IBM Cognos BI CAM Authentication Limitation with Cognos TM1 Data



Similar documents
User Pass-Through Authentication in IBM Cognos 8 (SSO to data sources)

Configuring IBM Cognos Controller 8 to use Single Sign- On

In this topic we will cover the security functionality provided with SAP Business One.

Integrating IBM Cognos 8 BI with 3rd Party Auhtentication Proxies

SAS 9.4 Management Console

This means that any user from the testing domain can now logon to Cognos 8 (and therefore Controller 8 etc.).

IBM Cognos Business Intelligence License Descriptions

Using LDAP Authentication in a PowerCenter Domain

Student Data Reporting I Cognos

Use the below instructions to configure your wireless settings to connect to the secure wireless network using Microsoft Windows Vista/7.

SAS 9.3 Management Console

Metalogix SharePoint Backup. Advanced Installation Guide. Publication Date: August 24, 2015

RSA Authentication Manager 7.1 Basic Exercises

New Features... 1 Installation... 3 Upgrade Changes... 3 Fixed Limitations... 4 Known Limitations... 5 Informatica Global Customer Support...

Contents About the Contract Management Post Installation Administrator's Guide... 5 Viewing and Modifying Contract Management Settings...

Content Filtering Client Policy & Reporting Administrator s Guide

Identity and Access Management Integration with PowerBroker. Providing Complete Visibility and Auditing of Identities

WatchDox Administrator's Guide. Application Version 3.7.5

QAD Enterprise Applications. Training Guide Demand Management 6.1 Technical Training

Troubleshooting Active Directory Server

User Migration Tool. Note. Staging Guide for Cisco Unified ICM/Contact Center Enterprise & Hosted Release 9.0(1) 1

DeltaV Event Chronicle

Introduction. Connection security

Business Intelligence in Microsoft Dynamics AX 2012

Shavlik Patch for Microsoft System Center

SAS 9.2 Management Console. Guide to Users and Permissions

Oracle Essbase Integration Services. Readme. Release

IBM Cognos Business Intelligence Version Getting Started Guide

Copyright 2014 Jaspersoft Corporation. All rights reserved. Printed in the U.S.A. Jaspersoft, the Jaspersoft

MSI Admin Tool User Guide

EXAM - A SAS Certified BI Content Developer for SAS 9. Buy Full Product.

Dell Client Profile Updating Utility 5.5.6

AT&T Global Network Client Domain Logon Guide. Version 9.6

Cognos Event Studio. Deliver By : Amit Sharma Presented By : Amit Sharma

Getting Started with Attunity CloudBeam for Azure SQL Data Warehouse BYOL

SELF SERVICE RESET PASSWORD MANAGEMENT DATABASE REPLICATION GUIDE

Intel Entry Storage System SS4200-E Active Directory Implementation and Troubleshooting

Microsoft Project Server 2010 Technical Boot Camp

4cast Server Specification and Installation

User's Guide. ControlPoint. Change Manager (Advanced Copy) SharePoint Migration. v. 4.0

technical brief browsing to an installation of HP Web Jetadmin. Internal Access HTTP Port Access List User Profiles HTTP Port

P R O V I S I O N I N G O R A C L E H Y P E R I O N F I N A N C I A L M A N A G E M E N T

SmartConnect User Credentials 2012

IBM Cognos TM1: Analyze and Share Data (v10.2)

ADO and SQL Server Security

EPM Performance Suite Profitability Administration & Security Guide

Enabling Kerberos SSO in IBM Cognos Express on Windows Server 2008

Course 6234A: Implementing and Maintaining Microsoft SQL Server 2008 Analysis Services

Version 7.5 Backup and Recovery Guide

How To Create An Easybelle History Database On A Microsoft Powerbook (Windows)

Training Module 1: Administration (logical) (for Privia version 5.9)

The IBM Cognos Platform for Enterprise Business Intelligence

How To Backup A Database In Navision

Enabling Single Signon with IBM Cognos 8 BI MR1 and SAP Enterprise Portal

QAD Business Intelligence Release Notes

Denodo Data Virtualization Security Architecture & Protocols

SAS 9.3 Intelligence Platform

SAP BusinessObjects Business Intelligence Platform Document Version: 4.1 Support Package Business Intelligence Launch Pad User Guide

