Managing Cognos Administration and Test Users with a Relational Authentication Provider

The Challenge

Administering and testing Cognos applications typically requires creating and changing administration and test user accounts, permissions and group/role memberships:

  • Create test users and assign them group/role memberships that match those of each of the different Application users.
  • Grant temporary Administrative accounts or privileges to Cognos Developers for one-time or infrequent update tasks.
  • Provide Administrative accounts unique to Cognos, which can be changed at any time, to allow third-party Cognos Application Administration.

Where Cognos and/or the Authentication Provider for Cognos (e.g. Active Directory, LDAP, Netminder, …) are managed by central groups or services, these tasks can incur service charges for each change, suffer lengthy approval or implementation delays, or even be refused under one or more service policies.

The Solution

Have a dedicated Cognos Authentication Provider for Test and Admin

Cognos allows multiple Authentication Providers to be configured for a single Cognos installation. Users, groups and roles from each provider can be independently mapped into Cognos namespace Groups and Roles. This allows a separate Authentication Provider to be used for Test/Admin users, independently of users authenticated by central Active Directory, LDAP or Netminder providers, but still under Cognos Administrator control and with full support for the Cognos Security model.

There are some key advantages to this approach:

  • Adding, changing or removing test or admin accounts and their group/role memberships within the Test/Admin namespace can be achieved independently by the Application development team.
  • The Corporate Authentication provider service is relieved of creating or managing Cognos specific user accounts and groups.
  • [Central] Cognos Administrators can pre-configure limited Cognos Groups and Roles for users and groups from the Test/Admin namespace, giving Application Administrators and Developers the control they need without granting Cognos Server or System Administrative privileges.

While a separate Active Directory or LDAP Authentication Provider could be set up, its configuration and management can be non-trivial, it can require a dedicated machine (or VM) and substantial additional license or product costs, and it can run into corporate policy issues (e.g. restrictions on installing Active Directory within the Corporate domain).

An alternative solution is to add what Cognos refers to as a “Custom Authentication Provider” (CAP). The CAP architecture allows a fully secure and compliant Authentication Provider to be added, one in which custom features can be included and the authentication mechanism and data source can be customized.

QueryVision’s Test/Admin Authentication Provider

QueryVision's out-of-the-box Relational Authentication Provider uses any standard JDBC-connectable database (including SQL Server, DB2, Oracle, SQL Server Express, MySQL, …) as the Authentication authority and data source. The database contains the User accounts (including IDs and Passwords), Groups and Roles. These can be freely assigned either directly to Cognos permissions and capabilities or via Cognos namespace groups and roles. This solution also provides for encrypting authentication database access and configurable encryption of user passwords (default is SHA-1 one-way hashing).

This solution provides the ability to add, change or remove users and user/group/role assignments for Test/Admin purposes. These changes only affect the secured relational authentication database and do not require Cognos Admin or central Authentication Manager intervention.

QueryVision is currently exploring a low-cost, limited version of its Relational Provider for Administration and Test Users. Contact us at sales@QueryVision.com for details.