About securing the IBM Cognos BI system
When your IBM® EMM system integrates with the IBM Cognos BI system, the IBM Cognos system provides access to the IBM® EMMapplication data in two ways.
*
From the IBM® EMM applications: when someone requests a report from the IBM® EMM interface, the IBM® EMM system contacts the IBM Cognos system which queries the reporting views or tables and then sends the report back to the IBM® EMM interface.
*
From the IBM Cognos applications: when you work with the IBM® EMM application data model in Framework Manager or the reports in Report Studio, you connect to the database for the IBM® EMM application.
In its default state, the Cognos system is unsecured, which means that anyone who has access to the IBM Cognos applications has access to the data from the IBM® EMM application database.
IBM® EMM Authentication Provider
When IBM Cognos is configured to use IBM® EMM authentication, the IBM® EMM Authentication Provider installed on the IBM Cognos BI system communicates with the security layer of the Plataforma de Marketing to authenticate users. For access, the user must be a valid IBM® EMM user and must have a role that grants one of the following permissions:
*
report_system, which also grants access to the reporting configuration options in the IBM® EMM interface. The default role ReportsSystem grants this permission.
*
report_user, which grants access to the reports but not to the reporting configuration options in the IBM® EMM interface. The default role ReportsUser grants this permission.
There are two authentication options: authenticated and authenticated per user.
Mode = authenticated
When the authentication mode is set to “authenticated,” the communications between the IBM® EMM system and the IBM Cognos system are secured at the machine level.
You configure a single report system user and identify it in the reporting configuration settings. To configure the report system user you do the following:
*
Create the user and assign to it the ReportsSystem role, which grants it access to all reporting functions.
*
Store login credentials for the IBM Cognos system in a user data source.
*
Name it, by convention (which is not required), cognos_admin.
The IBM® EMM Authentication Provider then authenticates users as follows.
*
Each time an IBM® EMM user attempts to display a report, the Plataforma de Marketing uses the credentials stored in the report system user record in its communication with the Cognos system. The authentication provider verifies the user credentials.
*
When report authors log in to the IBM Cognos applications, they log in as the report system user, cognos_admin and the authentication provider verifies the user credentials.
Mode = authenticated per user
When the authentication mode is set to “authenticated per user,” the system does not use a report system user. Instead, it evaluates the user credentials of each individual user.
*
Each time an IBM® EMM user attempts to display a report, the Plataforma de Marketing includes the user credentials in its communication with the Cognos system. The authentication provider verifies the user credentials.
*
When report authors log in to the IBM Cognos applications, they log in as themselves and the authentication provider verifies their credentials.
With this mode, all users must have either the ReportsUser or the ReportsSystem role in order to see the reports. Typically, you assign the ReportsSystem role to one or two administrators and assign the ReportsUser role to the user groups of the IBM® EMM users who need to see reports in the IBM® EMM interface.
Authentication vs. authorization
Other than checking for a reporting permission, the authentication provider does no authorization checking. Report authors who log in to the Cognos applications have access to all the reports on the Cognos system, no matter how their report folder permissions might be set on the IBM® EMM system.
Copyright IBM Corporation 2012. All Rights Reserved.