Namespaces, Groups, Roles and Accounts in an IBM Cognos Environment
(A series of blogs on understanding and managing security in the IBM Cognos environment)
Security in Cognos is composed of just a handful of object types, but understanding these objects and how they work together is critical to implementing a manageable and secure Cognos environment.
Namespaces in an IBM Cognos Environment
There are at least two namespaces in every Cognos environment: the internal Cognos namespace plus one or more external security namespaces.
The Cognos namespace is integral to the Cognos BI application. The objects of security interest that it contains are Groups and Roles, which can optionally be organized into Namespace Folders. (Other objects in this namespace, which are not directly used in security, are data sources, printers, contacts and distribution lists.)
External namespaces (also called Authentication Providers) are defined in the Cognos Configuration program and can be of a variety of types, including Active Directory and LDAP among others. Once a namespace is configured, its complete external security hierarchy of objects, consisting of Groups and Accounts organized into Namespace Folders, is available to Cognos.
Groups and Roles in an IBM Cognos Environment
Though different object types, Groups and Roles behave identically. They are containers which hold references to Accounts along with other Groups and Roles. These references are called members of the group/role.
Only the Groups/Roles in the Cognos namespace can be modified to add or remove members. The external namespace Groups must be managed using the namespace’s editing tool, such as the Active Directory Users and Computers program.
The organization of members into Groups/Roles is the most important factor in setting up an effective security system, since Groups and Roles are commonly used to define permissions on Cognos content store objects.
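The container model described above can be sketched as a small data structure. This is an added example, not Cognos code or its SDK: the `Directory` class, the `AD` namespace name and all object names are constructed, and it assumes membership is inherited through nested Groups and Roles.

```python
from collections import defaultdict

COGNOS = "Cognos"  # internal namespace; any other name is treated as external (assumption)

class Directory:
    """Constructed model: every object is a (namespace, kind, name) tuple."""

    def __init__(self):
        self.members = defaultdict(set)   # container -> direct member references

    def add_member(self, container, member, via_cognos=True):
        ns, kind, _ = container
        if kind not in ("group", "role"):
            raise ValueError("only Groups and Roles hold members")
        if via_cognos and ns != COGNOS:
            # External Groups are maintained with the provider's own editing tool.
            raise PermissionError(f"{ns} objects cannot be edited from Cognos")
        self.members[container].add(member)

    def memberships(self, account):
        """Return every Group/Role holding the account directly or through nesting."""
        parents = defaultdict(set)        # member -> containers that reference it
        for container, refs in self.members.items():
            for ref in refs:
                parents[ref].add(container)
        found, stack = set(), [account]
        while stack:
            for container in parents[stack.pop()]:
                if container not in found:   # visited check also stops circular nesting
                    found.add(container)
                    stack.append(container)
        return found

def build_sample():
    """Constructed sample: one AD account reached through three levels of nesting."""
    d = Directory()
    alice = ("AD", "account", "alice")
    ad_fin = ("AD", "group", "Finance")
    authors = (COGNOS, "role", "Finance Authors")
    reports = (COGNOS, "group", "Report Users")
    d.add_member(ad_fin, alice, via_cognos=False)  # as loaded from the external provider
    d.add_member(authors, ad_fin)                  # Cognos Role references an AD Group
    d.add_member(reports, authors)                 # Cognos Group nests a Cognos Role
    d.add_member(authors, reports)                 # constructed cycle; the walk still ends
    return d, alice, {ad_fin, authors, reports}
```

Granting a permission to any of the three containers in the sample reaches the `alice` account, which is why reviewing a permission means reviewing the full nesting chain rather than only direct members.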
Accounts in an IBM Cognos Environment
Authentication to the Cognos applications is performed through the external namespace. A user must provide valid credentials for an account object in the namespace to gain entry to the application.
Once the user is authenticated, which objects the user can see and which actions the user can perform are completely controlled by the memberships of the account and the security applied to both the content store objects and capability objects (to be covered later in the series).
The next part of this series will explore the calculation of an account’s memberships and the problem this causes for Cognos administrators.