Access Manager - Administrator Help

ACCESS MANAGER ADMINISTRATOR GUIDE

IBM(R) COGNOS(R)
Access Manager

ACCESS MANAGER ADMINISTRATOR GUIDE

Product Information
This document applies to Access Manager 7.4 and may also apply to subsequent releases. To check for newer versions of this document, visit the Cognos Software Services Web site (http://support.cognos.com).

Copyright
Copyright © 2008 Cognos ULC (formerly Cognos Incorporated). Cognos ULC is an IBM Company. Portions of Cognos ULC software products are protected by one or more of the following U.S. Patents: 6,609,123 B1; 6,611,838 B1; 6,662,188 B1; 6,728,697 B2; 6,741,982 B2; 6,763,520 B1; 6,768,995 B2; 6,782,378 B2; 6,847,973 B2; 6,907,428 B2; 6,853,375 B2; 6,986,135 B2; 6,995,768 B2; 7,062,479 B2; 7,072,822 B2; 7,111,007 B2; 7,130,822 B1; 7,155,398 B2; 7,171,425 B2; 7,185,016 B1; 7,213,199 B2; 7,243,106 B2; 7,257,612 B2; 7,275,211 B2; 7,281,047 B2; 7,293,008 B2; 7,296,040 B2, 7,318,058 B2; 7,325,003 B2; 7,333,995 B2. Cognos and the Cognos logo are trademarks of Cognos ULC (formerly Cognos Incorporated) in the United States and/or other countries. IBM and the IBM logo are trademarks of International Business Machines Corporation in the United States, or other countries or both. Other company, product, or service names may be trademarks or service marks of others. While every attempt has been made to ensure that the information in this document is accurate and complete, some typographical errors or technical inaccuracies may exist. Cognos does not accept responsibility for any kind of loss resulting from the use of information contained in this document. This document shows the publication date. The information contained in this document is subject to change without notice. Any improvements or changes to the information contained in this document will be documented in subsequent editions. U.S. Government Restricted Rights. The software and accompanying materials are provided with Restricted Rights. Use, duplication, or disclosure by the Government is subject to the restrictions in subparagraph (C)(1)(ii) of the Rights in Technical Data and Computer clause at DFARS 252.227-7013, or subparagraphs (C) (1) and (2) of the Commercial Computer Software - Restricted Rights at 48CFR52.227 as applicable. The Contractor is Cognos Corporation, 15 Wayside Road, Burlington, MA 01803. This document contains proprietary information of Cognos. All rights are reserved. No part of this document may be copied, photocopied, reproduced, stored in a retrieval system, transmitted in any form or by any means, or translated into another language without the prior written consent of Cognos.

Table of Contents
Chapter 1: Security and Access Manager 7 Access Manager Components 8 Available Security Options 9 Apply Security in Other IBM Cognos Applications 10 How IBM Cognos Applications Use Authentication Data 11 Configuration Options for Access Manager Authentication Components 12 Configure an Authentication Source 12 Secure Sockets Layer (SSL) Security 12 Identify Users: Overview 13 Access Manager Namespaces 13 Basic Signons 14 External Signons 14 Common Logon or Single Signon 15 Integrated Windows Authentication 15 Users 16 User Classes 17 Store Connection Information for IBM Cognos Servers 17 Store Signon Information for Secured Databases 17 Store Signon Information for Secured Cubes 18 Store Signon Information for Third Party Cubes 18 Delegate Administration 18 Automate Administration 18 Chapter 2: Set Up An Authentication Source 21 Save Authentication Source Connections 21 Access a Directory Server: Overview 22 Connect to a Directory Server 22 Modify a Directory Server Connection 23 Test a Directory Server Connection 23 Configure Secure Sockets Layer (SSL) on a Directory Server 24 Set Up a Namespace: Overview 25 Add a Namespace 26 Log On to a Namespace 27 Log On to a Namespace as Another User 28 Add a Namespace Administrator 29 Provide Summary Information for a Namespace 29 Set Up Anonymous Access to a Namespace 30 Set Up Guest Access to a Namespace 31 Set Signon Properties for Users in a Namespace 31 Use Variables for Namespace OS Signons for Web Users 32 Set Password Properties for Users in a Namespace 33 Define Regional Settings for Users in a Namespace 34 Set a Default Namespace for a Directory Server 34 Export a Namespace for Remote Users 35 Transfer Namespace Information Between Directory Servers 36 Identify All Out of Date Namespaces 37 Upgrade Namespaces 38 Enable External User Support 39 Enable Audit Logging 40

Access Manager Administrator Guide 3

Alternate Authentication Sources: Overview 41 Local Authentication Export Files: Overview 41 Add a Local Authentication Export File 42 Import a Local Authentication Export File into a Namespace 42 Chapter 3: Set Up Authentication Data 45 Set Up Users: Overview 45 Add a User 46 Provide a User With a Signon 47 Assign a User to a User Class 48 Provide Access to a Data Source or Application Server 49 Provide Auto-Access for a User 50 Display the User Classes and Accesses for a User 51 Define Regional Settings for Users of Web Products 51 Define User Access to Upfront 52 Link External Users 52 Set Up User Classes: Overview 53 Add a User Class 54 Set Up a Public User Class 54 Set User Class Access Times 55 Set User Class Permissions 56 Display Users Belonging to a User Class 57 Set Up a Data Source: Overview 57 Add a Database 58 Add an OLAP Server Database 58 Set Up Auto-Access for a Database 59 Add a Cube 60 Add a Cube Stored in a Database 61 Add Metadata 61 Set Up a Server: Overview 62 Add a Transformer Server 62 Set Up Auto-Access for a Transformer Server 63 Add a PowerPlay Server 63 Search for Authentication Data 64 Sort Authentication Data 64 Chapter 4: Set Up Security Across Applications 67 Access Manager and Architect 68 Access Manager and Transformer 69 Access Manager and PowerPlay 70 Access Manager and PowerPlay Enterprise Server 71 Access Manager and Impromptu 72 Access Manager and Impromptu Web Reports 73 Access Manager and IBM Cognos Query 73 Access Manager and Upfront 74 Access Manager and IBM Cognos Visualizer 74 Access Manager and NoticeCast 75 Ticket Services 75 Audit Ticket Service Activity 77 Frequently Asked Questions and Troubleshooting 79 Why can't I log on as a user? 79 Why can't I delete a user? 79 Why can't I delete a user class? 79 Why can't I open a secured resource after merging namespaces? 79 When does the cut command behave like copy command? 79 Why can’t I connect to a directory server that is configured for SSL communication? 80 4 Access Manager .

Error Message When Adding Objects Containing the Same Basic Letter Configuration Using Active Directory Server 80 How Do I Determine Why the Access Manager Server Won’t Start? 80 Appendix A: Access Manager Utilitites 81 AM_NamespaceReport Utility 81 AM_NamespaceCorruptionDetect Utility 83 amADUpdate Utility 84 Glossary 85 Index 93 Access Manager Administrator Guide 5 .

6 Access Manager .

you must identify and create users. such as PowerPlay Enterprise Server and Transformer Server. 8) Access Manager Administrator Guide 7 . Related Topics • • • • • • • • • • • "Automate Administration" (p. and local cubes. You must use Access Manager with: • Architect • IBM Cognos Query • Upfront • Impromptu Web Reports • Visualizer • NoticeCast You can choose to use Access Manager with: • Impromptu • PowerPlay • Transformer You should plan your security strategy and implement it in Access Manager before you start using other IBM Cognos products. you apply that information in the other IBM Cognos products. 21). First. see "Set Up An Authentication Source" (p. In one central location. you can store authentication data in one of the following sources: • a namespace on an LDAP directory server • a local authentication export file (. After you set up your security information in Access Manager. and give them memberships in user classes. 18) "Delegate Administration" (p. you can set up and maintain secure user access to data. With Access Manager.Chapter 1: Security and Access Manager Access Manager provides a centralized environment to define. 14) "Identify Users: Overview" (p. and maintain security information for IBM Cognos business information applications. that are created in other IBM Cognos applications. 15) "External Signons" (p. Then you must decide how you want to group users with similar needs for access to information. 17) "Users" (p. you can also set up and maintain user signon information and auto-access privileges for the data sources and servers that contain the required data. 25) "Basic Signons" (p. 15) "User Classes" (p. 14) "Common Logon or Single Signon" (p. In this version of Access Manager. These user classes are given access privileges to the required application servers. Sybase. such as Oracle. 18) "Set Up a Namespace: Overview" (p. 13) "Integrated Windows Authentication" (p. and data sources.lae) For information about each type of authentication source. such as cubes and reports. 16) "Access Manager Components" (p. store.

Chapter 1: Security and Access Manager • • • • • • • • • "Apply Security in Other IBM Cognos Applications" (p. server connection information. several Access Manager components are available: Access Manager Administration Administrators use this Windows-based tool to set up and maintain user classes. An Access Manager Server can be configured as a ticket service or an authentication service. users. There are also two automation interfaces. For more information about Sun Java System Directory Server. 9) "Configure an Authentication Source" (p. The tickets are issued for a specified period so that users can access multiple IBM Cognos applications without having to reenter authentication data. We recommend that you install it on the same computer as the directory server. Access Manager Server The Access Manager Server is an IBM Cognos security component that manages two services: • a ticket service The service that issues tickets used to maintain single signons for users of Web-based IBM Cognos applications. By default. and OLE Automation. and access to data sources. For more information about directory server configuration. see the installation and configuration guide for your product. 17) "Store Signon Information for Secured Cubes" (p. 18) "Store Signon Information for Secured Databases" (p. 12) "Store Connection Information for IBM Cognos Servers" (p. 17) "Store Signon Information for Third Party Cubes" (p. see the installation and configuration guide for your product. You can use a directory server to store and distribute your security information. Sun Java System Directory Server is distributed with Access Manager. 8 Access Manager . At least one Access Manager Server is needed for each IBM Cognos application. this service is not enabled. To implement failover and load balancing for the Access Manager Server. Access Manager Trusted Services Plug-in Software Development Kit This software development kit (SDK) allows you to extend Access Manager functionality so you can use your existing security infrastructure with Access Manager. 11) "Secure Sockets Layer (SSL) Security" (p. Although not an IBM Cognos product. Access Manager Batch Maintenance. Sun Java System Directory Server Access Manager supports Sun Java System Directory Server. 12) "How IBM Cognos Applications Use Authentication Data" (p. or both. • an authentication service The service used for authenticating users of Web-based IBM Cognos applications. which is an LDAP-compliant data store. 18) Access Manager Components When you install an IBM Cognos product. Directory Server Configuration Use Configuration Manager to configure your directory server to work with your IBM Cognos product. 10) "Available Security Options" (p. install additional Access Manager Servers and configure load balancing in Configuration Manager.

53). You do not need Access Manager to implement password protection. 12) Available Security Options Access Manager provides user class protection for and auto-access to data sources and servers. Setting up user classes helps you to specify what information users may access and to prevent unauthorized users from accessing the information.lae). For example. Access Manager Administrator Guide 9 . see "Set Up User Classes: Overview" (p. a Transformer administrator protects a cube by applying user classes (created in Access Manager) to specific dimensions in the cube.Chapter 1: Security and Access Manager Configuration Manager All users can run Configuration Manager when they work in a secured environment to specify the source for their security information. "Configure an Authentication Source" (p. they are given access. For more information about auto-access. For more information about user classes. see "Provide Auto-Access for a User" (p. 11) "Secure Sockets Layer (SSL) Security" (p. Windows Common Logon Server A server that records information about the users of a Windows-based application so that they can log on once and access multiple data sources. For more information see. the application prompts them for user ID and password information depending on the combination of security options you define. You can combine these with any security options you may already have. 12). If the user is a member of the user class that has access to the data source. Password Protection Password protection is a type of security that prevents a user from viewing a data source (such as a cube or catalog) unless the user enters a password when prompted by the application. They can specify whether they will use a directory server or a local authentication export file (. batch processes can run without interruption. 9) "Configure an Authentication Source" (p. 10) "Available Security Options" (p. 50). User Class Protection User class protection is a type of security that prevents a user from viewing a data source unless the user provides a user name and password when prompted by the application. such as • password protection for data sources provided by the application • relational database management system (RDBMS) passwords • server passwords When users select a data source. database. Access Manager works with your application to implement auto-access. or server without being prompted for logon information. The advantages of using auto-access are that it eliminates the need to remember and enter user IDs and passwords for multiple locations. 12) "How IBM Cognos Applications Use Authentication Data" (p. PowerPlay users who access the cube are able to view only those dimensions that their user class has access privileges to. Related Topics • • • • • "Apply Security in Other IBM Cognos Applications" (p. and it is easier to update user signon information because you store the information in one central location. Auto-Access Auto-access is a method of accessing a password-protected cube. The advantages of using password protection as a form of security are that it is easy to implement and it provides more secure data.

Access Manager and PowerPlay Enterprise Server You can apply security to a PowerPlay Enterprise server to prevent unauthorized access. Transformer. These restrictions apply in addition to any cube. You can also specify in Access Manager whether or not you want your users to have a personal NewsBox. Access Manager and Impromptu You can use pre-defined user classes to restrict access to portions of data in a catalog. and then restrict user classes from accessing specific dimensions of the cubes created from those models. 11) "Secure Sockets Layer (SSL) Security" (p. 12) 10 Access Manager . Access Manager and Upfront You can apply restrictions on NewsBoxes and NewsItems in Upfront using the pre-defined user classes. Access Manager and Visualizer You secure the database or cube that the Visualization file references. Access Manager security works in IBM Cognos applications in the following ways: Access Manager. You can then add cubes to the server. 12) "How IBM Cognos Applications Use Authentication Data" (p.or report-specific restrictions that you applied in other IBM Cognos applications. 8) "Available Security Options" (p. Access Manager and Architect You use pre-defined user classes to restrict access to portions of and allowable activities on specific models. you apply it from within IBM Cognos applications. their view is restricted. 10) "Configure an Authentication Source" (p. Related Topics • • • • • "Access Manager Components" (p. which is used to secure cubes. When users subsequently view the cubes in PowerPlay reports. Access Manager and NoticeCast You use pre-defined user classes to restrict access to your alerts and email lists. and to the model after it is exported to other IBM Cognos applications for report or query creation. 12) Apply Security in Other IBM Cognos Applications After you plan your security strategy and implement it in Access Manager. 11) "Secure Sockets Layer (SSL) Security" (p. 9) "Configure an Authentication Source" (p. Related Topics • • • • • "Access Manager Components" (p. and specify the source of security. 12) "How IBM Cognos Applications Use Authentication Data" (p. specified in Transformer. You can secure the data source using Access Manager Administration.Chapter 1: Security and Access Manager For more information about the available password protection options in an application. These restrictions apply to the model in Architect. and PowerPlay You can use Access Manager user classes within Transformer to apply restrictions to Transformer models. see the online help for that application. 8) "Apply Security in Other IBM Cognos Applications" (p. based on the security applied in Transformer.

Access Manager identifies which user class the user belongs to and what access privileges the user has in accordance with the OS signon. or if there is no valid basic signon. 8) Access Manager Administrator Guide 11 . If the IBM Cognos product is using a basic signon. For products that support the union of user classes. 67). If the Access Manager namespace authentication is configured for OS signons. as defined in the authentication source. If the source is a local authentication export file (. 41). it uses the default namespace specified in Access Manager Administration. the application uses the default namespace specified in Configuration Manager. if the user belongs to more than one user class. For more information about using Access Manager with IBM Cognos applications. If there is a match. Related Topics • "Access Manager Components" (p. it considers the user not valid. the user’s access rights are the union of all of the rights of the user classes to which the user belongs. Access Manager prompts the user for basic signon information. For products that do not support the union of user classes. or you have not defined an OS signon for that user. Process The user selects a secure data source. the application looks to see if you specified a particular namespace to use. If it does not find a default namespace there.lae) the user must have access to the file before the application can open it (p. The application denies the user access to the data source. If there is no match.Chapter 1: Security and Access Manager How IBM Cognos Applications Use Authentication Data Each IBM Cognos application that uses Access Manager follows the same process to identify a user's access to secure data. Access Manager identifies which user class the user belongs to and what access privileges the user has in accordance with the basic signon. It then grants or denies the user access to the data source. If Access Manager does not find a match for an OS signon. Details The application reads user and user class information from an authentication source which you have defined to the application: If the source is a namespace. Access Manager prompts the user to specify which user class they want to use during the current session. If you did not specify a namespace. It then automatically grants or denies the user access to the data source without the user having to provide a user ID or password. they must exit the data source and then reopen it again using a different user class. Access Manager prompts the user for a user ID and password and compares them to the basic signon defined in the authentication source. If there is a match. If the user needs to change user classes. Access Manager prompts the user for basic signon information. such as a cube or report. and then grants or denies the user access to the data source. Access Manager compares system information to the OS signon defined in the authentication source. Access Manager identifies the access privileges for the user class. see "Set Up Security Across Applications" (p.

the Access Manager server acts both as an Authentication Service and Ticket Service. Users specify the authentication source by using the Access Manager . 9) "Configure an Authentication Source" (p. In a single machine deployment. the Access Manager login and run-time components communicate directly with the directory server to authenticate users. In a multi-machine installation. 11) "Secure Sockets Layer (SSL) Security" (p. Configure an Authentication Source To use the security information stored in Access Manager. Otherwise. the products will not be able to locate and validate user privileges at runtime. 10) "Available Security Options" (p. the Access Manager login and run-time components communicate with the Common Logon Server on Windows and for administration tools on UNIX and web applications. users must indicate to their IBM Cognos products what they intend to use as an authentication source. 8) "Apply Security in Other IBM Cognos Applications" (p. multiple Access Manager Servers can be configured for either service. 12) Secure Sockets Layer (SSL) Security Access Manager supports SSL for the following types of communication: 12 Access Manager .lae) Related Topics • • • • • "Access Manager Components" (p. The Access Manager Server then communicates with the directory server to authenticate the user and to an Access Manager Server configured as a Ticket Service to maintain session information. which is installed with all IBM Cognos Series 7 products. There are two main types of authentication sources: • a directory server • a local authentication export file (.Chapter 1: Security and Access Manager • • • • "Apply Security in Other IBM Cognos Applications" (p. To maintain session information. 9) "How IBM Cognos Applications Use Authentication Data" (p. You may wish to set up more than one Authentication Service or Ticket Service for fail over and/or load balancing. both services communicating on different ports. Client and Default Web Authentication By default. 10) "Available Security Options" (p. you can configure the Access Manager login component to communicate to an Access Manager Server configured as an Authentication Service. Alternate Web Authentication In web deployments. 12) Configuration Options for Access Manager Authentication Components Access Manager Components can be configured in different ways to interact with other components when authenticating users. the Access Manager run-time component communicates with an Access Manager Server configured as a Ticket Service. 12) "Secure Sockets Layer (SSL) Security" (p.Runtime component in Configuration Manager. please refer to IBM Cognos Planning Advanced Installations Guide. For more information.

the information for your users must exist in both namespaces. This approach will decrease maintenance effort. Sun Java System Directory Server is included as part of the Access Manager installation. A signon strategy can use basic signons. or both. Except for testing purposes. 8) "Apply Security in Other IBM Cognos Applications" (p. or in a local authentication export file (. For more information about setting up SSL for your web server. • • For more information on configuring your directory server and Access Manager Server Authentication Service for SSL. Communications that exchange confidential information to and from the Access Manager Server Authentication Service. 13). For alternate web authentication configurations. • For alternate web authentication configurations. 11) Identify Users: Overview Access Manager allows different signon strategies for identifying users. 12) "How IBM Cognos Applications Use Authentication Data" (p. 14) "Integrated Windows Authentication" (p. see the installation and configuration guide for your product. 10) "Available Security Options" (p. 9) "Configure an Authentication Source" (p. SSL can be used to secure the communication from the Access Manager Server Authentication Service to the directory server. operating system (OS) signons. Local authentication export files are appropriate for single-user operations. For more information. if you use one namespace for PowerPlay Enterprise Server and another namespace for Upfront. If more than one signon strategy is chosen at the namespace level. Using a directory server eliminates the need to distribute separate files to each user to enforce security. Related Topics • • • • • "Access Manager Components" (p. Signon strategies can be identified at the namespace or user level. SSL can be used to secure the communication from the login process and Access Manager runtime to the directory server. and user ID preferences using namespace and user properties. 15) Access Manager Namespaces A namespace in Access Manager contains the security information for one or more IBM Cognos applications. 15) "External Signons" (p. You can also define logon attempts. use one namespace for all applications in your business enterprise platform. SSL can be used to secure the communication from the login process to the Access Manager Server Authentication Service. see "Access Manager Namespaces" (p. users within that namespace can be assigned either strategy. Related Topics • • • • • "Access Manager Namespaces" (p.lae). Communications of confidential information to and from a directory server. 24). Local authentication export files are generally used in situations where a user does not have access to a network. Use namespace properties to define rules for passwords. lockout durations. For example. 14) "Common Logon or Single Signon" (p. • For client and default web authentication configurations. Access Manager Administrator Guide 13 .Chapter 1: Security and Access Manager • Communications that use secure hypertext transfer protocol (HTTPS) between a browser and the Web server. see "Configure Secure Sockets Layer (SSL) on a Directory Server" (p. Namespaces can be stored on a directory server. or in a demonstration environment. 13) "Basic Signons" (p.

For more information. When users open a secured application. 15) External Signons If your users already have signons for operating systems or other applications. please note that if the same user exists in more than one namespace. For Web Users If your users access secure applications through the Web. To use the environment variable. When a user opens a secured application. they are prompted for their assigned user ID and password. Related Topics • • • • • "Set Up a Namespace: Overview" (p. Access Manager stores and manages both the user ID and password for each user. For Windows Users If your users sign on to Windows. In addition. 14) "Identify Users: Overview" (p. 13) "Integrated Windows Authentication" (p. You choose and enter basic signon information in Access Manager Administration. 13) "Integrated Windows Authentication" (p.Chapter 1: Security and Access Manager If more than one namespace is being used. 14 Access Manager . 14) "Common Logon or Single Signon" (p. Access Manager can take advantage of Integrated Windows Authentication as well as credentials stored in an environment variable or cookie. the Access Manager trusted services plug-in software development kit (SDK) can help address external authentication requirements. 14) "Identify Users: Overview" (p. changing any of the following fields will cause the change to appear in all namespaces: • description • surname • given name • mail • telephone # • preferred language Related Topics • • • • • • "Set Up a Namespace: Overview" (p. 15) Basic Signons For basic signons. you may not want to assign them additional signons for Access Manager. 15) "External Signons" (p. There are several ways to use existing signon information with Access Manager. Access Manager matches the OS signon for a user to the value the environment variable or cookie returns. Access Manager looks for the Windows signon information and compares it to the signon information entered for each user in Access Manager Administration. you can enter the Windows signon information for each user in Access Manager Administration. see the Access Manager Trusted Services Plug-In Software Development Kit Guide. 25) "Common Logon or Single Signon" (p. 25) "Basic Signons" (p. If a match is found. 15) "External Signons" (p. the user is granted access to the secured application.

