Using IBM® EMM Authentication Provider to secure IBM® Cognos® BI system

By default, the Cognos® system is unsecured because anyone who has access to the IBM® Cognos® applications can access the data from the IBM® EMM application database. You can secure the Cognos® system by using the IBM® EMM Authentication Provider.

When your IBM® EMM system integrates with the IBM® Cognos® BI system, the IBM® Cognos® system provides access to the IBM® EMMapplication data in the following ways:

From the IBM® EMM applications: when someone requests a report from the IBM® EMM interface, the IBM® EMM system contacts the IBM® Cognos® system which queries the reporting views or tables and then sends the report back to the IBM® EMM interface.

From the IBM® Cognos® applications: when you work with the IBM® EMM application data model in Framework Manager or the reports in Report Studio, you connect to the database for the IBM® EMM application.

When IBM® Cognos® is configured to use IBM® EMM authentication, the IBM® EMM Authentication Provider installed on the IBM® Cognos® BI system communicates with the security layer of the Marketing Platform to authenticate users. For access, the user must be a valid IBM® EMM user and must have a role that grants one of the following permissions:

report_system, which also grants access to the reporting configuration options in the IBM® EMM interface. The ReportsSystem role grants this permission.

report_user, which grants access to the reports but not to the reporting configuration options in the IBM® EMM interface. The ReportsUser role grants this permission.

The following authentication options exist:

When the authentication mode is set to authenticated, the communications between the IBM® EMM system and the IBM® Cognos® system are secured at the machine level. To use the authenticated mode for a user, you must configure a report system user and identify the user in the reporting configuration settings.

Complete the following tasks to configure a report system user:

2.	Store login credentials for the IBM® Cognos® system in a user data source.

The IBM® EMM Authentication Provider uses the following method to authenticate report system user:

Each time that an IBM® EMM user attempts to display a report, Marketing Platform uses the credentials that are stored in the report system user record in its communication with the Cognos® system. The authentication provider verifies the user credentials.

When report authors log in to the IBM® Cognos® applications, they log in as the report system user, cognos_admin and the authentication provider verifies the user credentials.

When the authentication mode is set to authenticated per user, the reports system does not use a report system user and evaluates the credentials of each individual user. The IBM® EMM Authentication Provider uses the following method in the authenticated per user mode:

Each time that an IBM® EMM user attempts to display a report, the Marketing Platform includes the user credentials in its communication with the Cognos® system. The authentication provider verifies the user credentials.

When report authors log in to the IBM® Cognos® applications, they log in as themselves and the authentication provider verifies their credentials.

With the authenticated per user mode, all users must have either the ReportsUser or the ReportsSystem role to see reports. Typically, you assign the ReportsSystem role to one or two administrators and assign the ReportsUser role to the user groups of the IBM® EMM users who need to see reports in the IBM® EMM interface.

Except for checking for a reporting permission, the authentication provider does not check for other authorization. Report authors who log in to the Cognos® applications have access to all the reports on the Cognos® system, no matter how their report folder permissions might be set on the IBM® EMM system.