Envisn's IBM Cognos Blog

Cognos Security – Why It’s So Hard to Get It Right

Written by Rick Ryan | April 30, 2012

By Rick Ryan - Envisn, Inc.
Of all the Cognos-related searches done on the web, the one that usually tops the list is security. That subject is also number one among the most viewed subjects in our blog archive. Our ebook on Cognos security gets a large number of downloads on a daily basis. And our customers tell us security is the most difficult part of Cognos to manage over time. Why is it so hard to get it right?


Well, for one thing, while the subject of Cognos security is conceptually simple, it can be complex in its implementation and administration. The goals are:

  • Secure sensitive data from unwarranted access while keeping it available to authorized users.
  • Control access to Cognos BI capabilities so that content is created and distributed by approved authors and Cognos license limits are respected.

Actually designing a Cognos security model around these goals while meeting the organization’s needs is a challenge. The best practices on how to do this are covered in our ebook on this subject. But even when these are followed rigorously, you will still end up with a security model that is sub-optimized in practice. Why? Because while your model is created with the best knowledge and input available, it gets implemented in an imperfect world. Reality will always differ, to varying degrees, from what the model assumes about BI security in a given environment. That said, you should work to get the best security model that fits your needs, because in this area where you start determines where you end up.

Design versus reality

The divergence between the original Cognos security model and reality will increase over time. Some of the things behind this are:

Flawed security model – It is not uncommon for a security model to be out of date and no longer work effectively for the organization’s needs. You will know this when you arrive at the point where you are dealing more with exceptions to the model than with new additions that fit right into it. It may have been a model that was flawed from conception or one that has evolved past its ability to manage changing needs.

No single point of control – Security is often managed by multiple people, particularly in large environments. This is not a problem when those managing security clearly understand the model and how it should be used. But in reality they may not be applying the same rules the same way. Someone creates a new group or role for one purpose and it ends up being applied in a different way by other administrators. In an attempt to correct this, they create more groups or roles, which only compounds the problem.

Disconnected security – An example here is when security is administered external to an operational group such as an autonomous division. Ideally, those managing security know enough about the organization and its needs to be able to plan for and accommodate the BI security model. But even here, routine administrator turnover could make this problematic over time.

Organizational change – Most organizations change and evolve to meet changing market needs. But when there are major structural changes, it may quickly become obvious that the current model just won’t work. You cannot fit the new organization into the current security model. More often, however, the organization changes in such a way that the model’s failure creeps up on you. Suddenly it seems that exceptions to the model are the rule and you have no alternative but to create a new model and migrate to it.

Summary

Cognos security has to work with models that were developed for one set of needs and are being forced over time to deal with another set. The hardest part is to keep the security model rationalized over time as you work to meet changing needs. If you can do this without having to create too many exceptions and compromise the model, then consider that success. In a future blog we will share some real-world examples from some Cognos administrators who have done this. If it were easy, everyone would do it, and they don’t.

 

 

Image by Yaacov Apelbaum

© 2012 - Envisn, Inc. - Cognos Security Management – All rights reserved.