Understanding Cognos Access Permissions Settings on Cognos objects
(A series of blogs on understanding and managing security in the IBM Cognos environment - see Cognos Security, Part 1)
Cognos Access Permissions settings on Cognos objects are use to grant or deny access or actions for specific security objects, usually Groups or Roles. There are five access permissions which are described briefly here.
Detail information is available in the IBM Cognos Documentation: IBM Cognos Administration and Security Guide 8.4.0
Cognos Access Permissions
|Read||View all properties including output
Create a shortcut to an object
|Write||Modify properties of or delete an object
Create objects in a container such as a package or folder
Modify an object’s specification in a studio: Report Studio, Query Studio, etc.
Create new outputs for a report
|Execute||Run objects such as reports, report views, events and metrics|
|Set Policy||Read and modify the security settings for an object|
|Traverse||View the contents of a container such as a package or folder|
In addition to these access permissions there are other important rules which influence a user’s access to and available actions on an object.
Cognos Group / Role Membership
A user assumes the combined access permissions of all the groups and roles defined for an object of which the user is a member (explicit or implicit)Granted and Denied Access in Cognos
Denied Access has precedence over Granted Access
Traverse Access in Cognos
To access an object a user must have Traverse access permission on all of the ancestors of the object.Ownership of Objects in Cognos
The owner of an object has full access permissions to the object (but still requires traverse access).Cognos System Administrators
Users which are members the System Administrators Role in the Cognos namespace have full access permissions to all objects.Access Permission Inheritance in Cognos
Access permissions on a content store object are by default inherited by its parent. To assign different permissions on an object then check the ‘Override the access permissions acquired from the parent entry’ option on the permissions form.
If you want clear any overridden permissions on the descendants of an object then check the ‘Delete the access permissions of all child entries’ option on the permissions form.
The inheritance of security settings in Cognos makes administration easier when dealing with a large number of objects. With well thought out organization of the content store objects only a single ancestor’s security will need to change.
However, when security is overridden at lower levels in the object hierarchy it becomes difficult to determine where these overrides exist and what impact they have. This is another case where third party software tools are useful.
The next part of this series will explore management of IBM Cognos Capabilities and the impact on license compliance.