Envisn's IBM Cognos Blog

Mastering IBM Cognos Security - Part 3

Written by The Envisn Team | July 19, 2010
  by Gary Larsen - Envisn, Inc.

Understanding Cognos Access Permissions Settings on Cognos objects

(A series of blogs on understanding and managing security in the IBM Cognos environment - see Cognos Security, Part 1)

Cognos Access Permissions settings on Cognos objects are used to grant or deny access or actions for specific security objects, usually Groups or Roles. There are five access permissions, which are described briefly here.

Detailed information is available in the IBM Cognos documentation: IBM Cognos Administration and Security Guide 8.4.0

Cognos Access Permissions

Read:
  - View all properties including output
  - Create a shortcut to an object

Write:
  - Modify properties of or delete an object
  - Create objects in a container such as a package or folder
  - Modify an object’s specification in a studio: Report Studio, Query Studio, etc.
  - Create new outputs for a report

Execute:
  - Run objects such as reports, report views, events and metrics

Set Policy:
  - Read and modify the security settings for an object

Traverse:
  - View the contents of a container such as a package or folder

In addition to these access permissions there are other important rules which influence a user’s access to and available actions on an object.

Cognos Group / Role Membership

A user assumes the combined access permissions of all the groups and roles defined for an object of which the user is a member (explicitly or implicitly).

Granted and Denied Access in Cognos

Denied Access has precedence over Granted Access.

Traverse Access in Cognos

To access an object, a user must have Traverse access permission on all of the ancestors of the object.

Ownership of Objects in Cognos

The owner of an object has full access permissions to the object (but still requires traverse access).

Cognos System Administrators

Users who are members of the System Administrators role in the Cognos namespace have full access permissions to all objects.

Access Permission Inheritance in Cognos

Access permissions on a content store object are by default inherited from its parent. To assign different permissions on an object, check the ‘Override the access permissions acquired from the parent entry’ option on the permissions form.

If you want to clear any overridden permissions on the descendants of an object, check the ‘Delete the access permissions of all child entries’ option on the permissions form.

The inheritance of security settings in Cognos makes administration easier when dealing with a large number of objects. With a well-thought-out organization of the content store objects, only a single ancestor’s security will need to change.

However, when security is overridden at lower levels in the object hierarchy, it becomes difficult to determine where these overrides exist and what impact they have. This is another case where third-party software tools are useful.
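The rules above (combined group and role permissions, denied over granted, traverse on every ancestor, owner and System Administrators access, inheritance and overrides) can be checked against a small model of a content store. This is an added example, not Envisn or IBM code and not the Cognos SDK; the entries, groups and users are constructed, and it assumes the owner's traverse requirement applies to the object's ancestors.

```python
# Simplified model of the rules on this page (added example); not Cognos SDK code.
from dataclasses import dataclass
from typing import Optional

ALL = {"read", "write", "execute", "setPolicy", "traverse"}

@dataclass
class Entry:
    name: str
    parent: Optional["Entry"] = None
    owner: Optional[str] = None
    # {group_or_role: (granted, denied)}; None = inherit the parent's policy
    policy: Optional[dict] = None

    def ancestors(self):
        return [] if self.parent is None else self.parent.ancestors() + [self.parent]

    def effective_policy(self):
        if self.policy is None and self.parent is not None:
            return self.parent.effective_policy()  # inherited from the parent
        return self.policy or {}

def permissions(user, groups, entry):
    """Permissions on one entry, ignoring the ancestor traverse rule."""
    if "System Administrators" in groups or entry.owner == user:
        return set(ALL)
    granted, denied = set(), set()
    for member, (g, d) in entry.effective_policy().items():
        if member in groups:  # union across every matching group and role
            granted |= g
            denied |= d
    return granted - denied  # denied access takes precedence

def can(user, groups, entry, action):
    if any("traverse" not in permissions(user, groups, a) for a in entry.ancestors()):
        return False  # applies to owners too (assumed reading of the owner rule)
    return action in permissions(user, groups, entry)

def overrides(entries):
    """Paths of non-root entries that set their own policy instead of inheriting."""
    return ["/".join(a.name for a in e.ancestors() + [e])
            for e in entries if e.parent is not None and e.policy is not None]

# Constructed sample content store (names are illustrative).
root = Entry("Public Folders", policy={"Everyone": ({"read", "traverse"}, set())})
sales = Entry("Sales", root)
finance = Entry("Finance", root, policy={"Contractors": (set(), {"execute"}),
    "Finance Users": ({"read", "execute", "traverse"}, set())})
report = Entry("Q2 Report", finance, owner="dana")
```

Because the Finance folder overrides the inherited policy and does not list Everyone, a user who is only in Everyone loses traverse there, and `overrides()` is the kind of audit that surfaces such entries.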

The next part of this series will explore management of IBM Cognos Capabilities and the impact on license compliance.

 