CIFS Permissions Best Practices Nasuni Corporation Natick, MA

Restructuring Active Directory Domains Within a Forest

Windows XP Exchange Client Installation Instructions

Enabling single sign-on for Cognos 8/10 with Active Directory

Fast and Easy Delivery of Data Mining Insights to Reporting Systems

Sophos for Microsoft SharePoint startup guide

Altiris IT Analytics Solution 7.1 SP1 from Symantec User Guide

Configuring Controller 8.2 to use Active Directory authentication

Microsoft Project Server 2010 Administrator's Guide

SAS Business Intelligence Online Training

CHAPTER 6: ANALYZE MICROSOFT DYNAMICS NAV 5.0 DATA IN MICROSOFT EXCEL

COURSE SYLLABUS COURSE TITLE:

Microsoft Windows DCOM Configuration. Windows XP SP3 and Server 2003 SP2 Configuration Guide

IBM Cognos 8 ARCHITECTURE AND DEPLOYMENT GUIDE

SECURE MOBILE ACCESS MODULE USER GUIDE EFT 2013

User Bulletin Cellular Detection System Analysis Software v4.0. Introduction. 21 CFR Part 11 Software Console - Administrators Guide

Version Getting Started

Migrating to TM1. The future of IBM Cognos Planning, Forecasting and Reporting

METADATA FRAMEWORK DATA DICTIONARY

OLAP Cube Manual deployment and Error resolution with limited licenses and Config keys

Okta/Dropbox Active Directory Integration Guide

for Networks Installation Guide for the application on the server July 2014 (GUIDE 2) Lucid Rapid Version 6.05-N and later

CommVault Simpana Archive 8.0 Integration Guide

Implementing Data Models and Reports with Microsoft SQL Server 2012 MOC 10778

SQL Server Replication Guide

HP Quality Center. Software Version: Microsoft Excel Add-in Guide

Active Directory Compatibility with ExtremeZ-IP

for Networks Installation Guide for the application on the server August 2014 (GUIDE 2) Lucid Exact Version 1.7-N and later

QUANTIFY INSTALLATION GUIDE

RSA Authentication Manager 7.0 Administrator s Guide

6.7. Quick Start Guide

Liquid Machines Document Control Client Version 7. Helpdesk Run Book and Troubleshooting Guide

RSA Authentication Manager 7.1 Microsoft Active Directory Integration Guide

Admin Report Kit for Active Directory

WHITE PAPER. Best Practices for Configuring PATROL for Microsoft Exchange Servers

Security Provider Integration RADIUS Server

Windows Password Change Scenarios

IBM Cognos 8 Controller Financial consolidation, reporting and analytics drive performance and compliance

Transcription:

IBM Cognos BI CAM Authentication Limitation with Cognos TM1 Data

IBM Cognos BI CAM Authentication Limitation with Cognos TM1 Data Introduction... 3 Who should read this bulletin... 3 Products affected... 3 References... 3 Description... 4 Connection sharing... 4 Impact... 4 Technical details and recommended actions... 4 Definitions... 5 Sample use cases... 6 Use Case 1: Jane s experience... 7 Use Case 2: John s experience... 7 Security Mode 4: Administration... 7 Initial steps... 7 Maintenance steps... 8 Security mode 5: Administration + Native... 9 Initial steps... 9 Maintenance steps... 10 Table of Figures Figure 1: Cognos TM1 Clients/Groups Security... 11 Figure 2: Cognos TM1 CAM Clients... 11 Figure 3: Cognos TM1 Administration Groups... 12 Figure 4: Cognos TM1 Native Groups... 13 Figure 5: Cognos TM1 CAM Groups... 14 Business 2 Analytics

