AD groups to Cognos groups then use Cognos groups for object security etc.  Taking a step back before beginning a new reportin solution, does anyone know if this is considered best practice?  or have any documentation to back that up?  The alternative would be to skip the step of mapping AD groups to corresponding Cognos groups.  The theory with assigning AD groups to Cognos groups is that you are more insulated from changes to AD. 

Thank you for your input!

Raghuvir

Quote from: BiGirl on 26 Oct 2009 02:33:46 PM
We currently use AD for our authentication provider, in our existing security model we map all AD groups to Cognos groups then use Cognos groups for object security etc.  Taking a step back before beginning a new reportin solution, does anyone know if this is considered best practice?  or have any documentation to back that up?  The alternative would be to skip the step of mapping AD groups to corresponding Cognos groups.  The theory with assigning AD groups to Cognos groups is that you are more insulated from changes to AD. 

Thank you for your input!

Hi All,

Even i am having the same query.

Request the experts to comment on this and guide us with our query.

Thanks in advance.

Regards

bdbits

That is a really old post, Raghuvir, but...

Here we do assign AD groups directly to Cognos objects, mostly because whoever originally set it up here did it that way. In retrospect, I wish we had done what is recommended - assign AD objects to Cognos groups and use those for securing objects.

From http://www.ibm.com/developerworks/analytics/library/ba-pp-security-cognos_bi_platform-page651/:
"The security best practice for IBM Cognos BI is to base off object security (authorization) on groups and roles from the Cognos Namespace only. This provides flexibility and portability since all authorization is only indirectly linked to external objects from the authentication sources."

And from http://www.ibm.com/developerworks/data/library/cognos/security/cognos_bi_platform/page602.html
"All references in permissions, capabilities and secured functions should only be made to groups and roles from the Cognos namespace."

Raghuvir

Quote from: bdbits on 01 Dec 2014 03:47:39 PM
That is a really old post, Raghuvir, but...

Here we do assign AD groups directly to Cognos objects, mostly because whoever originally set it up here did it that way. In retrospect, I wish we had done what is recommended - assign AD objects to Cognos groups and use those for securing objects.

From http://www.ibm.com/developerworks/analytics/library/ba-pp-security-cognos_bi_platform-page651/:
"The security best practice for IBM Cognos BI is to base off object security (authorization) on groups and roles from the Cognos Namespace only. This provides flexibility and portability since all authorization is only indirectly linked to external objects from the authentication sources."

And from http://www.ibm.com/developerworks/data/library/cognos/security/cognos_bi_platform/page602.html
"All references in permissions, capabilities and secured functions should only be made to groups and roles from the Cognos namespace."

Hi bdbits,

Thanks a lot for this information :)

Regards