[Diagram: Cognos security workflow, from the data sources to the report consumer]
Step 1: Create a Cognos Account on Each Data Source
Step 2: Create a connection definition in Cognos
Step 3: Import Metadata (Framework Manager Developer)
Step 4: Publish Package
Step 5: Create Report from Package (Report Author)
Step 6: Publish the Report
Step 7: Consumer Runs Report (Report Consumer)
Create a Cognos Logon
The Cognos logon can be given as much or as little access as needed.
The access given to this logon completely controls what can be provided through Cognos. The access can be sub-divided based upon user and role, but cannot be expanded.
It is possible to work with existing logons.
It is possible to work with multiple logons, each granted access to part of the data. Each logon would go through the following steps. This can create access duplication and problem-solving difficulties.
Create a Connection with Cognos ReportNet
Creating a connection is done by a Cognos administrator (Brian and Clif for now).
The connection uses the logon/password defined for Cognos.
The Cognos administrators are the only people who know the logon/password. No users interact directly with this logon.
The administrator will then grant permission for this connection to an approved person or group to do the metadata for the data.
Note: The connection could be defined to require the user to enter a login/password. However, each subsequent step may then get a different result based on the logon supplied.
Import Metadata into Framework Manager
Done by a Cognos data modeler (25 licenses available).
Uses the named connection created within Cognos.
The developer does not need the logon/password or connect string in order to use the connection.
Cognos lists all of the tables/views/synonyms available to the logon/password, and the developer chooses which definitions to bring in.
Cognos has the ability to import table relationships, if they are defined in the database.
Packages are defined by grouping tables together. In DSS this corresponds to star-join models.
Publish Datamodel Packages
Done by a Cognos data modeler (25 licenses available).
Packages are saved to the Cognos server and access is granted to approved report author / consumer roles.
Create Reports from Datamodels
A Report Author is defined as someone who has been given a license to run Report Studio and Query Studio (200 licenses).
A Report Author creates a report based on the datamodel packages published from Framework Manager.
A Report Author is shown only packages they are granted access to.
The Author needs to be aware of column-based and row-based security that is embedded in the datamodel.
The Author first tests the report, and then saves the report in a defined folder so that the QA process can be conducted.
Cognos Account Security
When the Cognos account is created, the tables and files it has access to should include all of the tables needed by your data consumers.
As an example, on the data warehouse (DSS), the Cognos account has complete access to Student, Financial and Employee data.
Users are granted access to a subset of the data available to the account, and Cognos does not show other data.
For instance, a user with the role DSS_Financial_Complete sees only packages and reports granted to that group.
Connection Definition Security
A connection to the data source is created using the Cognos account.
Based on a data modeler’s access permissions, they will be shown only the data sources they have been granted access to.
If a data modeler has not been granted access to a particular data source, the data source will not be shown and cannot be chosen by the user.
The connection information (username and password) is encrypted using MD5 and stored on the Cognos application server, which is protected by an F5 firewall router.
Connections to the Cognos server are restricted to a select number of fixed IP addresses.
Framework Manager Table Security
Tables can have column or row-based restrictions defined.
For instance, the Employee table has Object Security defined for fields restricted from “general” access; these fields are allowed only for “complete” roles. The table is allowed for both “complete” and “general” users, but “general” users see only part of the fields and get an error if they try to run a report which includes restricted fields.
The Account Balance table has a Security Filter applied. “Complete” and “general” users see all the columns, but “general” users see fewer rows, based on the rows allowed by the security filter.
Package Security
A package is an individual or set of data models that a report author can use to create reports.
When a data modeler publishes a package, access to that data is granted to author and report viewer roles.
Column and row security can be specified within the tables based on a user’s role.
Report Authoring Security
A report author sees only data they have been granted access to via the roles they have been assigned.
A report author must also be granted a role to use an authoring tool (QueryStudio or ReportStudio).
Report Security
When a report is published, a hyperlink is created on the Cognos portal, in the defined folder structure, with default roles assigned to the folder.
If a user is granted permission to run a report, this hyperlink is visible.
If a user is not granted permission to run a report, the hyperlink is not visible. Even if the user is sent the hyperlink, the user will get an error when they attempt to run the report.
Administration of this access can be done centrally, or it can be distributed to the security administrators for a particular area. For example, Cheri Rawles has been given access to publish reports for Financial and Employee DSS data, and to give data access to those users who have been authorized by the data stewards.
Report Viewing Security
Reports are run using a standard web browser.
The system will only accept requests using the Secure Sockets Layer (SSL) protocol, which encrypts all of the data during transmission.
The report viewer user can only run reports they have been granted access to, as Cognos shows only these reports in the web portal.
The report viewer user will get an error if they try to run a report they were granted access to, if the report contains data they are not granted access to.
The report viewer cannot see or determine a report’s data source, the data connection used, or the logon / password used to access the data, except as that information is documented in metadata descriptions of the report.
Security Model for Cognos ReportNet
[Diagram: nested security layers. Database objects and star schemas in the databases are reached through DB connections (Note A). Framework Manager produces the data model, and the Framework Manager package is published to ReportNet inside a Framework Manager security layer (Note B). Reports created in ReportNet sit inside ReportNet security layers on the Cognos portal, and presentation of a report to the user is controlled by multiple ReportNet roles (Note C).]
Notes: Each “security layer” ring represents use of ReportNet roles (or groups) to protect the inner contents. Where there are multiple rings, all rings must be satisfied to allow access.
Note: A - Each data connection is protected by a role assigned only to (a) data modeler(s), people who are systems-developer level, and who are completely familiar with the data and how it fits together.
Note: B - When publishing models from Framework Manager, the security layer must include all roles / groups that will need to access the data in this package, or broader roles. ReportNet cannot overrule the security restrictions set in Framework Manager. Publisher must have IP address registered in the F5 firewall / router which guards the Cognos servers.
Note: C - ReportNet roles also control what tools a user is permitted to use; QueryStudio to create simple queries/reports; ReportStudio to create sophisticated queries/reports; or neither to only run reports others have created.
Example of Cognos Security Levels

Data Warehouse (or any source)
DW granted to following roles: DSS_Employee_Complete, DSS_Employee_General, DSS_Financial_Complete, DSS_Financial_General, DSS_Student_Complete, DSS_Student_General, DSS_Systems_Developer

Framework Manager; packages table(s) to be report source
Framework Manager tool limited to 25 licenses; systems developer types who are completely familiar with the data tables / files, and how they need to be separated or grouped for reporting purposes.
Joins between tables are done here, either imported from database definitions or manually.
Limits on columns / rows for roles within a table are defined here.
In order to publish packages, Framework Manager user must have a static IP registered with the F5 firewall / router that protects the Cognos servers.

Employee Data Package (data model)
Employee package(s) granted to following roles: DSS_Employee_Complete, DSS_Employee_General, DSS_Systems_Developer
Package can have built-in limits on columns / rows that certain roles can access (ie, general).

Financial Data Package (data model)
Financial package(s) granted to following roles: DSS_Financial_Complete, DSS_Financial_General, DSS_Systems_Developer
Ditto on limits. Ditto on reports.

Student Data Package (data model)
Student package(s) granted to following roles: DSS_Student_Complete, DSS_Student_General, DSS_Systems_Developer
Ditto on limits. Ditto on reports.

There is no limit to how packages can be broken down by role access.

Report Author creates report
Report author must be granted role to access data, plus be granted role to use authoring tool.

Predefined Reports (Employee Data Package)
Predefined Report: This report granted only to: DSS_Employee_Complete, DSS_Systems_Developer
Predefined Report: This report granted to: DSS_Employee_Complete, DSS_Employee_General, DSS_Systems_Developer. No restricted data used, so report shows same results to both ‘complete’ and ‘general’ user.
Predefined Report: This report granted to: DSS_Employee_Complete, DSS_Employee_General, DSS_Systems_Developer. Restricted data (rows) present, so ‘complete’ user sees more results than ‘general’ user.
A folder structure (with default security applied) can simplify assigning security.
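The layered checks described above (report grant, package grant, Object Security on columns, Security Filter on rows) can be modelled in a few lines. This is an added illustration, not Cognos code or configuration from the original slides; the role names come from the page, while the column names, sample rows, report names and function names are constructed assumptions.

```python
# Added illustration of the layered checks; not Cognos code.
# Column names, sample rows, report names and functions are constructed.
COMPLETE = {"DSS_Employee_Complete", "DSS_Systems_Developer"}
GENERAL = COMPLETE | {"DSS_Employee_General"}

PACKAGE_ROLES = {"Employee": GENERAL}      # package security ring
RESTRICTED_COLUMNS = {"salary": COMPLETE}  # Object Security (column level)
ROW_FILTER_EXEMPT = COMPLETE               # Security Filter skips these roles

ROWS = [  # constructed sample data
    {"name": "A. Smith", "dept": "Library", "salary": 50000, "restricted": False},
    {"name": "B. Jones", "dept": "Audit", "salary": 60000, "restricted": True},
]

REPORTS = {  # report ring: roles granted on each published report
    "complete_only": {"roles": COMPLETE, "columns": ["name", "salary"]},
    "directory": {"roles": GENERAL, "columns": ["name", "dept"]},
    "mis_granted": {"roles": GENERAL, "columns": ["name", "salary"]},
}


class AccessDenied(Exception):
    """Raised when any security ring rejects the request."""


def visible_reports(user_roles):
    """Portal view: only reports whose role grant matches are listed."""
    return sorted(n for n, r in REPORTS.items() if set(user_roles) & r["roles"])


def run_report(name, user_roles, package="Employee"):
    """Run a report; every ring must be satisfied or AccessDenied is raised."""
    roles, report = set(user_roles), REPORTS[name]
    if not roles & report["roles"]:        # holds even with a direct hyperlink
        raise AccessDenied(f"report {name} not granted")
    if not roles & PACKAGE_ROLES[package]:
        raise AccessDenied(f"package {package} not granted")
    for col in report["columns"]:
        allowed = RESTRICTED_COLUMNS.get(col)
        if allowed is not None and not roles & allowed:
            raise AccessDenied(f"restricted column {col}")
    rows = ROWS if roles & ROW_FILTER_EXEMPT else [
        r for r in ROWS if not r["restricted"]]
    return [{c: r[c] for c in report["columns"]} for r in rows]
```

The `mis_granted` report covers the case where a "general" user is granted a report that includes a restricted field: the report is listed in the portal but running it fails at the column check.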