Introduction This document provides IBM Cognos Business Intelligence administrators and IBM Cognos Business Intelligence users with technical information of a known security limitation when reporting against IBM Cognos TM1 data leveraging Cognos Access Manager (CAM) for user authentication. Due to the manner in which IBM Cognos BI shares connections to IBM Cognos TM1 servers across users, the potential exists for a user to view inaccessible data or be restricted from accessible data, or to retrieve inconsistent and incorrect data results when running a report. This information will apply if the Cognos TM1 server is authenticated against CAM, and configured to run in security mode 4 or 5. A description of the impact to your user community and detailed steps to an interim workaround are included below. These steps should be followed to avoid users from receiving unexpected results when viewing their reports. Who should read this bulletin All IBM Cognos Business Intelligence Administrators and Users for IBM Cognos TM1 and IBM Cognos Business Intelligence Products Products affected IBM Cognos 8.4.x IBM Cognos 8.4.1.x IBM Cognos 10.1 IBM Cognos Express 9.0 IBM Cognos TM1 9.4 IBM Cognos TM1 9.5 IBM Cognos TM1 9.5.1 Platform: Windows and UNIX References PM23345 Business 3 Analytics

Description Connection sharing Cognos BI shares connections to a Cognos TM1 server to enhance performance. These connections are uniquely defined by the CAM groups assigned to a user. When a Cognos BI user attempts to access Cognos TM1 data, the connection algorithm first determines whether an existing connection can be used, and looks to see if a previously logged in user with an active connection shares a CAM group definition with the designated user. If the algorithm finds an active connection with a matching CAM group definition, the existing connection to Cognos TM1 is shared by the designated user. If the algorithm cannot find a connection having the designated user s CAM Security profile, it creates a new, uniquely defined connection to Cognos TM1. Based on the above rules, if Jane and John both belong to the Europe groups/roles in CAM, they will share a Cognos TM1 connection. This algorithm does not consider the group assignments defined within the Cognos TM1 server itself; specifically, clients (what Cognos TM1 calls users) that are assigned to Cognos TM1 administration groups and/or Cognos TM1 native groups. These group assignments influence the data and metadata that a given client (user) can see in Cognos TM1. When a connection is established with the Cognos TM1 server, the Cognos BI adapter provides credentials in the form of a CAM passport. The accounts, groups and roles to which the given passport session belongs will determine the client and Cognos TM1 groups associated with that connection; hence, they determine the data and metadata that requests received on that connection will be allowed to see. Impact Data security may be compromised for Cognos BI users authoring and reporting against Cognos TM1 data leveraging Cognos Access Manager (CAM) for User Authentication and configured with Integrated Security Mode setting of 4 or 5 in the Cognos TM1s.cfg file. This issue results from a Cognos BI user being assigned the Cognos TM1 data security definition of a previously logged-in user when these users share a similar security group profile. Technical details and recommended actions The recommended work-around calls for more explicit definition of CAM group assignments that exactly matches a user s Security Group profile defined within the Cognos TM1 server. The work-around simulates the Cognos TM1 security within CAM. The Cognos TM1 server is still enforcing security based upon its internal definitions, but the CAM configuration is more aware of those definitions. The degree to which the security definitions in a Cognos TM1 server must be replicated in CAM is dependent upon the security mode in which the Cognos TM1 server is running. Business 4 Analytics

