Security and Deployment

Access Permissions

The entries that you deploy may have security applied to them, such as access permissions Access Permissions and Credentials that specify which users and groups can access them. If you deploy the entire content store Deploying the Entire Content Store, all access permissions are deployed. If you deploy selected packages, public folders and directory content, you can choose whether to deploy access permissions Deploying Selected Public Folders and Directory Content.

Consider the following:

• Referenced users and groups

  If you deploy access permissions to a target environment, the referenced users and groups must exist in the target environment.

• Access permissions rules

  For access permissions to work after entries are deployed, the source environment and the target environment must use the same authentication provider with the same configuration. Otherwise, the permissions may not work after deployment.

  Use the Cognos namespace to ensure that the permissions from the source environment work in the target environment. For example, in the source environment, create Cognos groups with the group Everyone as a member, and then set access permissions for the groups. After deployment, in the target environment, map the Cognos groups to the appropriate users and groups from the authentication provider, and then remove Everyone from the membership of the group.

For information about deploying Cognos groups and roles, see Including Cognos Groups and Roles.

Securing Deployment Archives

A deployment archive Deployment Archives can contain sensitive information, such as signons and confidential account or credit card numbers in report outputs. When you export, you can encrypt the deployment archive by setting a password. Later, when you import, you must type the encryption password. The password must contain eight or more characters.

You must encrypt the deployment archive when it contains data source signons Create or Modify a Data Source Signon or when you deploy the entire content store Deploying the Entire Content Store.

The encryption settings are configured in the configuration tool. For more information, see the IBM Cognos Installation and Configuration Guide.

Including References to Other Namespaces

Some entries, such as groups, roles, distribution lists, contacts, data source signons, and some report properties, such as email recipients and report contacts, can refer to entities in namespaces other than the Cognos namespace. When you deploy public folders and directory content, you can deploy these entries with or without references to these namespaces.

Consider the following:

• Included references

  If you include the references to other namespaces, the system verifies that each of the referenced entities exists in the applicable namespaces. Therefore, you must ensure that you are logged on to each namespace, and that you have the necessary permissions to access the required entities in the namespaces. If you cannot access the namespaces, you will encounter errors during the deployment.

• No included references

  If you do not include the references to other namespaces, the referenced entities are removed from the membership list of groups, roles, distribution lists, and data source signons and other properties where they may exist.

When you deploy the entire content store Deploying the Entire Content Store, the references to all namespaces are included.