About securing the IBM Cognos BI system
When your IBM® system integrates with the IBM Cognos 8 BI system, the IBM Cognos system provides access to the IBM® application data in two ways.
* From the IBM® applications: when someone requests a report from the IBM® interface, the IBM® system contacts the IBM Cognos system which queries the reporting views or tables and then sends the report back to the IBM® interface.
* From the IBM Cognos applications: when you work with the IBM® application data model in Framework Manager or the reports in Report Studio, you connect to the IBM® application's database.
In its default state, the Cognos system is unsecured, which means that anyone who has access to the IBM Cognos applications has access to the data from the IBM® application database.
IBM® Unica® Authentication Provider
When IBM Cognos is configured to use IBM® authentication, the IBM® Unica® Authentication Provider installed on the IBM Cognos 8 BI system communicates with the security layer of the Marketing Platform to authenticate users. For access, the user must be a valid IBM® user and must have a role that grants one of the following permissions:
* report_system, which also grants access to the reporting configuration options in the IBM® interface. The default role ReportsSystem grants this permission.
* report_user, which grants access to the reports but not to the reporting configuration options in the IBM® interface. The default role ReportsUser grants this permission.
There are two authentication options: authenticated and authenticated per user.
Mode = authenticated
When the authentication mode is set to “authenticated,” the communications between the IBM® Unica Marketing system and the IBM Cognos system are secured at the machine level.
You configure a single report system user and identify it in the reporting configuration settings. To configure the report system user you do the following:
*
*
*
The IBM® Unica® Authentication Provider then authenticates users as follows.
* Each time an IBM® Unica Marketing user attempts to display a report, the Marketing Platform uses the credentials stored in the report system user record in its communication with the Cognos system. The authentication provider verifies the user credentials.
*
Mode = authenticated per user
When the authentication mode is set to “authenticated per user,” the system does not use a report system user. Instead, it evaluates the user credentials of each individual user.
* Each time an IBM® user attempts to display a report, the Marketing Platform includes the user credentials in its communication with the Cognos system. The authentication provider verifies the user credentials.
*
With this mode, all users must have either the ReportsUser or the ReportsSystem role in order to see the reports. Typically, you assign the ReportsSystem role to one or two administrators and assign the ReportsUser role to the user groups of the IBM® users who need to see reports in the IBM® interface.
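The following Python model is an added example, not IBM code or an IBM API. It applies the access rule described above to a role export so you can see which users need a reporting role before you switch from "authenticated" to "authenticated per user". The role and permission names come from this page; the function names, the user export and the account names are hypothetical, and the limit of two ReportsSystem holders reflects the "one or two administrators" guidance above.

```python
# Model of the access rule described on this page; not IBM code or an IBM API.
ROLE_PERMISSIONS = {              # default roles and permissions named on the page
    "ReportsSystem": {"report_system"},
    "ReportsUser": {"report_user"},
}

def has_reporting_permission(roles):
    """True if any assigned role grants report_system or report_user."""
    return any(ROLE_PERMISSIONS.get(role) for role in roles)

def presented_account(mode, requesting_user, report_system_user):
    """Account whose credentials the Marketing Platform sends to Cognos."""
    if mode == "authenticated":
        return report_system_user      # one shared account for every request
    if mode == "authenticated per user":
        return requesting_user         # each user is evaluated individually
    raise ValueError(f"unknown authentication mode: {mode!r}")

def can_display_report(mode, requesting_user, users, report_system_user=None):
    """Apply the provider's check: valid user plus a reporting permission."""
    account = presented_account(mode, requesting_user, report_system_user)
    return account in users and has_reporting_permission(users[account])

def audit_roles(users, report_system_user, max_system_holders=2):
    """List role-assignment issues to fix before using 'authenticated per user'."""
    findings = []
    for name in sorted(users):
        if name != report_system_user and not has_reporting_permission(users[name]):
            findings.append(f"{name}: no ReportsUser or ReportsSystem role")
    holders = sorted(n for n in users if "ReportsSystem" in users[n])
    if len(holders) > max_system_holders:   # page: typically one or two administrators
        findings.append("ReportsSystem held by: " + ", ".join(holders))
    return findings

# Constructed sample export of users and their roles (all names are hypothetical).
USERS = {
    "cognos_admin": ["ReportsSystem"],
    "asmith": ["ReportsUser"],
    "bjones": [],
    "clee": ["ReportsSystem"],
    "dkim": ["ReportsSystem"],
}

if __name__ == "__main__":
    for mode in ("authenticated", "authenticated per user"):
        ok = can_display_report(mode, "bjones", USERS, "cognos_admin")
        print(f"{mode}: bjones can display reports = {ok}")
    for finding in audit_roles(USERS, "cognos_admin"):
        print("finding:", finding)
```

In the model, bjones can display reports only in "authenticated" mode, because in that mode the credentials evaluated are those of the shared report system user rather than bjones's own.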
Authentication vs. authorization
Other than checking for a reporting permission, the authentication provider does no authorization checking. Report authors who log in to the Cognos applications have access to all the reports on the Cognos system, no matter how their report folder permissions might be set on the IBM® system.