Cognos 8 Security Admin 1

Status
Not open for further replies.

derdor

MIS
Jul 11, 2006
21
US
I am having trouble setting up Cognos Connection to disable the "studios" from users. Basically just want them to be able to run the reports the developers put out there. I have Cognos knowledge base that tells me to remove the group "Everyone" from Authors, Directory Administrators, Report Administrators, and Query Users... but that has no effect. I suspect it has something to do with us using TAM (Tivoli Access Mgr) as our LDAP. I've tried all sorts of combinations of adding groups/roles and allowing/denying rights to them, to no avail. Any thoughts?
 
One more thing to check - is everyone a member of the 'system administrators' role? If so, then everyone gets all capabilities, regardless of what you do with your other groups and roles.

Just a thought...

MF.
 
Thanks, but nope, that's not it. I found and was able to take the studios from the title bar using an option in the URL and/or editing the system.xml file. But I want to control it via user logins/permissions. I have tried all kinds of combinations of grant/deny and/or groups/roles... I can never get it to disappear or deny access.
 
Hello derdor,

I have been facing a very similar problem in ReportNet 1.1 MR2. I tried taking out the Everyone folder from Directory Admins, System Admins and all, but in vain. Can you please explain exactly the solution you proposed with the system.xml?

Thanks,
Venkat
 
The other thing to check, then, is in Tools/Capabilities. My guess is that everyone has traverse and execute privileges to each of the studios.

You should not have to resort to hacking the system.xml file to remove privileges to see studios - the capabilities to do this are in the user interface. Let us know how you get on.

Best regards,

MF.

 
I've checked the tools/capabilities and Everyone is not there for any of the studios. I've tried taking all roles off a studio and nothing. I think there is an option there to "Disable this entry" (or something like that) and that doesn't seem to do anything. As for editing the system.xml file, the Administration and Security guide (page 252) explains what and how to do it. I agree that this is not the way I want to do it and it only removes the studios from the title bar, not from opening up a studio from an application.
 
OK - let's just follow this through logically for one of the studios - Query Studio for example.

First, in Tools/Capabilities, go into the properties of the Query Studio capability, go to the Permissions tab and make a note of which users/groups/roles have traverse and execute privilege.

Second, in Tools/Directory, on the 'Users, Groups and Roles' tab, go into the Cognos namespace and for each group/role having capabilities to Query Studio (above), go into properties and onto the Members tab, and make a note of which users/groups/roles are members. Repeat this process for each new group and role you come across during this process.

By the time you finish this process, you should have a list of which users/groups/roles belong to which others, and which have access to run Query Studio.

Things to look out for are the Everyone group belonging to another, and/or the All Authenticated Users group belonging to another.

Lastly, check the memberships of the following roles:

System Administrators, Directory Administrators, Portal Administrators, Report Administrators, Server Administrators. Make sure that Everyone/All Authenticated Users do not belong to any of these.

This may take you a while to complete, but it's better to get your security sorted out now rather than risk people getting privileges they should not be entitled to later on.

Good luck!

MF.
 
OK - I am getting somewhere.

Query Studio capability permissions = Query Users

User Jim permissions = himself and Query Users role

I thought this would be sufficient for setup - Query Studio requires Query Users role and Jim has Query User role permissions. Once I set Jim as a "member" of Query Users role then it seems to work as expected.

I guess now my question is, what is the purpose of having to give Jim permission to a role, and then having to set the role to include Jim - seems extra steps?
 
If Jim is a member of a group or a role, he doesn't specifically need permission to it. The role he belongs to, however, does need read and execute permission to the Query Studio capability.

Best regards,

MF.
 
Derdor,

Did you also make sure that the users you're trying to control don't belong to the Authors role?

Changing the system.xml is not such a big deal either. You can then control who sees what on the connection server.
Sorry I'm a little vague right now but I'm currently working in Version 8.

JP
 
Sub-administrators should see only the users which they create in OID

----------------------------------------
Another throw closer to a win ... ???
----------------------------------------
 
Have Jim log in, go to My Preferences and you will see what groups/roles he is a member of and what capabilities he has. If he is a member of more than one group/role, then there could be a conflict. Try to give the group an explicit deny on the capability. Although I think an explicit grant takes precedence over an explicit deny in ReportNet... can't remember... I always forget which way it works.
 
It's the deny that takes precedence over the grant :)

Regards,

MF.
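Added example, not part of the original thread: a simplified Python model of the audit MF describes (walk nested group/role membership for every principal on a capability's Permissions tab), combined with the deny-over-grant rule from the last reply. The membership data, the `Report Team` and `Contractors` groups, and all function names are constructed for illustration; nothing here is read from a Cognos export or API.

```python
# Constructed sample data modelled on the thread, not taken from a real namespace.
MEMBERS = {  # group/role -> direct members (users, groups or roles)
    "Query Users": ["Jim", "Report Team"],
    "Report Team": ["Ann"],
    "Contractors": ["Ann"],
    "Authors": ["Everyone"],
    "System Administrators": ["Admin1"],
    "Directory Administrators": ["All Authenticated Users"],
}
CAPABILITY_ACL = {  # capability -> {principal: "grant" | "deny"}
    "Query Studio": {"Query Users": "grant", "Contractors": "deny"},
    "Report Studio": {"Authors": "grant"},
}
WIDE = {"Everyone", "All Authenticated Users"}
ADMIN_ROLES = ["System Administrators", "Directory Administrators",
               "Portal Administrators", "Report Administrators",
               "Server Administrators"]

def expand(principal, members, seen=None):
    """Return principal plus everything nested under it; safe on cyclic membership."""
    seen = set() if seen is None else seen
    if principal in seen:
        return seen
    seen.add(principal)
    for child in members.get(principal, []):
        expand(child, members, seen)
    return seen

def effective_access(capability, acl, members):
    """Principals that end up with the capability once deny overrides grant."""
    granted, denied = set(), set()
    for principal, effect in acl[capability].items():
        (granted if effect == "grant" else denied).update(expand(principal, members))
    return granted - denied

def wide_open_capabilities(acl, members):
    """Capabilities reachable through Everyone / All Authenticated Users."""
    return sorted(c for c in acl if effective_access(c, acl, members) & WIDE)

def wide_open_admin_roles(members):
    """Administrator roles that (transitively) contain a catch-all group."""
    return sorted(r for r in ADMIN_ROLES if expand(r, members) & WIDE)

if __name__ == "__main__":
    for cap in CAPABILITY_ACL:
        print(cap, "->", sorted(effective_access(cap, CAPABILITY_ACL, MEMBERS)))
    print("capabilities open to all:", wide_open_capabilities(CAPABILITY_ACL, MEMBERS))
    print("admin roles open to all:", wide_open_admin_roles(MEMBERS))
```

In the sample data Ann is granted Query Studio through `Report Team` but loses it through the deny on `Contractors`, while Report Studio stays open to everyone because `Everyone` is still a member of Authors.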
 