Unlike other content store objects, the only Access Permissions which affect the Capabilities are Traverse and Execute. Other than that, these permissions follow the same rules described in Part 3 of this series, including Group / Role Membership, Traverse Access, and Granted and Denied Access.
IBM Cognos BI licenses are usually based upon (in part) access to various Features, such as Query Studio, Report Studio, Analysis Studio, PowerPlay Studio, Cognos Viewer and Administration.
To monitor compliance it is necessary to determine how many Accounts have permissions to each of these features.
This is where the complexity of the security hierarchy (described in Part 2 of this series) can make this task difficult. You will usually be using Groups to control access to Features so this is where good organization or a third party program able to analyze the security hierarchy would be useful.
Starting with IBM Cognos BI 8.3, it is possible to define Capability permissions on individual Packages and Folders. Giving an Account, Group or Role permission at this level also requires permission in Global Capabilities.
In the case of Folders, Capability permissions are applied to all descendants.
When applied to Package objects however, the Capability permissions will be applied to all reporting objects created from that package regardless of where they reside in the content store. This is a useful feature that, for example, could deny access to Studios for all reports created from that package (for a specific Group), rather than denying Write access to all the individual reports.
Well, you can see from the blogs in this series so far that Cognos Security can get very complicated and confusing. Next, Mastering Cognos Security Part 5 will suggest some Cognos Best Practices that will help you maintain a manageable and secure Cognos environment.