What are Cognos predefined roles for?

Hi,
I’m trying to setup new roles in the Cognos 10.1 namespace to serve my specific security requirements. My goal here is to define my own roles by adding those Cognos standard roles that I need. This way I’m not modifying the Cognos standard roles at all, but rather do all customization in my own roles, to improve maintainability of this solution.
In particular, I’ve created the following new roles and assigned some standard Cognos roles to them:

[ul][li] My Report Administrators Role - allows administration of reports and folders, but not of security settings; has the following Cognos standard roles:
Report Administrators
Server Administrators
Authors
[/li]
[li]
My Report Writers Role - can create new reports, but cannot do any administration; has the following Cognos roles:
Authors
[/li]
[li]
My Report Viewers Role - can run and schedule reports, but not create new reports or do any administration; has the following Cognos roles:
Consumers
[/li][/ul]

From the Cognos role description I’ve got from here: http://publib.boulder.ibm.com/infocenter/cbi/v10r1m0/index.jsp?topic=%2Fcom.ibm.swg.im.cognos.ug_cra.10.1.0.doc%2Fug_cra.html

<blockquote>[b]Report Administrators[/b]: Members can administer the public content, for which they have full access. They can also use IBM Cognos Report Studio and IBM Cognos Query Studio.

[b]Authors[/b]: Members have the same access permissions as Query Users and Analysis Users. They can use Report Studio, IBM Cognos Business Insight Advanced, Query Studio, and Analysis Studio, and save public content, such as reports and report outputs.
</blockquote>

I’ve assumed that my Report Administrators would have access to Report Studio, at least, and be able to create new reports and so forth, and same for Writers. However, when I login as a user with one of those roles - they do not even have an option to go to the Report Studio, or Query Studio - neither from the “Launch…” menu nor do they have this “Open in Report Studio” button next to a report.

So, my question is - what do these predefined Cognos roles really mean? Sounds like their descriptions are not really correct in the documentation? or am I missing some other pre-conditions?

Thank you!
Marina

strange… when i add someone to my predefined role “report administrator” and i close all browsers and lof in as this person i get access to report studio.

Did you change the default security (predefined roles/capabilities?)

Steps to add ‘repot administrator’ Role
In IBM Cognos Connection, in the upper-right corner, click Launch, IBM Cognos Administration.

On the Security tab, click Users, Groups, and Roles.

Click the Cognos namespace.

For the role you want, in the Actions column, click the set properties button.

On the Members tab, modify the membership list:

Ensure that one or more users defined in your authentication provider are members.

Remove the group Everyone.

Click OK.

On the Permissions tab, set access permissions for this role to prevent unauthorized users from creating, updating, or deleting the content, and then click OK.

For every other role, repeat steps 3 to 6.

When you look at the members tab of ‘report administrator’ role properties, do you see the correct user/group/roles?

Hi, CognosGuru,
Thank for the reply!
Now that you asked - yes, I did modify the standard Cognos roles slightly - I took out Everyone group from all other groups and roles they were members of by default. I did it on purpose, to setup a configuration where no user would have access to anything in Cognos unless I specifically gave him a role he is entitled to.
So, in particular, I did the following:

a. removed "Everyone" group from "System Administrators" Role 
b. removed "Everyone" group from other roles/groups 
	i. Adaptive Analytics Users
	ii. Analysis Users
	iii. Authors
	iv. Consumers
	v. Controller Users
	vi. Data Manager Authors
	vii. Express Authors
	viii. Metrics Users
	ix. Planning Contributor Users
	x. PowerPlay Users
	xi. Query Users
	xii. Readers
	xiii. Statistics Authors

After that, I have give specific roles to my test users/groups as described in my first post.

So, is it required that Everyone has some role in the system?

thanks again,
Marina

Marina,

Everyone role is created for the ease of setting up security in Cognos. It is not mandatory to use it. If you want to provide everyone logged into Cognos to get some permission, you can use the “everyone” role.

For example everyone who can log into Cognos Connection is by default consumer. So you add the “everyone” role to the ‘members’ tab of the role ‘consumer’.

If you do not see report studio when you log in, you are NOT a member of the role “Report administrators”. If you do not use the default provided Cognos roles than you are not a member of the capability “Report studio”.

