LDAP Authentication in Cognos 8

Using Cognos Series 7 Authentication with Cognos 8 BI: Common pitfalls to look out for.

Owais Bashir Ahmed Dated: 22nd June 2007

Abstract: This short article discusses some precautions we need to take when designing and deploying Cognos Security using LDAP/Cognos Series 7 Authentication.

Using an established LDAP Server in conjunction with Cognos Series 7 Authentication has been made easy with Cognos 8 BI. The configuration is made even easier with a few simple steps in Cognos Configuration. However, there are some early design decisions that need to be taken into account well before you begin development and integration of security into your reporting solution. These standards, if not followed, could lead to rework and repeated code deployments from one environment to the other, e.g. while moving your tested solution from a testing environment to a production one. The functionality might well be all fine but security might completely fail!

Security in a Cognos environment is a very important design decision. Early planning and awareness of deployment and integration related issues, with correct selective removal of such design flaws, can help reduce the total time of deployment. This article presents some common traps that security designers can fall into when using LDAP/Cognos Series 7 in combination with Cognos 8 BI. It aims at providing an elimination checklist to avoid such design flaws.

Set up Cognos Series 7 Authentication in a standalone environment

To set up Cognos Series 7 Authentication all we need is: a preexisting Namespace in an established LDAP server.

1. Open up Cognos Configuration.
2. At the beginning the Configuration has only Cognos Authentication mode.
3. In the Cognos Connection → Directory Administration tool you may have to add the "Everyone" group to System Administrator and/or Directory Administrator until you have shifted Authentication to Cognos Series 7 (as explained below), and then remove "Everyone" from the list and include instead only designated users/user classes in System and Directory Administrators.
4. To add the Series 7 Authentication, right click Authentication and add a new resource.
5. Select Cognos Series 7 and name the Authentication source "Cognos Series 7".
6. Enter the information for the Namespace ID, Host, port and other information.
7. Under the Security → Cognos → Authentication node set "Allow Anonymous Access" to False.
8. Save the configuration and restart the service.

The configuration is done and you are ready. You are now ready to:

a. Have authentication done by the LDAP Server (Host:Port specified).
b. Authorization is still done by the Cognos Namespace, so after your LDAP authentication is working you would need to add users and user classes from Cognos Connection → Directory Administration to the relevant Cognos Groups.

But this is not all!!

A) You need to have the same internal ids across environments for Security to work:

Suppose you have one LDAP server (LDAP1) for the development environment where your modelers create the Framework Manager model. The IT folks having set up LDAP1, the system admin of the development server creates user classes and users directly in the development LDAP using the Cognos Series 7 Access Manager Administration tool. The modelers set up the data and object security inside Framework Manager and publish the package for the report developers to create the reports. The report authors create the reports and unit test them. The report developers create reports and then log in as various users created by the system admin to test the security. The security works fine and all seems to be ok.

But then, as the time comes to deploy the package and reports from this development environment to the test environment (which is expected to have the same hierarchy of user classes and users), the security fails. If this other environment doesn't have the same LDAP as the one for development, security filtering will not work. Runtime security filtering will fail in the test environment, even though the user classes and hierarchy are the same for the LDAP server of the development environment (LDAP1) and the LDAP server of the test environment (LDAP2).

The reason for this is CAMIDs. When a user class or user is created manually in Access Manager, Cognos assigns an internal Id, which Cognos uses to recognize objects and which is particularly important for security. So users and groups created individually and independently in LDAP1 and LDAP2 will not share common ids.

To prevent this from happening, the user classes and users in the LDAP server of the development server must not be created independently from the LDAP server of the test server, but by exporting the LAE file from the test server and importing the LAE file into the development environment using Access Manager. This ensures that the CAMIDs are the same. Only once this step is done can the System Administrator release the system for the modelers to define security on objects and data.

The approach is therefore: Export LAE File from Test Server LDAP2 → Import LAE File into LDAP1 → Create Security filters in Framework Manager → Publish Package → Create Reports → Export Content to Test Server

Extending the same concept to the Production Scenario: Export LAE File from Production Server LDAP3 → Import LAE file into LDAP2 and LDAP1 → Create Security filters in Framework Manager ….

B) For security filtering you need to have one group (user class) for each combination of dimensional elements required for filtering:

Suppose you have two hierarchies: a product and a demography. The product hierarchy has a level Product Group and Demography has a level Cluster (consisting of a group of countries). Examples of elements of Product Group are: Hypnotics, Sedatives, Antibiotics, etc. Examples of elements of Cluster are: Middle East, Japan, Australasia, etc. The business requirements need security filtering based on the combination of Product Group and Cluster only. The design decision that a modeler/System administrator might face is whether to use:

Approach A
1. To create one User Class per Product Group. So user classes created might be clsHypnotics, clsSedatives, clsAntibiotics, etc.
2. To create one User Class per Cluster. So user classes created might be clsMiddleEast, clsJapan, clsAustralasia, etc.
3. Add individual users to the required Product Group and Cluster Group.
4. So if John is required to be seeing data of only Middle East Sales of Antibiotics, he would be added to clsAntibiotics and clsMiddleEast.
5. Thus the no. of User Classes that would be required => M+N where M = no. of distinct elements of Product Group, N = no. of distinct elements of Cluster.

Approach B
1. To create one User Class per valid Product Group - Cluster combination. In other words create a combination group. Some examples of user classes would be clsHypnotics_Japan, clsAntibiotics_MiddleEast, etc.
2. Add individual users to the required Combination group.
3. So if John is required to be seeing data of only Middle East Sales of Antibiotics, he would be added to clsAntibiotics_MiddleEast.
4. Thus the maximum no. of User Classes that would be required => M*N where M = no. of distinct elements of Product Group, N = no. of distinct elements of Cluster.

At first glance it is obvious that Approach A is better in terms of ease of maintenance. However, by design Cognos applies an "OR" filtering and not "AND" filtering. So if we follow approach A, and John wishes to execute a sales report, the data that he would see is Product Group = Antibiotics OR Cluster = MiddleEast. This is not what was intended. John was expected to see the MiddleEast and Antibiotics data only. Or in other words, the filter that should have been applied is Product Group = Antibiotics AND Cluster = MiddleEast. This behavior is achievable only if designers apply approach B.

C) Namespace IDs should be same across environment:

This is an extension of item A) above. Just like the internal ids, the Namespace ID should be the same in the target Configuration environment and the one where security is implemented. There are cases when the LAE export from the final target environment and the import to the development environment are done correctly before the security implementation in the model is begun, but the namespace Ids are not the same across the environments. In the below example, if the Namespace ID is not Cognos S7 in the target configuration then security will not work after deployment.
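A pre-deployment check for the pitfalls in items A) and C), as an added example that is not part of the original article and not Cognos code. It uses a simplified model in which a published package refers to each secured user class by (namespace ID, internal id); the inventories, the id values and the function names are constructed for illustration.

```python
# Constructed inventories: namespace ID plus user class name -> internal id.
# The ids are made-up placeholders, not real Cognos values.
DEV = {"namespace_id": "Cognos S7",
       "classes": {"clsAntibiotics_MiddleEast": "id-1001",
                   "clsHypnotics_Japan": "id-1002"}}
# Target whose classes were created by hand: same names, different ids.
TEST_MANUAL = {"namespace_id": "Cognos S7",
               "classes": {"clsAntibiotics_MiddleEast": "id-7001",
                           "clsHypnotics_Japan": "id-7002"}}
# Target with shared ids but a different namespace ID.
TEST_WRONG_NS = {"namespace_id": "S7", "classes": dict(DEV["classes"])}
# Target with shared ids and the same namespace ID.
TEST_OK = {"namespace_id": "Cognos S7", "classes": dict(DEV["classes"])}


def package_refs(source, secured_classes):
    """Model of the references a published package carries:
    class name -> (namespace ID, internal id) as seen in the source."""
    return {name: (source["namespace_id"], source["classes"][name])
            for name in secured_classes}


def unresolved(refs, target):
    """Return {class name: reason} for references that bind to nothing in target."""
    target_ids = set(target["classes"].values())
    problems = {}
    for name, (namespace_id, internal_id) in refs.items():
        if namespace_id != target["namespace_id"]:
            problems[name] = "namespace ID mismatch"
        elif internal_id not in target_ids:
            problems[name] = ("same name, different internal id"
                              if name in target["classes"] else "class missing")
    return problems


REFS = package_refs(DEV, ["clsAntibiotics_MiddleEast", "clsHypnotics_Japan"])

if __name__ == "__main__":
    for label, target in (("manual", TEST_MANUAL),
                          ("wrong namespace", TEST_WRONG_NS),
                          ("imported", TEST_OK)):
        print(label, unresolved(REFS, target) or "all references resolve")
```

An empty result for the target environment is the condition to reach before content is exported to it.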
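The OR behaviour described in item B), as an added example that is not part of the original article and not Cognos code. The sales rows, the filter representation and the function names are constructed for illustration; the user class names follow the article. It shows which rows John can see under Approach A and Approach B, and which of them fall outside what he was meant to see.

```python
# Constructed sample rows; values are illustrative only.
SALES = [
    {"product_group": "Antibiotics", "cluster": "MiddleEast", "amount": 100},
    {"product_group": "Antibiotics", "cluster": "Japan", "amount": 200},
    {"product_group": "Hypnotics", "cluster": "MiddleEast", "amount": 300},
    {"product_group": "Hypnotics", "cluster": "Japan", "amount": 400},
    {"product_group": "Sedatives", "cluster": "Australasia", "amount": 500},
]

# Row-level filter attached to each user class (hypothetical representation).
CLASS_FILTERS = {
    # Approach A: one class per Product Group, one per Cluster.
    "clsAntibiotics": {"product_group": "Antibiotics"},
    "clsMiddleEast": {"cluster": "MiddleEast"},
    # Approach B: one class per valid combination.
    "clsAntibiotics_MiddleEast": {"product_group": "Antibiotics",
                                  "cluster": "MiddleEast"},
}


def matches(row, flt):
    """A single class filter: every column it names must match the row."""
    return all(row[col] == val for col, val in flt.items())


def visible_rows(memberships):
    """Filters of all classes a user belongs to are OR-ed, as the article describes."""
    filters = [CLASS_FILTERS[c] for c in memberships]
    return [r for r in SALES if any(matches(r, f) for f in filters)]


def overexposed(memberships, intended):
    """Rows the user can see that lie outside the intended scope."""
    return [r for r in visible_rows(memberships) if not matches(r, intended)]


JOHN_INTENDED = {"product_group": "Antibiotics", "cluster": "MiddleEast"}
APPROACH_A = ["clsAntibiotics", "clsMiddleEast"]
APPROACH_B = ["clsAntibiotics_MiddleEast"]

if __name__ == "__main__":
    for label, groups in (("A", APPROACH_A), ("B", APPROACH_B)):
        leaked = overexposed(groups, JOHN_INTENDED)
        print(label, "visible:", len(visible_rows(groups)), "leaked:", leaked)
```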