For Cognos TM1 environments having a CAM Authentication Mode of 4, the work-around calls for creating 3 new CAM groups to mirror the Cognos TM1 Admin Groups (Admin, Data Admin, and Security Admin) and assigning ownership to these groups in CAM accordingly. For Cognos TM1 environments having a CAM Authentication Mode of 5, the work-around requires creating CAM groups and user assignments for any Cognos TM1 Security Group not accounted for in CAM in addition to the Cognos TM1 Admin Group assignments. For complete information on security modes available for the Cognos TM1 server, please refer to the Cognos TM1 Operations Guide. Definitions These definitions will help to clarify the recommended workaround. Please refer to Figure1: Cognos TM1 Clients/Groups Security Security mode: Cognos TM1 servers may operate in five (5) security modes: 1. Cognos TM1 server uses standard native security. 2. Cognos TM1 server uses mixed mode. Standard Native security or integrated logon. 3. The Cognos TM1 server uses integrated login that allows you to use Microsoft Windows network authentication to control access to Cognos TM1 Data. 4. CAM authentication, including assignments to Cognos TM1 administration groups. 5. CAM authentication, including assignments to Cognos TM1 administration and Cognos TM1 native groups. Please refer to the Cognos TM1 Operations Guide for additional detail. Cognos TM1s.cfg: Your Cognos TM1s.cfg file should contain parameters similar to the following: ServerCAMURI=http://10.111.25.121:9300/p2pd/servlet/dispatch ClientCAMURI=http://10.111.25.121/Cognos 8/cgi-bin/Cognos.cgi CAMPortalVariableFile=portal/variables_Cognos TM1.xml SkipSSLCAMHostCheck=FALSE CAMPortalVariableFile=portal/variables_Cognos TM1.xml Set IntegratedSecurityMode=4 or 5. Cognos TM1 client: Cognos TM1 refers to a Client as a user. With the exception of the predefined Admin client that can be neither created nor deleted, all Cognos TM1 clients are created manually. Cognos TM1 CAM client: When a user logs onto a Cognos TM1 server for the first time with a CAM passport (mode 4 or 5), Cognos TM1 automatically creates a client for the primary user in that passport. Such clients are distinguishable from Cognos TM1 clients by their name, which contains the CAM namespace and default user name separated by a back-slash (see Figure 2: Cognos TM1 CAM Clients) Cognos TM1 group: Like CAM, clients/users can be assigned to Cognos TM1 groups that have been created manually, or imported from CAM. The cubes, dimensions, elements and subsets are Business 5 Analytics

then secured against the defined Cognos TM1 groups, and not the clients/users. Thus, in order for a client/user to be granted read or write permission to data or metadata, that client/user must be assigned to one or more Cognos TM1 groups that have been granted such permission. Cognos TM1 Administration group: Cognos TM1 servers predefine three native groups that grant administration privileges to their members (see Figure 3: Cognos TM1 Administration Groups) 1. Data Administration group grants read and write permissions to all metadata and data values in the Cognos TM1 server. It is intended for batch operations such as data import, export and period-end calculations. Data Administrators cannot see nor amend security definitions. 2. Security Administration group grants access to all metadata in the Cognos TM1 server, but not data values. It is intended for ongoing maintenance of security permissions on cubes, dimensions, elements, subsets, etc, as well as group assignments fro individual clients/users. Restrictions upon the actual data values in the cubes that a user can see are still enforced by Cognos TM1 server, thus Security Administrators cannot read nor write metadata definitions or data values unless they have been granted such permissions explicitly. 3. Administration group grants both Data and Security administration privileges. Cognos TM1 Native group: A Cognos TM1 group created manually (see Figure4: Cognos TM1 Native Groups) Cognos TM1 CAM group: A Cognos TM1 group created manually by importing a group or role from CAM. Such groups are distinguishable from native groups by their name, which contains the CAM namespace and group/role name separated by a back-slash (see Figure 5: Cognos TM1 CAM Groups) Sample use cases If your Cognos TM1 server is authenticated against CAM; running in security mode 4 or 5, you may be impacted by the following use case scenarios. Consider two users in a CAM namespace (security provider): John and Jane. These two users belong to the same groups and roles within both the given namespace as well as the Cognos namespace. For purposes of illustration, let s assume that: Cognos TM1 Server is called Sales Data. The cube contains Sales data for both Europe and Asia. CAM namespace that defines John and Jane is called MyCAM. CAM groups defined within the MyCAM namespace are Europe and Asia. Both users (John and Jane) belong to Europe and can therefore share a connection. Jane also belongs to the Data administration group within the Cognos TM1 server, which provides her access to both Europe and Asia data on the Sales Data server. Business 6 Analytics