Windows products use common logon. It does not affect access to administration utilities. Integrated Windows Authentication is a feature of the Microsoft Internet Information Server (IIS) that enables users who are already logged on to open other applications without typing their user ID and password again. A reference to the ticket is stored in a cookie in the user's Web browser. Common logon or single signon maintains user authentication data so users who have access can open multiple secure data sources using different IBM Cognos products. 14) "External Signons" (p. or has logged off the Windows Common Logon server. even if they drill through different IBM Cognos applications or navigate from one IBM Cognos application to another. 13) "Integrated Windows Authentication" (p. It can be used with your Web products to simplify user logon. 15) and "Use Variables for Namespace OS Signons for Web Users" (p. common logon or single signon tracks the user and controls their access to multiple data sources. For Windows Users In Windows. 14) "Identify Users: Overview" (p. 15) "Identify Users: Overview" (p. Access Manager Administrator Guide 15 . and to enforce any security restrictions. 15) Common Logon or Single Signon Users can access multiple secured IBM Cognos applications in one session using common logon or single signon. the Windows Common Logon server identifies the user and stores relevant security information locally on the user's computer. After a user opens a secure data source. For Web Users For Web users. When the user's browser session ends. 25) "Basic Signons" (p. see the installation and configuration guide for your product. 32). the ticket service issues a ticket when a user is identified. see "Integrated Windows Authentication" (p. and Web-based products use single signon. 13) "Integrated Windows Authentication" (p. 25) "Basic Signons" (p. the cookie is deleted. When the user opens another IBM Cognos application. and to enforce any security restrictions. 15) Integrated Windows Authentication Integrated Windows Authentication is also known as Windows NT Challenge Response. Related Topics • • • • • "Set Up a Namespace: Overview" (p. if the user has installed the Windows Common Logon server. Related Topics • • • • • "Set Up a Namespace: Overview" (p. For more information about common logon or single signon. When the user opens another IBM Cognos application. This means users only have to provide a user ID and password once. the second application uses the stored information to identify the user. a key icon appears in the system tray of the Windows taskbar. The information to identify the user remains in the Windows Common Logon server until the user has closed all IBM Cognos applications. 14) "Common Logon or Single Signon" (p. When a user invokes authentication for any Windows-based component of the IBM Cognos platform.Chapter 1: Security and Access Manager For more information. the application uses the stored ticket information to identify the user.

rather than create them in the namespace. depending on which user classes they belong to. For more information about Integrated Windows Authentication. For more information.x and 4. Because named users do not share the same restrictions to information. see "Provide a User With a Signon" (p. If you choose to have anonymous users in a namespace. or named users with guest users. 15) "External Signons" (p. see the installation and configuration guide for your product. 25) "Basic Signons" (p. For Microsoft Information Server (IIS) 5. You do this by setting up your namespace for named users.x. You can choose to link to users defined elsewhere in the directory server. 47). they must enter their user ID and password. For more information about linking users. and share the same security restrictions. regional settings. Because anonymous users are considered as a group. Users are added and managed with the Access Manager administration interfaces. Those security restrictions are determined by the user classes that the guest user belongs to. user class memberships. If users connect with a different Web browser. Because guest users are considered as a group. they must be identified using one of the various signon strategies available. such as Netscape. all users are considered as a group. All Users Have the Same Restrictions You may want to give all of your users the same restrictions to secured information. 14) "Common Logon or Single Signon" (p.Chapter 1: Security and Access Manager Integrated Windows Authentication works by allowing the Microsoft Internet Information Server (IIS) to get a user’s Windows Domain Login Name from an Internet Explorer Web browser. connection information for PowerPlay and Transformer servers. Notes Access Manager supports Integrated Windows Authentication or Windows NT Challenge Response.x it is called Windows NT Challenge Response. Related Topics • • • • • "Set Up a Namespace: Overview" (p. Guest users are similar to anonymous users because they are considered as a group. see "Enable External User Support" (p. signon preferences. you do not need any other types of users except administrators. and have different security restrictions. Those security restrictions are determined by the user classes that the anonymous user belongs to. and personal NewsBox availability in Upfront. and can belong to many. no signon information is required to identify individual users. for IIS 3. You do this by defining an anonymous user for your namespace. no signon information is required to identify individual users. You can also provide users with traditional signons. Users have properties that allow you to enter personal information. Named users are considered individually. If your namespace is set up for anonymous users. 13) Users Namespaces contain users. All Access Manager users must belong to at least one user class. 16 Access Manager . 39). Users Have Different Restrictions You may want to give different users different restrictions to secured information. such as basic or operating system signons. this method of authentication is called Integrated Windows Authentication. You can adopt one of two basic strategies when defining the types of users you want. 14) "Identify Users: Overview" (p. and share the same security restrictions.

You can restrict access to reports. When you secure information against the public user class. and is essential for running batch jobs that access a secured database. 17) "Store Signon Information for Third Party Cubes" (p. if you have a user who runs batch jobs after regular business hours using a secured database. and commonly reflect your company's organizational structure. 16) Store Connection Information for IBM Cognos Servers You can store connection information for PowerPlay Enterprise and Transformer servers. User classes are arranged hierarchically. When the batch job runs and accesses the secured database. and so on with user classes. see "Available Security Options" (p.Chapter 1: Security and Access Manager If you choose to have named users. 18) Access Manager Administrator Guide 17 . Related Topics • "Users" (p. User class security is different and separate from application-specific security such as a filter on a cube in PowerPlay. 17) User Classes User classes represent groups of users with identical authorization rights. All users are automatically included in this user class. Access Manager supplies the necessary signon information. you may not want users to have to supply signon information every time they access the databases. using user class properties. When users access a Transformer server. Then you apply security for other IBM Cognos products based on the existing user classes. You can then associate the stored signon information with individual users. you can designate an existing user class to be the public user class. If you have information that everyone needs access to. Related Topics • • • "Store Connection Information for IBM Cognos Servers" (p. Related Topics • • • "Store Signon Information for Secured Cubes" (p. You can set time restrictions for system access and delegate administration duties for each user class. 9). NewsItems. 18) Store Signon Information for Secured Databases If you have secured databases. You can store information about secured databases in Access Manager. including the required signon information. 18) "Store Signon Information for Secured Databases" (p. Storing connection information creates a list of valid servers for users to choose from when using Transformer or PowerPlay client applications. For more information. You then associate the information with the user who runs batch jobs. 18) "Store Signon Information for Third Party Cubes" (p. you cannot have anonymous users. or named users with guest users in a namespace. You can also store signon information for Transformer servers in Access Manager. For example. cubes. This is convenient for users. all users have access to this information. you can store the required signon information in Access Manager. 17) "Store Signon Information for Secured Cubes" (p. Access Manager supplies the necessary signon information. Related Topics • "User Classes" (p. Access Manager applies security at the user class level. You create user classes and add users to those user classes in Access Manager.

add. 17) "Store Signon Information for Secured Cubes" (p. You can store the required signon information and other information about secured data in Access Manager. Access Manager supplies the necessary signon information. For example. including the required signon information. You can store information about secured PowerPlay cubes in Access Manager. and PowerPlay and Transformer servers. You can store the required signon information in Access Manager. user classes. 17) "Store Signon Information for Third Party Cubes" (p. These administrative rights are carried forward to Access Manager's Web-based administration in Upfront. Access Manager supplies the necessary signon information. 18) Store Signon Information for Third Party Cubes IBM Cognos applications work with third party data that may be secured by the third party application. Use the batch command processor for simple automation tasks when ease of use is a consideration. you may have a PowerPlay cube that is secured. For example. You then associate the information with individual users. and remove users. You can then associate the stored signon information with individual users. Related Topics • • "Automate Administration" (p. Related Topics • • • "Store Connection Information for IBM Cognos Servers" (p. Related Topics • • • "Store Connection Information for IBM Cognos Servers" (p. 18) "Set User Class Permissions" (p. You then associate the stored signon information with individual users. users. You then associate the information with individual users. you may have an Hyperion Essbase cube that is secured. and to set the properties of namespaces. 17) "Store Signon Information for Secured Databases" (p. data sources. Use OLE automation for more complex automation tasks that require a knowledge of computer programming. User classes have properties that allow you to define whether or not members of a user class can see. 17) Delegate Administration You can allow members of selected user classes to perform administrative tasks within Access Manager Administration. you may not want users to have to supply signon information every time they access the cube. You can also specify whether or not the member of a user class can change various personal settings in Upfront. When those users access the secured cube. and data sources. Batch Maintenance Windows and UNIX users can use the batch command processor in Access Manager to create or delete users and user classes. You can store the required signon information in Access Manager. 56) Automate Administration You can automate the administration tasks you perform in Access Manager Administration. user classes. 18 Access Manager . PowerPlay and Transformer servers. When those users access the secured cube. You may not want users to have to supply signon information every time they access the data. 18) "Store Signon Information for Secured Databases" (p.Chapter 1: Security and Access Manager Store Signon Information for Secured Cubes If you have secured PowerPlay cubes.

For more information about batch maintenance.Chapter 1: Security and Access Manager The batch command processor can set values. With OLE automation. Related Topics • "Delegate Administration" (p. For more information about OLE Automation. and you can set and return values for conditional processing. This means that conditional processing is not possible. The batch command processor can only execute scripts in which all object names are known. you can use collections of objects. see the Access Manager Batch Maintenance Guide. 18) Access Manager Administrator Guide 19 . see the Access Manager Macro Reference Guide. OLE automation allows access to all functionality in the Access Manager Administration user interface. OLE Automation Windows users with a knowledge of computer programming can use object linking and embedding (OLE) automation. but cannot return them. It cannot process collections of objects.

Chapter 1: Security and Access Manager 20 Access Manager .

Tip • To automatically open a specific IBM Cognos security administration file (.csa) automatically opens and is ready for use. 21) "Set Up a Namespace: Overview" (p. Access Manager prompts you to save the file before you exit. If you add new connection information to the file. 3. 4. click Set As Default. Use this file to store connection information for all your authentication sources. and you have not saved it. 41) "Save Authentication Source Connections" (p. regardless of whether the user is connected to the network (p. In the Save In box. 2.csa) contains all the connection information for directory servers and . With the appropriate . type the name of the file. 21). Related Topics • "Set Up An Authentication Source" (p.csa file open in Access Manager. For more information about saving connection information. You can also use . 41).lae files when you have users who are not connected to the same network as the directory server. and the servers and data sources that users can access. see "Save Authentication Source Connections" (p.lae files as an alternate source. You store connection information about your authentication sources in an IBM Cognos Security Administration file (. Access Manager supports the following types of authentication sources: • a namespace on an LDAP directory server • a local authentication export file (.Chapter 2: Set Up An Authentication Source An authentication source contains security information about users. 21) Access Manager Administrator Guide 21 .csa file as the default. click Save As. Click Save. user classes. 25) Save Authentication Source Connections Description The first time you use Access Manager.lae files. from the File menu.csa). set the appropriate . select the location where you want to store the file. The IBM Cognos Security Administration file (. Related Topics • • • • "Access a Directory Server: Overview" (p. such as remote users or users working offline. Use . From the File menu. an empty IBM Cognos security administration file (. Steps 1.lae) Use namespaces on a directory server when you have a large number of users who are connected to the same network as the directory server. 22) "Alternate Authentication Sources: Overview" (p. In the File Name box.csa) each time you open Access Manager.

22) "Modify a Directory Server Connection" (p. you can use your existing authentication database. After you connect to a directory server. 23). click the Directory Servers folder. For more information. Notes It is recommended that you do not store the same authentication data in multiple directory servers. you should test the connection to ensure that it is working properly. The directory server installation assigns this port to LDAP servers. 22 Access Manager . By default. in the Host box. 80). For information about setting up a directory server. After you define a connection. You need to install and configure a directory server. On the General tab. see "Test a Directory Server Connection" (p. the port is 389.Chapter 2: Set Up An Authentication Source Access a Directory Server: Overview Access Manager uses an LDAP directory server as the main location for storing your authentication data. you have to make the same modifications in every directory server. Steps 1. you need the required connection information. In the Port/SSL Port box. In the Authentication Information pane. 21) "Configure Secure Sockets Layer (SSL) on a Directory Server" (p. Using one directory server for all your security information not only guarantees that the information is always up-to-date. 2. 23) "Test a Directory Server Connection" (p. user class. the port name distinguishes between the two servers. and data source information. you must use Access Manager to set up a connection to the directory server. you can create namespaces in which to store your user. contact your directory server administrator. you must create a connection to each directory server you intend to use. type the port the directory server uses. The troubleshooting section includes information to help you correct problems connecting to a directory server configured for SSL (p. From the Action menu. 3. If you are already using a directory server to deploy authentication data for PowerPlay. Impromptu Web Reports. 4. Sun Java System directory server can be obtained from your product installation. you will have to extend the server schema to include the object classes and attributes that Access Manager uses. click Add Connection. To store authentication data on a directory server. Otherwise. Whether you use an existing directory server or install a new one. 24) Connect to a Directory Server Description Before you can create namespaces in which to store your authentication data. If you have more than one server on a computer. or PowerPlay Web. but also requires less maintenance. metadata source. application server. To successfully connect to a directory server. see the installation and configuration guide for your product. such as the server • host (name or IP address) • port • base distinguished name (DN) If you do not have this information. if you have to make modifications to the authentication data. type the name or IP address of the server where the directory server is installed. Related Topics • • • • • "Connect to a Directory Server" (p. 23) "Set Up An Authentication Source" (p.

22) "Modify a Directory Server Connection" (p. Testing the directory server connection will help you determine if the problem is connection-related. c=CA). you perform this task immediately after you set up or modify a new connection. you won’t be able to use the connection. type the DN for the root of the directory according to the LDAP standard. Typically. 24) Test a Directory Server Connection Description You can test a directory server connection to verify whether it is working properly. 22) "Test a Directory Server Connection" (p. there may be times when you have trouble working with namespaces. such as the base distinguished name (DN). After you modify a directory server connection. In the Base Distinguished Name (DN) box. Click Log On. Related Topics • • • • "Access a Directory Server: Overview" (p. However. In the Authentication Information pane. click Properties. you should test the connection to ensure that it works properly. If you did not install the directory server. Select the appropriate directory server. Steps 1. 23) "Test a Directory Server Connection" (p. 2. In the Timeout box. double-click the Directory Servers folder to list the contents. contact the administrator for the required DN. Unless you make the same change to your directory server connection. type the maximum amount of time (in seconds) the user has to establish a connection to the directory server. 6. 3. Steps 1. Access Manager Administrator Guide 23 . 24) Modify a Directory Server Connection Description You may occasionally have to modify your directory server connection. 23) "Configure Secure Sockets Layer (SSL) on a Directory Server" (p. This DN is the name you typed in the Directory Suffix box when you installed the Sun Java System directory server (for example. o=Cognos. Modify the connection properties as required. double-click the Directory Servers folder to list the contents. 23) "Configure Secure Sockets Layer (SSL) on a Directory Server" (p. 7. Related Topics • • • • "Access a Directory Server: Overview" (p. click Properties. see "Test a Directory Server Connection" (p. 3. 8.Chapter 2: Set Up An Authentication Source 5. 4. In the Authentication Information pane. 2. 22) "Connect to a Directory Server" (p. From the Edit menu. Select the appropriate directory server. or view the connection properties. the directory server administrator may have changed the properties of the server. Click OK. 23). From the Edit menu. For example. For more information.

Access Manager supports SSL for exchanging confidential information to and from your directory server.db file. In Configuration Manager. Refer to the documentation provided by the third-party certificate authority for additional information. configure the Access Manager runtime for SSL communication to the directory server on all computers that use IBM Cognos security. On the General tab. 24) Configure Secure Sockets Layer (SSL) on a Directory Server Description Secure Sockets Layer (SSL) is a standard protocol for providing a secure environment for communications over networks. 3. Related Topics • • • • "Access a Directory Server: Overview" (p. and ensure that the CA used in step 1 is trusted in this certificate database.Chapter 2: Set Up An Authentication Source 4. Certificates are stored in a certificate database. and type the SSL port number. 22) "Connect to a Directory Server" (p. 24 Access Manager . To configure an SSL connection. 4. By default. This stops all communication over the directory server’s non-secure port (by default 389). click Properties. 2.db file format be used for the certificate database. select Enable SSL.db file. Use a tool such as Netscape Navigator 4. ensure that the primary key location contains a valid key store. contact your directory server administrator. double-click the Directory Servers folder to list the contents. you must either purchase certificates from a third-party certificate authority.db). see your directory server documentation. • Select the Require SSL for all connections if you want all communication with the directory server over an SSL port. directory server clients can not connect through a non-secure port. To administer the directory server in Access Manager Administration: • In the Authentication Information pane. and on the General tab. A message appears indicating whether your directory server is responding. or set up a certificate authority (CA) such as Netscape Certificate Server or Microsoft Certificate Server to issue and manage your own certificates. 22) "Modify a Directory Server Connection" (p. For more information.x to add or update certificates in the cert7. and click the appropriate directory server in the list. Enable SSL on the directory server. and then configure SSL between the Access Manager login process and the Access Manager Server Authentication Service: Steps to Configure SSL with a Directory Server 1. the SSL Configuration dialog box appears. and between the Access Manager login process and the Access Manager Server Authentication Service. For alternate web authentication configurations. configure SSL with the directory server. 80). see the Configuration Manager User Guide. The troubleshooting section includes information to help you correct problems connecting to a directory server configured for SSL (p. Also. You must enable SSL for the primary and all secondary authentication services. If the test is not successful. the port is 636. For more information. • From the Edit menu. • If the certificate database has not been configured. Obtain a cert7. 23) "Configure Secure Sockets Layer (SSL) on a Directory Server" (p. Note: If you select Require SSL for all connections. click Test. Access Manager requires that a cert7. Enter the location of your Netscape certificate database file (Cert7.

and ensure that the CA used in step 2 is trusted in this certificate database. such as user signons. Preparing a namespace for use with Access Manager involves adding. For more information about modifying the authentication data in a namespace. Related Topics • • • • "Access a Directory Server: Overview" (p. Import the certificate generated by the CA in step 2 into the keystore for the Access Manager Server.jar setenv CLASSPATH . you must repeat these steps for each service. 22) "Modify a Directory Server Connection" (p. Note: If you install more than one Access Manager Server Authentication Service. and setting the properties for the namespace.Chapter 2: Set Up An Authentication Source Steps to Configure SSL Between Access Manager Login Process and the Access Manager Server Authentication Service 1.4 or 1.bcprov-jdk13-113. 26) "Add a Namespace Administrator" (p.AmKeyTool. see the Configuration Manager User Guide. 29) Access Manager Administrator Guide 25 .db file. user classes. refer to the Configuration Manager User Guide.5 on Windows JRE 1. Enable SSL on the Access Manager Server Authentication Service.:AmKeyTool. and access privileges to data sources. 23) "Test a Directory Server Connection" (p.5 on Unix • Environment variable set CLASSPATH=.. 21). For more information on the command line usage of AmKeyTool. type: java AmKeyTool -c -f <generated CSR file> -k <private key location> -p <private key password> -d <certificate dn> For more information about the command line usage of AmKeyTool. metadata. 3. see "Set Up An Authentication Source" (p. 6. For more information. 4.jar 2.jar. Use the CSR generated in step 1 to obtain a certificate from your CA. Note: Do not close this command line window until you complete the entire procedure.jar:bcprov-jdk13-113. 5. 22) "Connect to a Directory Server" (p. 23) Set Up a Namespace: Overview If you intend to use a directory server to store your authentication data. Generate the private key and certificate signing request (CSR) using AmKeyTool found in the Cognos_installation/bin directory on the computer that has an Access Manager Server installed: • Set your CLASSPATH environment variable: Environment JRE 1. and application servers. type AmKeyTool on the command line. Configure the Access Manager Web Authentication for SSL communication to the Access Manager Server Authentication Service on each computer with an installed IBM Cognos gateway. type: java AmKeyTool -i -f <certificate file> -k <private key location> -p <private key password>. type AmKeyTool on the command line. A namespace is where you actually maintain authentication data. For more information. Related Topics • • "Add a Namespace" (p. logging on to. you need to set up a namespace (also known as a directory) on the directory server.4 or 1. Obtain a cert7. On the command line. On the command line.

34) "Set Password Properties for Users in a Namespace" (p. 35) "Log On to a Namespace" (p. 8. 28) "Provide Summary Information for a Namespace" (p. type a description of the namespace if required. 29) "Set a Default Namespace for a Directory Server" (p. In the Name box. 5. In the Runtime Administrator Password box. 34) "Export a Namespace for Remote Users" (p. You can then import the . 31) "Transfer Namespace Information Between Directory Servers" (p.Chapter 2: Set Up An Authentication Source • • • • • • • • • • • "Define Regional Settings for Users in a Namespace" (p. type the name that you use to log onto the directory server. 42). Click Log On. Steps 1. 3. However. There is no limit to the number of namespaces you can create on a directory server. If you delete a namespace from a directory server.lae). 38) "Set Up An Authentication Source" (p. You can only delete those namespaces that you have access to as an administrator. type the password. Tip • To delete a namespace. 10. see "Import a Local Authentication Export File into a Namespace" (p. and the authentication data it contains. The new namespace appears in the directory server and contains a default user called Administrator. 6. 21) Add a Namespace Description You must create a namespace on a directory server before you can create users or user classes. double-click the Directory Servers folder to list the contents. In the Description box. 36) "Upgrade Namespaces" (p. you can create a namespace in a local authentication export file (. Click OK. from the directory server. 9. Click other tabs to set other namespace properties. type a name for the namespace. to simplify administration. 7. To set up a namespace and add authentication data to it before you add the namespace to the directory server. 33) "Set Signon Properties for Users in a Namespace" (p. Deleting a namespace permanently removes it. Notes You cannot have a space as the first character in the name of a namespace. In the Authentication Information pane. You cannot delete a namespace that is set as default. For more information. From the Action menu. 27) "Log On to a Namespace as Another User" (p. select it and click Delete from the Action menu. 26 Access Manager . 2.lae file into an empty namespace on the directory server. click Add Namespace. then the action cannot be undone and there is no means of recovering the data. 4. or before you can add signon information for application servers or data sources that users need to access. we recommend that you use one namespace for all applications in your business enterprise platform. Select the directory server you want to add a namespace to. In the Runtime Administrator Distinguished Name (DN) box.

