Security settings after installation

Your IBM® Cognos® software installation must already be configured to use an authentication provider. That configuration is documented in the IBM Cognos Business Intelligence Installation and Configuration Guide.

When the predefined roles are created during the content store initialization, the group Everyone is a member of the System Administrators role. This means that all users have full access to the content store. To limit that access, you must add trusted users as members of this role, and then remove the group Everyone from its membership.

You must also modify the membership of the predefined roles that include the group Everyone, such as Consumers, Query Users, and Authors. Make similar modifications for them as you do for the System Administrators role. These modifications should also take the license terms into consideration.

If you do not want to use the predefined roles, you can delete them.

To secure the Cognos namespace, modify its initial access permissions by granting access for the required users.

When you set access permissions, you should not explicitly deny access to entries for the group Everyone. Denying access overrides any other security policies for the entry. If you denied access to the entry for Everyone, the entry would become unusable.
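
The deny-overrides rule and the Everyone membership problem described above, shown as an added example (not IBM code and not the Cognos API). It is a simplified Python model over constructed role and policy data; the data layout, the function names and the sample users are assumptions, and the model treats every role alike.

```python
EVERYONE = "Everyone"

# Constructed sample data (assumed layout): role -> members as left by
# content store initialization, and the policy of one entry.
ROLES = {
    "System Administrators": {EVERYONE},
    "Consumers": {EVERYONE},
    "Authors": {"alice"},
    "Readers": {"bob"},
}
POLICY = {
    "Authors": {"grant": {"read", "write", "traverse"}, "deny": set()},
    EVERYONE: {"grant": set(), "deny": {"read"}},
}


def principals_of(user, roles):
    """Every user belongs to Everyone, plus each role that lists the user
    directly or lists the group Everyone."""
    held = {name for name, members in roles.items()
            if user in members or EVERYONE in members}
    return held | {user, EVERYONE}


def effective_permissions(user, roles, policy):
    """Union of grants across the user's principals, minus every deny."""
    granted, denied = set(), set()
    for principal in principals_of(user, roles):
        rule = policy.get(principal, {})
        granted |= rule.get("grant", set())
        denied |= rule.get("deny", set())
    return granted - denied  # a deny overrides any grant


def audit(roles, policy):
    """Report the two conditions the text warns about."""
    findings = [f"role '{r}' still contains {EVERYONE}"
                for r, m in sorted(roles.items()) if EVERYONE in m]
    if policy.get(EVERYONE, {}).get("deny"):
        findings.append(f"entry policy explicitly denies {EVERYONE}")
    return findings


if __name__ == "__main__":
    print(sorted(effective_permissions("alice", ROLES, POLICY)))
    for finding in audit(ROLES, POLICY):
        print("FINDING:", finding)
```

In this model alice is granted read through Authors, yet the deny for Everyone removes it for her and for every other user, which is why the entry becomes unusable.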

To maintain a secure installation, users should be granted only the permissions and capabilities required to allow them to complete their assigned tasks. For example, Readers would normally be restricted to read and traverse permissions for Public Folders and not be allowed to create reports using any studio. Consumers would normally be restricted to read, traverse and execute permissions.

Certain capabilities, such as HTML Item In Report and User Defined SQL, should be tightly managed. These capabilities are checked during the authoring process as well as when running reports. If a consumer needs to run a report that requires these capabilities, you may be able to use the Run as Owner feature to limit the number of system users that require these capabilities. The Run as Owner feature uses the report owner's credentials to perform some capability checks and to access data.

For information about granting capabilities for packages, see Object Capabilities.