by Elwood Philbrick - Envisn, Inc.
At one time or another many Cognos BI managers or administrators are faced with the task of upgrading their security model. This article will focus on a best case scenario for moving from LDAP to Active Directory (AD) for managing security in Cognos BI.
Why Active Directory?
Most large Cognos BI environments move to Active Directory sooner or later. There are a number of reasons for this, but simply stated it’s because: Active Directory is a stable, scalable, secure and proven identity management and control system whereas a custom developed LDAP solution is not. Custom LDAP solutions lack these attributes and are cumbersome to manage.
How this often plays out is that Cognos BI managers are given a timeline for moving to Active Directory and then left to figure out how best to do this. It’s generally not a pain free process.
The Challenge for Cognos BI
What you’re trying to do here is to take your Cognos content from an existing access structure and migrate it to a new one. While this is conceptually a simple task, there are some things that make actually doing this somewhat difficult. The major one is that the new environment causes a new CAMID to be created for every user. When this happens there is no linkage back to the users My Folders, distribution lists, etc. It’s as if every user is new user. Obviously, current users expect to have access to what they have today, particularly their personal content.
Create a Plan
You will first need to create a plan that covers mapping your existing LDAP structure to Active Directory and then re-linking users My Folders back to the new environment. The steps are:
- Create a map of your current LDAP structure - Here you need a map of your current groups and roles and all the users associated with them. This can be difficult to create but someone well versed in the Cognos SDK could automate the creation of this map. Alternatively, you could use a Cognos Security tool like NetVisn and its Security Report to give you a complete view of all groups, roles and user accounts. This report needs to look into groups to see the specific users and how they are placed in groups that reside within the LDAP itself.
- Preserve users My Folders from the current environment - You’ll be backing up this content in order to reconnect it to users in the new environment. Remember that each user will be given a new CAMID in the AD environment.
- Create the new structure of groups and roles for the AD environment - This is the perfect time to give some careful thought to how you can make the new environment better reflect your current and future needs. Once you have created the new structure, then use the map created in step 1 to assign users to the new groups and roles. Once you have done this then re-associate groups and roles with folders and public content.
- Re-map the My Folders into the new environment - In this step you are re-linking the personal My Folders from step 2 back to their owners. This is the ‘fun’ part and may take some time. IBM Cognos has a utility that provides some help in doing this but it is not automated and it is not a supported utility. But here again, NetVisn can greatly simplify this by using its Cognos promotions feature to do both step 2 and step 4 with significantly less effort. It also makes it easier to validate that this whole process has been done accurately.
- Validate & test new AD environment – The final step is to do some testing to insure that everything from the old environment has been accounted for and is where it should be in the new environment.
Migrating from LDAP to Active Directory offers a lot of advantages but needs to be done with careful planning and execution. This should be treated as a separate project and not made part of any upgrade. IBM Cognos recommends that you not change security models during a version upgrade within C8 or C10 or from one to the other.