Check these memberships of the role and capability. And let me know if it is working.

good luck!

Hi, Matijn,
Thanks for the pointers. You know, you brought up an interesting angle - you (and others) were asking me to check whether my users are members of Cognos standard roles… Actually, this is not how I setup the system - and maybe this is part of the problem…
My goal was to come up with a “minimally intrusive” solution, where minimal changes would be done to the standard Cognos settings/ roles and most of the settings would be done on my own custom roles. This way, I was hoping, it would make it much easier to deploy this solution to customer’s own Cognos server, without the need to re-configure their whole server…

Anyway, what I did was not add my groups as members of Cognos standard roles (like Report Administrators", but rather create my own new role , “My Report Administrators”, and add whatever standard Cognos roles I deemed needed to that role. And, of course, also add my LDAP user group as a member of this role as well.
So, the final setup for, say , “My Report Administrators” would be:
members of this role:

[ul][li][Cognos] Report Administrators[/li]
[li][Cognos] Server Administrators[/li]
[li][Cognos] Authors[/li]
[li]My LDAP user group[/li][/ul]

and my user, say, radmin1, would be a member of the “My LDAP user group” group, whose membership is controlled by my LDAP server.

I’ve assumed that roles in Cognos are somewhat ‘transitive’ - it does not matter if a Role A has a Role B as a member or a RoleB has a Role A as a member - as long as the user is a member of the parent group he would also get the permissions from all children roles as well… Is it not how Cognos works?

The second comment that you made also got me thinking: you mentioned that my user has to be a member of the “Report Studio” capabilities. I did not touch capabilities at all, because, again, I’ve assumed that the standard Cognos roles would already be configured to have all necessary permissions for capabilities. So, if a user, say, has Cognos “Report Administrators” role he would inherit the necessary permissions for the Report Studio capability… Am I wrong here again?

Please correct me in my understanding of how Cognos security works,

thanks!
Marina

Hi Marina,

I would setup something like this:

Your newly define Cognos role "My report administrators"
member of:
[Cognos] Report Administrators
[Cognos] Server Administrators
[Cognos] Authors

and ldap group something like this:
[LDAP]Cognos report administrators (containing the radmin1 user)

is a member of your Cognos role “My report administrators”

This is the link between your LDAP user(group) and the Cognos role "My Report Administrator). Without this link you would get the permissions you get from the predefine group “all authenticated users”. By default you get no studios if i recall correctly.

Let me know if this setup works, or just try to make your radmin1 user a member of the default [Cognos] Report Administrators role. So you can see how it works.

Hi, Martijn,

thank you for the suggestion. Yes, it does work if I modify the Cognos standard roles to contain my custom role as a member. This is not exactly how I wanted to do it - but at least I have one option that is working. I would prefer not to touch standard Cognos roles at all…

Now, if the only way to manage security is by modifying Cognos predefined roles - I have my next question:
How do you manage deployments of such solutions to a customer that already has a Cognos server with , potentially, their own customizations / changes to the standard roles?

Here is an example:
Lets assume I have modified the Cognos Report Administrators role - added my custom “My Report Administrators” role as a child to it.
And lets assume that a customer has also modified this Cognos role on his server and added his own group/role to it: “Customer Report Administrators”.

Ideally, once I deploy our solution (import my own package) onto the customer’s Cognos server, I would like those setting to be merged, not overwritten by my (or customer’s) settings. So, I would like to see the Cognos’s role have both my role and the customer’s role:

Cognos Report Administrators:
child1: My Report Administrators
child2: Customer Report Administrators

How do I achieve this? Form what I can tell, there are only a few options:

Option1: import my package (which contains model, reports, new custom roles, folders with security settings) into the customer’s Cognos server and pick options for the import such that my settings are added to the customer’s settings (not overwrite them)

Option2: write some utility using Cognos SDK to programmatically modify all necessary Cognos roles to include my settings
Option3: provide good documentation and ask the customer to manually modify all standard Cognos roles and add my sepcified roles to them

I would like to know if Option1 is even feasible - as this would eliminate a lot of pain.
Option2 means a lot of work - but would sure be better than Option3…

Please let me know if I’m missing something.
Thanks a lot for all the help,
Marina