Data Sources Create a connection definition in Cognos Step 2: Create a Cognos Account on Each Data Source Step 1: Import Metadata Step 3: Publish Package Step 4: Report Author Create Report from Package Step 5: Report Consumer Consumer Runs Report Step 7: Framework Manager Developer Publish the Report Step 6: Cognos S ECURITY S S S S S S S

Returning…

Create a Cognos Logon  The Cognos logon can be given as much or as little access as needed.  The access given to this logon completely controls what can be provided through Cognos. The access can be sub-divided based upon user and role, but cannot be expanded.  It is possible to work with existing logons.  It is possible to work with multiple logons, each granted access to part of the data; each logon would go through the following steps; can create access duplication and problem-solving difficulties Return

Create a Connection with Cognos ReportNet  Creating a connection is done by a Cognos administrator. (Brian and Clif for now)  The connection uses the logon/password defined for Cognos.  The Cognos administrators are the only people who know the logon/password. No users interact directly with this logon.  The administrator will then grant permission for this connection to an approved person or group to do the metadata for the data. Note: The connection could be defined to require the user to enter a login/password. However, each subsequent step may then get a different result based on the logon supplied. Return

Import Metadata into Framework Manager  Done by a Cognos data modeler (25 licenses available)  Uses the named connection created within Cognos  The developer does not need the logon/password or connect string in order to use the connection.  Cognos lists all of the tables/views/synonyms available to the logon/password, and the developer chooses which definitions to bring in.  Cognos has the ability to import table relationships, if they are defined in the database.  Packages are defined by grouping tables together. In DSS this corresponds to star-join models. Return

Publish Datamodel Packages  Done by a Cognos data modeler (25 licenses available)  Packages are saved to the Cognos server and access is granted to approved report author / consumer roles Return

Create Reports from Datamodels  A Report Author is defined as someone who has been given a license to run Report Studio and Query Studio (200 licenses)  A Report Author creates a report based on the datamodel packages published from Framework Manager  A Report Author is shown only packages they are granted access to  The Author needs to be aware of column-based and row-based security that is embedded in the datamodel  The Author first tests the report, and then saves the report in a defined folder so that the QA process can be conducted Return

Cognos Account Security  When the Cognos account is created, the tables and files it has access to should include all of the tables needed by your data consumers  As an example, on the data warehouse (DSS), the Cognos account has complete access to Student, Financial and Employee data  Users are granted access to a subset of the data available to the account, and Cognos does not show other data  For instance, a user with the role DSS_Financial_Complete sees only packages and reports granted to that group Return

Connection Definition Security  A connection to the data source is created using the Cognos account.  Based on a data modeler’s access permissions, they will be shown only the data sources they have been granted access to  If a data modeler has not been granted access to access a particular data source, the data source will not be shown and cannot be chosen by the user.  The connection information (username and password) is encrypted using MD5 and stored on the Cognos application server, which is protected by an F5 firewall router. Connections to the Cognos server are restricted to a select number of fixed IP addresses. Return

Framework Manager Table Security  Tables can have column or row-based restrictions defined  For instance, the Employee table has Object Security defined for fields restricted from “general” access; these fields are allowed only for “complete” roles. The table is allowed for both “complete” and “general” users, but “general” users see only part of the fields and get an error if they try to run a report which includes restricted fields  The Account Balance table has a Security Filter applied. “Complete” and “general” users see all the columns, but “general” users see fewer rows, based on the rows allowed by the security filter Return

Package Security  A package is an individual or set of data models that a report author can use to create reports.  When a data modeler publishes a package, access to that data is granted to author and report viewer roles  Column and row security can be specified within the tables based on a user’s role. Return

Report Authoring Security  Report author sees only data they have been granted access to via roles they have been assigned to  Report author must also be granted role to use an authoring tool (QueryStudio or ReportStudio) Return

Report Security  When a report is published, a hyperlink is created on the Cognos portal, in the defined folder structure, with default roles assigned to the folder  If a user is granted permission to run a report, this hyperlink is visible.  If a user is not granted permission to run a report, the hyperlink is not visible. Even if the user is sent the hyperlink, the user will get an error when they attempt run the report  Administration of this access can be done centrally, or it can be distributed to the security administrators for a particular area. For example, Cheri Rawles has been given access to publish reports for Financial and Employee DSS data, and to give data access to those users who have been authorized by the data stewards. Return

Report Viewing Security  Reports are run using a standard web browser  The system will only accept requests using the Secured Sockets Layer (SSL) protocol, which encrypts all of the data during transmission  The report viewer user can only run reports they have been granted access to, as Cognos shows only these reports in the web portal  The report viewer user will get an error if they try to run a report they were granted access to, if the report contains data they are not granted access to  The report viewer cannot see or determine a report’s data source, the data connection used, or the logon / password used to access the data, except as that information is documented in metadata descriptions of the report Return

Next

Return

Data Sources Create a connection definition in Cognos Step 2: Create a Cognos Account on Each Data Source Step 1: Import Metadata Step 3: Publish Package Step 4: Report Author Create Report from Package Step 5: Report Consumer Consumer Runs Report Step 7: Framework Manager Developer Publish the Report Step 6: Cognos S ECURITY S S S S S S S