You are on page 1of 13

Multitenancy or Multiple tenant environments support multiple customers or

organizations (tenants) by using a single deployment of an application, while

ensuring that each tenant can access only the data that it is authorized to use.
Such applications are called multitenant applications.

The benefit of Multitenancy is to minimize the extra costs associated with managing multiple
profiles and applications in multiple environments.
SS C 8l



l8M C 8 l M l8M C 8l
l8M C 8l

Once we decide a multitenant application is a requirement we need to determine how we will identify a
Before you can modify your configuration for Multitenant applications, you need to identify how tenancy
information (grouping) is determined in your environment for the individual users.
Then, you associate the tenancy information to specific Multitenancy properties.
To enable Cognos Multitenancy capabilities, you set advanced authentication properties on all the
computers where the Content Manager is configured, and then restart the IBM Cognos service.
Step 1 - To identify tenancy information - how will we determine this?
1) By the Organizational structure built in LDAP
2) By an attribute / parameter of the user
3) A variable being passed from a custom security provider
In the example here and within the demo, we use the l attribute of the users
Step 2 - To enable Multitenancy
Open IBM Cognos Configuration
Setup TenantID properties
Multitenancy properties that you specify for a specific namespace override any Multitenancy properties
that you set globally.
To configure the tenancy information for one namespace: In Cognos Configuration, in the Explorer
window, under Security, click Authentication. Click the namespace that you want to configure.
LDAP Advanced Properties
Multitenancy.TenantPattern = ~/parameters/tenantID
LDAP Custom Properties
tenantID = l (in this example l is for location)
Restart Services
For more information refer to the IBM Cognos BI v10.2 Administration and Security Guide
New, central UI for managing tenants within IBM Cognos Administration for
Tenant content deployment
Delete a tenant
Tenant on-boarding
Tenant user profiles
Tenant session termination
Content utilization reporting
Multitenancy Administration Actions can be accessed via the toolbars or using the down arrow next
to the tenant as shown here.
Tenant on-boarding
Tenant objects must now be created before a tenant's users can access the Cognos BI system
Ability to delete tenants using IBM Cognos Administration
System Administrators can now easily remove a tenant and all associated BI objects from a Cognos
BI platform using IBM Cognos Administration.
Optional deployment of public content
Administrators of multitenant applications can easily select all objects belonging to a tenant and
export them to a Cognos BI deployment archive and can now optionally include or exclude public
or non-tenanted content in the same deployment archive in order to easily move an entire
application from one Cognos BI platform to another.
Per-tenant default user profiles
Account profiles are used to customize the user experience within Cognos BI. System
Administrators can now define default account profiles that can be unique to each tenant's

Tenant user lock-out (disable a tenant)

When maintaining multitenant environments, it is often desirable to prevent
tenant users from accessing and modifying BI content. System Administrators
can now disable access to a Cognos BI application for a tenant; once disabled
no user belonging to the disabled tenant ID can access the BI application.
Tenant user session termination
System administrators can now terminate all of a tenant's active user sessions
from a Cognos BI application without impacting application availability for other
users on the system.
Content store utilization reporting
Service providers for multitenant applications require the ability to understand
how individual tenants are utilizing Cognos BI. System Administrators can now
easily export Cognos BI content store usage data to be used to fully understand
the number of BI objects associated with a tenant along with the size of those
objects stored within the Cognos BI content store.
will create a csv file containing content store utilization data within
(for example C:\Program
After Multitenancy is enabled, you can record tenant activities using an audit
logging database. IBM Cognos Business Intelligence provides sample audit
reports that show how to use the tenancy information to monitor certain user
Nothing new here since IBM Cognos BI v10.2
For information about how to use IBM Cognos Configuration to set up a logging
database, see the IBM Cognos Business Intelligence Installation and
Configuration Guide.

n l8M C 8l 1 8
8l S
W u

n C 1 n

W 1 lu

Tenancy checks during object access are evaluated before permissions associated
with an object.
Therefore, users in a multitenant application see only the objects that are associated
with their tenant and objects that are categorized as public.
An object with no tenant id is 'public
Public objects are visible by all users regardless of the user's tenancy, if the object
security policies permit access.
Note: Once TenantID set, children of the parent object can not be Public
Note: A user may not belong to multiple tenants. Two logins will be required . But
System administrators can impersonate a tenant if they want to create content on
behalf of that tenant or for testing purposes, which they could do in 10.2 also.
1. Ensure that you are logged off from IBM Cognos Connection.
2. Click the Log on link in IBM Cognos Connection.
3. In the Log on page, append the following parameters to the page URL:
For example, type &CAMTenantID=tenant1
4. Press Enter and continue the logon process.

Note: SystemAdministrators when creating content have to obey 'containment

rules' that constrain what content can be created by who and where.
Containment rules for multitenancy
Multiple tenants can co-exist in a single IBM Cognos content store. The tenant
containment rules maintain security and ensure isolation between tenants.
These rules dictate how the content is created and where it can be located.
Every object in the content store has a tenant ID value that indicates which
tenant the object belongs to. This value is based on the tenant ID associated
with the session of the user who created the object. Alternatively, system
administrators can set the tenant ID value in the user interface, or using the
software development kit.
The tenant ID of an object must be the same as the tenant ID of its parent,
unless the parent tenant ID is public. If the parent tenant ID is public, the
tenant ID for the child can be changed to any value.
System administrators can run a content store consistency check to detect
instances of violation of the tenant containment rules.

C 8l S A
C 8l
C 8l


To find more information on Multitenancy please read
IBM Cognos BI v10.2.1 New Features Guide
IBM Cognos BI v10.2.1 Installation and Configuration Guide
IBM Cognos BI v10.2.1 Administration and Security Guide