Use Case 1: Jane s experience 1. John logs on to Cognos BI 2. John runs BI report against the Sales Data Cognos TM1 server. He gets the data for Europe. 3. Jane logs on to Cognos BI. 4. Jane runs a different BI report against the Sales Data Cognos TM1 server expecting to see data for both Europe and Asia. 5. Since Jane also belongs to the Cognos TM1 Data administration group, she should be able to see both Europe and Asia. 6. Jane may see a blank report or receive an error* saying that the cube data that she wants to see does not exist because the system has assigned her Cognos TM1 security based on user John s profile that only has access to Europe. *The general behavior with missing members is as follows: For a named level hierarchy the members will be silently omitted from the report; all set expression based on it will be empty. If analysis studio explicitly uses Europe, then if Europe is unavailable, Analysis studio will display a dialog with a message saying that the member is inaccessible, and inviting you to replace it with another member. For all studios, if the report asks to see Continents, then if Europe is unavailable, it will be silently omitted from the report. Summaries will be adjusted accordingly. Use Case 2: John s experience 1. Jane logs on to Cognos BI. 2. Jane runs a Cognos BI report against the Sales Data Cognos TM1 server. She gets all the data for both Europe and Asia as expected for her role as a Data Administrator. 3. John logs on onto Cognos BI. 4. John runs a Cognos BI report against the Sales Data Cognos TM1 server expecting to see only data for Europe. 5. John unexpectedly sees data for both Europe and Asia because the system has assigned his Cognos TM1 security based on user Jane s profile that has access to both Europe and Asia. Security Mode 4: Administration When the Cognos TM1 server is running in security mode 4, it ignores all security assignments to Cognos TM1 native groups and Cognos TM1 CAM groups; however, it does look at security assignments to Cognos TM1 administration groups. As such, only Cognos TM1 CAM clients that are assigned to the administration groups will be affected. All other security assignments in the Cognos TM1 Clients/Groups Security dialog (see Figure1: Cognos TM1 Clients/Groups Security) can be ignored. This work-around requires that you create and maintain a distinct group in CAM for each Cognos TM1 administration group in each Cognos TM1 server, and then assign the appropriate CAM users to those groups. Initial steps Repeat these steps once for each Cognos TM1 administration group to which Cognos TM1 CAM clients have been assigned. Ignore all assignments to Cognos TM1 native clients, which are the Cognos TM1 clients without a namespace and back-slash in their name. For example, if there are no Cognos TM1 CAM Business 7 Analytics

clients assigned to the Data Administration group, then you do not need to set up a Data Administration group in CAM. You will also repeat these steps once for each mode 4 or 5 Cognos TM1 server that you access from Cognos BI. 1. Open the Cognos Administration tool in Cognos BI. 2. Create a new CAM group in the Cognos namespace: Give it a distinct name that includes the name of the Cognos TM1 server and the name of the Cognos TM1 administration group; for example: Cognos TM1 Sales Data - Data Admin. Since you will be creating a distinct set of CAM groups for each Cognos TM1 server, it s sensible to include the name of the Cognos TM1 server in the name of the associated CAM group. You do not need to assign Cognos BI capabilities to this group, although you may do so if you wish. Instead of the Cognos namespace, you may create this new group directly within your third-party security provider using the administration tools that the third-party software provides. However, if CAM is configured with multiple security providers, then you must create a new group in each provider. 3. Assign CAM users to the new CAM group. For each Cognos TM1 CAM client that is assigned to a Cognos TM1 administration group, add the corresponding CAM user to the associated CAM group. You may also assign CAM groups and roles to the new CAM group. However, you must ensure that all CAM users that are members of those groups and roles either directly or indirectly have been assigned to the Cognos TM1 administration group in the Cognos TM1 server. If there are any extras, then you haven t worked around the issue. 4. Do not import these new CAM groups into your Cognos TM1 server. Maintenance steps Whenever another Cognos TM1 CAM client is added or removed from a Cognos TM1 administration group, then the corresponding change must be applied to the associated CAM group that was created in the Initial Steps above. For example, if you assign a Cognos TM1 CAM client named MyCAM\Jane to the Security Administration group in the Cognos TM1 Sales Data server, then you must also open the Cognos Administration tool in Cognos BI and add the Jane user from the MyCAM namespace to the Cognos TM1 Sales Data Security Administration group in the Cognos namespace. Business 8 Analytics