29). 33) "Set Signon Properties for Users in a Namespace" (p. Tip • If you double-click a namespace. This user ID does not have a password and belongs to the root user class. you must be able to log on to the namespace. 33) Access Manager Administrator Guide 27 . 26) "Add a Namespace Administrator" (p. the IBM Cognos Logon dialog box appears and prompts you for a user ID and password. 27) "Log On to a Namespace as Another User" (p. You can also right-click the namespace and click Log On to open the IBM Cognos Logon dialog box. 29) "Set a Default Namespace for a Directory Server" (p. 2. 35) "Log On to a Namespace as Another User" (p. 29) "Define Regional Settings for Users in a Namespace" (p. click Log On. 28) "Provide Summary Information for a Namespace" (p. 31) "Set Up a Namespace: Overview" (p. Using Access Manager. each namespace contains an administrator user ID called Administrator. 35) "Log On to a Namespace" (p. Double-click the directory server that contains the namespace you want to access. 38) Log On to a Namespace Description To access and modify the contents of a namespace. After you log on to a namespace. 3. Use this default user ID to initially log on to the namespace. The contents of the namespace appear in the right pane of the Access Manager window. you remain logged in for the entire session (until you exit Access Manager). 34) "Export a Namespace for Remote Users" (p. see "Add a Namespace Administrator" (p. Steps 1. 34) "Set Password Properties for Users in a Namespace" (p. 25) "Transfer Namespace Information Between Directory Servers" (p. 29) "Set a Default Namespace for a Directory Server" (p. 5. In the Authentication Information window. 29) "Define Regional Settings for Users in a Namespace" (p. double-click the Directory Servers folder to open it. By default. 34) "Set Password Properties for Users in a Namespace" (p. Type your user ID and password. 34) "Export a Namespace for Remote Users" (p. you can only log on to a namespace if you have a basic signon and belong to a user class that has permissions to view or edit the contents of the namespace. 36) "Upgrade Namespaces" (p. and then click Log On. 28) "Provide Summary Information for a Namespace" (p. In the right pane of the Access Manager window.Chapter 2: Set Up An Authentication Source Related Topics • • • • • • • • • • • • "Add a Namespace Administrator" (p. 4. For more information about creating additional administrator user IDs. Related Topics • • • • • • • • "Add a Namespace" (p. Select the namespace.

34) "Export a Namespace for Remote Users" (p. type the corresponding password. 31) "Set Up a Namespace: Overview" (p. you often need to log on to a namespace as the administrator. 33) "Set Signon Properties for Users in a Namespace" (p. This is usually the easiest way to make changes to a namespace. 26) "Add a Namespace Administrator" (p. double-click the Directory Servers folder. If the namespace uses operating system (OS) signons. Steps 1. In the User ID box. 29) "Define Regional Settings for Users in a Namespace" (p. 5. In the Authentication Information window. Select the namespace. since the administrator has full access to a namespace. Related Topics • • • • • • • • • • • • "Add a Namespace" (p. The IBM Cognos Logon dialog box appears. 7. 36) "Upgrade Namespaces" (p. This allows you to check that you have given the user appropriate access permissions. 3. If the namespace uses basic signons. When you log on as a user other than the administrator. 25) "Transfer Namespace Information Between Directory Servers" (p. by default. 25) "Transfer Namespace Information Between Directory Servers" (p. 6. The administrator user ID belongs to the root user class and. To access the namespace as another user. then you can log on as any user using the Login As command. only the administrator or a member of the root user class can access the namespace with a basic signon. 2. type the user ID you want to log on as. then you are automatically logged on to the namespace with your network ID. you have that user's access rights. you must log off before logging in as another user. 29) "Set a Default Namespace for a Directory Server" (p. The contents of the namespace appear in the right pane of the Access Manager Administration window. 31) "Set Up a Namespace: Overview" (p. From the Action menu.Chapter 2: Set Up An Authentication Source • • • • "Set Signon Properties for Users in a Namespace" (p. use the Login As command to log in using a basic signon. 27) "Provide Summary Information for a Namespace" (p. Click Log On. 38) 28 Access Manager . You can also log on to a namespace as any user in the namespace. 34) "Set Password Properties for Users in a Namespace" (p. When a namespace uses only OS signons. click Login As. does not have a password. If you have already logged on to the namespace. Double-click the directory server that contains the namespace you want to access. 36) "Upgrade Namespaces" (p. 35) "Log On to a Namespace" (p. 38) Log On to a Namespace as Another User Description When you are using Access Manager Administration. In the Password box. 4. or both basic and OS signons.

27) "Log On to a Namespace as Another User" (p. Double-click the Users folder to list the contents. Drag the user that you want to add as a namespace administrator to the Root User Class icon. 5. 33) "Set Signon Properties for Users in a Namespace" (p. Log on to a namespace. see "Log On to a Namespace" (p. 28) "Provide Summary Information for a Namespace" (p. You can also use the Keywords property in your OLE automation scripts to access and use these keywords. 2. To properly set up a namespace administrator. 47). For more information about creating user signons. 34) "Set Password Properties for Users in a Namespace" (p. This information is optional. Click the Summary tab. 25) "Transfer Namespace Information Between Directory Servers" (p. Related Topics • "Add a Namespace" (p. see "Log On to a Namespace" (p. Steps 1. and they must belong to the root user class. For more information. 2. 3. 38) Provide Summary Information for a Namespace Description You can provide detailed information about each namespace. 29) "Set a Default Namespace for a Directory Server" (p. 34) "Export a Namespace for Remote Users" (p. 26) Access Manager Administrator Guide 29 . Click OK. Log on to a namespace. 31) "Set Up a Namespace: Overview" (p. This user ID does not have a password and belongs to the root user class. 36) "Upgrade Namespaces" (p. From the Edit menu. You can add keywords to use with a future version of Access Manager for keyword searches. 3. You can use this user ID to set up additional namespace administrators. which may be useful for other administrators or if you are administering a large number of namespaces. click Properties. The Namespace Properties dialog box appears. each namespace contains an administrator user ID called Administrator. 26) "Define Regional Settings for Users in a Namespace" (p. 35) "Log On to a Namespace" (p. Steps 1. Related Topics • • • • • • • • • • • • "Add a Namespace" (p. see "Provide a User With a Signon" (p. It is the root user class that gives the administrator full access privileges to the namespace. 27). as well as your authentication data. For more information. Provide the required summary information. you must provide the administrator with a basic signon. 27).Chapter 2: Set Up An Authentication Source Add a Namespace Administrator Description By default. 4.

Anonymous users cannot change IDs or passwords for secure resources. Steps 1. 38) Set Up Anonymous Access to a Namespace Description You can set up anonymous access to a namespace so that users are never prompted for a user ID and password. other IBM Cognos products will not prompt users for a user ID or password. 3. 28) "Set a Default Namespace for a Directory Server" (p. click Properties. 51) "Provide a User With a Signon" (p. From the Edit menu. You can restrict access to a data source by setting user permissions for the anonymous users. 34) "Export a Namespace for Remote Users" (p. 36) "Upgrade Namespaces" (p. click Use the Following Account for Anonymous Access. For more information. 35) "Log On to a Namespace" (p. 50) "Set Up Guest Access to a Namespace" (p. 45) 30 Access Manager . Enter the name of the user account you want. 34) "Set Password Properties for Users in a Namespace" (p. 46) "Assign a User to a User Class" (p. as you would for any other user. In the Authentication box. The anonymous user • must be a member of at least one user class • can have auto-access • can exist in the public user class The administrator accesses the namespace by logging in as the administrator from other IBM Cognos applications. 27) "Log On to a Namespace as Another User" (p. 49) "Provide Auto-Access for a User" (p. 25) "Transfer Namespace Information Between Directory Servers" (p. 31) "Set Up a Namespace: Overview" (p. 2. Click OK. 31) "Set Up Users: Overview" (p. 5. such as access to Public folders. Log on to a namespace. 33) "Set Signon Properties for Users in a Namespace" (p. If you enable anonymous users in a namespace. Anonymous users are usually granted minimal access privileges.Chapter 2: Set Up An Authentication Source • • • • • • • • • • • "Add a Namespace Administrator" (p. 48) "Display the User Classes and Accesses for a User" (p. 47) "Provide Access to a Data Source or Application Server" (p. 6. Related Topics • • • • • • • • "Add a User" (p. 29) "Define Regional Settings for Users in a Namespace" (p. 27). 4. Click the Settings tab. see "Log On to a Namespace" (p.

which means that the user will be prompted for a basic signon if the OS signon is not recognized by Access Manager. The guest user • must be a member of at least one user class • can have auto-access • can exist in the public user class If you enable guest users in a namespace. For example. 6. If the correct capitalization is not used. 3. Access Manager Administrator Guide 31 . Basic signons are administered and maintained by Access Manager. if you specify a minimum of four characters. each user ID must contain at least four characters. Guest users do not have to provide a user ID and password. 47) "Provide Access to a Data Source or Application Server" (p. Enter the name of the user account you want. These properties offer an additional level of security. • the minimum number of characters that each user’s basic signon must have. then IBM Cognos products that support guest access will offer users the option of logging in as guests. Guest users cannot modify their user preferences. 51) "Provide a User With a Signon" (p. 30) "Set Up Users: Overview" (p.Chapter 2: Set Up An Authentication Source Set Up Guest Access to a Namespace Description You can set up guest access to a namespace so that users have the choice of logging in as named users or as unnamed (guest) users. 49) "Provide Auto-Access for a User" (p. From the Edit menu. Related Topics • • • • • • • • "Add a User" (p. Choosing an operating system (OS) signon means that the user can log on using their operating system or network logon information (user ID and password). 2. For example. Log on to a namespace. • whether user IDs are case-sensitive. 45) Set Signon Properties for Users in a Namespace Description You can set common signon properties for all the users that are defined within the same namespace. You can specify • the type of signons allowed for all the users. 50) "Set Up Anonymous Access to a Namespace" (p. 5. Choosing a basic signon means that the users will be prompted to provide a user ID and password for each secure object they access. see "Log On to a Namespace" (p. 48) "Display the User Classes and Accesses for a User" (p. click Properties. Click OK. 4. OS signons are only as secure as the operating system and network. For more information. the user will not be found and will not be authenticated. Steps 1. In the Authentication box. They log in as "guest". click Use the Following Account for Guest Access. 46) "Assign a User to a User Class" (p. Setting up guest users in a namespace allows you to set different levels of security for named users and for guest users. Click the Settings tab. 27). each user must use the correct capitalization to log on to secure data. with this option selected. You can also choose to use both.

or HTTP cookies to obtain user signon information. click Properties. click Properties. In addition. 2. From the Edit menu. 2. In addition. For more information. 28) "Provide Summary Information for a Namespace" (p. you can use a replace operation to edit the value returned by the variable or cookie. Steps 1. 25) "Transfer Namespace Information Between Directory Servers" (p. see "Log On to a Namespace" (p. The Namespace Properties dialog box appears. No processing is performed to the content of the variable. Click the Signons tab and set the signon properties to use for all users. 34) "Export a Namespace for Remote Users" (p. You can also apply limited expression editing to the variable or cookie used. 27). The Namespace Properties dialog box appears. Related Topics • • • • • • • • • • • • "Add a Namespace" (p. 33). you can set common password properties for all the users that are defined within the same namespace. Click the Signons tab. 3. 27) "Log On to a Namespace as Another User" (p. Log on to a namespace.Chapter 2: Set Up An Authentication Source • the maximum number of times that users may attempt to log on to secure data. 4. 3. For more information. 27)."value1". For example: • ${replace(${environment("variable_name")}. 29) "Define Regional Settings for Users in a Namespace" (p. From the Edit menu. you can also specify the length of time before they can try to log on again. not restricted to REMOTE_USER. 4. see "Set Password Properties for Users in a Namespace" (p. For users who are denied access to the secure data."value2")} 32 Access Manager . 36) "Upgrade Namespaces" (p. Click OK. • ${cookie("cookie_name")} where the full content of the cookie is used to map into the namespace OS Signon database. No processing is preformed on the content of the cookie. 26) "Add a Namespace Administrator" (p. Log on to a namespace. You can use any of the following formats: • ${environment("variable_name")} where the full content of the environment variable is used to map into the namespace OS Signon database. 34) "Set Password Properties for Users in a Namespace" (p. see "Log On to a Namespace" (p. 33) "Set Up a Namespace: Overview" (p. Type the Web signon variable in the External identity mapping box. 29) "Set a Default Namespace for a Directory Server" (p. Steps 1. 38) Use Variables for Namespace OS Signons for Web Users You can use existing environment variables. 35) "Log On to a Namespace" (p. For more information.

• ${replace(${cookie("cookie_name")}. 34) "Set Signon Properties for Users in a Namespace" (p. "value1" is replaced with "value2". For example. you can enforce complexity requirements such as the inclusion of uppercase and lowercase characters. 38) Access Manager Administrator Guide 33 . 35) "Log On to a Namespace" (p. "value1" is replaced with "value2". and the final string result after replacement is used to map into the namespace OS Signon database. (. Related Topics • • • • • • • • • • • • "Add a Namespace" (p. In addition. click Properties. 4. and the final string result after replacement is used to map into the namespace OS Signon database. "NetID1\". the result passed to the namespace OS signon database would be "NetID1-User1". Set Password Properties for Users in a Namespace Description You can specify minimum character lengths. expiration options. you can ensure that old passwords are not reused. such as $. ).Chapter 2: Set Up An Authentication Source where the provided values are replaced in the content of the variable. \. For example."value2")} where the provided values are replaced in the content of the cookie. 29) "Define Regional Settings for Users in a Namespace" (p. 28) "Provide Summary Information for a Namespace" (p. if you entered ${replace(${environment("REMOTE_USER")}. 34) "Export a Namespace for Remote Users" (p. Tip: The \ character is used to escape special characters. 36) "Upgrade Namespaces" (p. 31). 25) "Transfer Namespace Information Between Directory Servers" (p. For more information. 26) "Add a Namespace Administrator" (p. 29) "Set a Default Namespace for a Directory Server" (p. These properties offer an additional level of security. the result used would be "User2". "NetID1\". Also. you can set common signon properties for all the users that are defined within the same namespace. }. In this example. Click the Passwords tab and set the password properties that you want. From the Edit menu. 2. 31) "Set Up a Namespace: Overview" (p. {. Click OK. Log on to a namespace (p. >. and whether passwords must be case-sensitive for all the passwords that you defined within the same namespace. 27) "Log On to a Namespace as Another User" (p. "") and the value of environment variable REMOTE_USER is "NetID1\User2". To meet stricter security requirements in IT environments. In this example. 27). you can enforce additional password rules. If you entered ${replace(${environment("REMOTE_USER")}. <."value1". single quote. see "Set Signon Properties for Users in a Namespace" (p. "NetID1-")} and the value of the environment variable REMOTE_USER is "NetID1\User1". Steps 1. and double quote. 3.

From the Edit menu. 2. Click the directory server that you want to set as default. metadata source. 36) "Upgrade Namespaces" (p. 2. click Properties. 4. 12). you must also set the directory server that contains the namespace as default. You can specify • the time zone associated with the namespace • whether daylight savings time is in effect for the namespace • the time format used for the namespace • the language associated with the namespace • the geographical location associated with the namespace Steps 1. If you want Configuration Manager to automatically use a default namespace. 38) Set a Default Namespace for a Directory Server Description Before a user can access a data source. 34) "Set Password Properties for Users in a Namespace" (p. Before you can set up a default namespace.Chapter 2: Set Up An Authentication Source Define Regional Settings for Users in a Namespace Description You can set the regional settings for all users that are defined within the same namespace. Typically users configure their IBM Cognos product by specifying the authentication source using the Configuration Manager. or application server. Click OK. 21) and "Set Up a Namespace: Overview" (p. 29) "Export a Namespace for Remote Users" (p. 27) "Log On to a Namespace as Another User" (p. Log on to a namespace. see "Configure an Authentication Source" (p. Click the Regional Settings tab and set the properties for the namespace. For more information. 25) "Transfer Namespace Information Between Directory Servers" (p. 27). 33) "Set Signon Properties for Users in a Namespace" (p. you must log on to the directory server where the namespace is located and be authenticated. 35) "Log On to a Namespace" (p. 31) "Set Up a Namespace: Overview" (p. 3. see "Set Up An Authentication Source" (p. double-click the Directory Servers folder. Related Topics • • • • • • • • • • • • "Add a Namespace" (p. In the Authentication Information window. 28) "Provide Summary Information for a Namespace" (p. they must configure their IBM Cognos product so that it knows which authentication source to use at runtime. 25). For more information about namespaces and authentication data. Steps 1. For more information about using Configuration Manager. see "Log On to a Namespace" (p. 26) "Add a Namespace Administrator" (p. 34 Access Manager . 29) "Set a Default Namespace for a Directory Server" (p.

29) "Define Regional Settings for Users in a Namespace" (p. 4. you must specify whether to include the users in the export. or you can merge the data in the source namespace with the data in the . Log on to the namespace.lae file. 38) Export a Namespace for Remote Users Description When you need to create an authentication source for remote users. you can export the namespace to an .lae file into the original namespace on the directory server.Chapter 2: Set Up An Authentication Source 3. 28) "Provide Summary Information for a Namespace" (p.lae file and make the required changes. 27) "Log On to a Namespace as Another User" (p. When you are finished exporting the namespace to an . 33) "Set Signon Properties for Users in a Namespace" (p. 36). For information about namespace merging rules. In the Administrator Access dialog box.lae file with the data in the source namespace. 9. Steps 1. If you do not want to edit the data in a namespace while the namespace is in use. 2. From the Action menu. 39) for a directory server namespace and you export the namespace to an LAE file. indicating that it has been set as the default. Double-click the directory server. see "Import a Local Authentication Export File into a Namespace" (p. 27). click Set as Default. Select the namespace that you want to set as default. Notes If you merge namespaces. cubes that were built from either the source or the destination namespace may have to be rebuilt. 6. type the administrator distinguished name and password. From the Action menu. click Set as Default. 35) "Log On to a Namespace" (p. 29) "Set Password Properties for Users in a Namespace" (p. Click Log On. you can send the file to your remote users. see "Transfer Namespace Information Between Directory Servers" (p. The namespace you selected appears bold. 26) "Add a Namespace Administrator" (p. Related Topics • • • • • • • • • • • • "Add a Namespace" (p. 5. You can either replace the data that already exists in an . click Export To . you can export the data from a namespace in a directory server into a local authentication export file (. 36) "Upgrade Namespaces" (p. indicating that it has been set as the default. Log on to a namespace (p. The directory server you selected appears bold. 8. 34) "Export a Namespace for Remote Users" (p.lae).LAE File. 7.lae file. 25) "Transfer Namespace Information Between Directory Servers" (p. Then you can import the modified namespace in the . 31) "Set Up a Namespace: Overview" (p. For more information. Access Manager Administrator Guide 35 . From the Action menu. If you enabled external user support (p. 42).

and you give precedence to the target namespace. type a name for the new . the precedence of objects and their property settings depends on the namespace to which you give precedence. 34) "Set Password Properties for Users in a Namespace" (p. 28) "Provide Summary Information for a Namespace" (p. type a name and a file path for the file. continue with step 5. select the Export users check box. • In the File Path box. 31) "Set Up a Namespace: Overview" (p. 29) "Define Regional Settings for Users in a Namespace" (p. For example. 33) "Set Signon Properties for Users in a Namespace" (p. clear the Export users check box. do one of the following: • To delete data in the namespace before exporting the authentication data. In the Export To LAE file dialog box. When the source namespace is merged into the target namespace. 7. In the Options box. D. You can then send that file to your remote users. 25) "Transfer Namespace Information Between Directory Servers" (p. the target namespace contains C. If no files are listed. Click Export. 29) "Set a Default Namespace for a Directory Server" (p.lae) • import the . the source namespace contains A. 5. To include users. 26) "Add a Namespace Administrator" (p. C. specify whether to include users in the export. or click Browse to locate an existing file. 38) Transfer Namespace Information Between Directory Servers Description To transfer namespace information between directory servers. If the external user support is enabled for the namespace. 27) "Log On to a Namespace as Another User" (p. the resulting namespace contains • A (from source) • B (from source) • C (from target) 36 Access Manager . • Click OK.lae file into a namespace on the target directory server When you merge one namespace into another. To exclude users. • To add the namespace data to the existing data. • In the Name box. E.Chapter 2: Set Up An Authentication Source 3. Otherwise. 6. 36) "Upgrade Namespaces" (p. select a local authentication export file into which you want to export the namespace. you must • set up a working connection to both directory servers • create a blank local authentication export file (. 4. click Empty the Target Namespace. In the Log file box.lae file. click Add and complete the following steps.lae) • export the namespace from the original directory server to the local authentication export file (. 34) "Log On to a Namespace" (p. click Merge Namespaces. Related Topics • • • • • • • • • • • • "Add a Namespace" (p. B. specify the location for your log file.

Click OK. then the namespace is out of date. 27) "Log On to a Namespace as Another User" (p. 28) "Provide Summary Information for a Namespace" (p. The Identify All Out of Date Namespaces command compares the creation times of all exported namespaces with the modification time of the source and then identifies namespaces that are out of date. Both namespaces store creation and modification times. 34) "Export a Namespace for Remote Users" (p. If a namespace is out of date. The LAE File Properties dialog box appears. In the File Path box.Chapter 2: Set Up An Authentication Source • • D (from target) E (from target) Notes • • You can have more than one namespace in an . Related Topics • • • • • • • • • • • • "Add a Namespace" (p. In the Authentication Information pane. Export the namespace from the original directory server to the blank .lae file by exporting from more than one namespace and choosing to merge namespaces in the Export LAE dialog box. 35). 6. Access Manager Administrator Guide 37 . see "Export a Namespace for Remote Users" (p. see "Import a Local Authentication Export File into a Namespace" (p.LAE File. For information. In the Name box. or an .lae file is imported to a namespace on a directory server.lae file. 3.lae). 34) "Set Password Properties for Users in a Namespace" (p. cubes that were built from either the source or the destination namespace may have to be rebuilt. you can update it by re-exporting the source namespace. 38) Identify All Out of Date Namespaces Description When a namespace on a directory server is exported to a local authentication export file (. type the path of the file or click Browse to specify the location where you want to store the file. 42). 29) "Set a Default Namespace for a Directory Server" (p.lae file. 25) "Upgrade Namespaces" (p. If you merge namespaces. 29) "Define Regional Settings for Users in a Namespace" (p. type a name for the local authentication export file. click the Local Authentication Export Files folder. 31) "Set Up a Namespace: Overview" (p. click Add . 35) "Log On to a Namespace" (p. 26) "Add a Namespace Administrator" (p. From the Action menu.lae file into the target directory server. For information. It also identifies namespaces that have been deleted from one authentication source but not from another. Steps 1. 5. 4. Import the . the exported namespace is linked to its source. 33) "Set Signon Properties for Users in a Namespace" (p. 2. You can also use the Is Namespace Up To Date? command for a namespace on a directory server or for an . 7. If the times are different. This verifies whether the creation time of the selected namespace is the same as the modification time of the source namespace.

