A Service Account allows a SharePoint site or sub-site displaying one or more Cognos based dashboards or reports to use a single Cognos account to transparently authenticate for all users.
This can be useful in several scenarios:
- Unrestricted Public site – users can access all content, including Cognos
- “Registered” Public site – users have to register to get access to “high value” content, such as Cognos reports. This allows tracking of who is using the site (and Cognos content) and what they are accessing, while transparently controlling which Cognos account is used
- Multi-client/customer external facing sites – one per customer. Either a single Service Account is used for all visitors from that customer or a small number of sub-sites and Service Accounts for different (SharePoint defined) groups within that customer
Is my application a candidate for Service Accounts?
While external facing sites are obvious candidates for Service Account use, Intranet applications can also qualify.
SharePoint applications that access Cognos BI have to manage both SharePoint access, rights and privileges and Cognos access, rights and privileges. If SharePoint users are also Cognos users and if the SharePoint authentication authority (e.g. Active Directory) is also the Cognos authentication authority, then Single Sign On simplifies life by only having a single account for both SharePoint and Cognos.
However, there are cases where SharePoint and Cognos use different authentication authorities, which would require separately managed accounts for each user (one for SharePoint and one for Cognos) and require that the user log in twice or use a more sophisticated SSO technique (e.g. Quervisions Dynamic SSO).
An alternative is to manage access to SharePoint sites and sub-sites by the User or (preferred) SharePoint Group membership and use Service Accounts for Cognos to provide what feels like “Single Sign On” to the user, but is in fact using a transparent hidden Cognos account which is decoupled from SharePoint authentication.
Service Account Candidate
- One or more relatively large (application) groups of people which share the same access rights (Cognos Group) and privileges (Cognos Role) within Cognos
- High (SharePoint Application) user churn, but stable SharePoint Groups and SharePoint Group to Cognos Group mapping
Use an Individual Account (SSO, Challenge/Response)
- Many groups of users with different Cognos access rights and privileges
- Users can belong to multiple Cognos Groups