By Gary Larsen - Envisn, Inc.
The purpose of this article is to help the Administrator determine how many users have access to licensed capabilities in IBM Cognos and identify who they are.
A common practice in the sales cycle is to be presented with bundled license options. The bundle names can change but are used to simplify the calculation of your license requirements. For example, a BI Professional Author might have access to the Query Studio and Report Studio. A BI Professional Analyst might have access to those studios plus the PowerPlay8 Studio.
The first step in managing Cognos licenses is to translate the various bundle names into a count of the actual capabilities (if this has not already been done in the Cognos license agreement).
Using the simple examples above, 10 Pro Authors and 5 Pro Analysts would translate to the following capability counts:
Query Studio 15
Report Studio 15
PP8 Studio 5
Access to IBM Cognos capabilities is defined in the security tab of IBM Cognos Administration. Within the Capabilities section is a list of Secured Functions, some of which will relate to the license types (Analysis Studio, Cognos Viewer, etc.) and others which do not, such as the ability to Schedule objects.
Some Secured Functions have children of type Security Features for more fine grained control. The Report Studio function, for example, has a Bursting feature to control who can edit and run burst reports.
Access permissions are defined in the properties page of the function or feature. A user must have both Execute and Traverse permissions in order to perform the feature or function.
While it is possible to grant individual users (accounts) access to capabilities, groups and roles are generally used for this purpose as it makes the management easier. Using the earlier example, a Pro Authors role could be created and granted access to the Query and Report studios. Accounts added to the Pro Authors role would gain access to both studios.
This is a rather simple example as security in most IBM Cognos environments use a combination of both Cognos and external namespace groups and roles and can get complicated very quickly. This is described in detail in a series of blogs:
http://www.envisn.com/envisn-cognos-blog/bid/43351/Mastering-IBM-Cognos-Security-Part-1
So there must be an easy way to get a list of all the accounts which have access to Report Studio, right?
Well, this really depends upon the complexity of your security environment, but generally answer is no. Let’s look at a few scenarios to get an idea.
a) A single external group contains all the accounts which should have Report Studio access. In this case we could just view all the members of the group in IBM Cognos Administration.
b) A second external group also needs this access. We can view those members also, but there could be accounts which are members of both groups which should not be double counted.
c) A Cognos role is created and used to set access to the Report Studio capability. The two external groups are then added as members to the Cognos role. Now the accounts are two levels removed from the capability making them even more difficult to count.
With some effort it is possible to navigate through all the hierarchies of groups, roles and accounts and manually build a list of account capability access. This approach may be manageable in some environments but in a large and/or changing one this would be tedious and time consuming.
One solution to automate some of the data gathering for license counting is to use the IBM Cognos SDK.
One example is to return members of a Cognos or external group/role. This is done using the query method with the search path of the group/role and setting ‘members’ as one of the properties to be returned:
query(searchPath, properties, sortBy, options)
There are also some very useful functions which can be used in the ‘searchPath’ parameter of the query method. One of these is the expandMembers() function which will recursively expand group and role memberships returning a list of accounts.
But none of these are easy or automated and can get progressively more difficult with growth and changes over time.
NetVisn is a comprehensive administration solution for all IBM Cognos BI environments. One of NetVisn’s many features is to dynamically keep track of changes and accurately report (real time) on all aspects of Cognos security including capability permissions and thus, Cognos license counts.
Photo by Serge Melki