IBM Cognos Business Intelligence V10.1 Handbook Front cover

4.6 Apply security in IBM Cognos Framework Manager

This section discusses security at a high level. We do not implement security in our model directly but discuss generic steps about how to apply security.

In IBM Cognos Framework Manager, security is a way of restricting access to metadata and data. There are three different types of security in IBM Cognos

Framework Manager:

򐂰

Object level

security allows you to secure an object directly by allowing or denying users access to the object, or keeping it hidden from all users.

򐂰

Row level

security allows you to create a security filter and apply it to a specific query subject. This level of security controls the data that is shown to the users when they build and run their reports.

򐂰

Package level security allows you to apply security to a package and identify who has access to that package.

Each type of security relies on users, groups, and roles to define access. Before you add security in IBM Cognos Framework Manager, ensure that security was set up correctly in IBM Cognos BI.

4.6.1 Object level security

You can apply metadata security directly to objects in a model. When you add object-based security, you apply a specific user, group, or role directly to the object. In doing so, you choose to make the object visible to the select users or groups.

If you do not set object-based security, all objects in the model are visible to everyone who has access to the package. The object inherits the security that was defined for its parent object. When you explicitly allow or deny access to an object, you override the inherited setting. When you apply security to a parent object, all of the child objects inherit the security settings. After you set security for one object, you must set it for all objects. You can set security for all objects by setting security on the root namespace.

You might want an object to be visible only to one selected group or role. For example, in your project you might have a Salary query subject. You might want this query subject visible to a Manager role but not visible to an Employee role.

If a user is a member of multiple groups or roles and if one group is allowed access to an object and another is denied access, the user will not have access to the secured object. In cases of conflicting access, the denied access group or role membership will have priority.

124

IBM Cognos Business Intelligence V10.1 Handbook

There are two basic approaches to implementing object level security in your model:

򐂰

Allow access to all objects and then restrict access to certain objects as required

򐂰 Restrict access to all objects and then grant access as required

To add object level security:

1. Click the object that you want to secure, and from the Actions menu, click

Specify Object Security.

2. Select the users, groups, or roles that you want to change. You can also click

Add to add new users, groups, or roles.

3. Specify security rights for each user, group, or role by completing one of the following steps:

– To deny access to a user, group, select Deny next to the name of the user, group or role. Remember that Deny takes priority over Allow.

– To grant access to a user, group or role, select Allow.

4. Click OK.

To remove object level security from the model:

1. In the middle pane, click Explorer.

2. In the Project Viewer, double-click the Packages folder to give it focus in the

Explorer. A list of all packages and any security objects that are applied in the model display.

3. Select any of the security objects that you want to remove from the model, and click Delete.

4.6.2 Row level security

You can restrict the data that is returned by query subjects in a project by using security filters. A security filter controls the data that is shown to users when they author their reports.

For example, sales managers at the Great Outdoors company want to ensure that Camping Equipment sales representatives see only orders that relate to the

Camping Equipment product line. To accomplish this, create and add members to a Sales Managers and Camping Equipment Reps groups. Then apply a security filter to the Products query subject to restrict their access to camping equipment data.

Chapter 4. Create reporting packages with IBM Cognos Framework Manager

125

Multiple groups or roles: If a user belongs to multiple groups or roles, the

security filter that is associated with these roles are joined together with ORs.

If a group or role is based on another group or role, the security filters are joined together with ANDs.

To specify row level security:

1. Click the query subject with which you want to work, and from the Action menu click Specify Data Security.

2. To add new users: a. Click Add Groups.

b. In the Select Users and Groups window, add users, groups, or roles.

c. In the Select Users and Groups window, click OK.

3. If you want to base the group on an existing group, click the Based On column.

4. If you want to add a filter to a group, in the Filter column, click either

Create/Edit Embedded filter or Insert from Model. These options allow you

to either select an existing filter from your model to use or define the expression for a new filter.

4.6.3 Package level security

Package access refers to the ability to use the package in one of the IBM Cognos

BI studios or to run a report that uses the package from IBM Cognos Connection.

Users without these permissions are denied access, although they can still view saved report outputs if they have access to the reports. You can also grant administrative access to packages for those users who might be required to republish a package.

You define package level security during the publish process the first time the package is published.

To modify access to your package after it has been published:

1. Click the package that you want to edit, and from the Actions menu click

Package



Edit Package Settings to invoke IBM Cognos Connection in a

new window.

2. In IBM Cognos Connection, click the Permissions tab.

3. Create, add or remove groups or roles as required.

4. After you modify the package access permissions, click OK to return to IBM

Cognos Framework Manager.

126

IBM Cognos Business Intelligence V10.1 Handbook