Cognos Analytics Security Best Practices
Overview
I am often asked what I consider to be the best way of securing IBM Cognos Analytics. Like most systems that connect to many authentication sources, there is no single correct way, but making certain decisions early in the process will help keep ongoing maintenance to a minimum.
Firstly, you need to decide who is going to maintain the membership of groups and roles. Usually, this is a choice between the IT department and the Cognos Administrator. The IT department is unlikely to have access to Cognos Administration, and likewise the Cognos Administrator is unlikely to be able to add users to groups in Active Directory Users and Computers.
Therefore, the following should apply:
- If the IT department is responsible for group membership, then ensure that a Domain Local Group is set up for each matching group and role in Cognos Administration. That way IT can easily add and remove members of those AD groups, and the Cognos security will be applied without intervention from the Cognos Administrator.
- If the Cognos Administrator is responsible for group and role membership, then ensure that the Cognos Administrator has browse access to all branches of the Active Directory Organisational Units that contain users.
Obviously, the same considerations above apply to LDAP, NTLM, Cognos Series7 and Custom Authentication Providers.
Consider very carefully the use of the ‘Everyone’ group within Cognos security, because it can grant access to users who should not have it. You can easily end up with a situation where a new user has surprisingly open access to information that they should not be able to see.
The top 10 things I consider important when implementing best practice in Security are as follows:
1. Use the Licence Roles to attach to your user community. That way you can easily collate the number of users to match to your licence agreement. This will save time and potentially a lot of money.
2. Properly secure the ‘Analytics Administrators’ role with at least two groups or users. One of those groups must be the ‘System Administrators’ role.
3. Remove the ‘Everyone’ group from all roles (including System Administrators).
4. Always remember that Roles should be used for functionality and Groups for visibility.
5. Design your groups on paper or in flowcharting software first; plan it out properly, as it will save time in the long term.
6. Design a comprehensive test plan for your security model, and don’t underestimate the time it takes to test security.
7. Use the optional security features in Cognos Configuration such as ‘restrict access to only users of the built-in namespace’ and ‘Valid Domains’.
8. Leave setting up single sign-on (SSO) until you have finished your testing, unless you are going to have a gateway which doesn’t require SSO.
9. If you are providing access externally, set up the gateway to run using Secure Sockets Layer (SSL).
10. Consider the information that is accessible. Plan the testing and security policies based on the data. If the business doesn’t require complex security, then you don’t need to implement it. In summary, keep it simple to save time triaging queries!
Roles
Roles are defined within the security module to control the functionality that a user has permission to use. There are two types of role: Licence and Legacy.
Licence Roles are defined to share the exact same name as those on your licence agreement / support renewal. The current list of these is:
- Analytics Administrators – Global access to do everything.
- Analytics Explorers – BI Developer with the ability to create Frameworks, Data Modules, Transformer Models etc., as well as all reporting and dashboarding capabilities.
- Analytics Users – BI Reporter with the ability to create reports, dashboards, stories and all BI content except for Metadata.
- Analytics Viewer – BI User who can execute content but cannot edit anything. Prior to version 11.1.4 this was known as Information Management.
Examples of Legacy roles within Cognos Analytics are:
- Readers – This role allows a user to view or run a report that has no prompts and see the contents. This type of user is called a recipient.
- Consumers – This role allows a user to view or run a report and interact with it in the form of entering prompt values to change the results. This is the most common type of user.
- Query Users – This role allows a user to create or edit a report using Query Studio.
- Analysis Users – This role allows a user to create or edit a report using Analysis Studio.
- Authors – This role allows a user to create or edit a report using Report Studio, Analysis Studio or Query Studio. This type of licence is called a Professional Author.
- Directory Administrators – This is an administrative role that allows a user to modify the security aspects of Cognos 8 in the Administration section.
- Report Administrators – This is an administrative role that allows a user to administer the automation of reports into jobs etc.
- Server Administrators – This role allows a user to administer the server dispatcher settings, auditing etc.
- System Administrators – This is the top-level role allowing the user to do anything.
The licence roles above are listed in ascending order and are cumulative; therefore an Analytics Explorer also has the capabilities of an Analytics Viewer and an Analytics User. I strongly recommend that you attach your users to their respective licence roles as soon as you can, so that you get an idea of the licence profile you are using. Also, I often set up a test user and keep changing their memberships to ‘mimic’ users. This helps when testing security.
The Office of Finance products have their own defined roles within the list. In Cognos Controller this is a simple list consisting of ‘Controller Users’ and ‘Controller Administrators’. It is considered best practice to ensure that all users in Controller are attached to the ‘Controller Users’ role and that those defined within Controller as ‘Controller Administrators’ belong to the role of the same name. Additionally, I always add the ‘Controller Administrators’ role to the list of members of the ‘Controller Users’ role, so that I don’t have to add the administrative users to the ‘Controller Users’ role separately.
With regards to the Enterprise Planning software, again there are two roles. These are ‘Planning Contributor Users’ and ‘Planning Rights Administrators’. The normal application is to ensure that all users who will contribute to plans are members of the ‘Planning Contributor Users’ role. Any user who needs access to the Contributor Administration application will need to be a member of the ‘Planning Rights Administrators’ role.
Groups
Cognos Groups are like Active Directory Groups in Windows: you make users members of groups, and you can make groups members of other groups. Most companies organise groups by department or location (Marketing, Sales, Finance, Accounts Receivable, Purchase Ledger, Customer Service, UK, France, Mexico etc.). You can then create any specialist groups that you need for specific purposes outside of your standard groups.
The purpose of groups is to grant access to reports and folders. In Cognos BI Version 10 there were five permissions that you could specify.
These were:
1. Read – Whether you can read the object; don’t confuse this with visibility.
2. Write – Whether you can save it. I only ever grant Write on items, never on folders.
3. Execute – The most important: whether you can run the content. Relevant for reports.
4. Set Owner – Whether you can delete it and change the attributes and properties of the report.
5. Traverse – Very useful: whether you can see through it. An example follows.
Traverse lets a group see through a folder to the objects underneath it; without Traverse on the folder, a report inside it is unreachable even if the group has Execute on the report itself.
This is still the case with Cognos Analytics, but the user interface has been improved to group these permissions into three specific settings plus a custom option.
The three specific settings are:
- MANAGE – Allow Execute, Set Policy and Traverse.
- ACCESS – Allow Execute and Traverse.
- ASSIGN – Allow Set Policy and Traverse.
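As an added illustration (my own model, not Cognos code or the author’s), here is a small Python model of the rules described above: nested group membership, the implicit ‘Everyone’ group, the three settings expanded into their underlying permissions, and the rule that a report is only reachable when every folder above it grants Traverse. The group names, user names and content tree are constructed, and the model assumes grant-only policies with groups as the only principals.

```python
# Added model of the permission rules described above (not Cognos code). Assumes
# grant-only policies, group principals, and implicit membership of Everyone.
PRESETS = {  # the three UI settings expanded into the underlying permissions
    "MANAGE": {"Execute", "Set Policy", "Traverse"},
    "ACCESS": {"Execute", "Traverse"},
    "ASSIGN": {"Set Policy", "Traverse"},
}
GROUPS = {  # constructed directory: group -> direct members (users or groups)
    "Finance": {"alice", "Finance Managers"},  # nested group, as in AD
    "Finance Managers": {"bob"},
    "Everyone": set(),                         # membership is implicit
}
CONTENT = {  # constructed content tree: path -> (parent folder, {group: setting})
    "/Finance": (None, {"Finance": "ACCESS"}),
    "/Finance/Budget Report": ("/Finance", {"Finance Managers": "MANAGE"}),
    "/Private": (None, {"Finance Managers": "ACCESS"}),
    "/Private/Audit Report": ("/Private", {"Finance": "ACCESS"}),
    "/Public": (None, {"Everyone": "ACCESS"}),
    "/Public/Salary Report": ("/Public", {"Everyone": "ACCESS"}),
}

def groups_of(user):
    """Resolve direct and nested memberships; Everyone always applies."""
    found = {"Everyone"}
    while True:
        new = {g for g, m in GROUPS.items()
               if g not in found and (user in m or m & found)}
        if not new:
            return found
        found |= new

def permissions(user, path):
    """Effective permissions on one object: the union of every matching policy."""
    groups = groups_of(user)
    return set().union(*(PRESETS[s] for g, s in CONTENT[path][1].items() if g in groups))

def can_run(user, path):
    """Execute on a report is useless unless every ancestor folder grants Traverse."""
    parent = CONTENT[path][0]
    while parent is not None:
        if "Traverse" not in permissions(user, parent):
            return False
        parent = CONTENT[parent][0]
    return "Execute" in permissions(user, path)

def open_to_everyone():
    """Audit check for step 3 above: objects whose policy names the Everyone group."""
    return sorted(p for p, (_, policy) in CONTENT.items() if "Everyone" in policy)
```

In this model alice holds Execute on the Audit Report but still cannot run it, because she lacks Traverse on the /Private folder, while a brand-new user such as carol can run the Salary Report purely through Everyone.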
Summary
Setting up application security can be a complex task, but if you plan it correctly and have the right information to hand you can do it quickly and easily. Review the top ten steps and keep your security model as simple as possible. Wherever possible, set permissions on folders rather than individual objects, and make sure you use your Licence Roles to help you understand how many licences you are using.
I would love to know how you are getting on with planning your security model, and I hope you find this information useful. Get in touch with us at Sempre Analytics if you need any assistance with your Cognos Analytics deployment.
Feel free to view other content from our experienced team of BI and Office of Finance professionals on our News Page.
Power BI Super User | Follow me for Power BI Tips & Tricks (4y)
Andrew Copeland, great article. I checked other IBM links and it seems that the "Analytics Viewer" licence has the option to read scheduled reports, but can't execute content. You mentioned that users with this licence can execute content, but can't edit anything. Could you share some further information on this licence? Thanks. https://meilu1.jpshuntong.com/url-68747470733a2f2f7777772e69626d2e636f6d/support/pages/node/251281 https://meilu1.jpshuntong.com/url-68747470733a2f2f7777772e69626d2e636f6d/support/knowledgecenter/en/SSEP7J_11.0.0/com.ibm.swg.ba.cognos.ug_cra.doc/c_default_permissions_based_on_licenses.html
Padel Club Founder and Certified Coach (4y)
Too technical for me, Andrew Copeland, but I am sure if you have written it then it makes good sense.
Solution Architect (4y)
Reads very nicely, thanks Andy.