Business Intelligence Cognos IBM

Mastering IBM Cognos Security

Jason Clements
Written by Jason Clements

Understanding Cognos Access Permissions Settings on Cognos objects

Cognos Access Permissions settings on Cognos objects are use to grant or deny access or actions for specific security objects, usually Groups or Roles. There are five access permissions which are described briefly here.

Cognos Access Permissions

ReadView all properties including output
Create a shortcut to an object
WriteModify properties of or delete an object
Create objects in a container such as a package or folder
Modify an object’s specification in a studio: Report Studio, Query Studio, etc.
Create new outputs for a report
ExecuteRun objects such as reports, report views, events and metrics
Set PolicyRead and modify the security settings for an object
TraverseView the contents of a container such as a package or folder

In addition to these access permissions there are other important rules which influence a user’s access to and available actions on an object.

Cognos Group / Role Membership

A user assumes the combined access permissions of all the groups and roles defined for an object of which the user is a member (explicit or implicit)

Granted and Denied Access in Cognos

Denied Access has precedence over Granted Access

Traverse Access in Cognos

To access an object a user must have Traverse access permission on all of the ancestors of the object.

Ownership of Objects in Cognos

The owner of an object has full access permissions to the object (but still requires traverse access).

Cognos System Administrators

Users which are members the System Administrators Role in the Cognos namespace have full access permissions to all objects.

Access Permission Inheritance in Cognos

Access permissions on a content store object are by default inherited by its parent. To assign different permissions on an object then check the ‘Override the access permissions acquired from the parent entry’ option on the permissions form.

If you want clear any overridden permissions on the descendants of an object then check the ‘Delete the access permissions of all child entries’ option on the permissions form.

The inheritance of security settings in Cognos makes administration easier when dealing with a large number of objects. With well thought out organization of the content store objects only a single ancestor’s security will need to change.

However, when security is overridden at lower levels in the object hierarchy it becomes difficult to determine where these overrides exist and what impact they have.

About the author

Jason Clements

Jason Clements

Who is Jason Clements? Good question. He is a husband, father, BI consultant, and database administrator, He has been working with SQL Server for a decade, working primarily in business intelligence, ETL/SSIS, data quality, and reporting. Jason is employed with BlueNET Technologies as Senior Business Analytics Consultant.

As an active member of the community, Jason has spoken at regional and local venues including the vendor based trade shows and various user groups & webcasts. He is an active group member and speaker at the North Georgia SQL Server User Group in the ATL area.

1 Comment

Leave a Comment