2 1.2 before you can upgrade all namespaces to the current version.0 and earlier versions schema version.0 and earlier versions schema version. click Is Namespace up to date? Related Topics • • • "Add a Local Authentication Export File" (p. you can choose to remain at the Compatible with Series 7.lae). If you want your namespaces to be compatible with Series 7. If the schema version is not at least 15. and with any product that uses a namespace version 15. see "Export a Namespace for Remote Users" (p. During configuration. 27). A dialog box appears listing any namespaces in an . 42) "Local Authentication Export Files: Overview" (p. see "Log On to a Namespace" (p. Steps to Identify All Out of Date Namespaces • From the Tools menu. see "Log On to a Namespace" (p.Chapter 2: Set Up An Authentication Source For more information about exporting a namespace. Steps to Verify Up to Date Namespaces 1.lae file that have a creation time that is older than the modification time of the source namespace. you must use the Compatible with Series 7. click Upgrade Namespace. This enables you to build applications that are language-independent and universally accessible. you upgrade your namespaces to the most current version using the Access Manager Administration tool. select Identify all out of date Namespaces. Before you upgrade to the current schema version. From the Action menu.2 and lower. 27). and with Series 7. in Access Manager .1 that uses the namespace version 15.0. For more information. Note: For the namespace version 17. 2. or you can upgrade to the current version. Steps to Upgrade a Namespace to Schema Version 15. Log on to a namespace in a local authentication export file (. If you decide to upgrade your namespace schema during the configuration process. From the Action menu. see the installation guide. For more information. the external user information is not verified. the namespaces are no longer compatible with IBM Cognos Series 7. Note: After you upgrade your namespaces to the current schema version. You may have existing namespaces that were created by using older versions of the schema than the current schema version.2. 41) Upgrade Namespaces Description The structure and properties of a namespace are determined by the schema version of the LDAP directory server that was used to create it. 42) "Import a Local Authentication Export File into a Namespace" (p.2. go to the namespace properties. • you may have to upgrade your directory server schema For information about upgrading your directory server. The additional functionality provided by the current schema version includes improved performance for large deployments of users and user classes.0 and earlier versions.Administration. You can upgrade your namespace schema to the current version. 2. you must upgrade each namespace to version 15. • you must upgrade your namespaces To check the namespace version. General tab. For more information.0 and earlier versions of IBM Cognos products. 38 Access Manager . 35). Log on to the namespace you want to upgrade. and support for extended or non-ASCII characters in UTF-8 (UNICODE) format in the directory server through Access Manager. see Configure the Directory Server for IBM Cognos Products in your installation documentation.

Related Topics • • • • • • • • • • • • "Add a Namespace" (p. After the users are linked to one or more namespaces. 22). A message is displayed warning that upgrading namespaces to the Current schema version makes the namespaces incompatible with IBM Cognos Series 7.Chapter 2: Set Up An Authentication Source A message appears stating that you will be automatically logged out before the namespace can be upgraded. you must log on again. see "Add a Local Authentication Export File" (p. see "Connect to a Directory Server" (p. If a warning message is displayed stating that not all namespaces are at the 15. For information about adding a Local Authentication Export file connection. you must upgrade each namespace to that version before you can upgrade them to the current schema version. Before you enable external user support. we recommend that you back up the directory server data. Steps to Upgrade All Namespaces to the Current Version 1. 42). 31) "Set Up a Namespace: Overview" (p. 3. You are logged out and the namespace is upgraded. 2. 52). expand the Directory Servers or Local Authentication Export file folder. In the Authentication Information pane. You must enable external user support before you can link external users (p.0 and earlier product versions. Open Access Manager . For information about adding a directory server connection. 33) "Set Signon Properties for Users in a Namespace" (p. you add new users only in your directory server. Enable external user support if all users that access the Cognos namespace are defined and maintained in your directory server. and then link them to your Access Manager namespace. and then click Upgrade all namespaces to current version. Click OK. 26) "Add a Namespace Administrator" (p. 3. 34) "Export a Namespace for Remote Users" (p. 28) "Provide Summary Information for a Namespace" (p.Administration.2 schema version. 25) "Transfer Namespace Information Between Directory Servers" (p. If you attempt to add a new user with User Manager in Upfront. Please contact your administrator. 36) Enable External User Support Description External users are defined in a supported secondary directory servers and linked to an Access Manager namespace. 4. Access Manager Administrator Guide 39 . the changes made to these users in your directory server are automatically reflected in Access Manager. Right-click the directory server or LAE file for which you want to upgrade the existing namespaces. After you enable external user support. Click OK. 34) "Set Password Properties for Users in a Namespace" (p. you will get the following message: The "add user" is not supported when external user support is enabled. To access the upgraded namespace. 29) "Define Regional Settings for Users in a Namespace" (p. 35) "Log On to a Namespace" (p. 29) "Set a Default Namespace for a Directory Server" (p. 27) "Log On to a Namespace as Another User" (p.

they are automatically disabled in the Access Manager namespace. 2. 5. and the external user configuration is permanently enabled. LAE namespaces are not auditable. You must set up audit logging for one namespace at a time. You must have already configured your directory server for external user support by using Configuration Manager. and log on to the namespace (p. Right-click the directory server and click Enable External User Support. All the namespaces in the directory server are upgraded to version 17. You can log changes to namespace objects. 3. 4. 6. Click Properties. However. If not. and then click the Audit logging tab. Before you can enable audit logging. 40 Access Manager . you must remove the links to users who are no longer defined in your directory server. Start Access Manager . create a backup. click Cancel. If you already created a backup of the directory server data. 4. Type the runtime administrator distinguished name (DN) and password. 27). You can now link external users (p. Connect to the directory server that stores the namespace you want to audit.Chapter 2: Set Up An Authentication Source For information about removing the add user option from Upfront. changes to access to data source connections. 3.Administration. Changes to the user class membership. when you delete users from your directory server. you specify how and where the namespace changes will be logged. Log on to the namespace (p.Registration Wizard. 52) Enable Audit Logging Description Access Manager supports audit logging of security administration.2. Steps 1. and changes to data source signons are logged. Audit logging is supported for directory server namespaces only. and right-click it. you must • implement the audit logging API functions • register the audit logging API library using Access Manager . If the namespace version is 15. and begin again. Related Topics • "Link External Users" (p. if your primary directory server is a Microsoft Active Directory. double-click the Directory Servers folder to open it. right-click the directory server and click Upgrade all namespaces to the current version. 7. see the IBM Cognos Application Firewall Secure Deployment Guide. With external user support enabled. For more information. Click Log On. 8. see the Configuration Manager User Guide. click OK. For more information. Steps 1.Administration. Start Access Manager . see the Access Manager Trusted Services Plug-In Software Development Kit Guide. 2. you must run the amADUpdate utility (p. In the Authentication Information pane. Click the directory server that contains the namespace you want. 84) before you configure external user support in Configuration Manager and enable external user support in Access Manager Administration. Also. When you enable audit logging. 27).0. 52).

such as a PowerPlay cube. 9.lae).lae file. Access Manager Administration audit logs are saved to the installation_location\bin directory. enter custom configuration information required by your audit logging API library. 6. 25). Click OK. see the Configuration Manager User Guide. make a change to any user class in the namespace.lae files contain namespaces that store your authentication data. for the audit logging API sample provided with Access Manager. 21) Local Authentication Export Files: Overview Local authentication export files (.lae files on a computer running UNIX.lae files locally on a single computer.Chapter 2: Set Up An Authentication Source 5. By default.lae file • import an . which enable single users to access authentication data remotely. • select Stop to discard namespace changes. . and add connection information for servers and data sources are the same whether you use a namespace on a directory server or an . 77) Alternate Authentication Sources: Overview The main source of authentication data used by Access Manager is a namespace on an LDAP directory server. To test audit logging. You can use . This setting specifies that the auditable changes to the namespace are saved when a problem occurs. not on a network or with multiple users. If the tab is not active. The tasks required to create users. In the Administrator Access dialog box. and click Log on. 7. For example. Note: The Audit logging tab must be active. In the On failure box.lae) provide a portable authentication source for single users who want to open user class-protected data remotely. the trusted services plug-in is not registered. specify the action to take when a problem occurs. 41) "Set Up An Authentication Source" (p. click Enable. Web logon audit logs are saved to the installation_location\cgi-bin directory.lae file into a namespace on a directory server Similar to directory servers. see "Set Up Authentication Data" (p. Use . 8. Access Manager Administrator Guide 41 . or the audit logging service is not included in the plug-in. and then check whether the logging source previously specified recorded the change. For information about using . In the Custom Configuration box. you can also use local authentication export files (. type the star (*) character. log off the namespace before you start testing. type the administrator distinguished name and password.lae files on a computer running Windows or UNIX. In the Logging Option box. even though they are not connected to the same network as the directory server. 10. Related Topics • "Audit Ticket Service Activity" (p. For information about editing the properties of a namespace see "Set Up a Namespace: Overview" (p. 45).lae files to distribute and manage authentication data. You can only use . user classes. Note: If you test the sample audit logging plug-in. You can • export a namespace from a directory server to an . • select Continue to save the namespace changes. Related Topics • • "Local Authentication Export Files: Overview" (p. However. For information about editing the authentication data in a namespace.

lae file just as you would for a namespace on a directory server. In the Name box. 2.lae file. Tip • To add an existing .lae file. click Add . Click OK. The new file is created in the specified location and added to the Local Authentication Export Files folder. Related Topics • • • • • "Alternate Authentication Sources: Overview" (p. you can either replace the data that already exists in a namespace on the directory server with the data in the .lae file with the data in the namespace.lae) and then create namespaces for your authentication data. or you can merge the data in the . In the Authentication Information window. 42) "Identify All Out of Date Namespaces" (p. From the Action menu. see "Set Up a Namespace: Overview" (p. You must type the name of the new file in the File Name box. 4. do one of the following: • Type the path and file name for the new file. or you can create an .lae file when you export a namespace from a directory server. Regardless of how you create the . 5.lae file from a namespace on a directory server.lae) for the purpose of updating the authentication data in a namespace on a directory server. click Browse. 3. see "Export a Namespace for Remote Users" (p. type a name for the file. In the File Path box. Click Open to create the file and return to the properties dialog box. • To locate the folder in which you want to create the new file. 35).Chapter 2: Set Up An Authentication Source Note: An . you can create. 41) "Add a Local Authentication Export File" (p. For more information about adding authentication data to the namespace in the .lae file. Related Topics • • • Identify All Out of Date Namespaces Import a Local Authentication Export File into a Namespace Local Authentication Export Files: Overview Import a Local Authentication Export File into a Namespace Description If you use a local authentication export file (. and maintain namespaces in the . 25). select the Local Authentication Export Files folder. For more information about creating an .LAE File. Steps 1. 41) Add a Local Authentication Export File Description You can create a blank local authentication export file(. 37) "Import a Local Authentication Export File into a Namespace" (p. For more information. 45). log on to.lae file to Access Manager. The Open dialog box appears. specify the file in the Properties dialog box.lae file is not supported as an authentication source for multi-user server deployments. see "Set Up Authentication Data" (p. 42) "Alternate Authentication Sources: Overview" (p. 42 Access Manager .

specify whether to include users in the import. 42) "Identify All Out of Date Namespaces" (p. Log on to a namespace (p. Select the namespace that you want to import. select the Import users check box. 39). click Merge Namespaces. • To add the namespace data to the existing data. 27).Chapter 2: Set Up An Authentication Source For information about namespace merging rules. type a name and a file path for the file.lae file and then imported into a directory server namespace that is enabled for external user support. 2. In the Log file box.LAE File dialog box. specify the location for your log file. In the Import From . see "Transfer Namespace Information Between Directory Servers" (p. Importing from a local authentication export file to an empty namespace does not generate audit log entries. 6. clear the Import users check box. do one of the following: • To delete data in the target namespace before exporting the authentication data. • In the Name box. you can run the "AM_NamespaceReport Utility" (p. To include users. click Add and complete the following steps. Related Topics • • • "Add a Local Authentication Export File" (p. 5. they are not imported. select the required file. users may be manually added to a namespace in an . 41) Access Manager Administrator Guide 43 . • Click OK. click Import From . The namespaces that are contained in the file appear in the Namespaces In The File box. 36). If the external user support is enabled. click Empty the Target Namespace. To exclude users. 37) "Local Authentication Export Files: Overview" (p. 4. 7. If the users are not included in the import. continue with step 5. Otherwise. From the Action menu. If you enabled external user support (p. Click Import. or click Browse to locate an existing file. For example.lae file. If audit logging is enabled for the directory server namespace. type a name for the new . you may need to relink them. 81). • In the File Path box. 3. In the Options box. 8. Steps 1. To determine which users must be relinked. changes to the namespace are logged.LAE File. you must specify if you want to include users in the import. After you import users. If no files are listed.

Chapter 2: Set Up An Authentication Source 44 Access Manager .

which would require them to provide their logon information many times. such as a namespace in a directory server or a namespace in a local authentication export file (. Auto-access enables users to access secure cubes. see • "Set Up Auto-Access for a Database" (p. you can assign the users to any number of user classes. 45) "Search for Authentication Data" (p. 62) "Set Up User Classes: Overview" (p. OS signons. 64) Set Up Users: Overview A user is an object that represents an individual in an organization who uses secure data. which enables users to access user class-protected data. 63) • "Provide Auto-Access for a User" (p. For more information about setting up user classes. databases. and application servers that users need access to • giving users access permissions to the required data sources. Setting up auto-access for a user is useful if the user needs to access multiple data sources on a database or a server.Chapter 3: Set Up Authentication Data Authentication data is the security information that is stored in an authentication source. 57) "Set Up a Server: Overview" (p. For more information about auto-access. metadata. When you set up users. or servers without being prompted multiple times for a user ID or password. 53) "Set Up Users: Overview" (p. Setting up authentication data involves • creating user classes and assigning users to them • defining the data sources. 59) • "Set Up Auto-Access for a Transformer Server" (p. 53). you • add users • define basic signons. metadata. 64) "Sort Authentication Data" (p. You use Access Manager Administration to define and maintain authentication data.lae). you can also set up auto-access. Access Manager Administrator Guide 45 . 50) Related Topics • • • • • • "Set Up a Data Source: Overview" (p. see "Set Up User Classes: Overview" (p. and application servers Auto-Access When you set up user access permissions. or both for each user • assign the users to user classes • assign access to data sources and servers • assign auto-access to data sources and servers • define regional settings for users • determine user access to Upfront After you set up user classes and users. such as cubes and reports.

Chapter 3: Set Up Authentication Data

Users Assigned to Multiple User Classes
Users who belong to more than one user class may be prompted to select a user class when they log on. Some IBM Cognos applications, such as Impromptu Web Reports, require a single user class. Users who belong to more than one user class are prompted to select a user class each time they log on. Other applications, such as PowerPlay and Upfront, allow the user to log on with all the permissions of the user classes they belong to. This is referred to as a union of user classes. For example, a user belongs to user class 1 and user class 2. If the user is using Impromptu Web Reports, they are asked to select either user class 1 or user class 2 when they log on. If using Upfront or PowerPlay, users are not prompted for a user class. Instead, they log on with the combined permissions of user class 1 and user class 2.

Notes
An OS signon relies on the security of the operating system. Basic signons are controlled by Access Manager.

Related Topics
• • • • • • • • • • • • • • • • • "Add a User" (p. 46) "Assign a User to a User Class" (p. 48) "Display the User Classes and Accesses for a User" (p. 51) "Provide a User With a Signon" (p. 47) "Provide Access to a Data Source or Application Server" (p. 49) "Provide Auto-Access for a User" (p. 50) "Set Up Anonymous Access to a Namespace" (p. 30) "Set Up Guest Access to a Namespace" (p. 31) "Set Up An Authentication Source" (p. 21) "Add a User Class" (p. 54) "Define Regional Settings for Users of Web Products" (p. 51) "Define User Access to Upfront" (p. 52) "Display Users Belonging to a User Class" (p. 57) "Set Up a Public User Class" (p. 54) "Set Up User Classes: Overview" (p. 53) "Set User Class Access Times" (p. 55) "Set User Class Permissions" (p. 56)

Add a User
Description
For each individual who must access secure data, you must create a user with Access Manager Administration, assign the user to one or more user classes, and specify a signon for the user. Access to the secured data is defined for each user class in the client application. To open an authenticated application or data source, a user must belong to at least one user class. For more information about assigning users to user classes, see "Assign a User to a User Class" (p. 48). The user name only identifies the individual in Access Manager. The name used to authenticate the user in other applications depends on the basic or OS signon.

Steps
1. Log on to a namespace. For more information, see "Log On to a Namespace" (p. 27). 2. Double-click the namespace to list the contents. 3. Select the Users folder. 4. From the Action menu, click Add User.

46 Access Manager

Chapter 3: Set Up Authentication Data 5. Type a name in the Name box. This name will only appear in Access Manager Administration. 6. If you want, type a description of the user in the Description box. 7. Click other tabs to set other user properties. 8. Click OK.

Tips
• • To delete a user, select it and click Delete from the Action menu. You cannot delete yourself when you are logged on to a namespace. To add a folder to further group users, select the Users folder, click Add Folder from the Action menu, and then type the name of the folder in the Name box. If you want, you can add a description of the folder in the Description box. You can then drag users into this folder. To disable a user’s account select the User account is disabled check box on the General tab of the User Properties property sheet. The user will not be able to log on by any authentication method.

Related Topics
• • • • • • • • "Assign a User to a User Class" (p. 48) "Display the User Classes and Accesses for a User" (p. 51) "Provide a User With a Signon" (p. 47) "Provide Access to a Data Source or Application Server" (p. 49) "Provide Auto-Access for a User" (p. 50) "Set Up Anonymous Access to a Namespace" (p. 30) "Set Up Guest Access to a Namespace" (p. 31) "Set Up Users: Overview" (p. 45)

Provide a User With a Signon
Description
There are two types of signons you can set up for a user: • a basic signon • an operating system (OS) signon A basic signon consists of a user ID and password, both of which are defined and maintained using Access Manager Administration. Before a user with a basic signon can access secure data, they must enter a valid user ID and password during authentication. Alternatively, you can set up an OS signon if you want Access Manager to recognize a user's network ID for purposes of authentication. An OS signon uses the security of the operating system to give users access to secure data without an additional password. If a user has both a basic signon and an OS signon, which Access Manager uses is determined by the namespace settings. For more information, see "Set Signon Properties for Users in a Namespace" (p. 31).

Steps to Set Up a Basic Signon
1. Log on to a namespace. For more information, see "Log On to a Namespace" (p. 27). 2. Double-click the namespace to list the contents. 3. Double-click the Users folder to open it. 4. Select the user. 5. From the Edit menu, click Properties. 6. Click the User Signons tab. 7. Select the Basic Signon check box. 8. Type a name in the User ID box. Access Manager Administrator Guide 47

Chapter 3: Set Up Authentication Data The user must provide this user ID during authentication. 9. Type a password in the Password box. 10. Type the password again in the Verify Password box. 11. Click OK.

Tip
• • You can change a user's password by typing the new password in the Password and Verify Password boxes. Enhanced password management options are available. You can force a user to change their password at next logon, specify whether a user can change their password and permit a user’s password to never expire.

Steps to Set Up an OS Signon
1. Log on to a namespace. For more information, see "Log On to a Namespace" (p. 27). 2. Double-click the namespace to list the contents. 3. Double-click the Users folder to open it. 4. Select the user. 5. From the Edit menu, click Properties. 6. Click the User Signons tab. 7. In the OS Signons box, click the Add button. A dialog box appears prompting you for information about the domain and user ID. 8. Type the signon information using the format required by your third party authentication source. • use ''domain\userid'' for Windows and Web authentication using Windows integrated authentication • use ''userid'' for Unix authentication or client Windows authentication For more information, see "External Signons" (p. 14). 9. Click OK.

Related Topics
• • • • • • • • • • • "Add a User" (p. 46) "Assign a User to a User Class" (p. 48) "Display the User Classes and Accesses for a User" (p. 51) "Provide Access to a Data Source or Application Server" (p. 49) "Provide Auto-Access for a User" (p. 50) "Set Up Anonymous Access to a Namespace" (p. 30) "Set Up Guest Access to a Namespace" (p. 31) "Set Up Users: Overview" (p. 45) "Set Signon Properties for Users in a Namespace" (p. 31) "External Signons" (p. 14) "Use Variables for Namespace OS Signons for Web Users" (p. 32)

Assign a User to a User Class
Description
Assigning a user to a user class gives that user all the permissions of the user class. To open an authenticated application or data source, a user must belong to at least one user class. If a user is a member of more than one user class, during authentication they may be prompted to select the user class that they want to use for the current session.

48 Access Manager

or a cube. 50) "Set Up Anonymous Access to a Namespace" (p. Log on to a namespace. The user classes defined in the namespace appear in a hierarchical structure with the root user class at the top. Click the Access tab. 45) Provide Access to a Data Source or Application Server Description You provide access to a data source or application server to allow a user to connect to that source.Chapter 3: Set Up Authentication Data For more information about users assigned to multiple user class. Log on to a namespace. 2. 46) "Display the User Classes and Accesses for a User" (p. 45). For more information. Select the data sources or application servers that you want the user to have access to. Double-click the namespace to list the contents. see "Provide Auto-Access for a User" (p. A check mark appears in the box next to each user class that the user belongs to. An application server can be a PowerPlay or Transformer server. Select a user. click Properties. click the plus sign (+) next to each user class. Tip • • To remove a user from a user class. 50). 51) "Provide a User With a Signon" (p. 8. 31) "Set Up Users: Overview" (p. 6. 27). see "Set Up Users: Overview" (p. clear the check box next to each user class. 7. 5. To display the user classes. Double-click the Users folder to find the user. From the Edit menu. 47) "Provide Access to a Data Source or Application Server" (p. A data source can be a database. 2. For more information. see "Log On to a Namespace" (p. From the Edit menu. 6. Related Topics • • • • • • • • "Add a User" (p. see "Log On to a Namespace" (p. 4. You can also provide users with auto-access to databases and Transformer servers. Double-click the Users folder to open it. You can also assign a user to a user class by dragging the user icon from the Users folder to the user class. Click the Memberships tab. 27). 49) "Provide Auto-Access for a User" (p. 3. Select the user. 3. Steps 1. 5. Double-click the namespace to list the contents. Click OK. For more information. click Properties. Select the user class that you want the user to belong to. 7. Click OK. Access Manager Administrator Guide 49 . 8. Steps 1. 30) "Set Up Guest Access to a Namespace" (p. a metadata object. 4.

