Sunday, March 31, 2013

How to implement robust and flexible Cognos security

Because generic guidelines for Cognos security implementation are too general to follow, this post proposes a four-step approach to implementing the most popular security architecture.


These 4 steps are:

  1. Use enterprise active directory for user authentication via SSO
  2. Use Local active directory namespace for user authorization
  3. Use Cognos namespace to assign permissions to corresponding capabilities, such as report studio, metrics studio
  4. Use Cognos namespace to assign permissions to individual objects, such as folders, packages and reports


Use enterprise active directory for user authentication via SSO



Most Cognos implementations need single sign-on for business users. It can be configured in Cognos Configuration as below



If a user is set up in the local AD for Cognos, the user does not need to log in again in Cognos. However, if the user is not set up in the local AD for Cognos, the user will be asked for a user name and password (given that Anonymous is disabled).

When you want to test a user's permissions in terms of portal page access or row-level security, you can create a synonymous user that has the same security setup in the local AD:
  1. User from enterprise AD
  2. Synonymous user mirrored to the user from enterprise AD
  3. Then log in as the synonymous user to test the Cognos functions for the user from enterprise AD


Use Local active directory namespace for user authorization

AD is the most commonly used directory; all Cognos users and groups are defined there.

The whole idea is to define all groups in AD and then assign these groups to the Cognos namespace. It is best practice not to assign individual users to the Cognos namespace, so that security stays easy to maintain.

More importantly, we don't assign any users or groups from the local AD directly to Cognos capabilities and objects. The reasons are: a) there could be more than one AD namespace, b) it is easier to migrate security when changing AD, and c) it gives a clear picture of the security assignments.


Use Cognos namespace to assign permissions to corresponding capabilities, such as report studio, metrics studio

Assign roles from the Cognos namespace to the corresponding capabilities.


Use Cognos namespace to assign permissions to individual objects, such as folders, packages and reports
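
The layering from steps 2 to 4 can be checked mechanically. The following Python check is an added example, not code from the original post or from Cognos; the record layout, the namespace names `Cognos` and `LocalAD`, and all sample roles, groups and objects are constructed assumptions, not a Cognos export format.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Principal:
    namespace: str  # "Cognos" or an AD namespace such as "LocalAD" (assumed names)
    kind: str       # "user", "group" or "role"
    name: str

def audit(role_members, grants):
    """Return findings where the layering of steps 2-4 is broken."""
    findings = []
    # Step 2: Cognos roles should hold AD groups, never individual users.
    for role, members in role_members.items():
        for m in members:
            if m.kind == "user":
                findings.append(f"role '{role}' contains individual user {m.namespace}/{m.name}")
    # Steps 3 and 4: capabilities and objects are granted only to Cognos roles.
    for target, p in grants:
        if p.namespace != "Cognos":
            findings.append(f"'{target}' granted directly to {p.namespace} {p.kind} {p.name}")
        elif p.name not in role_members:
            findings.append(f"'{target}' granted to undefined Cognos role '{p.name}'")
    return findings

def effective_groups(role_members, grants, target):
    """AD groups that reach a target through Cognos roles (the intended path)."""
    groups = set()
    for t, p in grants:
        if t == target and p.namespace == "Cognos":
            for m in role_members.get(p.name, []):
                if m.kind == "group":
                    groups.add(f"{m.namespace}/{m.name}")
    return sorted(groups)

# Constructed sample data: Cognos role -> members, and (target, grantee) pairs.
ROLE_MEMBERS = {
    "Report Authors": [Principal("LocalAD", "group", "BI_Authors")],
    "Sales Consumers": [Principal("LocalAD", "group", "BI_Sales"),
                        Principal("LocalAD", "user", "jsmith")],  # breaks step 2
}
GRANTS = [
    ("capability:Report Studio", Principal("Cognos", "role", "Report Authors")),
    ("folder:/Sales", Principal("Cognos", "role", "Sales Consumers")),
    ("package:/Sales/Orders", Principal("LocalAD", "group", "BI_Sales")),  # breaks step 4
    ("report:/Sales/Margin", Principal("Cognos", "role", "Finance Consumers")),
]

if __name__ == "__main__":
    for finding in audit(ROLE_MEMBERS, GRANTS):
        print(finding)
```
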

