Security in Cognos is composed of a just a handful of object types, but understanding these objects and how they work together is critical in implementing a manageable and secure Cognos environment.

Namespaces in an IBM Cognos Environment

There are at least two namespaces in every Cognos environment: the internal Cognos namespace plus external security namespace(s).

The Cognos namespace is integral with the Cognos BI application. The objects it contains of security interest are Groups and Roles which can optionally be organized into Namespace Folders. (Other objects in this namespace which are not directly used in security are data sources, printers, contacts and distribution lists.) External namespaces (also called Authentication Providers) are defined in the Cognos Configuration program and can be of a variety of types, including Active Directory and LDAP among others. Once configured, the complete external security hierarchy of objects is available to Cognos consisting of Groups and Accounts organized into Namespace Folders.

Groups and Roles in an IBM Cognos Environment

Though different object types, Groups and Roles behave identically. They are containers which hold references to Accounts along with other Groups and Roles. These references are called members of the group/role.

Only the Groups/Roles in the Cognos namespace can be modified to add or remove members. The external namespace Groups must be managed using the namespace’s editing tool, such as the Active Directory Users and Computers program. The organization of members into the Groups/Roles is the most important factor in setting up an effective security system since they are commonly used to define permissions to Cognos content store objects.

Accounts in an IBM Cognos Environment

Authentication to the Cognos applications is performed through the external namespace. A user must provide valid credentials for an account object in the namespace to gain entry to the application.

Once authenticated, the user’s visibilities to objects and actions that can be performed are completely controlled by the memberships of the account and the security applied to both the content store objects and capability objects (to be covered later in the series).

Mastering IBM Cognos Security

A user’s permissions in Cognos are determined by memberships of the Account object used for authentication. But the calculation of these memberships can become complicated.
Read More >

Understanding Cognos Access Permissions Settings on Cognos Objects

Cognos Access Permissions settings on Cognos objects are use to grant or deny access or actions for specific security objects, usually Groups or Roles. There are five access permissions which are described briefly here.
Read More >

Key Insight into Cognos Security

If you’re a Cognos administrator there’s lots of key information you just need to have access to, especially in the area of security. Here we’re going to focus on what some consider among the top needs. These are:

• Groups, Roles, Memberships and Members
• Security profile of a role, group or account
• Inherited security
• Object security
• User permissions - licensing

Read More >

5 Biggest Mistakes with IBM Cognos Security

The biggest issues in the area of Cognos security as seen by Cognos administrators, collected informally from a series of questions responded to over the past 14 months.
Read More >