Secure

26 Apr 2024

Security Auditor

Security Auditor is used to generate datasets containing detailed membership and access rights information describing who has access to what and why.

Generate Datasets with Security Auditor

To begin generating a dataset you must:

  1. Select the output format:

    1. Save a Security Snapshot

    2. Delimited text (csv)

    3. Microsoft SQL Server

    4. Oracle

  2. Specify Provider Details if you are documenting to a database.

  3. Select the option to audit access rights or not (query intensive).

  4. Click on ‘Run Audit’.

MetaManager™ Security Auditor UI

Configuring Security Auditor Data Providers

There are 2 data providers available for exporting the information, each with its own set of configuration values.

Configuring the CSV Data Provider

The CSV output option allows you to specify the output folder, delimiter and text qualifier.

Configuring the SQL Server Data Provider

The SQL Server data provider requires a Server, a Database, and, if using SQL authentication, a username and password.

Configuring the Oracle Server Data Provider

The Oracle data provider requires a Server:port#, SID, and a username and password.

NOTE: The items in the database will be created the first time the process is executed. The account used to connect to the database will therefore require the permissions necessary to create objects in the database. To create the objects manually, you may use the DDL file in your installation folder. The file location is typically C:\Program Files\BSP\MetaManagerTM\

NOTE: Configuration data for each provider is stored and becomes the default for future runs, so the next time you run the audit you do not have to configure the data provider unless

NOTE: Additional providers may be created in the future, if you have a specific need just let us know and we’ll see if we can create one for you.

Security Snapshot

After running an Audit with the Save Security Snapshot option selected, the user can use the drop-down in the Security Snapshot tab to view the lineage of the audit.

Show Memberships

Use the tree view to select an object and view the memberships in the grid area. The tool bar has zoom-in and zoom-out options. The user can see the lineage and select it within the grid area and use the link at the bottom to edit a selected object within Security Editor.

Show Access Rights

Allows users to view the lineage of access rights of a security object selected from the tree view. The user has the option to include reports in the lineage grid as well.

Security Editor

Security Editor gives the user the ability to view and edit any security within an IBM Cognos 8 environment. Dragging any object into the canvas area will allow the user to view and then edit the security capabilities for that particular object. Accounts, groups, and roles can be dragged directly into other objects for quickly securing reports or capabilities.

Canvas Functionality

Any supported object can be dragged from the Portal Tree and dropped into the canvas area. Some of the more common objects will be explained in more detail below.

Securing: Folders, Packages, and Reports

Dragging any of these objects to the canvas area will load all security associated with that object.

Figure 1 shows the options for changing an object's security:

1. Ability to add accounts, groups, or roles to the object

2. Ability to remove accounts, groups, or roles from the object

3. Ability to grant access

4. Ability to deny access

Override the access permissions acquired from the parent entry – By checking this box the user will override any inherited permissions from a parent object. By default, the rights will be grayed out and unable to be edited until this option is selected.

NOTE: After making any changes, “Apply Changes” must be clicked for the changes to take effect within the IBM Cognos environment.

Add / Remove Security Objects

Adding objects is as simple as dragging and dropping them from the Portal Tree to the object in the canvas area. Navigate the Portal Tree to find any Account, Group, or Role to add to the object.

There are 2 ways to remove any of the accounts, groups, or roles from the object. To remove one at a time, simply click the “X” next to the security entry that is to be removed. To remove multiple entries from an object, hold Ctrl or Shift to highlight more than one at a time, then right-click and select “Remove” or press the Delete key on the keyboard.

Granting / Denying Access Rights

After an additional account is added to the object being secured, it defaults to no access. The five columns display the access rights for Read, Write, Execute, Set Policy and Traverse. Click the box in the column and row for the right you want to grant or deny.

In addition, each access right can have the following values, as seen in Figure 1:

  • None (Blank)

  • Grant (Solid Image)

  • Deny (Image with a Slash)

Access Rights

Permissions and permitted actions:

Read

  • View all the properties of an entry, including the report specification, report output, and so on, which are properties of a report.

  • Create a shortcut to an entry.

Write

  • Modify properties of an entry.

  • Delete an entry.

  • Create entries in a container, such as a package or a folder.

  • Modify the report specification for reports created in Report Studio and Query Studio.

  • Create new outputs for a report.

Execute

  • Process an entry.

  • For entries such as reports, agents, and metrics, the user can run the entry.

  • For data sources, connections, and sign-ons, the entries can be used to retrieve data from a data provider. The user cannot read the database information directly. The report server can access the database information on behalf of the user to process a request. Cognos 8 verifies whether users have “execute” permissions for an entry before they can use the entry.

  • For credentials, users can permit someone else to use their credentials.

Note: Users must have “execute” permissions for the account they use with the run as the owner report option.

Set Policy

  • Read and modify the security settings for an entry.

Traverse

  • View the contents of a container entry, such as a package or a folder, and view general properties of the container itself without full access to the content.

Note: Users can view the general properties of the entries for which they have any type of access. The general properties include name, description, creation date, and so on, which are common to all entries.

Setting Groups and Roles Memberships

Using Security Editor, group and role memberships can be defined within seconds. Drag and drop any Group or Role into the canvas area and it will instantly display a list of its members.

Figure 2

In Figure 2, note that Craig and Matt are members of Group A and Group B, but Marty is only a member of Group A. If we needed to give Marty access to Group B we would simply drag and drop his name into Group B; this can be done by searching for Marty and dragging his name from the Portal Tree, or directly from his name in Group A.

The same is true for Roles. Any account, group or another role can be added to a role. As seen in Figure 2, the group Developers and the account Ari are in the role Authors, making Vince, Drama, Turtle, and Ari the accounts that have access to Authors.

NOTE: Changes are saved to the object instantly, there is no Save or Apply button to select.

Setting Account Memberships

When an account is dragged to the grid, Security Editor will display a list of the groups and roles that the account is a member of. There are two additional points to be aware of:

  • Only IBM Cognos groups and roles will be displayed as they are the ones that can be edited.

  • Only groups that the account is explicitly a member of will be displayed.

Security Find / Replace

Security Find / Replace is designed to search and replace security object CAMIDs in the Contact, Owner, Permissions, Members, and up to 40 other properties where a CAMID can exist on the selected object(s).

Security Find / Replace UI Functionality

A user can drag and drop any supported object into the canvas area for the module to process. There are two options for changing security: manual entry of a search and replacement string, or using a mapping file.

Security Find / Replace UI

Manual Entry

A user can manually enter a search string and a replacement string to modify the CAMIDs used on any of the supported objects in the canvas. The search and replacement string will be the CAMID of a User, Group, or Role. The module will search through the object and change any property that is associated with the search string.

Mapping File

A mapping file can be supplied to apply multiple changes to the CAMIDs used on any of the objects in the canvas. The mapping file contains one replacement per line: a search string, followed by a tab, followed by a replace string. A mapping file would look something like this:

Example of a Mapping File

Preview Mode

When this check box is selected, clicking “Update” will only preview the changes in the canvas area. When previewing the objects, MetaManager™ will display whether or not each object will be impacted under the ‘Status’ column.
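The mapping-file format and Preview Mode described above, as an added example that is not MetaManager's own code: a strict parser for the tab-separated file and a find/replace pass over an object's CAMID-bearing properties that, in preview mode, reports the status without touching the object. The CAMIDs, property names and the "Impacted"/"Unchanged" labels are constructed for the example.

```python
# Added illustration of the mapping-file format and Preview Mode; this is
# not MetaManager code.  The CAMIDs, property names and the status labels
# "Impacted"/"Unchanged" are constructed for the example.

# Constructed mapping file: <search CAMID> TAB <replace CAMID>, one per line.
MAPPING_FILE = (
    'CAMID("LDAP:u:uid=jsmith")\tCAMID("AD:u:sid=S-1-5-21-1")\n'
    'CAMID("LDAP:g:cn=Developers")\tCAMID("AD:g:sid=S-1-5-21-2")\n'
    '\n'
)


def parse_mapping(text):
    """Return the (search, replace) pairs of a mapping file, in file order.

    Blank lines are ignored.  A line without exactly one tab, or with an
    empty side, is rejected so a malformed file cannot silently rewrite
    the wrong CAMID.
    """
    pairs = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        parts = raw.split("\t")
        if len(parts) != 2 or not parts[0].strip() or not parts[1].strip():
            raise ValueError(f"line {lineno}: expected '<search>\\t<replace>'")
        pairs.append((parts[0].strip(), parts[1].strip()))
    return pairs


def find_replace(obj, pairs, preview=True):
    """Apply the mapping to every CAMID-bearing property of one object.

    obj: dict property name -> list of CAMID strings (Contact, Owner,
         Permissions, Members, ...).  CAMIDs are matched exactly and the
         first matching pair wins (an assumption; the page does not say).
    Returns (status, result).  With preview=True the object is returned
    unmodified and only the status is meaningful, mirroring the Preview
    Mode check box.
    """
    lookup = {}
    for search, replace in pairs:
        lookup.setdefault(search, replace)   # first mapping for a CAMID wins
    updated = {prop: [lookup.get(c, c) for c in camids]
               for prop, camids in obj.items()}
    status = "Impacted" if updated != obj else "Unchanged"
    if preview:
        return status, obj
    return status, updated
```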

Security Painter

Once a reporting and analytical environment has been established, it is often critical to secure the environment so that the appropriate users see only their applicable content and have access to only the appropriate Capabilities in the portal. Security Painter allows administrators to easily modify any object security within the Content Store (Packages, Folders, Reports, Capabilities, etc.) and then easily replicate the same object security to any one or more objects in the Content Store.

NOTE: It is strongly recommended that before any changes are made to reports using this or any other module of MetaManager™ you use the Create a Backup button on the module toolbar to back up the content pre-change.

MetaManager™ Security Painter UI

Securing Content Store Objects and Capabilities

To begin using Security Painter, you must:

  1. Identify the content/capabilities you wish to secure.

  2. Identify the security you wish to place on all of the objects selected above.

  3. Secure the objects.

Security Area

The security grid displays a list of roles, groups and accounts to be applied to the selected objects. The five columns display the access rights for Read, Write, Execute, Set Policy and Traverse.

In addition, each access right can have the following values:

  • None (blank)

  • Grant (solid image)

  • Deny (image with a slash)

Access Rights

Permissions and permitted actions:

Read

  • View all the properties of an entry, including the report specification, report output, and so on, which are properties of a report.

  • Create a shortcut to an entry.

Write

  • Modify properties of an entry.

  • Delete an entry.

  • Create entries in a container, such as a package or a folder.

  • Modify the report specification for reports created in Report Studio and Query Studio.

  • Create new outputs for a report.

Execute

  • Process an entry.

  • For entries such as reports, agents, and metrics, the user can run the entry.

  • For data sources, connections, and sign-ons, the entries can be used to retrieve data from a data provider. The user cannot read the database information directly. The report server can access the database information on behalf of the user to process a request. Cognos 8 verifies whether users have execute permissions for an entry before they can use the entry.

  • For credentials, users can permit someone else to use their credentials.

Note: Users must have execute permissions for the account they use with the run as the owner report option.

Set Policy

  • Read and modify the security settings for an entry.

Traverse

  • View the contents of a container entry, such as a package or a folder, and view general properties of the container itself without full access to the content.

Note: Users can view the general properties of the entries for which they have any type of access. The general properties include name, description, creation date, and so on, which are common to all entries.

Predefined Cognos Roles

The predefined roles within any new Cognos environment include the following:

  • Consumers – Members can read and execute public content, such as reports.

  • Query Users – Members have the same access permissions as Consumers. They can also use the Cognos Query Studio.

  • Analysis Users – Members have the same access permissions as Consumers. They can also use the Cognos Analysis Studio.

  • Authors – Members have the same access permissions as Query Users. They can use Cognos Report Studio and save public content, such as reports and report outputs.

  • Report Administrators – Members can administer the public content, for which they have full access. They can also use Cognos Report Studio and Cognos Query Studio.

  • Server Administrators – Members can administer servers, dispatchers, and jobs.

  • Directory Administrators – Members can administer the contents of namespaces. In the Cognos namespace, they administer groups, accounts, contacts, distribution lists, data sources, and printers.

  • Metrics Administrators – Members can administer Metric packages and tasks in Cognos Connection.

  • Metrics Authors – Members can create and edit scorecard applications in Metric Studio.

  • Metrics Users – Members can monitor performance in Metric Studio.

  • Portal Administrators – Members can administer the Cognos portlets and third-party portlets in Cognos Connection. This includes importing and customizing portlets, defining portlet styles, and setting access permissions for portlets.

  • Controller Users – Members have general access to Cognos Controller menus.

  • Controller Administrators – Members have full access to Cognos Controller menus and can create individual Cognos Controller users and define their limitations.

Users can populate the security area either by dragging a supported IBM Cognos object to the area, or by dragging accounts, classes and/or roles. If a supported object is dragged over, the current security of that object will be displayed, at which time it can be modified (items removed, or additional roles, groups and accounts added).

NOTE: Objects can be removed from the list by clicking the delete button or by selecting one or more rows and pressing the Delete key on the keyboard.

NOTE: Ctrl + A is supported to select all rows in the grid.

Objects Area

The objects area lists each of the objects to be secured. Unlike in previous releases, adding objects to the objects area will not load the current security for that object in the security area. To load the current security information, users must drag the object to the security area.

Objects can be removed from the list by clicking the delete button or by selecting one or more rows and pressing the Delete key on the keyboard.

NOTE: Ctrl + A is supported to select all rows in the grid.

Security Painter Options

  • Replace existing security policies – By default this option is checked; it replaces any existing security on the objects in the bottom pane with the security applied above.

  • Append to existing security policies – This option appends any security above to the policies already on the objects below.

  • Set security policies to inherit from parent – When checked, every object dragged to the bottom pane will have its security removed and changed to inherit rights from the parent.

  • Skip objects that inherit security – When checked, every object in the bottom pane that has inherited security will not receive any of the changes applied from the top pane.
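The four options above, as an added example that is not MetaManager's own code: a small model that applies a security grid to a set of bottom-pane objects under each mode and reports a per-object status. Object names, CAMIDs, the "Skipped" label and the right-by-right merge used for Append are constructed assumptions; the page itself only documents the Updating/Success/Failure statuses.

```python
# Added illustration of the Security Painter options; not MetaManager code.
# Object names, CAMIDs, the "Skipped" status and the Append merge rule are
# constructed assumptions for the example.

REPLACE = "replace"   # Replace existing security policies (the default)
APPEND = "append"     # Append to existing security policies
INHERIT = "inherit"   # Set security policies to inherit from parent

RIGHTS = ("Read", "Write", "Execute", "Set Policy", "Traverse")


def paint(objects, grid, mode=REPLACE, skip_inherited=False):
    """Apply the security grid to every object in the bottom pane.

    objects: dict name -> {"inherits": bool, "policies": {camid: rights}}
             where rights is a dict right-name -> "Grant" or "Deny";
             a right absent from the dict is None (blank).
    grid:    {camid: rights} as built from the security area.
    Returns dict name -> status and updates the objects in place.
    """
    for camid, rights in grid.items():            # validate the grid first
        for right, value in rights.items():
            if right not in RIGHTS or value not in ("Grant", "Deny"):
                raise ValueError(f"bad right {right}={value!r} for {camid}")

    results = {}
    for name, obj in objects.items():
        if skip_inherited and obj["inherits"]:
            results[name] = "Skipped"     # assumed label: no change applied
            continue
        if mode == INHERIT:
            obj["policies"] = {}          # own policies removed ...
            obj["inherits"] = True        # ... rights now come from the parent
        elif mode == REPLACE:
            obj["policies"] = {c: dict(r) for c, r in grid.items()}
            obj["inherits"] = False
        elif mode == APPEND:
            # Assumption: a CAMID already on the object is merged right by
            # right; new CAMIDs are added alongside the existing ones.
            for camid, rights in grid.items():
                obj["policies"].setdefault(camid, {}).update(rights)
            obj["inherits"] = False
        else:
            raise ValueError(f"unknown mode {mode!r}")
        results[name] = "Success"
    return results


def sample_objects():
    """Constructed bottom-pane content: one explicit, one inherited object."""
    return {
        "Sales Folder": {"inherits": False,
                         "policies": {"CAMID(':Consumers')": {"Read": "Grant"}}},
        "Sales Report": {"inherits": True, "policies": {}},
    }
```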

Security Painter Processing

As Security Painter is being executed, the Status field on any given Object Row will change to Updating, Success or Failure after each Object Row is processed.

MetaManager™ Security Painter Processing
  1. The results are represented in the Status field. See below for more information.

  2. The policies property of the current object is assigned the list of policy objects represented by the security grid.

Security Results

The following table lists the possible security results.

Updating

The object is being processed with the new security.

Success

The object was successfully updated with the new security applied.

Failure

An error occurred. In this event, you may right-click on the item and select ‘View Errors’.

An explanation of security results

Security Replicator

Security Replicator is a tabular module designed to:

  • Replicate memberships and access rights.

  • Replicate security policies.

  • Generate mapping files between objects in two security namespaces.

Account Tab

Security Replicator’s Account tab is designed to replicate memberships and access rights for a source account to a set of target accounts, groups and roles. This tab can replicate security from one source object to many target objects within seconds.

Security Replicator – Account Tab UI

Account Tab UI Functionality

Using the Portal Tree, a user can select any account, group, or role to use as the source object by dragging it to the drop area specified for the source account. The user can then drag and drop any number of accounts, groups, or roles into the top canvas area. Click the “Update” button to begin the security replication process.

Options:

Replicate Access Rights – By checking this box any object in the canvas area will receive the access rights of the object that was dropped into the source area.

Replicate Memberships – By checking this box any object in the canvas area will receive all memberships of the object that was dropped into the source area.

Environment Tab

Security Replicator’s Environment tab is designed to replicate security policies from a source environment to a target environment. The process can be used to standardize security policies across IBM Cognos environments. A mapping file may optionally be supplied if CAMIDs vary between environments.

Security Replicator – Environment Tab UI

Environment Tab UI Functionality

The Environment tab is simple to use. First, select a Target Server from the drop-down box; any gateway connection that has been established within MetaManager™ will appear in this list. Second, drop any object(s) whose security needs to be replicated from the source to the target environment into the top canvas area.

Options:

Preview Mode – When this is checked, the Update button does not make any changes between environments. This check box lets the user view the status of the changes that would be made before they are put into effect.

Mapping File – Here a mapping file can be applied to the security replication, in case the CAMIDs vary between the two environments. This file can be created in the Mapping tab of this module.

Save Log File – Selecting this link will prompt the user to save a text file of the replication that has taken place between environments. The log file has information on all objects from both the source and target security as well as detailed information on the policies that were set across the environments.

Mapping Tab

Security Replicator’s Mapping tab is designed to generate a mapping file between objects in two security namespaces that have the same name and type but different CAMIDs. This file can be used in the Environment tab of Security Replicator or during the Restore process in the Restore module.

Security Replicator – Mapping Tab UI

Creating a Mapping file

  1. The source server is the gateway that is currently selected. To change the source server, select another gateway from the connections drop-down box.

  2. Select a target server – any gateway connection that has been established within MetaManager™ will appear in this list.

  3. Select the ‘Logon’ link next to the target server drop down and log-in.

  4. Select a namespace of the target server to map to.

  5. Select object(s) to map by checking the boxes next to groups, roles, or accounts.

  6. Drag any object to the top canvas area to be mapped.

  7. Select “Generate.”

Depending on the object(s) chosen to map, the accounts, groups, or roles associated with the object(s) dropped into the top canvas area will appear in the bottom canvas area.

  8. Select the ‘Save Log Files’ link to see a log of the process and discover any issues there might be with the mapping file.

  9. Select the ‘Save Mapping File’ link; the saved file is the mapping file that can be used in the Environment tab of Security Replicator or the Restore tab of the Restore module.

NOTE: The objects that are dropped into the canvas area must be present in both the Source and Target environments in order for the tab to generate a proper mapping file.

Sign-on Blasters

Sign-on Blasters allows you to update external database credentials and IBM Cognos Datasource Signon credentials at the same time. You can test individual database and Datasource Sign-on connections, as well as test each of the Vendor specific Database Connections and IBM Cognos DataSource sign-ons prior to and after making the changes.

NOTE: To use the drivers to connect to Oracle & Teradata you may need to install client components. In some cases, a reboot will be necessary.

Using Sign-on Blasters

To begin, drag either a Datasource, Datasource Connection, or Datasource Sign-on to the canvas area.

Two rows will be created the first time you add an object to the grid. The top row represents your external database. The row underneath represents the IBM Cognos Datasource Sign-on. If you would like to add additional DataSource Sign-ons underneath you can drag and drop additional connections on top of the external database row. If you drag connections anywhere else on the canvas an additional external database row and Datasource Sign-on row will be added. It is possible to add Datasource Sign-ons that point to different databases beneath the external database row. It is the user’s responsibility to ensure that the Sign-ons under the database row are correct and reference the intended database.

The database row is given the same name as the IBM Cognos Datasource by default. The name can be changed to whatever you would like.


Under Type, you can select one of the supported database types. If none is selected no updates will be made to a database, but updates to DataSource Sign-ons will still occur. This is useful when you want to update IBM Cognos Datasource Sign-ons in bulk without updating the actual database password.

  • None

  • MS SQL

  • Oracle

  • Teradata

You will need to supply your server's name under the Server column, as well as the database name under Database. You will need to supply the current username and password for the database under the corresponding columns. Finally, supply the new password under New Password.

NOTE: Passwords are not masked in any way in the user interface or in any saved mmx files from Signon Blasters. It is up to the user to secure this information. In the user interface the passwords are intentionally not masked to ensure that you’re using and setting the correct passwords.

You can test the IBM Cognos Datasource Sign-on or the Vendor Specific Database connection by using the test button.


When you click on either an IBM Cognos Datasource Sign-on or the Vendor Specific Database connection row, details about that row are shown below. If there is a problem with a connection it will be displayed in the details window as well.


It is recommended that before you run any updates to your connections that you test them first. You can either test each connection individually, or you can use the Test button to test everything.

Once you are ready, click the Update button to make your changes. Sign-on Blasters will first test the database connection once more. If the connection fails, none of the updates will proceed.

If the database connection succeeds, Sign-on Blasters will first change the user’s password in the vendor-specific database. At this point all of the IBM Cognos Datasource Connections using this sign-on will be broken. Sign-on Blasters will then go to each sign-on and update the password, effectively fixing the now broken sign-on objects.

It is a good idea to run a test after running the update to ensure that the data source connections are now working properly. Unless you move the “New Password” to the “Password” column prior to running a post-test, the database test will fail with a logon error.

It is important to ensure that you have selected every IBM Cognos Datasource Sign-on from every IBM Cognos server that uses the same database user beneath the vendor database row in Sign-on Blasters. Note that several databases and IBM Cognos Database Connections may use the same database user; when updating a user, make sure that you have identified all of the databases that the user has access to.

