The document discusses IBM Cognos security best practices. It begins with an overview of Cognos security concepts like authentication, authorization, namespaces and the Cognos Application Firewall. It then lists several best practices for securing a Cognos implementation, such as disabling anonymous access, removing default permissions, and thoroughly testing user access. The document also provides examples of different permission levels and how they control user actions in the Cognos system.
1. IBM Cognos® Security Best Practices
Wisconsin User Group, March 2014
Kirk Wiseman
PerformanceG2, Inc.
2. Agenda
- Authentication versus Authorization
- Overview of Cognos Security
- Best Practices
- Questions
3. Authentication vs Authorization
- Cognos security is based on authentication and authorization.
- Authentication -- You are who you say you are.
- Authorization -- What you can or cannot do.
- Authentication is handled by a 3rd-party security tool such as Active Directory, LDAP or OpenLDAP.
- Authorization is handled through Cognos using groups, roles, capabilities and permissions.
4. Cognos Security Overview
- Namespaces
  - External authentication providers are set up as namespaces in Cognos.
- Cognos Namespace
  - A built-in namespace that provides pre-defined security entries, including: groups, roles, data sources, distribution lists and contacts.
  - Cannot be deleted.
  - Cognos groups and roles are optional.
- Cognos Application Firewall (CAF)
  - Acts as a smart proxy for the gateways and dispatchers.
  - Analyses, modifies and validates HTTP and XML requests.
  - Prevents malicious code from being inserted.
  - Turned on by default – LEAVE IT ON!
5. Cognos Security Best Practices
- Immediately after install and configuration:
  - Turn off anonymous access and enable an external authentication provider.
  - Add at least two groups of administrators to the Cognos System Administrator group.
  - Remove the Cognos Everyone group from everything.
- Plan your security sooner rather than later.
  - Plan it out on paper, Excel, etc. first.
  - Decide whether you are going to utilize the optional Cognos groups and roles, your authentication provider's groups, or a combination of both.
- Set up capabilities early.
- Create your folder structure early and set permissions using allow.
- Use DENY sparingly, if at all!!
- Set up test users and test each and every scenario.
6. Cognos Security Best Practices
- If setting up Single Sign-on, do it after all other testing has been accomplished.
- If access is to be given outside of the company's firewall, then set up SSL.
- Set the Valid domains option.
- Maintain a security process document for your organization.
7. A little bit about Permissions
- Read
  - View all properties of an entry, including report specs, report output, etc.
- Write
  - Modify properties of a report
  - Delete an entry
  - Create entries
  - Modify reports
  - Create new outputs
- Execute
  - Reports, agents, etc. can be run.
  - Data sources can retrieve data.
- Set Policy
  - Read and modify security settings
- Traverse
  - The ability to see through an object to its children.
8. Permission Examples

Action                          Permissions required
------------------------------  ------------------------------------------------------------------
Add an entry                    Write permissions for a parent entry
Query the entry properties      Read permissions for an entry
View the children of the entry  Traverse permissions for an entry
Update an entry                 Write permissions for an entry
Delete an entry                 Write permissions for an entry, and write permissions for a
                                parent entry
Copy an entry                   Read permissions for an entry and any child entries, traverse
                                permissions for all of the children, and write and traverse
                                permissions for the target parent entry
Move an entry                   Read and write permissions for an entry, write permissions for
                                both the source parent entry and the target parent entry, and
                                traverse permissions for the target parent entry
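The permission table above encoded as a checker, as an added example that is not part of the original deck or of Cognos itself: the entry tree, the per-entry permission sets and the `can()` function are constructed here to show which combination of read/write/traverse each action needs, and why a test user with read-only access to a folder cannot delete or move a report inside it.

```python
# Added example (not Cognos code): a model of the "Permission Examples" table.
# Constructed sample: one user's effective permissions on each entry, keyed by path.
acl = {
    "/Public": {"read", "traverse", "write"},
    "/Public/Sales": {"read", "traverse"},            # read-only folder for this user
    "/Public/Sales/Q1 Report": {"read", "write"},
    "/Public/Archive": {"read", "write", "traverse"},  # a folder the user may write to
}


def perms(entry):
    """Permissions held on an entry; an unknown entry grants nothing."""
    return acl.get(entry, set())


def parent(entry):
    return entry.rsplit("/", 1)[0] or "/"


def descendants(entry):
    prefix = entry.rstrip("/") + "/"
    return [e for e in acl if e.startswith(prefix)]


def can(action, entry, target_parent=None):
    """Return True if the user holds every permission the table requires."""
    p = perms(entry)
    if action == "add":            # write on the parent of the new entry
        return "write" in perms(parent(entry))
    if action == "query":          # read on the entry
        return "read" in p
    if action == "view_children":  # traverse on the entry
        return "traverse" in p
    if action == "update":         # write on the entry
        return "write" in p
    if action == "delete":         # write on the entry and on its parent
        return "write" in p and "write" in perms(parent(entry))
    if action == "copy":           # read on entry and children, traverse on
        kids = descendants(entry)  # children, write+traverse on the target
        return ("read" in p
                and all({"read", "traverse"} <= perms(k) for k in kids)
                and {"write", "traverse"} <= perms(target_parent))
    if action == "move":           # read+write on entry, write on both
        return ({"read", "write"} <= p  # parents, traverse on the target
                and "write" in perms(parent(entry))
                and {"write", "traverse"} <= perms(target_parent))
    raise ValueError(f"unknown action: {action}")
```

Run the checks for each scenario in the deck's "test each and every scenario" sense: the read-only Sales folder blocks add, delete and move even though the user can update the report itself.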