Security mode 5: Administration + Native When the Cognos TM1 server is running in security mode 5, it looks at security assignments to Cognos TM1 administration groups, Cognos TM1 native groups, and Cognos TM1 CAM groups. As such, Cognos TM1 CAM clients with membership in either native groups or administration groups will be affected. The work-around documented below requires that you create and maintain a distinct group in CAM for each Cognos TM1 administration group and Cognos TM1 native group to which Cognos TM1 CAM clients have been assigned, and then assign the corresponding CAM users to those groups. Conversely, you could simply remove all group assignments between Cognos TM1 CAM clients and Cognos TM1 native groups rather than apply the work-around documented below. You must ensure that this alternative is feasible for the security settings in your Cognos TM1 applications. Initial steps Do the work-around for Security Mode 4 as outlined above. Repeat these steps once for each Cognos TM1 native group to which Cognos TM1 CAM clients have been assigned. Ignore all assignments to Cognos TM1 native clients, which are the Cognos TM1 clients without a namespace and back-slash in their name. For example, if there are no Cognos TM1 CAM clients assigned to the 10100 group, then you do not need to set up a 10100 group in CAM. You will also repeat these steps once for each mode 5 Cognos TM1 server that you access from Cognos BI. 1. Open the Cognos Administration tool in Cognos BI. 2. Create a new CAM group in the Cognos namespace: Give it a distinct name that includes the name of the Cognos TM1 server and the name of the Cognos TM1 native group; for example: Cognos TM1 Sales Data - 10100. Since you will be creating a distinct set of CAM groups for each Cognos TM1 server, it s sensible to include the name of the Cognos TM1 server in the name of the associated CAM group. You do not need to assign Cognos BI capabilities to this group, although you may do so if you wish. Instead of the Cognos namespace, you may create this new group directly within your third-party security provider using the administration tools that the third-party software provides. However, if CAM is configured with multiple security providers, then you must create a new group in each provider. 3. Assign CAM users to the new CAM group. For each Cognos TM1 CAM client that is assigned to a Cognos TM1 native group, add the corresponding CAM user to the associated CAM group. You may also assign CAM groups and roles to the new CAM group. However, you must ensure that all CAM users that are members of those groups and roles either directly or indirectly have been assigned to the Cognos TM1 native group in the Cognos TM1 server. If there are any extras, then you haven t worked around the issue. 4. Do not import these new CAM groups into your Cognos TM1 server. Business 9 Analytics

Maintenance steps Whenever another Cognos TM1 CAM client is added or removed from a Cognos TM1 native group, then the corresponding change must be applied to the associated CAM group that was created in the Initial Steps above. For example, if you assign a Cognos TM1 CAM client named MyCAM\Jane to the 10100 group in the Cognos TM1 Sales Data server, then you must also open the Cognos Administration tool in Cognos BI and add the Jane user from the MyCAM namespace to the group Cognos TM1 Sales Data 10100 in the Cognos namespace. This is a supported interim workaround that must be implemented to properly secure your Cognos BI environment against a Cognos TM1 server. A more comprehensive solution will be available in a future release. Please refer to our Flashes and Alerts on the IBM Cognos Support website for current information related to this topic. The contents of this Flash Alert are based on the best-available information as of the date of its publication. While every attempt has been made to provide guidance on the known issues at the time of publication, the Flash Alert may not describe all of the circumstances under which the issue described above may occur, and may not provide a resolution for every occurrence of the issue. We continue to work to provide a comprehensive solution. All additional information will be documented in subsequent editions of this Flash Alert and posted on the IBM Customer Support web site at http://www.ibm.com/cognos /support Failure to follow these important instructions may result in a user being able to view inaccessible data or be restricted from accessible data, or to retrieve inconsistent and incorrect data results when running a report. IBM will not be liable for any loss or damages from the failure to implement these instructions. Business 10 Analytics

Figure 1: Cognos TM1 Clients/Groups Security Figure 2: Cognos TM1 CAM Clients Business 11 Analytics

Figure 3: Cognos TM1 Administration Groups Business 12 Analytics

Figure 4: Cognos TM1 Native Groups Business 13 Analytics

Figure 5: Cognos TM1 CAM Groups Business 14 Analytics

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information