Cognos Security - Best Role Structure & Capability Settings

Do you have a brand-new install of Cognos? What is the first thing you do after your install is done and you have configured Cognos? Start creating reports? Start building dashboards?

No! You need to make sure you have security properly configured.

Security is one of those things that often gets pushed off until the end of a project but it should be the first thing we do.

 
Cognos Analytics License and Security
 

As soon as you log in the first time, your usage is being tracked for licensing. If you don’t have your security properly set up, you can be out of compliance with your licensing.

Default Install Adds Everyone as System Admin

There is a critical first step with a new install of Cognos. The default install adds the Everyone group to the System Administrators role, which makes every user who signs in a full system administrator. Go to Security > Cognos > System Administrators and add your administrator user.

 
Adding Administrator User in Cognos Analytics
 

Once that user is added, you need to remove the Everyone group from the System Administrator role. Here is a screenshot of the original entries:

 
Original Entries for System Administrators in Cognos Analytics
 

This is what it should look like after the Everyone group is removed. You could add your user to the Analytics Administrator role instead, but I like to always have the “main” administrator directly in the System Administrators role so they are still there if any of the other groups get accidentally deleted.

 
Creating Admins in IBM Cognos Analytics
 

Setting up Our Security Role Structure

Once this critical step is completed, we can start to clean up the provided security groups and decide on our security role structure.

When I am configuring a new Cognos environment, I like to have four roles based on my licensing:

  • Analytics Administrator

  • Analytics Explorer

  • Analytics User

  • Analytics Viewer

I will use these roles to set capabilities that indicate what tools users can use and what functions or jobs they can perform.

We will also have business groups and roles that would relate to what type of content or access users would need based on the business roles.

There are a lot of provided roles and groups that you may not need. I like to move everything except my required roles into a folder that I then disable, or I simply delete the unused groups (this is trickier if you are doing an upgrade and security cleanup rather than a brand-new install).

Here are the initial set of groups and roles:

 
Groups and Roles in Cognos Analytics
 

Here are the remaining groups and roles once I have moved the unused groups and roles to a disabled folder.

 
Removing unused groups and roles in IBM Cognos Analytics
 

A couple of those roles are not able to be moved (Tenant Admin for example). That’s ok. We will just leave them empty.

Once I have the roles I need for access and capabilities, I add the users or groups from my authentication source to these roles.

 
Adding Cognos Users from authentication source to roles
 

For testing purposes, I set up four users that match the role I am putting them into. That is not always possible but it is a great way to make sure you have the right permissions set so you are in licensing compliance.

Setting up Capabilities in Cognos

The next step is the hardest and most time-consuming. You must make sure you have capabilities set correctly.

Capabilities control access to both tools and functionality within tools inside of Cognos. The capabilities give you access to reporting or dashboards or make you an administrator. The capabilities are used to determine if you are compliant with your licensing so it is especially critical that you get these right. Examples of the tools would be Administration or Dashboards. Examples of functionality within tools would be User defined SQL or Edit dashboards.

When a content store is created, an initial set of capabilities is applied. Making sure those settings match your licensing and the way you want your Cognos environment to be used can be quite a big task.

There are four general licensing roles:

  • Analytics Viewer

  • Analytics User

  • Analytics Explorer

  • Analytics Administrator

Analytics Viewers can read public content. This means users with this license can view dashboards and stories. They can view previously executed reports. They cannot interact with prompts or schedule reports. Users will not be able to drill through if this means running a child report.

Analytics Users can create and execute reports, dashboards, explorations, data modules, and stories. They can create and run jobs, schedule reports, and create data server connections. They can respond to prompts and upload files. They will also have access to the following tools (if available): Cognos for Microsoft Office, Cognos Workspace, Cognos Event Studio, Cognos Query Studio, and Cognos Analysis Studio.

Analytics Explorers can have the same access as Analytics Users. They can additionally access Planning Analytics for Microsoft Excel, Cognos Framework Manager, Cognos Cube Designer and Dynamic Query Analyzer, Jupyter Notebook, and Transformer.

Analytics Administrators can have the same access as Analytics Explorers. They can additionally access IBM Software Development Kit, the Manage menu, and Administration.

This table represents basic licensing with Cognos Analytics.

 
| Capability | Analytics Viewer | Analytics User | Analytics Explorer | Analytics Administrator |
|---|---|---|---|---|
| Use IBM Software Development Kit | | | | X |
| Use Manage | | | | X |
| Use IBM Cognos Administration | | | | X |
| Use Planning Analytics for Microsoft Excel | | | X | X |
| Use Cognos Framework Manager | | | X | X |
| Use Cognos Cube Designer | | | X | X |
| Use Dynamic Query Analyzer | | | X | X |
| Use Jupyter Notebook | | | X | X |
| Use Transformer | | | X | X |
| Create new reports | | X | X | X |
| Create dashboards | | X | X | X |
| Create stories | | X | X | X |
| Create jobs | | X | X | X |
| Create data server/source connections | | X | X | X |
| Create data modules | | X | X | X |
| Create explorations | | X | X | X |
| Execute reports | | X | X | X |
| Respond to prompts | | X | X | X |
| Upload files | | X | X | X |
| Use Cognos Workspace | | X | X | X |
| Use Cognos Event Studio | | X | X | X |
| Use Cognos Query Studio | | X | X | X |
| Use Cognos Analysis Studio | | X | X | X |
| Use Cognos for Microsoft Office | | X | X | X |
| Schedule reports | | X | X | X |
| View public reports | X | X | X | X |
| Subscribe to reports | X | X | X | X |
| View dashboards and stories | X | X | X | X |
 

Capabilities can be set in two different places. Even though the two are mostly the same, you may need to go back and forth between them. You can set capabilities in Administration: Manage > Administration > Security Tab > Capabilities.

 
How to find or set capabilities in Cognos, Option 1
 

And you can set capabilities under Manage > People > Capabilities.

 
How to find or set capabilities in Cognos, Option 2
 

You could work entirely in Manage, since all of the capabilities exist there (some of the newer capabilities only exist there). However, Manage does not let you set an overall set of permissions and push it down to all child capabilities, so we will start in Administration.

In Administration, the first thing I do in a new installation is to go to the overall capability properties (top right corner):

 
Overall Capability Properties in IBM Cognos Analytics
 

Switch to the Permissions tab:

 
Permissions for Capabilities in IBM Cognos Analytics
 

There are a couple of ways to tackle this big job. One way is to remove these two options and add the four roles that I will need overall (Analytics Administrator, Analytics Explorer, Analytics User, and Analytics Viewer). Grant the proper permissions. For capabilities, we only need to set three permissions:

 
| Type of Permission | Access permissions granted |
|---|---|
| Access | Execute and Traverse |
| Assign | Traverse and Set Policy |
| Manage | Execute, Traverse, and Set Policy |
 

And then click the ‘Select this option if you want to override the existing access permissions of all child entries’ box. This will remove all the current permissions to all capabilities and replace them with the ones we just set. Then we have to go into each capability and remove any roles which are not licensed.

 
Removing roles which are not licensed in IBM Cognos Analytics
 

We could also go through and modify all the existing capabilities without setting capabilities from the top. This way of doing it is slightly safer as you just replace the listed groups with our new roles but it may take longer.

Analytics Administrators should be the only role on these capabilities:

 
| Parent Capability | Child Capability |
|---|---|
| Administration | Adaptive Analytics Administration |
| Administration | Administration tasks |
| Administration | Collaboration Administration |
| Administration | Configure and manage the system |
| Administration | Controller Administration |
| Administration | Distribution Lists and Contacts |
| Administration | Manage Visualizations |
| Administration | Metric Studio Administration |
| Administration | Mobile Administration |
| Administration | Planning Administration |
| Administration | PowerPlay Servers |
| Administration | Printers |
| Administration | Query Service Administration |
| Administration | Run Activities and Schedules |
| Administration | Set Capabilities and Manage UI Profiles |
| Administration | Styles and Portlets |
| Administration | Users, Groups, and Roles |
| Manage Content | |
| Save to Cloud | Manage Connections |
| Specification Execution | |
 

After I remove all roles except for administrator from this group, I use the Manage > Licenses to make sure I did not miss anything. I log on as an Analytics Explorer and make sure that that user does not show up as an Administrator:

 
Checking roles and licensing
 

If you missed one of the capabilities, you will see the user under the Analytics Administrator license role.

Analytics Explorers have just a few capabilities that apply to them (and Administrators). Please remember that these license roles could always change – check your licensing to make sure you are in compliance.   

 
| Parent Capability |
|---|
| Desktop Tools |
| Import relational metadata |
| Notebook |
| Self Service Package Wizard |
 

Analytics Viewers ONLY have these capabilities:

 
| Parent Capability | Child Capability |
|---|---|
| Adaptive Analytics | |
| AI | Learning |
| Cognos Viewer | |
| Cognos Viewer | Context Menu |
| Cognos Viewer | Selection |
| Cognos Viewer | Toolbar |
| Collaborate | |
| Collaborate | Allow collaboration tools |
| Collaborate | Launch collaboration tools |
| Dashboard | |
| Data Manager | |
| Detailed Errors | |
| Email | |
| Email | Include link in email |
| Email | Share using email |
| Email | Type in external email |
| Execute Indexed Search | |
| External Repositories | |
| External Repositories | View External Documents |
| Glossary | |
| Hide Entries | |
| Lineage | |
| Mobile | |
| Planning Contributor | |
 

The Analytics User role has access to the rest of the capabilities. This means that the remaining capabilities should have Analytics Administrator, Analytics Explorer, and Analytics User as the roles.

 
How to set capabilities for Analytics Administrator, Analytics Explorer, and Analytics User in IBM Cognos Analytics
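
The tier lists above can be turned into a repeatable check. The following is an added example, not code from the original article or from IBM: it takes a capability-to-role mapping and reports roles sitting on capabilities above their license, plus the license role each one would end up counted as. The mapping is constructed sample data in an assumed `Parent/Child` notation, only a subset of this page's capability names is encoded, and anything other than the four roles is flagged.

```python
# Added example: capability names come from the lists on this page; the
# assignment data is constructed, not exported from a real Cognos system.
TIERS = ["Analytics Viewer", "Analytics User", "Analytics Explorer",
         "Analytics Administrator"]

# Subsets of the page's lists, written as "Parent/Child" (assumed notation).
ADMIN_ONLY = {"Administration/Users, Groups, and Roles",
              "Administration/Set Capabilities and Manage UI Profiles",
              "Manage Content", "Save to Cloud/Manage Connections",
              "Specification Execution"}
EXPLORER = {"Desktop Tools", "Import relational metadata", "Notebook",
            "Self Service Package Wizard"}
VIEWER = {"Cognos Viewer", "Dashboard", "Email/Share using email",
          "Glossary", "Lineage", "Mobile"}

def min_tier(capability):
    """Lowest license tier allowed on a capability; unlisted ones are User-level."""
    if capability in ADMIN_ONLY:
        return 3
    if capability in EXPLORER:
        return 2
    if capability in VIEWER:
        return 0
    return 1

def audit(assignments):
    """Return (violations, effective license role per role) for capability -> roles."""
    violations, effective = [], {}
    for capability, roles in sorted(assignments.items()):
        need = min_tier(capability)
        for role in roles:
            if role not in TIERS:  # e.g. Everyone or a leftover default group
                violations.append((capability, role, "not a license role"))
                continue
            if TIERS.index(role) < need:
                violations.append((capability, role, "needs " + TIERS[need]))
            # A role is counted at the highest tier of any capability it holds.
            effective[role] = max(effective.get(role, 0), need)
    return violations, {r: TIERS[t] for r, t in effective.items()}

# Constructed sample: one admin-only capability was missed during cleanup.
SAMPLE = {
    "Administration/Users, Groups, and Roles": ["Analytics Administrator"],
    "Specification Execution": ["Analytics Administrator", "Analytics Explorer"],
    "Notebook": ["Analytics Administrator", "Analytics Explorer"],
    "User defined SQL": ["Analytics Administrator", "Analytics Explorer", "Analytics User"],
    "Cognos Viewer": TIERS + ["Everyone"],
}
```

Calling `audit(SAMPLE)` flags the Explorer role on Specification Execution and shows that role being counted as Analytics Administrator, which is the same symptom the Manage > Licenses check surfaces.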
 

This is not a quick job. It is time-consuming and you have to be very careful. Having test users to make sure you have the licensing right can be really helpful. If you don’t have the time or resources to complete this daunting task, don’t be afraid to reach out. Our clients tend to love our flexible SaaS anywhere plan which would take care of all the nitty-gritty there is to do with your environment.

If you have any questions or would like PMsquare to provide guidance and support for your analytics solution, contact us today.