Thursday, March 1, 2018

Restrictions Restrictions

      Welcome back to my blog posts. I hope the information I'm providing on my blog has been of use to atleast some of you. Leave a note in the comments section to tell me what information you find useful and what information you're looking forward to. I will do my best to post them (without giving away business secrets obviously *wink wink*)

      Cognos has the capability of providing authentication against Active Directory. In case you're not aware, in a simple answer, Active Directory is your windows domain authentication.The username and password that you use to login into windows can also be used to login into Cognos.

      This setup is usually good enough for the majority of installations. It allows everyone with a windows username and password to login and run reports. Cognos also honors groups and roles at the Active Directory level, so its easy to assign permissions based on the role or membership of a user in a role.

      This also has the undesired effect of leaving the system wide open to everyone with a username and password. Imagine a situation where a user in the IT department is able to view the financial information of the entire company. Scary!

      While Cognos allows one to lock down the ability to run reports or look at report outputs based on role membership, it would be most beneficial if it didn't allow users to login in the first place.

      On a environment that is configured with the appropriate set of roles and memberships, setting the value of the option 'Restrict users to built-in namespace' to true completely locks down the environment, preventing users from logging in unless they're members of a pre-configured group of users that is allowed access.