Cognos and OpenLDAP authentication implementation best practice

Jephe Wu - http://linuxtechres.blogspot.com

Objective: design a better OpenLDAP authentication mechanism for individual clients
Environment: Cognos 8.3 and OpenLDAP

Concept:
Company corp1 provides outsourcing services for client company corp2, so some corp1 users build Cognos reports for corp2.
There are internal Cognos LDAP accounts in company corp1 and external users in client company corp2; all of these users need to read pre-defined reports.


Steps:
1. Create OpenLDAP databases corp1 and corp2 as two different namespaces.
All company corp1 users will use namespace corp1 to log in to Cognos, and all client company corp2 users will use corp2 as the namespace to log in to Cognos.

2. Create group 'admin' in OpenLDAP namespace corp1 and add Jephe to that group. Jephe is the Cognos administrator in corp1.

3. In the Cognos security configuration, under the 'cognos' namespace, add the 'admin' group from namespace corp1 to the 'System Administrators' group.

4. In client corp2's public folder, access to all reports can be granted to corp1 users.

5. You can also add all users in corp2 to the Cognos default 'reports administrators' group and give corp2 users full access to the public folder above, so that corp2 users can edit and save their reports themselves.

6. Directory access, such as saving a report, is different from report access. To give full directory access, including 'my folder', do this:

  • Launch Cognos Connection and Log on
  • When using IBM Cognos 8 BI 8.1 or IBM Cognos 8 BI 8.2, click on Tools > Directory
  • When using IBM Cognos 8 BI 8.3 or IBM Cognos 8 BI 8.4, click on Launch > Cognos Administration > Security
  • Click on your Namespace (e.g. Series 7 or LDAP)
  • Search for the user account and click on Set properties for the affected user
  • Click on the Permissions tab and grant this user full permissions.
  • Select 'Delete the access permissions of all child entries' and click OK
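
For steps 1 and 2, the directory entries could look like the LDIF below. This is an added example, not from the original post: the suffixes dc=corp1,dc=example and dc=corp2,dc=example, the ou names, and the uid jephe and its name attributes are assumptions, and each suffix is assumed to be served by its own OpenLDAP database.

```ldif
# Constructed sample data. Suffixes, ou names and the uid are assumptions.
# Load each half into its own database, binding as that database's rootdn.
# Object classes must match the account and group mappings configured
# for each LDAP namespace in Cognos Configuration.

# --- Namespace corp1: internal users ---
dn: dc=corp1,dc=example
objectClass: dcObject
objectClass: organization
dc: corp1
o: corp1

dn: ou=people,dc=corp1,dc=example
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=corp1,dc=example
objectClass: organizationalUnit
ou: groups

# The Cognos administrator from step 2. No userPassword in the file;
# set it afterwards with ldappasswd so no cleartext password sits in LDIF.
dn: uid=jephe,ou=people,dc=corp1,dc=example
objectClass: inetOrgPerson
uid: jephe
cn: Jephe
sn: Wu

# Group 'admin' from step 2. Step 3 adds this group to the Cognos
# 'System Administrators' group, so every member listed here becomes
# a Cognos system administrator.
dn: cn=admin,ou=groups,dc=corp1,dc=example
objectClass: groupOfNames
cn: admin
member: uid=jephe,ou=people,dc=corp1,dc=example

# --- Namespace corp2: client users, separate database and suffix ---
dn: dc=corp2,dc=example
objectClass: dcObject
objectClass: organization
dc: corp2
o: corp2

dn: ou=people,dc=corp2,dc=example
objectClass: organizationalUnit
ou: people
```

Because membership of cn=admin maps directly to Cognos system administration, write access to that entry should be limited to the corp1 directory administrators.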