2. see "Set Up Auto-Access for a Database" (p. 3. 46) "Assign a User to a User Class" (p. 47) "Provide Access to a Data Source or Application Server" (p. Steps 1. 59). Not all data sources have signons. You can provide auto-access for a database or a Transformer server. 30) "Set Up Guest Access to a Namespace" (p. 9. 30) "Set Up Guest Access to a Namespace" (p. Select the user that you want to set up auto access permissions for. 4. From the Edit menu. 10. 7. Click OK. The auto-access signon appears beside the data source or server. Before you set up auto-access for a user. Double-click the Users folder to open it.Chapter 3: Set Up Authentication Data Related Topics • • • • • • • • "Add a User" (p. Click the Access tab. Select the signon you want to apply to the user. 47) "Provide Auto-Access for a User" (p. For more information about setting auto-access for a Transformer server. In the Signon box. see "Set Up Auto-Access for a Transformer Server" (p. 63). 50) "Set Up Anonymous Access to a Namespace" (p. click the Set button. Click OK. 11. 45) 50 Access Manager . see "Log On to a Namespace" (p. 48) "Display the User Classes and Accesses for a User" (p. Double-click the namespace to list the contents. signons for servers or databases must already exist. 45) Provide Auto-Access for a User Description You set up auto-access for users to allow them to access secure cubes. or databases without being prompted for a user ID or password. servers. click Properties. 51) "Provide a User With a Signon" (p. 27). 5. Log on to a namespace. 6. 46) "Assign a User to a User Class" (p. For more information about setting auto-access for a database. 31) "Set Up Users: Overview" (p. 51) "Provide a User With a Signon" (p. 31) "Set Up Users: Overview" (p. 8. Related Topics • • • • • • • • "Add a User" (p. 49) "Set Up Anonymous Access to a Namespace" (p. 48) "Display the User Classes and Accesses for a User" (p. For more information. Select the data source or server.

Click the Regional Settings tab. select the user's time zone. see "Log On to a Namespace" (p. For more information about assigning users to a user class. 2. Steps 1. In the Time Zone box. Log on to a namespace. Double-click the Users folder to open it. In the Language box. 3. Access Manager uses the ones that are defined for the namespace. 9. 5. click the user's language. click Properties. Each icon represents a reference to a user class to which the user belongs or a data source or server for which the user has access. see "Assign a User to a User Class" (p. 3. click the format in which the time appears. From the Edit menu. 4. 31) "Set Up Users: Overview" (p. 8. 27). 48). Steps 1. and locale settings that appear for users of IBM Cognos Web products. 47) "Provide Access to a Data Source or Application Server" (p. 49) "Provide Auto-Access for a User" (p. 30) "Set Up Guest Access to a Namespace" (p. Access Manager Administrator Guide 51 . Select the user. For more information. 50) "Set Up Anonymous Access to a Namespace" (p. see "Log On to a Namespace" (p. Tip • To view or edit the properties of a reference. 46) "Assign a User to a User Class" (p. Click the Daylight Savings Time Is In Effect check box if it applies. Log on to a namespace. 48) "Provide a User With a Signon" (p. language. The user classes and accesses assigned to the user appear in the right pane of the Access Manager Administration window. 2. Double-click the namespace to list the contents. Click the user you want. 7. 45) Define Regional Settings for Users of Web Products Description You define regional settings to determine the time. 27). In the Time Format box. 4. Double-click the namespace to list the contents. Related Topics • • • • • • • • "Add a User" (p. 6. If you don't specify regional settings for a user. Double-click the Users folder to open it.Chapter 3: Set Up Authentication Data Display the User Classes and Accesses for a User Description Access Manager Administration shows the user classes and accesses assigned to a user in the right pane of the Access Manager Administration window. select it from the right pane of the Access Manager Administration window and click Properties from the Edit menu. For more information. 10.

4. 54) "Define User Access to Upfront" (p. 53) "Set User Class Access Times" (p. Double-click the namespace to list the contents. From the Edit menu. 39). 52) "Display Users Belonging to a User Class" (p. 8. Related Topics • • • • • • • "Add a User Class" (p. 54) "Set Up User Classes: Overview" (p. Click OK. 57) "Set Up a Public User Class" (p. 54) "Set Up User Classes: Overview" (p. If you link users to more than one namespace.Chapter 3: Set Up Authentication Data 11. Related Topics • • • • • • • "Add a User Class" (p. you determine whether or not they have a personal NewsBox in Upfront. 51) "Display Users Belonging to a User Class" (p. 54) "Define Regional Settings for Users of Web Products" (p. 47). and then change some user attributes. 12. see "Log On to a Namespace" (p. you can link users defined in a directory server to your Access Manager namespace. Steps 1. If you are using a basic signon strategy. 56) Link External Users If you enabled external user support (p. 56) Define User Access to Upfront Description You define access privileges for Upfront users in Access Manager Administration. you must ensure that they have a signon and are members of at least one user class. you associate them with an external user distinguished name (DN). 55) "Set User Class Permissions" (p. dates. When you add a user in Access Manager. click the user's location to show the correct regional formats for numbers. Click the user you want. 7. When you link users. 6. After the users are linked to the Access Manager namespace. Log on to a namespace. Steps 1. 2. 52 Access Manager . Click OK. In the Locale box. Double-click the Users folder to open it. 27). Log on to a namespace (p. click Properties. 27). Click the Create Personal NewsBox check box to create a personal NewsBox in Upfront. 53) "Set User Class Access Times" (p. 5. 57) "Set Up a Public User Class" (p. 3. 55) "Set User Class Permissions" (p. Click the Upfront tab. the changes are reflected automatically in each associated namespace. For more information. you must add a basic signon for each user that is linked to your namespace (p. and so on.

Chapter 3: Set Up Authentication Data 2. • In the User Name or LDAP Filter box. Each member of a user class has the same access privileges. and by region (All Regions. A message appears that specifies whether the users were successfully linked. Related Topics • "Enable External User Support" (p. Tip: The external user DN appears in red when it must be relinked. and Regional Managers). 3. 5. and the Subtree option includes the entries under the start DN including the start DN. click Select All. select the check box next to the folder. For more information about users assigned to multiple user classes. the One level option includes the entries under the start DN excluding the start DN. a user might be a member of both Senior Managers (by function) and National Offices (by region). the selected users are linked to the namespace. If you type a user name. specify the StartDN and Search Scope. The list of external users appears in the Search Results window. You can also build multiple structures because users can belong to more than one user class. • If you selected LDAP Search Filter. leave this field blank. and select the users you want. • If you selected only one entry. click Relink. Click OK to link the selected user to the namespace. National Offices. use the check box next to the top node. such as Impromptu Web Reports. Right-click the Users folder or any child folder and click Link User. The Base option includes the start DN only. Related Topics • • "Add a User Class" (p. In these structures. determine which users have access to information depending on the user class to which they are assigned. If you want to search for external users. PowerPlay or Transformer. 45). • Click Search. you may want to set up user classes by function (Vice Presidents. the Properties dialog box appears for the selected user. click the Browse tab. on the General tab. If you want to link a user to a different external DN. type a user name or an LDAP search filter. • If you selected more than one entry in the Search Results box. If you want to browse for external users. Tip: To see a list of all external users. Search Scope limits the search to the specified portion of the root DN. Plants). 6. Tip: To select all entries. 51) Access Manager Administrator Guide 53 . A recommended way to organize user classes is according to how your business is structured. and users can be assigned to multiple user classes. click the Search tab. see "Set Up Users: Overview" (p. • Select the users you want to link. Click Link Users. in the user’s Properties dialog box. 54) "Define Regional Settings for Users of Web Products" (p. the search uses the root of the external users as the start DN and the scope of the search is subtree. 4. • In the Search By box. IBM Cognos products that use Access Manager to control user access. 39) Set Up User Classes: Overview A user class is an object that represents a category of users who have similar functions in an organization. and how many users were linked. StartDN specifies the start of the search in an LDAP directory. Tip: To select or clear all users. Senior Managers. For example. District Offices. To select or clear all users in a folder. IBM Cognos Query. select User Name or LDAP Search Filter depending on what you typed in the User Name or LDAP Filter field.

Related Topics • • • • • • • • "Define Regional Settings for Users of Web Products" (p. Type a name for the user class in the Name box. 56) "Set Up Authentication Data" (p. 57) "Set Up a Public User Class" (p. 7. When you add new users to a namespace. 55) "Set User Class Permissions" (p. Tips • • To nest a user class in another user class. Steps 1. 6. 54) "Set User Class Access Times" (p.Chapter 3: Set Up Authentication Data • • • • • • "Define User Access to Upfront" (p. 5. 56) "Set Up Authentication Data" (p. 51) "Define User Access to Upfront" (p. 55) "Set User Class Permissions" (p. Log on to a namespace. type a description of the user class in the Description box. see "Log On to a Namespace" (p. 52) "Display Users Belonging to a User Class" (p. see "Set User Class Access Times" (p. 54) "Set Up User Classes: Overview" (p. you enable administrators of client applications to restrict access to data or provide auto-access to data sources based on these user classes. select the user class and then click Add User Class from the Action menu. 54 Access Manager . 45) Add a User Class Description When you add a user class. 55) and "Set User Class Permissions" (p. 2. Each user class that you create is contained within the root user class. 52) "Display Users Belonging to a User Class" (p. User class names can only appear once in a namespace. select it and click Delete from the Action menu. Existing users also belong to the public user class. This enables you to create subsets of users within user classes. they automatically belong to it. From the Action menu. Notes You cannot have a space as the first character in the name of a user class. 4. If you want. For more information. To remove a user class. 56). 45) Set Up a Public User Class Description A public user class is a user class to which all users in a namespace automatically belong. For information on setting user class access and permissions. 57) "Set Up a Public User Class" (p. 3. 27). Click OK. if there is a public user class. Double-click the namespace to list the contents. 53) "Set User Class Access Times" (p. click Add User Class. Select the Root User Class icon or any of its children.

4. From the Edit menu. Double-click the Root User Class icon to list the user classes. From the Edit menu. In the Time Period From and To boxes. For example. 2. select when the selected user class will have access. For more information. 5. Access Manager Administrator Guide 55 . Steps 1. User class access periods are for a single day and can not pass through midnight.Chapter 3: Set Up Authentication Data This user class is carried forward into other IBM Cognos products that recognize public user classes.M. Click the Settings tab. 51) "Define User Access to Upfront" (p. Log on to a namespace. Click OK. click Use the Following Class For All Users. By default. Users who continue to access data after their time restriction expires will not be automatically logged off. see "Log On to a Namespace" (p. For more information. Double-click the namespace to list the contents. as you would for any other user class. Click the General tab. 3. In the Public User Class box. 52) "Display Users Belonging to a User Class" (p. 5. This restriction applies to accessing Access Manager Administration as well as to applications accessing user class secured data. 6. 2. 27). but they always remain members of the public user class. set the time period when the user class will have access. you cannot set a start time of 8:00 P. see "Log On to a Namespace" (p. Related Topics • • • • • • • "Add a User Class" (p. you can name it anything you want. 6. click Properties. 57) "Set Up User Classes: Overview" (p. You can assign properties and access to the public user class. 55) "Set User Class Permissions" (p.M. and an end time of 3:00 A. click Properties. Steps 1. a namespace does not have a public user class associated with it. Select the user class. Enter the name of the user class. The time period is verified against the user's computer. You do not have to name the public user class "public". 56) Set User Class Access Times Description You set access times for user classes when you want to limit user access to secure data to days and to time periods on those days. 3. 4. In the Access Days and Time box. This means that members of a user class will only be granted access during the time specified for that user class. You can associate users with other user classes. The time restriction is verified against the user's computer and is applied when the user first accesses the data. 27). Log on to a namespace. 53) "Set User Class Access Times" (p. 54) "Define Regional Settings for Users of Web Products" (p. 8. 7.

France. click Properties. Double-click the Root User Class icon to find the user class. For more information about setting permissions in the client application. For example. data sources. Set the permissions for the selected user class. consider a European user class with children user classes of Italy. 53) "Set User Class Permissions" (p. Those permissions are defined in the application. select the Members can view all users and/or user classes check box. You can delegate administration to the European sales managers so that they only have access to members of the Europe user class and all of its children. Steps 1. 7. Select the user class. 3. and Germany. select the hour or minute and type the value or use the arrows at the side of the box to change the value. France. or remove connections to data sources and servers within Access Manager Administration. or create and delete users and user classes. and servers. Access Manager allows you to limit the view of users when you set up delegated administration for your user classes. or delete users and user classes and view. see the online help for that application. From the Edit menu. For example. Double-click the namespace to list the contents. 54) "Set Up User Classes: Overview" (p. clear the Members can view all users and/or user classes check box. 4. 27). as a member of a user class. add. 9. 54) "Define Regional Settings for Users of Web Products" (p. The European sales managers could only administer the user classes and users from the Europe. Click the Permissions tab. and Germany user classes. Click OK. see "Log On to a Namespace" (p. 2. 6. and add data sources and servers. 5. The permissions specified in Access Manager do not determine the access permissions that members of the user class will have when using a client application. Click OK. 56 Access Manager . Related Topics • • • • • • • "Add a User Class" (p. Italy. They do not specify whether that user can view a specific dimension while viewing a cube in PowerPlay. 56) Set User Class Permissions Description User class permissions specify what members of that user class can do using Access Manager Administration. can view. 52) "Display Users Belonging to a User Class" (p. You can allow members of a user class to view users. 57) "Set Up a Public User Class" (p. 8. Permissions for viewing a cube must be specified in Transformer when the cube is created. create. To delegate administration to members of the user class only in its own user class and its children. To change the AM or PM notation. 51) "Define User Access to Upfront" (p. To delegate administration to members of the user class in the entire namespace. For more information.Chapter 3: Set Up Authentication Data To set the time periods. Log on to a namespace. permissions within Access Manager Administration determine whether that user. user classes. select AM or PM and use the arrows at the side of the box. Delegated administrators can see the names of only those users and user classes who belong to the user classes they administer.

Each user appears as a User Reference in the right pane of the Access Manager Administration window. 2. 52) "Display Users Belonging to a User Class" (p. For more information. Log on to a namespace. select the user from the right pane of the Access Manager Administration window and click Properties from the Edit menu. For more information.Chapter 3: Set Up Authentication Data Related Topics • • • • • • • "Add a User Class" (p. Access Manager also enables you to provide auto-access to password-protected databases for users. 60) "Add a Cube Stored in a Database" (p. 51) "Define User Access to Upfront" (p. Each icon represents a reference to a user. 53) "Set User Class Access Times" (p. 48). see "Log On to a Namespace" (p. Double-click the namespace to list the contents. 53) "Set User Class Access Times" (p. The user classes appear in the right pane of the Access Manager Administration window. Related Topics • • "Add a Cube" (p. Steps 1. 55) "Set User Class Permissions" (p. 54) "Set Up User Classes: Overview" (p. Double-click the Root User Class icon to list the user classes. select the user. 56) Set Up a Data Source: Overview Data sources represent network locations where data is stored. 51) "Define User Access to Upfront" (p. A data source can be a database. Select the user class. not the contents of the data source. 52) "Set Up a Public User Class" (p. Access Manager only stores connection information for each data source. Tips • • To view the user classes to which a user belongs. 54) "Define Regional Settings for Users of Web Products" (p. 57) "Set Up a Public User Class" (p. To view or edit the properties of a user. 3. see "Assign a User to a User Class" (p. With an auto-access signon. or a cube stored in a database. 54) "Set Up User Classes: Overview" (p. 55) Display Users Belonging to a User Class Description Access Manager shows the users that belong to each user class in the right pane of Access Manager Administration window. Related Topics • • • • • • • "Add a User Class" (p. 54) "Define Regional Settings for Users of Web Products" (p. 27). users can access a database without being prompted for a database user ID or password. 4. a PowerPlay cube. 61) Access Manager Administrator Guide 57 .

60) "Add a Cube Stored in a Database" (p. select the Data Sources folder. 7. click Add Database. 59) "Set Up Authentication Data" (p. The Database Definition dialog box appears. 58) "Add Metadata" (p. and then add or move databases to the new folder. type a name for the database. 27). go to step 9. Enter the required connection information and click OK. To specify the connection string. Defining a database involves • referencing the database • defining the connection string so that the client application can connect to the database You can create auto-access signons for databases. 61) "Add an OLAP Server Database" (p. 3. The Edit button only appears for databases that you can edit in this fashion. 45) Add a Database Description Before users can access a database. If the Edit button does not appear for the type of database you select. For a complete list of supported database versions. 58) "Add an OLAP Server Database" (p. 9. select the database. 61) "Set Up Auto-Access for a Database" (p. click Edit. Log on to a namespace. 4. Steps 1. click Add Folder from the Action menu. To delete a database. 6.Chapter 3: Set Up Authentication Data • • • • • "Add a Database" (p. The Database Properties dialog box appears. 8. 59). Click OK again to close the property sheet. you need to define the database in Access Manager and then give the required users access privileges to that database. see "Log On to a Namespace" (p. select the type of database you are defining. 58 Access Manager . 5. 61) "Set Up a Data Source: Overview" (p. Tip • • To add a folder to further group databases. see the PowerPlay Readme help. 59) Add an OLAP Server Database Description You can use Access Manager Administration to set up access to an OLAP server database. Related Topics • • • • • • "Add a Cube" (p. 2. Double-click the namespace to list the contents. in the Name box. see "Set Up Auto-Access for a Database" (p. Click the Connection tab. For more information. In the Database Type drop-down box. 57) "Set Up Auto-Access for a Database" (p. For more information. Select the Data Sources folder and from the Action menu. 58) "Add Metadata" (p. On the General tab. and click Delete from the Action menu.

3. Log on to a namespace. see "Log On to a Namespace" (p. Double-click the Data Sources folder to open it. 27). 3. If the Edit button does not appear for the type of database you select. Double-click the namespace to list the contents. Click the Connection tab. Defining a database involves • referencing the database • defining the connection string so that the client application can connect to the database For more information. Click Edit to specify the connection string. Double-click the namespace to list the contents. In the Database Type box. 2. 6. Double-click the database that you want to create an auto-access signon for. 61) "Set Up a Data Source: Overview" (p. you must create a signon for the database using a user ID and password. For more information. 5. 4. The Edit button only appears if you can edit the database definition. In the Database Definition dialog box. 8. 61) "Add a Database" (p. you need to define the database in Access Manager and then give the required users access privileges to that database. 27). Related Topics • • • • • • "Add a Cube" (p. click Add Database Signon. 58). 9. Access Manager Administrator Guide 59 . see "Log On to a Namespace" (p. go to step 9. Log on to a namespace. 8. For more information. Type the database password in the Password and Verify Password boxes. Steps 1. it can be applied to any user to provide them auto-access to the database. see "Add a Database" (p. 57) "Set Up Auto-Access for a Database" (p. 5. 50). 7. see "Provide Auto-Access for a User" (p. 59) Set Up Auto-Access for a Database Description To set auto-access to a database that is directly accessed or that stores a cube. For more information about adding databases. This is the user ID required to access the database. 2. you will have to add one. After the signon is created. For more information. type a name for the database. in the Name box. 6. If no databases appear. 60) "Add a Cube Stored in a Database" (p. 58) "Add Metadata" (p. select the type of database you are defining. Steps 1. From the Action menu. enter the required connection information and click OK. On the General tab. see the OLAP Server Connection Guide. Select the Data Sources folder and click Add Database from the Action menu.Chapter 3: Set Up Authentication Data Before users can access a database. Click OK again to close the property sheet. Type a user ID in the User ID box. The Database Properties dialog box appears. 4. 7. Select the Signons folder.

Steps 1. and then typing the new password in the Password and Verify Password boxes. If you want. 58) "Add Metadata" (p. 58) "Add an OLAP Server Database" (p. 59) 60 Access Manager . and click Delete from the Action menu. 9. Tip • If the password for the cube has changed. 6. see "Log On to a Namespace" (p. 10. 27). To delete a database reference. Click OK. Type the cube password in the Password and Verify Password boxes. you can change the password stored in Access Manager by typing the current password in the Current Password box. 61) "Add a Database" (p. if the trusted services cube password plug-in is registered. Tip • • If the password for the database has changed you can change the password stored in Access Manager by typing the password in the Password and Verify Password boxes. To delete a cube reference. and click Delete from the Action menu. 4. if the trusted services database signon password plug-in is registered. • Related Topics • • • • • • "Add a Cube Stored in a Database" (p. 8. Click OK. 61) "Add a Database" (p. 58) "Add an OLAP Server Database" (p. Type a name for the cube in the Name box. 7. 58) "Add Metadata" (p. 60) "Add a Cube Stored in a Database" (p. Double-click the namespace to list the contents. From the Action menu. type a description in the Description box. 5. 2. For more information. Select the Data Sources folder. 57) Add a Cube Description You add a cube to a namespace so you can control access to the cube using Access Manager. select the cube. Note: The Password and Verify Password boxes will not appear. 57) "Set Up Auto-Access for a Database" (p.Chapter 3: Set Up Authentication Data Note: The Password and Verify Password boxes will not appear. 3. 61) "Set Up a Data Source: Overview" (p. click Add Local Cube. type a description of the cube in the Description box. If you want. Related Topics • • • • • • "Add a Cube" (p. Log on to a namespace. 61) "Set Up a Data Source: Overview" (p. select the database.

You can create auto-access signons for the database in which the cube is stored. see "Log On to a Namespace" (p. 58) "Add Metadata" (p. 58) "Add an OLAP Server Database" (p. 5. 3. for example. or Informatica Model. click Add In-Database Cube. type a description of the cube in the Description box. Add a database. For more information. see "Add a Database" (p. Click OK to save the connection information. Ensure that you specify a valid metadata type because Access Manager does not validate this parameter. 4. From the Action menu. 9. For more information. 59) Add Metadata Description Before you give users access privileges to a metadata source. 7. 57) "Set Up Auto-Access for a Database" (p. click Edit to set the connect string for the database that the cube is stored in. see "Set Up Auto-Access for a Database" (p. ERwin Model. 6. 3. 4. 2. Type a name for the cube in the Name box.Chapter 3: Set Up Authentication Data Add a Cube Stored in a Database Description Adding a cube that is stored in a database creates a reference to the database and the cube so that you can control access using Access Manager. On the General tab. Log on to a namespace. 59). Double-click the database to open it. Access Manager Administrator Guide 61 . Architect defines what types of metadata can be used. Related Topics • • • • • • "Add a Cube" (p. 58). Architect Model. Click OK. For more information. Tip • To delete a reference to a cube stored in a database. 61) "Set Up a Data Source: Overview" (p. 8. In the Description box. Steps 1. 27). 2. see your Architect documentation. 5. 10. If you want. Select the Data Sources folder and click Add Metadata from the Action menu. In the Connection String box. type a name for the metadata in the Name box. Enter the connection information in the PowerPlay Connect dialog box. For more information about metadata sources (types). and click Delete from the Action menu. 60) "Add a Database" (p. Steps 1. Select the Cubes folder. type a description of the metadata if required. Double-click the namespace to list the contents. you must define the source in Access Manager. select the cube.

