In ensuring that our web parts, in particular our Navigation Web Part, only show those folders, packages, reports and other Cognos object types that a user is permitted to see, we have had to fully understand all the options available for Cognos Adminstrators in Cognos Connection. Why that is hard for Solution Providers like QueryVision is that some of that behavior is not built into the Cognos SDK – we’ve had to duplicate/emulate the Cognos Connection behavior. And, in working through our understanding of all the options, we uncovered a sophisticated set of options for showing and hiding objects from users beyond what is handled by straight user permissions (e.g. denying access to a folder for user group X). For users of our web parts and for any Cognos Administrator, understanding these options and how they interact is essential to ensuring users see what they need to see, but only what they are permitted to see.
Cognos Connection options
Cognos Connection has a number of techniques for hiding objects from users which need to be hidden for security, usability or other reasons.
- Hiding objects based on user permissions
- Object Disabled flag
- Object Hidden flag
Note that all these techniques are active simultaneously so any given object can be hidden for one or more reasons.
Hiding objects based on user permissions
For all versions of Cognos 8/10, changes to the system.xml file can change which objects are visible to users based on the user’s permissions for that object. Note that this is a global change to all objects in the content store. On the cognos server there are numerous system.xml objects within the folders. The one of interest is located at <installation location>\templates\ps\portal. The entry to change is the following (default value shown):
<!-- CM filter added to content requests to only return objects "visible" to the current user -->
<param name=”visible”>[permission("read") or permission("write") or permission("execute") or permission("traverse") or permission("setPolicy")]</param>;
A more human readable version of this is:
<param name="visible">[permission('read') or permission('write') or permission('execute') or permission('traverse') or permission('setPolicy')]</param>
The default is for all objects to be visible if the user has any permissions set for an object. To hide objects from a user, remove one or more permissions. Popular examples of the settings:
- Remove traverse – visibility = (read or write or execute or setPolicy)
This hides objects for where the user’s permissions are only traverse.
- Remove traverse, execute – visibility = (read or write or setPolicy)
This hides objects for where the user’s permissions are only traverse, execute or traverse & execute. This is a popular choice for hiding packages and top level folders.
Hiding objects with the Disabled flag
For all versions of Cognos 8/10, each object has a disabled property. If an object is disabled, it will be hidden from the user unless they have “write” permission for the object.
Hiding objects with the Hidden property
8.1 to 8.3
In ealier versions of Cognos 8 an object was hidden from the user if the object’s hidden property was set. However, a user can see hidden objects if their “showHiddenObjects” preference is set to true.
Cognos 8.4 +
With Cognos 8.4 and higher, more sophisticated control over a users ability to override hidden was introduced, which allows administrators to stop users from using showHiddenObjects to override the hidden property of an object, unless they are the object owner. Cognos 8.4 adds an additional user capability, “canUseShowHiddenObjectsPreference”, plus logic included to determine if a user should see a hidden object or not.
| Object: hidden flag | User Preference: show hidden objects | User Capability: canUseShowHiddenObjectsPreference | Object: owner | Object: shown to the user? |
| true | true | true | true | |
| true | true | false | true | true |
| true | true | false | false | false |
| true | false | false | ||
| false | true |
QueryVision Web Parts options
QueryVision web parts support the full range of techniques for hiding objects when displayed in the Navigation web part and other parts where cognos content can viewed, including search. To support the ability to hide objects based on user permissions in the system.xml file, an entry is required in QvtConfig.XML as the web parts do not have dynamic access to the Cognos system.xml file. A benefit of this approach is it allows independent setting of permission based object hiding for QueryVision web parts. In QvtConfig.XML each CrnServer section contains the following entry (default shown):
<Visibility>traverse, execute, read, write, setPolicy</Visibility>
As a default it is recommended to change this to the equivalent entry in system.xml, as described earlier in this document.
In Part 2, we’ll talk about enabling or disabling a user’s tabs as yet another way of showing & hiding Cognos content.
We’ve done what it takes to make objects that only have Execute and Traverse (not read) on it not visible. However, this only applies to Cognos Connection. It does not apply to the studios. So an object a user doesn’t have Read access to isn’t visible in the portal, it is visible to them when they go to launch Query Studio for example. We are trying to make a package invisible to certain users, but they can see it when launching Query Studio. If they try to select it they get a security error. It’s not ideal. Any ideas?