Sept. 28, 2012, By Elwood Philbrick, Envisn, Inc.
On any list of topics related to Cognos BI, security is almost always at or near the top. It consumes more administrator time and effort than anything else. Part of this stems from the lack of transparency on security within Cognos BI itself. So to make your life easier, here are some things you want to avoid in the administration of Cognos security:
- Don’t administer Cognos security without an effective security model. Ideally your Cognos security model is able to leverage the external security model in use within your organization. But beyond that, you need a model of how you map your organization’s members into your Groups and Roles. This is the single most important factor in creating an effective Cognos security model since it is used to define permissions to Cognos Content Store objects and features available to BI users.
- Don’t confuse groups and roles in the Cognos namespace. Groups and roles in the Cognos namespace behave almost identically. The difference is that groups can contain only accounts and other groups, while roles can contain accounts, groups and other roles. Placing multiple groups in a role can get complicated very quickly, but it may make sense if you use the role for broad access control and the groups for limited access. A simpler approach is to use roles to control access to capabilities and groups to manage access to content.
- Don’t over-apply security in Cognos BI. The goal is to secure sensitive data from unwarranted access while providing the necessary data to authorized Cognos BI users.
- Don’t combine the purposes of content security and feature permissions. Use one set of groups or roles to control access to content and another set to control access to features (Query Studio, Report Studio, etc.).
- Don’t give groups or roles names that have no obvious meaning. Clear, simple names that denote a group’s or role’s members or function help ensure that it is used consistently across the enterprise. Remember, the names used need to survive their creator’s presence.
- Don’t think it will get simpler over time. Many security models fail because what started out as a consistent approach to accounts, groups and roles became compromised and inconsistent over time. This happens because of changing organizational needs, untrained administrators and simple mistakes. Simply stated, the model has outlived its usefulness.
Many organizations find that their Cognos BI security has gotten so complex and unwieldy over time that the only option for them is to start over. While on the face of it this may sound attractive, the challenges of mapping existing content, members, etc. into a new model (let alone creating one) may prove daunting. Still, for some, not moving to a new security model and structure is not an option. But it’s not an easy task, especially without tools that can help you understand how your current security is implemented.
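The groups-versus-roles and content-versus-feature points in the list above can be checked mechanically before a planned model is built. The following is an added example, not code from the original article or from Cognos: it lints a model written down as plain data, and the data format, all names and all grants are constructed for illustration (no Cognos API is used).

```python
from collections import defaultdict

# Constructed planning data (hypothetical format): name -> (kind, direct members).
# Any member not defined here is treated as an account.
MODEL = {
    "Finance Analysts": ("group", ["alice", "bob"]),
    "Finance Content":  ("group", ["Finance Analysts", "Report Authors"]),
    "Report Authors":   ("role",  ["Finance Analysts", "carol"]),
    "Power Users":      ("role",  ["Report Authors", "Power Users Core"]),
    "Power Users Core": ("role",  ["Power Users"]),  # accidental nesting loop
}
# Constructed grants: (principal, permission kind, target)
GRANTS = [
    ("Finance Content", "content", "/Finance/Reports"),
    ("Report Authors", "capability", "Report Studio"),
    ("Report Authors", "content", "/Finance/Drafts"),
    ("Power Users", "capability", "Query Studio"),
]

def containment_violations(model):
    """Groups may hold accounts and groups only; roles may also hold roles."""
    return sorted((name, m) for name, (kind, members) in model.items()
                  if kind == "group"
                  for m in members if m in model and model[m][0] == "role")

def effective_accounts(model, name, _seen=None):
    """Accounts reachable through nested groups and roles (loop-safe)."""
    seen = _seen if _seen is not None else set()
    if name in seen:
        return set()
    seen.add(name)
    accounts = set()
    for m in model[name][1]:
        if m in model:
            accounts |= effective_accounts(model, m, seen)
        else:
            accounts.add(m)
    return accounts

def mixed_purpose(grants):
    """Principals used for both content and feature (capability) permissions."""
    kinds = defaultdict(set)
    for principal, kind, _target in grants:
        kinds[principal].add(kind)
    return sorted(p for p, k in kinds.items() if k == {"content", "capability"})

def who_reaches(model, grants, target):
    """Every account that ends up with a grant on the target via nesting."""
    return set().union(*(effective_accounts(model, p)
                         for p, _kind, t in grants if t == target))
```

On the constructed data, the lint flags a group that holds a role, a role doing double duty for content and features, and shows that nesting hands Query Studio to every account in the model.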