4.

6 Apply security in IBM Cognos Framework Manager

This section discusses security at a high level. We do not implement security in
our model directly but discuss generic steps about how to apply security.
In IBM Cognos Framework Manager, security is a way of restricting access to
metadata and data. There are three different types of security in IBM Cognos
Framework Manager:
_ Object level security allows you to secure an object directly by allowing or
denying users access to the object, or keeping it hidden from all users.
_ Row level security allows you to create a security filter and apply it to a
specific query subject. This level of security controls the data that is shown to
the users when they build and run their reports.
_ Package level security allows you to apply security to a package and identify
who has access to that package.
Each type of security relies on users, groups, and roles to define access. Before
you add security in IBM Cognos Framework Manager, ensure that security was
set up correctly in IBM Cognos BI.
4.6.1 Object level security
You can apply metadata security directly to objects in a model. When you add
object-based security, you apply a specific user, group, or role directly to the
object. In doing so, you choose to make the object visible to the select users or
groups.
If you do not set object-based security, all objects in the model are visible to
everyone who has access to the package. The object inherits the security that
was defined for its parent object. When you explicitly allow or deny access to an
object, you override the inherited setting. When you apply security to a parent
object, all of the child objects inherit the security settings. After you set security
for one object, you must set it for all objects. You can set security for all objects by
setting security on the root namespace.
You might want an object to be visible only to one selected group or role. For
example, in your project you might have a Salary query subject. You might want
this query subject visible to a Manager role but not visible to an Employee role.
If a user is a member of multiple groups or roles and if one group is allowed
access to an object and another is denied access, the user will not have access
to the secured object. In cases of conflicting access, the denied access group or
role membership will have priority.
Chapter 4. Create reporting packages with IBM Cognos Framework Manager 125
There are two basic approaches to implementing object level security in your
model:
_ Allow access to all objects and then restrict access to certain objects as
required
_ Restrict access to all objects and then grant access as required
To add object level security:
1. Click the object that you want to secure, and from the Actions menu, click
Specify Object Security.
2. Select the users, groups, or roles that you want to change. You can also click
Add to add new users, groups, or roles.
3. Specify security rights for each user, group, or role by completing one of the
following steps:
– To deny access to a user, group, select Deny next to the name of the user,
group or role. Remember that Deny takes priority over Allow.
– To grant access to a user, group or role, select Allow.
4. Click OK.
To remove object level security from the model:
1. In the middle pane, click Explorer.
2. In the Project Viewer, double-click the Packages folder to give it focus in the
Explorer. A list of all packages and any security objects that are applied in the
model display.
3. Select any of the security objects that you want to remove from the model,
and click Delete.
4.6.2 Row level security
You can restrict the data that is returned by query subjects in a project by using
security filters. A security filter controls the data that is shown to users when they
author their reports.
For example, sales managers at the Great Outdoors company want to ensure
that Camping Equipment sales representatives see only orders that relate to the
Camping Equipment product line. To accomplish this, create and add members
to a Sales Managers and Camping Equipment Reps groups. Then apply a
security filter to the Products query subject to restrict their access to camping
equipment data.
126 IBM Cognos Business Intelligence V10.1 Handbook
To specify row level security:
1. Click the query subject with which you want to work, and from the Action
menu click Specify Data Security.
2. To add new users:
a. Click Add Groups.
b. In the Select Users and Groups window, add users, groups, or roles.
c. In the Select Users and Groups window, click OK.
3. If you want to base the group on an existing group, click the Based On
column.
4. If you want to add a filter to a group, in the Filter column, click either
Create/Edit Embedded filter or Insert from Model. These options allow you
to either select an existing filter from your model to use or define the
expression for a new filter.
4.6.3 Package level security
Package access refers to the ability to use the package in one of the IBM Cognos
BI studios or to run a report that uses the package from IBM Cognos Connection.
Users without these permissions are denied access, although they can still view
saved report outputs if they have access to the reports. You can also grant
administrative access to packages for those users who might be required to
republish a package.
You define package level security during the publish process the first time the
package is published.
To modify access to your package after it has been published:
1. Click the package that you want to edit, and from the Actions menu click
Package Edit Package Settings to invoke IBM Cognos Connection in a
new window.
2. In IBM Cognos Connection, click the Permissions tab.
3. Create, add or remove groups or roles as required.
4. After you modify the package access permissions, click OK to return to IBM
Cognos Framework Manager.
Multiple groups or roles: If a user belongs to multiple groups or roles, the
security filter that is associated with these roles are joined together with ORs.
If a group or role is based on another group or role, the security filters are
joined together with ANDs.
Chapter 4. Create reporting packages with IBM Cognos Framework Manager 127
4.7 Model troubleshooting tips
This section provides some tips for troubleshooting your models.
4.7.1 Examine the SQL
When testing query objects in IBM Cognos Framework Manager, you can view
the SQL that is generated for the query on the Query Information tab. Viewing
this information can be a useful way to verify expected results and can be a
valuable troubleshooting technique to help you debug a model.
In particular, you can verify query path and join conditions and determine if
elements of the query are being processed locally by comparing the Cognos and
Native SQL. Items that appear in the Cognos SQL but are not replicated in the
Native SQL indicate that additional processing of the data is required on the IBM
Cognos servers. This issue might be due to unsupported functions in the vendor
database.
You can also select the Response sub-tab in the Query Information tab to view
the request and response sequence to and from the data source. Any warning or
error messages generated are recorded here.