5. You can also use Access Manager to provide auto-access to Transformer servers for users. Related Topics • • • • "Add a PowerPlay Server" (p. 2. 63). 8. Type the name of the server in the Name box. 3. users can access the server without being prompted for a server user ID or password. For more information. A dialog box appears. 63) "Add a Transformer Server" (p. see "Log On to a Namespace" (p.Chapter 3: Set Up Authentication Data 6. Steps 1. 63) "Set Up Authentication Data" (p. 27). The name must be the name by which the server is identified on the network. 4. 58) "Set Up a Data Source: Overview" (p. Double-click the namespace to list the contents. Click OK. From the Action menu. 62) "Set Up Auto-Access for a Transformer Server" (p. click Add Transformer Server. 7. If you want. In the Additional Information area. 62 Access Manager . Log on to a namespace. Click OK. 59) Set Up a Server: Overview Servers represent server locations on a network. 7. 60) "Add a Cube Stored in a Database" (p. With an auto-access signon. The metadata object appears in the Data Sources folder. type a description of the server in the Description box. 45) Add a Transformer Server Description When you add a Transformer server. see "Set Up Auto-Access for a Transformer Server" (p. you set up a reference to a server that users can access using Transformer. Access Manager stores the connection information for PowerPlay and Transformer servers so that you can control user access to them. You can also create auto-access signons for Transformer servers. Related Topics • • • • • • "Add a Cube" (p. Use this box to specify a metadata source to make available to Architect. For more information. The server appears in the Application Servers folder. Select the Application Servers folder. 58) "Add an OLAP Server Database" (p. Click the Details tab. select the type of metadata to add from the Metadata Type list. 57) "Set Up Auto-Access for a Database" (p. 6. 61) "Add a Database" (p.

Type the server password in the Password and Verify Password boxes. it can be applied to any user. type a description in the Description box. 4. Log on to a namespace. 2. This is the user ID required to access the server. Log on to a namespace. 62) "Set Up a Server: Overview" (p. you set up a reference to a server that users can access using a client application. 27). Related Topics • • • "Add a PowerPlay Server" (p. From the Action menu. click Add PowerPlay Server. see "Provide Auto-Access for a User" (p. 27). see "Log On to a Namespace" (p. 4. Double-click the Application Servers folder to open it. click Add Transformer Signon. 7. Access Manager Administrator Guide 63 . 5. 9. 3. For more information about adding application servers. 63) "Add a Transformer Server" (p. 63) "Set Up a Server: Overview" (p. If you want. 8. see "Log On to a Namespace" (p. Type a user ID in the User ID box. 62) "Set Up Auto-Access for a Transformer Server" (p. such as PowerPlay. If no Transformer servers appear. For more information. For more information about assigning auto-access to a user.Chapter 3: Set Up Authentication Data Related Topics • • • "Add a PowerPlay Server" (p. 63) Set Up Auto-Access for a Transformer Server Description Auto-access to a Transformer server requires the user ID needed to access the server. 62). For more information. or PowerPlay for Excel. Steps 1. Double-click the namespace to list the contents. see "Add a Transformer Server" (p. To delete a reference to a Transformer server. From the Action menu. and click Delete from the Action menu. 62) Add a PowerPlay Server Description When you add a PowerPlay server. Tip • • If the password for the server has changed. you will have to add one. Steps 1. PowerPlay Web. After a signon is created. 50). Click OK. Double-click the namespace to list the contents. 3. Select the Transformer server. 6. Select the Application Servers folder. select the Transformer server. you can change the password stored in Access Manager by typing the password in the Password box and then in the Verify Password box. 2.

click Find. 4. However. Type a value for the maximum length of time Access Manager will try to connect to the server in the Timeout box. Type the name or partial name of the object you want to find in the Name box. Log on to a namespace. Double-click the namespace to list the contents. Related Topics • • • "Add a Transformer Server" (p. and signons. type a description of the server in the Description box. Related Topics • • "Sort Authentication Data" (p. If you want. Log on to a namespace. 5. Click OK. 64) "Set Up Authentication Data" (p.Chapter 3: Set Up Authentication Data 5. 7. The server appears in the Application Servers folder. For more information. and the location in the namespace where the objects can be found. Steps 1. the type of objects they are. Type the port number to access the server in the Port box. see "Log On to a Namespace" (p. For more information. appear in the dialog box. user classes. databases. Select the folder that contains the data you want to sort. 3. From the Edit menu. you can sort data in the right pane of the Access Manager window by name or type. 62) "Set Up a Server: Overview" (p. you can search for users. You can click the object to open its Properties dialog box. 27). The name must be the name by which the server is identified on the network. see "Log On to a Namespace" (p. Choose the type of object you want to find from the Type box. server hosts. You can search only one namespace at a time. 2. 62) "Set Up Auto-Access for a Transformer Server" (p. Steps 1. Type the name of the server in the Host box. 2. you can sort application servers by type so that all Transformer servers are listed together and all PowerPlay servers are listed together. 64 Access Manager . along with their type and location in the namespace. 6. 45) Sort Authentication Data Description Authentication data (listed in a folder in the left pane of the Access Manager window) is listed alphabetically or numerically from A to Z or 0 to 9. 9. 8. For example. Click Find Now. The search results return objects that meet the search criteria. 63) Search for Authentication Data Description You can search a namespace for any type of object that is contained in the namespace. 27). Any objects found. cubes. For example. 3.

In the right pane of the Access Manager window.Chapter 3: Set Up Authentication Data 4. 64) "Set Up Authentication Data" (p. Related Topics • • "Search for Authentication Data" (p. 45) Access Manager Administrator Guide 65 . click the Name or Type title bar to sort the columns alphabetically. An arrow appears in the title bar indicating how the data is sorted: by which column and in which direction.

Chapter 3: Set Up Authentication Data 66 Access Manager .

Before you can test your user classes. Access Manager automatically creates . your users must configure their computers to access the required authentication data from the authentication source. The user classes restrict user access to specific information. • directory server connection information. and apply the user classes in other applications.lae) for a remote user). or a report that has user class security applied to it.lac) and stores it on the user’s computer. To configure access to authentication data. such as dimensions in a cube. Upfront does not support . 12). instead of the original authentication source. Access Manager Administrator Guide 67 . such as Transformer. you can secure them by applying user classes. • ticket service information for Web-based access. For example. As a result. if the user tries to connect to the same data source while they are not connected to the network. When users access a cube. or a local authentication export file (. Configure Access to Authentication Data As the administrator of authentication data. and base distinguished name (DN). Access Manager uses the . in a PowerPlay cube. and PowerPlay Web. Configuration Manager is installed by default. After you define and test your authentication data. created and managed in Access Manager Administration. such as the host. such as a cube or a report. a cube may contain financial information that you do not want all your employees to see. Access Manager can automatically create a local authentication cache file (. Access Manager grants the user access only to the information that you want them to see. you can ensure that only members of that user class view that information. users must have • Configuration Manager installed with their IBM Cognos applications. You must also set up your user’s access to the authentication data so they can use it. or Impromptu Web Reports. see "Configure an Authentication Source" (p. there may be times when you want to test how the user classes you defined in Access Manager Administration perform in an IBM Cognos application. they must be identified by Access Manager before they can access the information. Use Local Authentication Cache Files When a user connects to a secure data source.lac file. you must use Configuration Manager the same way a typical user does to configure your IBM Cognos application to access the required authentication data. For example. and only members of that user class will be able to view those dimensions. By applying a user class to information. port.lac files. PowerPlay. Depending on the user classes to which they belong and how those user classes are applied. user classes can be applied to specific dimensions. Setting up authentication data in Access Manager Administration is only one part of providing secure user access to information. IBM Cognos Query.lac files for those IBM Cognos applications that can use Access Manager. For more information about Configuration Manager. • connections to the required data sources (for example. nor do Architect. the directory server on which a namespace is located.Chapter 4: Set Up Security Across Applications When you use IBM Cognos applications to create reports and cubes from your organization's database information.

Notes • If you import user classes from an Impromptu catalog and there is a conflict between the user classes in the Impromptu catalog and the user classes in the Architect model. reports. You can set permissions for each user class that • define which objects are visible to the members of the user class. 72) "Access Manager and Impromptu Web Reports" (p. which only need read access to authentication data.lac) can be disabled with the Configuration Manager. 73) "Access Manager and Impromptu" (p. • 68 Access Manager . 74) "Access Manager and IBM Cognos Visualizer" (p. 75) Access Manager and Architect Architect is a metadata management tool that provides a single administration point for metadata that supports all your IBM Cognos reporting and analytical tools. (User Class Properties dialog box. 74) "Access Manager and NoticeCast" (p. only unique (new and non-conflicting) user classes are imported from the Impromptu catalog. 69) "Access Manager and Upfront" (p. Architect modelers use Architect to build a common set of business-oriented metadata so that users can build queries. 73) "Access Manager and PowerPlay" (p.Chapter 4: Set Up Security Across Applications Notes • Local authentication cache files (.lac) are intended for use with client tools. and to minimize network and database performance issues If you want to allow Architect modelers to create Architect models. Model security in Architect is based on user classes that you create and maintain in Access Manager Administration. and change passwords. import metadata sources. Related Topics • • • • • • • • • • • "Access Manager and Architect" (p. they can use the same authentication data to access multiple data sources. 71) "Access Manager and Transformer" (p. For more information about installing the server. IBM Cognos Query or Transformer. 70) "Access Manager and PowerPlay Enterprise Server" (p. Only users who are members of the root user class can import security information into an Architect model. Architect modelers can control which parts of the model are accessible to the members of a user class. 68) "Access Manager and IBM Cognos Query" (p. see the installation and configuration guide for your product. you must give them permission within Access Manager Administration. such as PowerPlay client. both within Architect and from other IBM Cognos products • identify allowable activities of report authors and query designers who work with the model in Impromptu and IBM Cognos Query • set runtime execution limits and restrict the query activities to help maximize system resources. Using . and cubes. Local authentication cache files (. whether they are using the model in Architect.lac files on IBM Cognos servers is not supported as they may cause performance and concurrency problems. or as authors in Impromptu. 75) "Ticket Services" (p. Permissions tab) Use the Windows Common Logon Server When users install the Windows Common Logon server that comes with Architect.

Users who belong to more than one user class are logged on with all the privileges of all the user classes to which they belong. 67) Access Manager and Transformer Transformer is used to create multidimensional cubes from database information. Access a Cube in a Database Access Manager also stores information for auto-access to cubes that are contained within other databases. see the Architect online help. see "Set Up Auto-Access for a Database" (p. For more information. 75) "Set Up Security Across Applications" (p. Apply Auto-Access to Cubes Instead of using Transformer to store signon information. such as database user IDs. the user doesn’t have to provide a user ID and password for the database when they access the cube. The database may have security and the cube may have user class security. Users who access a secure cube must also be able to access the authentication source specified for that particular cube. you must convert the data to a local authentication export file (. For more information about using security in Architect. For information about applying user classes to a cube. Transformer does not support the union of user classes. The most common source for authentication data is in a namespace on an LDAP directory server. user class information is verified against the default namespace specified in the directory server. and connection parameters in a cube (. if a user is configured to use a namespace on the directory server. 73) "Access Manager and Impromptu" (p. 75) "Ticket Services" (p. because they are not connected to the network. 70) "Access Manager and PowerPlay Enterprise Server" (p. 72) "Access Manager and Impromptu Web Reports" (p. passwords. Also. the information in the namespace takes precedence. Users who belong to more than one user class must select a user class each time they access secure data. If both a namespace and Transformer contain signon information for the same cube. 69) "Access Manager and Upfront" (p. Users then access the cube in PowerPlay to view and analyze their corporate data. Storing signon information in a namespace facilitates centralized administration of signon information. Access Manager Administrator Guide 69 . 74) "Access Manager and NoticeCast" (p. you can use Access Manager to store signon information in a namespace. 74) "Access Manager and IBM Cognos Visualizer" (p. The user classes identify which users have access to which portions of data in the cube.mdc file).lae) and copy the file to the user's computer. As a result. Related Topics • • • • • • • • • • • "Access Manager and IBM Cognos Query" (p. for example. 71) "Access Manager and Transformer" (p. the user class information is verified against the default namespace specified in Configuration Manager. Transformer automatically reads the auto-access information specified in the namespace. Transformer administrators can apply the user classes you create in Access Manager Administration to the cubes they create. 59). If there is no namespace specified in the Transformer model. see the Transformer online help. If there is no default namespace specified in Configuration Manager. You can use Access Manager Administration to manage and combine the user class and database connection information by specifying signon information for the database. 73) "Access Manager and PowerPlay" (p. If users of the secure cube cannot access the authentication data.Chapter 4: Set Up Security Across Applications • Architect supports the union of user classes.

Users who belong to more than one user class are logged on with all the privileges of all the user classes to which they belong. This is similar to user class views because you create a cube that only a specific user class can access. 73) "Access Manager and PowerPlay" (p. When a Transformer administrator creates a cube. By default. 68) "Access Manager and IBM Cognos Query" (p. Use the Windows Common Logon Server When users install the Windows Common Logon server that comes with PowerPlay. If it does not find any macros. The cube contains user class views that permit members of the Europe. For more information about administrative macros. the user can only see the dimensions that the user class. North America. PowerPlay determines if you have set up macros to automate the process. has been given access. and Far East user classes to view data that only applies to their region. 71) "Access Manager and Upfront" (p. For example. Apply User Class Views in Transformer You can further define what data a user has access to by creating user class views and assigning user classes to them. of which the user is a member.Chapter 4: Set Up Security Across Applications For information about applying auto-access in Transformer. Product Line. Related Topics • • • • • • • • • • • "Access Manager and Architect" (p. For information about applying user class views in Transformer. 75) "Set Up Security Across Applications" (p. For more information about installing the server. it is more efficient to use user class views because you can apply multiple views to one cube and therefore greatly reduce the number of files that you distribute. see the installation and configuration guide for your product. However. 70 Access Manager . see the PowerPlay Macro help. PowerPlay supports the union of user classes. they can use the same authentication data to access multiple data sources. Create Administrative Macros to Facilitate User Access To facilitate user access to cubes. you can set up administrative macros that automatically provide PowerPlay with the authentication data the user needs to access the cube. and Region dimensions. For more information about applying user class security to a cube. 67) Access Manager and PowerPlay PowerPlay is used to view and analyze data in a multidimensional cube that was created in Transformer. 73) "Access Manager and Impromptu" (p. see "Access Manager and Transformer" (p. 74) "Access Manager and IBM Cognos Visualizer" (p. when a user tries to open a cube. 72) "Access Manager and Impromptu Web Reports" (p. see the Transformer online help. 75) "Ticket Services" (p. In Transformer you can apply a dimension view and user classes to a cube to create a cube with a custom view. When a user accesses the cube using PowerPlay. the Great Outdoors Company distributes a cube that contains Order Date. 69). it prompts the user for a user ID and password. the administrator can apply user classes that restrict user access to dimensions of the cube. 74) "Access Manager and NoticeCast" (p. 70) "Access Manager and PowerPlay Enterprise Server" (p. see the Transformer online help.

71) "Access Manager and Transformer" (p. Related Topics • • • • • • • • • • "Access Manager and Architect" (p. see the PowerPlay Connect online help. Access Manager reads the authentication source specified in the cube. and MS SQL Server OLAP servers. see the PowerPlay Enterprise Server Administration help. rather than enter the appropriate connection information. user class name. To be able to deploy secure cubes on the server. 74) "Access Manager and IBM Cognos Visualizer" (p. As a result. servers. Oracle Express. 67) Access Manager and PowerPlay Enterprise Server You use PowerPlay Enterprise Server with a Web browser to view cubes that are stored on the PowerPlay Enterprise Server. 75) "Set Up Security Across Applications" (p. Anyone can access the server or Web site simply by referencing a cube. Access Manager Administrator Guide 71 . Access Manager provides PowerPlay Connect with connection information that users need to create . 69). they can specify to the server the authentication source that is associated with the cube and any logon information the user needs to provide. PowerPlay Enterprise Server supports the union of user classes. and databases. If they don’t specify an authentication source. For more information about applying security to cubes. Sybase. such as user ID and password. Informix. of which the user is a member. For more information. however. You cannot use the server password security method to publish to Upfront. 68) "Access Manager and IBM Cognos Query" (p. MS SQL Server. see the PowerPlay Enterprise Server Guide. or database user ID and password. DB 2. For more information. the administrator must have access to a directory server namespace and must use a version of Transformer that can apply user class views to a cube. the user can only see the dimensions that the user class or user class view. 73) "Access Manager and Impromptu" (p. see the Transformer online help. As a result. PowerPlay Connect reads the information and shows it in a browse list. see "Access Manager and Transformer" (p. 69) "Access Manager and Upfront" (p. If the currently configured namespace contains server and database connection information. Transformer administrators can apply user class security or user class views to the cubes they create. 73) "Access Manager and PowerPlay Enterprise Server" (p. users can select. For more information about applying user class security to cubes. when a user accesses a cube. The Transformer administrator can also apply auto-access to password-protected cubes. 72) "Access Manager and Impromptu Web Reports" (p.mdc pointer files. Deploy Secure Cubes Using the PowerPlay Enterprise Server When the administrator adds a secure cube to the PowerPlay Enterprise Server.mdc pointer files that store information about server and database connections. Publish to Upfront To publish cubes and reports from the PowerPlay Enterprise Server Administration tool to Upfront. You can use PowerPlay Connect to define access to cubes stored in Oracle. or DB2 databases. You can also use PowerPlay Connect to define access to Hyperion. Users who belong to more than one user class are logged on with all the privileges of all the user classes to which they belong. 74) "Access Manager and NoticeCast" (p. For more information. has been given access.Chapter 4: Set Up Security Across Applications Access Manager and PowerPlay Connect The PowerPlay Connect utility is used by PowerPlay users or administrators to create or modify . you must secure the tool using Access Manager.

The user classes identify which users have access to which portions of data in the catalog. Impromptu does not support the union of user classes. 73) "Access Manager and PowerPlay" (p. Use the Windows Common Logon Server When users install the Windows Common Logon server that comes with Impromptu. they can still log on using catalog security. 72) "Access Manager and Impromptu Web Reports" (p. see "Ticket Services" (p. 75) "Set Up Security Across Applications" (p. Impromptu administrators can specify a namespace for Access Manager to check every time an Impromptu user opens the catalog. 74) "Access Manager and NoticeCast" (p. but the Impromptu user has Access Manager set up on their computer. 68) "Access Manager and IBM Cognos Query" (p. Related Topics • • • • • • 72 Access Manager "Access Manager and Architect" (p. 69) "Access Manager and Upfront" (p. Impromptu administrators apply the user classes you create in Access Manager to the catalogs they create. 75). For more information. 74) "Access Manager and IBM Cognos Visualizer" (p. The catalog provides a business-oriented view of the database. For information about applying user classes to a catalog. 73) "Access Manager and PowerPlay" (p. Related Topics • • • • • • • • • • • "Access Manager and Architect" (p. 68) "Access Manager and IBM Cognos Query" (p. 73) "Access Manager and Impromptu" (p. see the Impromptu online help. For more information about installing the server. If the user is not listed in the default namespace. If the user is not listed in the namespace. If the administrator did not specify a namespace. Multiple IBM Cognos applications can use the same authentication data during a single session. Impromptu denies access. Users who belong to more than one user class must select a user class each time they access secure data.Chapter 4: Set Up Security Across Applications Ticket Services The ticket service of the Access Manager Server issues tickets to control user access to reports and cubes. 75) "Ticket Services" (p. 70) "Access Manager and Transformer" (p. 69) . 67) Access Manager and Impromptu Use Impromptu to create reports. they can use the same authentication data to access multiple data sources. 71) "Access Manager and Transformer" (p. An Impromptu administrator creates a catalog that contains the metadata (columns and tables) used to create reports. Users can also use Access Manager to add their operating system user name and password to the namespace so that they can automatically log on to the catalog. 73) "Access Manager and Impromptu Web Reports" (p. Impromptu performs queries in structured query language (SQL) against a database to retrieve information for a report. 70) "Access Manager and PowerPlay Enterprise Server" (p. see the installation and configuration guide for your product. Impromptu checks the default namespace instead.

