September 30, 2013, by Paul Hausser, Envisn, Inc.
Cognos security is a key foundation of every successful Cognos BI environment. And while no environment likely ever fails because of security, unless it’s from a major breach, administrators frequently get to the point where the security model they have in place just isn’t working. This article is focused on some of the things Cognos administrators encounter that tell them they probably need to start over with security. Some of these are:
- The Cognos namespace is at odds with the external namespace, typically Active Directory or LDAP. The Cognos namespace may have been initially been based on the external namespace which is a good practice whenever it can be done. But over time they may have begun to diverge from each other making it difficult to leverage the external namespace structure in the Cognos namespace. Does this mean you cannot have a different structure between the two namespaces? Not at all. But it’s more efficient and easier to maintain the Cognos namespace over time if it’s able to leverage the external namespace. As they become more dissimilar over time it’s likely to be more difficult to manage Cognos security.
The Cognos security model needs to be able to manage both growth and change over time and if it cannot do this effectively you may need to create a new one.
- The distinction between groups and roles has become muddled. Organizing members into groups and roles within Cognos is probably the most important factor in setting up an effective security model in Cognos. It’s best to use roles to control access to capabilities and groups to manage access to content. If this convention is not consistently followed security may become difficult to manage.
- Failure to understand access permission inheritance. Access permissions on content store objects are by default inherited from its parent. These of course can be overridden on an object and its descendants but security administration is easier when inheritance is enabled with a large number of objects. When security is overridden at lower levels it can be very hard to determine where overrides exist without specialized tools.
- Capabilities are not administered correctly. These are used within Cognos to control access to features and functions such as the reporting studios and the administrative tools. While it’s best to create new roles to manage user capabilities that match the distribution of your Cognos licenses, this is not always done making it very difficult to manage BI license compliance successfully.
- Too many people administering security. The real issue here is what often happens when there are too many people administering security inconsistently. Unless there is a common set of rules to use for Cognos security that are consistently applied then security problems are inevitable. For this reason it’s best to limit security administration to the fewest number of people practical and to make sure they clearly understand the security model and how it should be applied.
None of these issues are exclusive and there may be some overlap of these issues in any given Cognos environment. If you are running up against one or more of these issues on a regular basis you may want to think how to move to a security model that can better accommodate change and growth.