For more information. Related Topics • • • • • • • • • • • "Access Manager and Architect" (p. 68) "Access Manager and Impromptu" (p. 75) "Set Up Security Across Applications" (p. You define security settings for IBM Cognos Query in Access Manager Administration by setting up users and user classes. Users who belong to more than one user class are logged on with all the privileges of all the user classes to which they belong. 75) "Ticket Services" (p. 73) "Access Manager and Impromptu" (p. 74) "Access Manager and NoticeCast" (p. IBM Cognos Query supports the union of user classes. Users open foundation queries in IBM Cognos Upfront. they can apply security to the report by applying user profiles. User classes identify which users have access to which reports and report folders. The report administrator can add additional security to the report in Impromptu Web Reports by applying user classes. 74) "Access Manager and NoticeCast" (p. 69) "Access Manager and Upfront" (p. see the Impromptu Web Reports Administrator Guide. The report administrator creates user classes in Impromptu Web Reports by generating them from Impromptu user profiles. 71) "Access Manager and Transformer" (p.Chapter 4: Set Up Security Across Applications • • • • • "Access Manager and Upfront" (p. whereas user profiles identify which users have access to which portions of report data. For information about using IBM Cognos Query. Multiple IBM Cognos applications can use the same authentication data during a single session. see the IBM Cognos Query online help. 68) "Access Manager and IBM Cognos Query" (p. 74) "Access Manager and IBM Cognos Visualizer" (p. 74) "Access Manager and IBM Cognos Visualizer" (p. 75) "Ticket Services" (p. Impromptu Web Reports does not support the union of user classes. 75) "Set Up Security Across Applications" (p. 72) "Access Manager and Impromptu Web Reports" (p. Users who belong to more than one user class must select a user class each time they access secure data. Ticket Services The ticket service of the Access Manager Server issues tickets to control user access to reports and cubes. 72) "Access Manager and PowerPlay" (p. see "Ticket Services" (p. 73) Access Manager Administrator Guide 73 . Related Topics • • • "Access Manager and Architect" (p. 67) Access Manager and Impromptu Web Reports Impromptu Web Reports is used with a Web browser to view Impromptu reports that are stored on a server. When a report author creates a report in Impromptu. 70) "Access Manager and PowerPlay Enterprise Server" (p. For more information. 67) Access Manager and IBM Cognos Query Use IBM Cognos Query to create queries of business data. 75).

and Architect users publish reports and queries to Upfront. 75) "Set Up Security Across Applications" (p. see the Upfront online help. Upfront NewsIndex administrators then apply the user classes to NewsIndex entries to control access to NewsBoxes and NewsIndex entries. 74) "Access Manager and NoticeCast" (p. but the panel. You define security settings for Upfront in Access Manager Administration by setting up users and user classes. 67) Access Manager and Upfront Use IBM Cognos Upfront with PowerPlay Web and IBM Cognos Query to organize and share business information. Upfront users can view their user ID and the user classes they belong to. Visualizations can reference secure data sources such as cubes or databases. 74 Access Manager . Without proper authentication. 69) "Access Manager and IBM Cognos Visualizer" (p. 75) "Ticket Services" (p. as NewsIndex entries. If you want Upfront users to be able to change their own passwords and personal settings within Upfront. 74) "Access Manager and NoticeCast" (p. they are prompted for authentication data. 71) "Access Manager and Transformer" (p. For information about using Upfront. axis. Upfront supports the union of user classes. Related Topics • • • • • • • • • • • "Access Manager and Architect" (p. 68) "Access Manager and IBM Cognos Query" (p. Each Upfront user must belong to at least one user class. You can view several metrics in a visualization that originates from different data sources. you must give them permission to do so in Access Manager Administration. 71) "Access Manager and Transformer" (p. or filter that refers to the secure data source appears blank. 67) Access Manager and IBM Cognos Visualizer IBM Cognos Visualizer creates visualizations that represent business data graphically in three dimensions. 74) "Access Manager and IBM Cognos Visualizer" (p. Permissions tab) They can only change the settings that are stored in Access Manager. 75) "Ticket Services" (p. PowerPlay Web. 70) "Access Manager and PowerPlay Enterprise Server" (p. Users who belong to more than one user class are logged on with all the privileges of all the user classes to which they belong. from within Upfront. 75) "Set Up Security Across Applications" (p. 70) "Access Manager and PowerPlay Enterprise Server" (p. (User Class Properties dialog.Chapter 4: Set Up Security Across Applications • • • • • • • • "Access Manager and PowerPlay" (p. When a user opens a visualization that refers to a secure data source. IBM Cognos Query. 73) "Access Manager and PowerPlay" (p. 69) "Access Manager and Upfront" (p. and users can interact with this data. 72) "Access Manager and Impromptu Web Reports" (p. 73) "Access Manager and Impromptu" (p. the visualization will open.

73) "Access Manager and PowerPlay" (p. 75) "Set Up Security Across Applications" (p. Access Manager Administrator Guide 75 . 69) "Access Manager and Upfront" (p. You can secure the data source using Access Manager Administration. If many users will access the secured files. Notification may be by email to wired or wireless devices. IBM Cognos Visualizer supports the union of user classes. To use Access Manager with IBM Cognos Visualizer. 68) "Access Manager and IBM Cognos Query" (p. users must also have access to the authentication source. you must upgrade your directory server. Because Visualization files (. 67) Ticket Services Description You have the option to increase the reliability of Access Manager by configuring multiple ticket services. You can also balance the load between the ticket services to improve performance. we recommend that you use a directory server namespace. You secure the database or cube that the Visualization file references. Access permission for each NoticeCast user is controlled by their membership in the user classes defined in Access Manager. 70) "Access Manager and PowerPlay Enterprise Server" (p. Related Topics • • • • • • • • • • • "Access Manager and Architect" (p. Users who belong to more than one user class are logged on with all the privileges of all the user classes to which they belong. 75) "Set Up Security Across Applications" (p.viz) directly. 68) "Access Manager and IBM Cognos Query" (p. 72) "Access Manager and Impromptu Web Reports" (p. Related Topics • • • • • • • • • • • "Access Manager and Architect" (p. For more information. 70) "Access Manager and PowerPlay Enterprise Server" (p. 71) "Access Manager and Transformer" (p. 71) "Access Manager and Transformer" (p. 73) "Access Manager and Impromptu" (p. a failover mechanism automatically switches to a secondary ticket service when no response is detected from the primary ticket service. If multiple ticket services are configured. 75) "Ticket Services" (p. 74) "Ticket Services" (p. see the installation and configuration guide for your product. Users apply rules and threshold values to their data to alert key individuals when those rules and thresholds are true. 72) "Access Manager and Impromptu Web Reports" (p. 73) "Access Manager and Impromptu" (p. 74) "Access Manager and NoticeCast" (p. 67) Access Manager and NoticeCast NoticeCast enables users to detect and manage time-critical events in their business applications. 69) "Access Manager and Upfront" (p. 74) "Access Manager and IBM Cognos Visualizer" (p.Chapter 4: Set Up Security Across Applications You do not secure Visualization files (.viz) are designed to be widely distributed. 73) "Access Manager and PowerPlay" (p.

type the DN for the root of the directory according to the LDAP standard. the authentication data passes from PowerPlay Enterprise Server to Impromptu Web Reports via a ticket. 7.Chapter 4: Set Up Security Across Applications The ticket service is part of Access Manager Server. 76 Access Manager . click the Directory Servers folder.lae). If the connection is unsuccessful. They do not need to provide a user ID and password every time they try to access a secure data source. If you have more than one server on a computer. type the name or IP address of the server where the directory server is installed. In the Prompt box. If you did not install the directory server. type the password. This DN is the name you typed in the Directory Suffix box when you installed the Sun Java System Directory Server (for example. Click the Ticket Services tab. an error message appears. In the Base Distinguished Name (DN) box. In the Runtime Administrator Password box. in the Host box. For example. 11. type the maximum amount of time (in seconds) the user has to establish a connection to the directory server. The port you specify must be the same as the one specified in Configuration Manager. If you are satisfied with the ticket services configured. 8. the entries in the Ticket Service connections list should appear as the ticket services configured using Configuration Manager. For information about installing a ticket service. 13. 12. As a result. The default port number is 9010. 3. Click the Runtime Credentials tab. 14. 6. Tip: The host can be entered by name or IP address. The Directory Server Properties dialog box appears. By default. Steps 1. o=Cognos. Click Add. 5. For each ticket service in the ticket service connections list. 9. In the Timeout box. the port name distinguishes between the two servers. a user provides a user ID and password to log on to a PowerPlay cube that is stored on the server. In the Runtime Administrator Distinguished Name (DN) box. In the Authentication Information pane. 10. The Access Manager Server ticket service issues tickets to control user access to reports and cubes. Multiple IBM Cognos applications can use the same authentication data during a single session. Then the user drills through to a report in Impromptu Web Reports. On the General tab. type the name or the IP address of the server where the ticket service is installed and the port. type the name that you use to log onto the directory server. Click Log On. see the installation and configuration guide for your product. type the port the directory server uses. In the Port box. At this point. The directory server assigns this port to LDAP servers. From the Action menu. the port is 389. click Add Connection. The ticket service controls user access to a report or cube for one session. Tip: Ticket service entries should be in the 'host:port' format. Click OK. skip to step 13 to ensure ticket service connections have been set up properly. You can store ticket service information in a local authentication export file (. 2. Ensure that you have the correct connection information. c=CA). contact the administrator for the required DN. select the ticket service and click Test. Note: If you used Configuration Manager to configure one or more ticket services. The Administrator Access dialog box appears. users trying to access multiple cubes on a server only have to provide a single signon. 4. To connect to additional ticket services proceed to step 12.

73) "Access Manager and PowerPlay" (p. c=ca" -D "cn=Directory Manager" -w admin1234 -f "X:\Program Files\Cognos\cern\bin\logs\ts-901020021016. use the IP address of the UNIX server or edit the /etc/hosts file so that it contains the correct naming resolution. 69) "Access Manager and Upfront" (p. 71) "Access Manager and Transformer" (p.log" -n mynamespace The parameters are listed in the following table. you must restart your Upfront services or you may experience authentication problems. or refer to it by IP address. you must register the ticket service computer name in a domain name system (DNS) server. Type TSLogProcessor and the required parameters. Otherwise. Convert Log Files When event logging is enabled. For information on enabling this feature. Access Manager Administrator Guide 77 . logouts. 72) "Access Manager and Impromptu Web Reports" (p. Parameter -? Description Help information. TSLogProcessor -h myhost -p 1465 -r "o=cognos. The logs are in a non-readable format so that run-time performance is not significantly impacted when enabling ticket service event logging. session logs are created. You must use the conversion utility. For example. The entries in the ticket service connections list should not be rearranged at runtime. 74) "Access Manager and NoticeCast" (p. This provides a log file containing historic information about successful logins. TSLogProcessor. 77) Audit Ticket Service Activity Description You can optionally enable auditing of ticket service information by using the ticket service of Access Manager Server. If you cannot ping the ticket service computer from each computer that needs to access it. If you configure the directory server to use the host name of a ticket service that resides on UNIX. Change directory to installation location\bin. 2. 73) "Access Manager and Impromptu" (p. Steps 1.Chapter 4: Set Up Security Across Applications Notes • Every computer that will access the ticket serviceticket service must be able to reach the ticket service computer. see the Configuration Manager User Guide. 67) "Audit Ticket Service Activity" (p. • • Related Topics • • • • • • • • • • • • "Access Manager and Architect" (p. If you decide to change the order of your ticket service connections. and session (ticket) expiry. 74) "Access Manager and IBM Cognos Visualizer" (p. 3. 68) "Access Manager and IBM Cognos Query" (p. ensure that the server can communicate using the selected host name. 70) "Access Manager and PowerPlay Enterprise Server" (p. Start a command prompt session. 75) "Set Up Security Across Applications" (p. to convert the non-readable log files to text files.

details: <list of details> status: [ success | fail ] Related Topics • • "Ticket Services" (p. All subsequent log entries contain information regarding events requested of the ticket service. -x -S -C Format the file in XML format. and the ticket will be terminated. • access indicates a request to access the ticket. and base DN. An entry in the log file may be as follows: [Mon Nov 04 09:46:39 2002] from:142. you can analyze the data to assess ticket service usage. • logout indicates a request to terminate the ticket. Optional parameter. The path of the SSL certificate database.88. Bind password for the bind name. all entries in the log file are returned. 75) "Enable Audit Logging" (p. • update indicates a request to update the contents of a ticket.98. Root distinguished name.Chapter 4: Set Up Security Across Applications Parameter -h -p -r -D -w -f -n Description Name of the directory server host.219 ticket:10364211933Ngqb8QiOo515jSSchUA action:access details:ns=MyNamespace user=John Doe status:success Parameter [Date/Time] from: <IP_address> action: [ logon | update | access | logout | expiry ] Description A timestamp of when a ticket service event occurred. Specify a namespace. The IP address of the server that requested an action. If no namespace is specified. If a namespace is specified. Port number of the directory server. Analyze Converted Log Files After the log files are converted to a readable format. 40) 78 Access Manager . Specifies namespace and user name. Five possible actions can be requested: • logon indicates a request for the creation of a ticket. port. SSL is enabled. Bind name for the directory server. Path to log file. • expiry indicates that the ticket duration has expired. Identifies the success or failure of a requested action. The action requested by the ticket service. only the entries for that namespace are returned. The log file contains header information regarding ticket service properties such as host. Optional parameter.

you must regenerate it. Why can't I delete a user? If a namespace is enabled for anonymous access. 36). you cannot delete the guest user from the namespace. you cannot delete the anonymous user from the namespace. stores unique key values about the users and user classes it is associated with. Why can't I open a secured resource after merging namespaces? A secured resource such as a cube. see "Transfer Namespace Information Between Directory Servers" (p. and then click the Cut command in the Edit menu or from the toolbar. If you merge namespaces and one namespace contains either a new secured resource or a new list of users. For more information about merging namespaces. You cannot delete the user whose credentials you are using for the current session.Frequently Asked Questions and Troubleshooting Why can't I log on as a user? Check that your user ID and password are correct. To re-associate the secure resource. then select another user and click the Paste command. report. Access Manager Administrator Guide 79 . If a namespace is enabled for guest access. Why can't I delete a user class? If a namespace is enabled for a public user class. you cannot delete the public user class from the namespace. or foundation query. the objects that you selected for the previous user are copied from the clipboard into the right pane of the current user. When does the cut command behave like copy command? When you select all the objects in the right pane of Access Manager Administration for a user. You must also re-associate a target namespace that contains identical resource names or user names. you must re-associate the resource with the list of users in the target namespace. For example. after you cut database cube objects for a user. and ensure that you are assigned to at least one user class. the Cut command behaves like the Copy command. You cannot delete the root user class. You cannot delete the user classes to which you belong or modify the properties for those user classes.

copy all files in the certutil folder to your computer. check the file called amserver. you may receive the following error message in Access Manager .db file (including the cert7.Runtime in Configuration Manager or adding a connection to a directory server in Access Manager Administration.exe. Access Manager requires that the SSL Certificate Database specify the location of a cert7.db. 2. type the following: certutil -A -n display_name -t C -d output_directory -i ca_certificate • display_name specifies the name of the certificate to add • output_directory is the directory where the cert7. if the directory server is configured for SSL. For example.db file. Error Message When Adding Objects Containing the Same Basic Letter Configuration Using Active Directory Server If you try to add more than one object. generated at the same times as the cert7. you cannot add a user named "coté" and one named "cote". To use the utility. The certutil application and related .db and key3.dll files are located on the IBM Cognos Series 7 product CD in the Support Files/sun_one/certutil folder. Active Directory does not allow two objects to contain the same basic letter configuration. To run the utility. A key3. or through the Control Panel Services on Windows.log on UNIX for more information any time the Access Manager Server is not functioning as expected.x or the certutil application provided on your IBM Cognos product CD. you can use either Netscape Navigator 4.db file will be created or updated • ca_certificate is the location and file name of the certificate for the certificate authority For example.db file. or via the command line on UNIX and there is no indication of why the server will not start.log located in the <installation-location</bin directory You can consult the Windows Event Viewer or the amserver. 80 Access Manager .db filename).Administration: An internal error has occurred in Access Manager.cer The utility creates the two required files. must exist in the same location. or user classes. such as namespaces. How Do I Determine Why the Access Manager Server Won’t Start? If you attempt to start the Access Manager Server through Configuration Manager. To generate or update the cert7. Open a command prompt window and go to the directory that contains certutil. certutil -A -n mycacert -t C -d c:\ -i ca.Frequently Asked Questions and Troubleshooting Why can’t I connect to a directory server that is configured for SSL communication? When configuring Access Manager . cert7. you can check the following locations for more information: • On Windows. Steps 1.db files. users.db and key3.Runtime. that contain the same basic letter configuration and you are using Active Directory as your directory server. you may get an error indicating that the directory server is not responding. Ensure that the files are correctly specified in Configuration Manager under Access Manager . go to the Event Viewer • On UNIX.

last name.0. Parameter -help -h Description Shows a description of the parameters. -p Specifies the port number of the directory server. Specifies the computer name of the directory server. basic signons. names of member users.xsd Syntax You run the AM_NamespaceReport utility in a command prompt window from installation_location\cern\bin directory. AM_NamespaceReport Utility You use the AM_NamespaceReport utility to create two types of XML-format reports to show all users or user classes in a namespace.xsd • AM_NamespaceReport_users_v2. You can use optional filters to create reports that contain specific information. and access permissions. The XML schemas for report output are located in the installation_location\cern\accman directory: • AM_NamespaceReport_users. external user DN is also returned. However. which is the same as specifying the all filter. names of children user classes. first name. The default is o=cognos.xsd (used when -b paramater is included) • AM_NamespaceReport_userclasses. and OS signons.Appendix A: Access Manager Utilitites The Access Manager installation includes two command line utilities that you use to evaluate the namespace. The default user report. only users and user classes for which you have show privileges appear in the report. The default user classes report. The default is localhost. includes the following information: name. To use this option. which is the same as specifying the all filter. c=ca Access Manager Administrator Guide 81 . Any valid user can log on. description. For the namespace version 17. such as users with expired passwords or when the user last changed their password. do not specify any other optional or mandatory parameters. -r Specifies the base DN of the directory server. The syntax to run the utility is: AM_NamespaceReport -options -o output_file_name All parameters are case sensitive. email. includes the following information: user class name. You can use the AM_NamespaceReport utility with any version of a namespace. phone number. The default is 389.

This is the default filter.Appendix A: Access Manager Utilitites Parameter -s Description Specifies that SSL is enabled. -C Specifies the location of the cert7. Specifies that the report will show the date and time for the last password change for each user. a report is created for the default namespace. The default is OSSignons. The options are users and userclasses are supported. For the users report type. • disabled Returns only the names of users whose accounts are disabled. This parameter is required only if SSL is enabled. -t Specifies the type of report. -n -D Mandatory. • userclasses Returns only information about the users’ user class membership. For the userclasses report type. This parameter is optional. The default is a users report. This filter is used only with the namespace version 17. • users Returns only the names of the member users. type the following: 82 Access Manager . • userclasses Returns only information about the children user classes. Specifies the name of the namespace for reporting. If you do not specify a namespace. -f Specifies a filter type for a report.db file. the following filter options are: • all Returns all user information. This is the default filter.0. -w Specifies the user password. • brokenlink Returns only the names of users whose DNs are broken. the following filter options are: • all Returns all user class information. If the password is blank. • lockedout Returns only the names of users whose accounts are locked. The report is in XML format. -b Example To report all users in a namespace. do not include this option. -o Mandatory. Specifies the output location and file name for the report. Specifies the user name to use to authenticate into the namespace.

com" phone="(123)456-7899" externalUserDN="uid=tmorris.carter@cognos. a message is displayed indicating whether the namespace is corrupt or not. To use this option.ou=people.xsd" host="localhost" port="389" baseDN="o=Cognos. The default is localhost.ou=people. Parameter -help -t -f -h -p -r Description Shows a description of the parameters. The default is LDAP. unexpected behavior can result. do not specify any other optional or mandatory parameters. such as an unexpected hardware failure. The default is o=Cognos. run this utility on a regular basis. Specifies the port number of the directory server. To help you identify when corruption occured.w3.o=cognos. a namespace can become corrupted. You can use the AM_NamespaceCorruprtionDetect utility to determine if a namespace is corrupt. Specifies the base DN of the directory server. Specifies the location and name of the local authentication export file. Specifies the host computer name for the directory server.c=ca" ns="Default" user="Administrator" type="users" filter="all"> <User name="Sam Carter" first_name="Sam" last_name="Carter" email="sam. The syntax to run the utility is: AM_NamespaceCorruptionDetect -t type -f LAE_filename -h host -p port -s -C cert7. You must use this option when you use the -t LAE option.c=ca"> <BasicSignon>tmorris</BasicSignon> <OSSignon>domain/tmorris</OSSignon> <Description>Employee id: 56789</Description> </User> </NamespaceReport> AM_NamespaceCorruptionDetect Utility In certain cases. Specifies where the namespace is stored. If your namespace is corrupt.morris@cognos. c=CA. The options are LDAP and LAE.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="D:\Cognos\cer4\accman\AM_NamespaceReport. The default is 389.db -r baseDN -n namespace -D username -w password All parameters are case sensitive. If this occurs.xml Here is a sample output of the users report type: <?xml version="1.Appendix A: Access Manager Utilitites D:\Cognos\installation_location\bin>AM_NamespaceReport –n default –D Administrator –w "" -t users -f all –o all_users.o=cognos.com" phone="(123)456-7890" externalUserDN="uid=scarter. After you run the utility.c=ca"> <BasicSignon>scarter</BasicSignon> <OSSignon>domain/scarter</OSSignon> <Description>Employee id: 12345</Description> </User> <User name="Ted Morris" first_name="Ted" last_name="Morris" email="ted. Syntax You run the AM_NamespaceCorruptionDetect utility in a command prompt window from installation_location\cern\bin directory. Access Manager Administrator Guide 83 .0" encoding="UTF-8"?> <NamespaceReport xmlns:xsi="http://www. contact Cognos Software Services.

Specifies the user name to use to authenticate when accessing the Active Directory. configure external user support in Configuration Manager and then "Enable External User Support" (p. amADUpdate Utility If your primary directory server is a Microsoft Active Directory that was previously configured for use with IBM Cognos products. Mandatory. Optional. Specifies the name of the namespace to evaluate for corruption. If a port number is not specified. The namespace set as the default is used if a namespace name is not specified Specifies the user name to use to authenticate into the namespace. The syntax to run the utility is: amADUpdate -h host -p port -r baseDN -D username -w password All parameters are case sensitive. Mandatory. Specifies the port used by the Active Directory.db file. 389 is used by default. If the password is blank. 39). such as a Sun Java System directory server or IBM Tivoli directory server.. you must run the amADUpdate utility before enabling and configuring external user support in IBM Cognos Configuration. Specifies the password for the authenticated user. localhost is used by default. 84 Access Manager . -p port -r baseDN -D username -w password After you run the amADUpdate utility. Specifies the base distinguished name. The amADUpdate utility is available only on Windows. you will be prompted for the password when you run the tool. This option is mandatory if SSL is enabled. do not include this option. It does not matter if the directory server was previously configured for use with IBM Cognos products or not. The default is OSSignons. Parameter -h host Description Optional. If no password is specified. Optional. Do not include -s if SSL is not enabled. Specifies the location of the cert7. Syntax You run the amADUpdate utility in a command prompt window from installation_location\cern\bin directory. If a host is not specified. Specifies the computer where the Active Directory is installed.Appendix A: Access Manager Utilitites Parameter -s -C -n -D -w Description Specifies that SSL is enabled for the directory server. Specifies the user password. You do not have to run the amADUpdate utility if • you are using a Microsoft Active Directory that was not previously configured for use with IBM Cognos products • you are using a different supported primary directory server.

When an authentication service is configured. authentication source Source of authentication data. By default.Glossary Access Manager Server An IBM Cognos security component that manages a ticket service and an authentication service. the logon process communicates directly with the ticket service and the directory server. such as access to Public folders in Upfront. Preferably. To use this service. verify that the user has the required access privileges. and grant access accordingly. See also Ticket Service and Authentication Service. At least one Access Manager Server is needed for each IBM Cognos application. They usually belong to user classes that cannot permanently change preferences or any IDs or passwords for secure resources. An Access Manager Server can be configured as a ticket service or an authentication service. which then communicates with the ticket service and the directory server. Most IBM Cognos applications currently support directory server namespaces and local authentication export files (. an Access Manager server must be configured as an authentication service. Anonymous users are usually granted minimal access privileges. or both. authentication data Data that is required to identify users (user IDs and passwords) and to provide access to application servers and data sources protected by means of user class privileges or user passwords. the authentication service is not enabled.lae). authentication service An Access Manager Server service used for authentication in Web-deployed IBM Cognos applications. The anonymous user • must be a member of at least one user class • can have auto-access • can exist in the public user class If you enable anonymous users in a namespace. Anonymous users are never asked for identification but you can restrict their access to data sources and their membership in user classes. To implement failover and load balancing for the Access Manager Server. See also Access Manager Server and Ticket Service. Access Manager Administrator Guide 85 . the logon process communicates with the authentication service. authenticate To identify a user with a signon (user ID and password). When an authentication service is not configured. anonymous user An unnamed user who can access a data source without seeing a logon screen. you can install additional Access Manager Servers and configure load balancing in Configuration Manager. it should be installed on the same computer as the directory server. then other IBM Cognos products will not prompt users for a user ID or password .

or server without being prompted for logon information. bind To access a directory in a directory server by providing the appropriate distinguished name (DN) and password.lae file connection information. collection A group of related OLE objects that you can reference as a unit. the root level C (country) in the directory CA (Canada) together with the organizational level (O=Cognos) forms the base DN for the following distinguished name: CN = Cognos Documentation. C = CA basic signon A signon (user ID and password) that you create and maintain in Access Manager and that IBM Cognos applications use to identify individual users. default namespace The directory server namespace used by Access Manager at run time when no namespace is specified in the configuration. data object An object that identifies individual data locations and that enables access to them. It maintains directory server and . See also ownership collection and reference collection. the directory server currently configured to be active. For example. Users are prompted once for their logon information. IBM Cognos business intelligence tools can generate reports based on cubes that were created in PowerPlay Transformer (PowerCubes). IBM Cognos security administration file (. Windows-based IBM Cognos products use the Windows Common Logon Server to record this information. database. and the expansion state of the nodes on the directory tree. 86 Access Manager . Compare to operating system (OS) signon. or on a local computer (standard cubes).Glossary auto-access The ability to access a password-protected cube. base distinguished name (DN) The higher levels and directory names of the path (including the root) that you specify to access the hierarchical information in a namespace. cube Multidimensional information structured hierarchically. common logon A set of user prompts that Access Manager uses to identify users and govern access to data sources. to support efficient online analytical processing (OLAP). You can store cubes in one of several supported relational databases.csa) A . in a LAN folder. and in various third party OLAP sources.csa file is used by Access Manager to store connection information. Any action performed on a collection affects all objects in that collection. and Web-based IBM Cognos products provide for a single signon using tickets issued by the Access Manager Server ticket service. O = Cognos.

followed by each higher level and directory name. files. individuals. such as access to Public folders in Upfront. in a distinguished name the lowest (target) level and directory name appear first. IBM Cognos applications can use the SunONE directory server or Active Directory Server to associate users with data access permissions. In the case of authentication data. and other resources on the Internet or a corporate Intranet. you can drill through from a summary to view the detailed sales transactions for a particular customer. directory administrators (also known as a directory managers in SunONE directory server) can administer directories on a directory server. OrganizationName (O). where the root directory precedes the target. an IBM Cognos security administration file (. Enabling guest users allows you to set different security access for named and for unnamed (guest) users. There can be many directories on the same level. O = Cognos. directory server A general term for an LDAP-compliant server that contains authentication data. Lightweight Directory Access Protocol (LDAP) A product-independent protocol that is used to locate organizations. For example. distinguished name (DN) The path that you specify to access the hierarchical information in a namespace. distributed administration A method of updating local data from a centrally-maintained master source.ldif) (definition) An ASCII file in standard LDAP data interchange format. terminating in the root. drill through To view detailed information behind a value in a report. and an optional CountryCode (C). They usually belong to user classes that cannot permanently change preferences or any IDs or passwords for secure resources. Access Manager Administrator Guide 87 . such as Impromptu. The guest user • must be a member of at least one user class • can have auto-access • can exist in the public user class If you enable guest users in a namespace.lae) or directory server namespaces to remote or networked systems. Guest users are usually granted minimal access privileges. For example. guest user An unnamed user who can access a data source without providing signon information.Glossary delegated administrator An administrator who can create and update lower-level permissions. a DN used to access a namespace of the security directory server is as follows: CN = Cognos Documentation. The target level is CN (Common Name) and the target directory is Cognos Documentation. LDAP data interchange format file (. You may also be able to drill through to information provided in another IBM Cognos application. The hierarchy has a name for each level.csa) can be used to provide updated local authentication export files (. then IBM Cognos products that support guest access will offer users the option of logging in as guests. For example. called CommonName (CN). Unlike a DOS path. C = CA The root level is C (Country) and the root directory is Canada. regional managers can administer the authentication data associated with users in their regional office.

lac) Usually used for mobile or standalone users. you must use an LDAP directory server as your authentication source. lockout A condition whereby a user is prevented from logging on for a set period of time because they made a number of unsuccessful logon attempts. Local authentication cache files are read-only. namespace A source of authentication data used by Access Manager that exists as a directory on a directory server. depending on the default security server configured in the system registry. after which access is restricted for a prescribed lockout duration. Administrators define the number of permitted attempts and the lockout duration. An administrator can limit the number of unsuccessful logon attempts. 88 Access Manager . logon The process of authentication (for example. for example. Netscape Certificate Database file A file that stores the digital certificates used to create digital signatures and private keys required for a Secure Sockets Layer (SSL) connection. application servers and data sources. and that contains multidimensional data. or some other unexpected interruption during the directory server update process. The security data stored in each namespace. user classes. entering a user ID and password for basic signon) to gain access to protected data sources. local authentication export file (.lae) or local authentication cache files (. It can also be a pointer file that connects to a database cube or a third-party OLAP source. multidimensional cube file (. such as signon information for users. You use an object method to cause the application to perform an operation on an object. or as an entry in a local authentication export file (.Glossary To use Access Manager with IBM Cognos BI servers in production.lae files locally on a single computer. distinguishes each entry from all other namespaces in the repository. The .lac) A source of personal authentication data in Access Manager that can automatically be created on each user's computer when those users access the central directory server. due to a power failure. locked namespace A namespace that has become inaccessible. such as open or save. local authentication The process of verifying access to protected data sources using local authentication export files (.lae). not on a network or with multiple users.lae) A source of authentication data in Access Manager that is independent of a directory server and that may be used to • authenticate standalone users who cannot be authenticated over a network (Access Manager configuration) • transfer authentication data between namespaces (Access Manager Administration) You can only use . method An action defined in a Basic-like language that is performed by OLE automation objects.mdc) The IBM Cognos file that the PowerCube designer creates in PowerPlay Transformer.lac file enables mobile users to access their authentication data even when they aren't connected to the network. local authentication cache file (.

reference collection References an object that has been previously created. and contains a group of objects that are independent of the collection. The OS signon is used by Access Manager but created and maintained outside of Access Manager. If the user is not connected to a network. To change the characteristics of an object. such as the ability to create and update data. an information access privilege set up by an administrator and granted at runtime. such as its size or color. the objects. public user class The user class to which all users in a namespace automatically belong. privilege See permission. See also ownership collection. as you would for any other user class. but they always remain members of the public user class. and which is retained in memory. You do not have to name the public user class "public". You manipulate an object by changing its associated properties and methods. ownership collection Contains a group of objects that are dependent on the collection. If a user has both an OS signon and a basic signon. such as whether it is visible or not (that is. This user class is carried forward into other IBM Cognos products. See also reference collection. You can assign properties and access to the public user class. password-protected data Sensitive or confidential data that may only be accessed by users who enter the correct password. operating system (OS) signon An operating system (OS) signon consists of a user ID and password that authorizes a user to log on to their computer network or operating system. To find an OS signon. appears on the screen or performs its commands without displaying anything on the screen). You can associate users with other user classes. Access Manager first checks for a network ID. permission In Access Manager. you change the value of its properties. and methods exposed by an application correspond to the dialog box options and menu commands provided by the Application object. OLE automation objects have properties and methods that you can use to control object attributes and operating characteristics. then the basic signon. OLE automation A process whereby the features of an application are made available as a collection or group of objects. Access Manager then checks for an operating system ID. A property defines one of the characteristics of an object. the OS signon is verified first. property In OLE automation terms. a set of values or characteristics that remains with an OLE object. a namespace does not have a public user class associated with it. properties. By default. You use an object property to set or access the value of some property that the object has.Glossary object The OLE automation element that you manipulate to create and modify such things as files and reports. For example. or an aspect of its behavior. Access Manager Administrator Guide 89 .

an Access Manager server must be configured as a ticket service. user class memberships. The Administrator user is a member of the root user class. you extend the directory server schema to include Access Manager functionality. single signon A process whereby a user logs on once but can access multiple data sources. for Windows products. The root user class is created by default. user object A software object that represents the users of a product. user objects are used to specify the user's ID and password. schema A description of the object classes (the various types of objects) and the attributes for those object classes in an LDAP database. on the basis of membership in a specified user class. The term generally applies to Web-based products only. ticket service An Access Manager Server service that issues tickets used to maintain single signons for users of Web-deployed IBM Cognos applications. and can be renamed but not removed from the namespace. root administrators Administrators who have access to an entire namespace and all permissions associated with it. the times that members of the user class can access data. basic signon or operating system (OS) signon. user class object A software object that administrators define for their organizations to control access based on membership in specific user groups or communities. A user class object specifies the user class name. The data a user class can access is defined in a client application. A ticket is created each time that the user logs on. See also Access Manager Server and Authentication Service. an equivalent term is common logon. When you configure a directory server. To use this service. The root administrator is created by default.Glossary restricted administrator See delegated administrator. and auto-access assignments. root user class The user class with all administration privileges to the namespace. and the administrative privileges the user class has in Access Manager. without multiple prompts. The tickets are issued for a specified period of time so that users can access multiple applications without having to re-enter authentication data. user class-protected data Sensitive or confidential data that may only be accessed by authorized users. 90 Access Manager . ticket A record of a user’s authorization that allows use of a Web-based product for an amount of time specified by the administrator. and can be renamed but not removed from the namespace. For authentication purposes. signon A User ID and password that is used to identify individual users and govern their access to resources.

The cube designer can specify whether the values associated with omitted categories are rolled-up (summarized) or removed from reports based on the cube. the term is used more generally to signify access to a data source or an authorized subset of the information in that source. based on user class membership. Windows Common Logon Server A server that records information about the users of a Windows-based application so that they can log on once and access multiple data sources. See also user and user class objects. users are granted all the combined permissions of the user classes that they belong to. user reference Information that associates a user with a user class. Note: Not to be confused with the User Classes and Users View in the Administration tool of Impromptu Web Reports. Instead. Access Manager Administrator Guide 91 . Applications that support a union of user classes do not require a user to choose a user class when they log on.Glossary user class union A combination of user class permissions for users who belong to more than one user class. the categories and measures that members of a specified user class are permitted to see. which is a hierarchical view of the User Classes folder and the Users folder. In other IBM Cognos applications. typically a subset of the information contained in the entire PowerCube. user class view In Transformer.

Glossary 92 Access Manager .

88 importing to namespaces. 62. 49 user classes. 8 delegated administration. 18 Transformer servers. 56 enabling audit logging. 79 Architect using Access Manager. 84 anonymous users. 75 using PowerPlay. 55 users. 67 using IBM Cognos Query.lac files definition. 36. 68 using IBM Cognos products. 85 authentication sources configuring. 85 authentication data definition. 60 database cubes. 21. 74 Access Manager Components configuration options. 69 using Upfront. 22 Access Manager Administrator Guide 93 . 73 using Impromptu. 29 AM_NamespaceCorruptionDetect. 59 definition. 85 deleting. 42 comparing to source. 41 saving connections. 21 setting default.Index Symbols . 54 users. 21 . 12 Access Manager Server.ldif files definition. 63 user classes. 88 . 11. 18 components. 16 accessing namespaces. 48 auditing security administration. 26 security in IBM Cognos products. 21 auto-access benefits of using. 86 third party cubes. 58 directory server connections. 22 testing. 87 . 70 using Transformer. 85 directory server namespaces. 37 . 8 converter. 8 definition. 18 database cubes. 88 adding (cont'd) local authentication export files (. 72 using Impromptu Web Reports.lae). 18 batch maintenance. 73 using NoticeCast. 17. 67 moving. 83 utility. 9 cubes. 85 IBM Cognos products. 7 auditing ticket service activity.lae files. 40 using Architect. 59 databases. 61 namespaces. 49 servers. 46 administration adding a namespace administrator. 30 definition. 77 automating. 64 sorting. 67 authentication service definition. 10. 41 adding. 21 local authentication export files (.csa files definition.lae). 42 metadata. 77 authenticating definition. 83 amADUpdate utility. 12 definition. 37 definition. 50 A access data sources. 63 users.mdc files definition. 36 searching. 40 ticket service activity. 67 servers. 85 adding cubes. 64 storing on directory servers. 74 using Visualizer. 50 Access Manager. 86 saving. 61 databases. 42 updating. 72 using Impromptu Web Query. 68 assigning users to user classes.

Index
automating Access Manager, 18 data sources (cont'd) setting up, 57 database cubes access, 49 adding, 61 auto-access, 59 databases access, 49 adding, 58 auto-access, 17, 59 days user class access, 55 default directory servers, 34 IBM Cognos security administration files (.csa), 21 namespaces, 34 default namespaces definition, 86 delegated administration Access Manager, 56 delegated administrators definition, 87 deleting troubleshooting, 79 user classes, 54 users, 46 directory server definition, 87 directory server connections modifying, 23 testing, 22, 23 directory server namespaces accessing, 27 adding administrators, 29 creating, 26 merging, 36 directory servers accessing, 22 connections, 22 merging namespaces, 36 modifying connections, 23 namespaces, 21, 25 setting default, 34 SSL configuration, 24 storing authentication data, 22 Sun Java System, 8 testing connections, 23 transferring authentication data, 36 distinguished names (DN) definition, 87 distributed administration definition, 87 drill through definition, 87 duration of passwords, 33

B
base DNs definition, 86 basic signons, 14 definition, 86 setting properties, 31 batch command processing, 18 batch maintenance, 18 bind definition, 86

C
case sensitivity basic signons, 31 passwords, 33 cert7.db file definition, 88 challenge response, 15 collections definition, 86 common logon, 15 definition, 86 PowerPlay, 70 components Access Manager, 8 Configuration Manager, 9, 12 directory server configuration, 8 configuration options, for Access Manager components, 12 configuring authentication source, 9 authentication sources, 12 directory server, 8 directory servers, 8 Secure Sockets Layer (SSL), 12, 24 connecting directory servers, 22 PowerPlay Enterprise servers, 17 Transformer servers, 17 copyright, 2 corrupted namespace, 39 creating local authentication export files (.lae), 42 namespaces, 26 user classes, 54 users, 46 cubes access, 49 adding, 60 auto-access, 18 definition, 86

D
data objects definition, 86 data sources access, 49

E
enabling external user support, 39 end times user class access, 55

94 Access Manager

Index
environment variables REMOTE_USER CGI, 14 expired passwords, 33 exporting namespaces, 35, 36 external user support update Microsoft Active Directory, 84 external users, 39 linking, 52 relinking, 52 in-database cubes adding, 61 Integrated Windows Authentication, 15

L
language settings users, 51 LDAP data interchange format file definition, 87 LDAP directory servers accessing, 22 Lightweight Directory Access Protocol (LDAP) definition, 87 linking external users, 52 local authentication definition, 88 local authentication cache files (.lac), 67 definition, 88 local authentication export files (.lae) adding, 42 comparing to source, 37 definition, 88 exporting namespaces, 35 importing to namespaces, 36, 42 updating, 37 locked namespaces definition, 88 lockout definition, 88 logging user class changes, 40 logging on, 27 another user, 28 directory server namespaces, 27 logon definition, 88

F
file types cert7.db file, 88 IBM Cognos security administration files (.csa), 86 LDAP data interchange format files (.ldif), 87 local authentication cache files (.lac), 88 local authentication export files (.lae), 88 multidimensional cube files (.mdc), 88

G
glossary, 85 guest users, 16 definition, 87 deleting, 79 setting up access to namespaces, 31

H
HTTPS, 12

I
IBM Cognos products Access Manager, 10, 67 Architect, 68 authentication data, 11 IBM Cognos Query, 73 Impromptu, 72 Impromptu Web Reports , 73 NoticeCast, 75 PowerPlay, 70 PowerPlay Enterprise Server, 71 Transformer, 69 Upfront, 74 Visualizer, 74 IBM Cognos Query using Access Manager, 73 IBM Cognos security administration files (.csa) definition, 86 saving, 21 setting default, 21 identifying users, 13 importing local authentication export files (.lae), 36, 42 Impromptu using Access Manager, 72 Impromptu Web Reports using Access Manager, 73

M
memberships user classes, 48 merging authentication data, 35, 42 merging namespaces exporting namespaces, 35 importing local authentication export files (.lae), 42 transferring namespaces between directory servers, 36 metadata adding, 61 methods definition, 88 modifying directory server connections, 23 moving authentication data, 36 multidimensional cube files (.mdc) definition, 88

N
named users, 16

Access Manager Administrator Guide 95

Index
namespaces, 13 adding, 26 adding administrators, 29 anonymous access, 30 closing, 27 comparing to local authentication export files (.lae), 37 default, 34 definition, 88 describing, 29 detect corrupted, 39 detect corruption utility, 83 exporting to local authentication export files (.lae), 35, 36 generating reports, 81 guest users, 31 importing local authentication export files (.lae), 42 merging, 35, 36, 42 minimum length of names, 31 opening, 27, 28 out of date, 37 passwords, 33 regional settings, 34 report utility, 81 setting up, 13, 25 signons, 31 summary, 29 transferring information, 36 troubleshooting server connections, 23 updating from local authentication export files (.lae), 42 upgrading to a newer schema version, 38 users in more than one, 13 nesting user classes, 54 Netscape Certificate Database file (.cert7.db) definition, 88 NoticeCast using Access Manager, 75 passwords (cont'd) case sensitivity, 33 duration, 33 expiration, 33 setting minimum characters, 33 setting properties, 33 permissions definition, 89 setting for user classes, 56 user classes, 18 plug-in trusted signon, 14 PowerPlay common logon, 70 using Access Manager, 70 PowerPlay servers adding, 63 PowerPlay Web using Access Manager, 71 privileges definition, 89 properties definition, 89 setting signons, 31 user classes, 18 public user class, 17 definition, 89 deleting, 79 setting up, 54

R
reference collections definition, 89 relinking external users, 52 remote users exporting namespaces, 35 REMOTE_USER CGI environment variable, 14 reports user classes, 81 users, 81 restricted administrators definition, 90 root administrators definition, 90 root user class definition, 90 deleting, 79 root users adding, 29 namespaces, 29 runtime configurations, 12

O
objects definition, 89 OLAP server databases adding, 58 OLE automation Access Manager, 18 definition, 89 opening namespaces, 27 operating system (OS) signons, 14 creating, 47 definition, 89 operating systems Windows, 15 out of date namespaces, 37 ownership collections definition, 89

S
saving authentication source connections, 21 IBM Cognos security administration files (.csa), 21 schema definition, 90 upgrading to newer versions, 38

P
password-protected data definition, 89 passwords benefits of using, 9

96 Access Manager

91 Access Manager Administrator Guide 97 . 79 directory server connections. 12 secured cubes signons. 79 merging namespaces. 24 Sun Java System directory server configuring. 67 auto-access. 15 servers access. 14 guest users. 15 passwords. 9. 52 user permissions. 63 troubleshooting connecting to directory server configured for SSL. 31 security across products. 31 secured cubes. 14 sorting authentication data. 47 Secure Sockets Layer (SSL). 80 copy command. 75 auditing. 18 trusted. 64 SSL security. 12 configuring authentication sources. 67 third party cubes signons. 12 configuring authentication source. 79 deleting users. 74 upgrading namespaces to a newer schema version. 91 user class views definition. 24 strategies for signon. 64 Secure Sockets Layer (SSL) security. 90 software development kit trusted signon plug-in. 49 adding. 18 secured databases signons. 24 start times user class access. 52 using Access Manager. 8 trusted signons. 62. 14 users.lae). 55 Sun Java System Certificate Database file configuring SSL. 12. 36 Transformer using Access Manager. 90 external. 17 PowerPlay servers. 8 Set User Class Permissions. 18 third-party OLAP server databases. 16 basic. 38 user class union definition. 22. 79 cut command. 62 setting up. 18 secured databases. 79 Trusted Services Plug-in SDK. 17 single. 56 setting up authentication data. 9. 37 namespaces. 77 ticket services definition. 13 user classes. 55 transferring namespace information. 51 times user class access. 90 time settings users. 62 Transformer servers. 15 strategies for setting up. 12 SSL security (cont'd) configuring on a directory server. 45 basic signons for namespaces. 67 user classes. 53 signons anonymous users. 15 definition. 24 HTTPS. 14 operating system (OS). 62 auto-access. 12 configuring on a directory server. 16 maintained outside Access Manager. 58 ticket service. 23 user classes. 63 connecting. 79 opening secure resources. 10. 62 Windows Common Logon. 14 U updating local authentication export files (. 9 common logon. 35. 17 Windows. 67 directory server connections. 42 Upfront user access. 8 T testing authentication data. 69 Transformer servers adding. 14 searching authentication data. 15 Windows NT. 63 auto-access. 90 tickets definition. 23 logging on. 13 third party cubes. 47 single signons. 14 definition. 17 security Access Manager. 9 applying in IBM Cognos products.Index SDK trusted signon plug-in. 14 properties. 79 deleting user classes.

46 disabling. 47 strategies for setting up.Index user classes. 91 user classes. 84 Windows Common Logon server. 51. 50 definition. 17 adding. 53 testing. 13 multiple user classes. 47 setting up. 15 V variable REMOTE_USER CGI environment. 81 update Microsoft Active Directory. 56 setting up. 17. 9 day access. 48 benefits of using. 16 utilities amADUpdate. 54 assigning users. 48 named. 55 user class-protected data definition. 13 maintaining signons outside Access Manager. 2 viewing users in user classes. 74 W Web products defining users’ access. 54 permissions. 46 anonymous. 90 user references definition. 18 properties. 55 definition. 83 namespace report. 91 users adding. 40 nesting. 18 public. 14 membership to user classes. 51 Visualizer using Access Manager. 57 logging changes. 70 Windows NT challenge response. 51. 16 types. 45 signons. 67 time access. 57 guest. 90 deleting. 16 identifying. 51. 48 auto-access. 16 OS signons. 51 98 Access Manager . 15 definition. 46 displaying in user classes. 14 version of document. 48 more than one namespace. 54 setting permissions. 16 assigning to user classes. 54 displaying users. 84 detect namespace corruption. 57 users’ access. 90 deleting.