Policy monitoring reports security setup with InfoSphere Master Data Management and Tivoli Directory Server

The Policy Monitoring component was introduced in the IBM® InfoSphere® Master Data Management (MDM) v10.1 release. Using IBM Cognos® Business Intelligence reporting tools, Policy Monitoring enables organizations to report on data quality by using aggregated metrics and to establish policies for compliance with data quality thresholds. This tutorial provides detailed steps to set up a basic security model in the IBM Cognos Business Intelligence application that provides authentication and authorization for Policy Monitoring reports.

Puneet Sharma (puneet.sharma@in.ibm.com), Senior Product Architect, IBM India Software Labs

Puneet Sharma is a Senior Product Architect for IBM's InfoSphere Master Data Management (MDM) product portfolio. He has designed many important features of the MDM portfolio in the past few years. He is currently focusing on building the next generation of Master Data Governance capabilities for the MDM portfolio.



Srinivasa Parkala (shsriniv@in.ibm.com), Senior Software Developer, IBM India Software Labs

Srinivasa Parkala is a Senior Software Developer in IBM's InfoSphere Master Data Management (MDM) product portfolio. He has been part of the design and development of the Master Data Policy Monitoring capability in MDM SE.



Somak Bhattacharya (somakbha@in.ibm.com), Software Developer, IBM India Software Labs

Somak Bhattacharya is a Software Developer in IBM's InfoSphere Master Data Management (MDM) product portfolio. He has been part of building the Master Data Policy Monitoring capability in MDM SE.



29 November 2012


Before you start

Learn what to expect from this tutorial, and how to get the most out of it.

Scope of this tutorial

This tutorial gives the steps to set up basic security; it does not cover the advanced security configurations available in the IBM Cognos Business Intelligence application.

The following two types of reports are shipped with Policy Monitoring.

  • Summary reports: These reports contain measured values for different Key Performance Indicators (KPIs).
  • Reports with master data: These reports contain master data along with measured values for different KPIs. The master data is fetched from the Policy Monitoring landing area tables.

Due to the sensitive nature of master data, limited access to Reports with master data should be granted. This tutorial will guide you in setting up report-specific access for Policy Monitoring reports such that a set of users will have access to Summary Reports, and another set of users will have access to Reports with master data.

Prerequisites

This tutorial assumes that you have successfully done the following.

  • Set up IBM Cognos Business Intelligence version 10.1.1 and configured the Policy Monitoring reports.
  • Installed IBM Tivoli Directory Server v6.3 and configured an instance.

Creating IBM Tivoli Directory Server LDAP entries

The following steps will help you to create the needed LDAP entries in Tivoli Directory Server.

Create a suffix

  1. Open the Tivoli Directory Server Web Administration tool.
  2. Click Manage server property, and then click Suffixes.
  3. Type o=abccompany in the Suffix DN field.
  4. Click Add, and then click Apply.

Create the organization

  1. Select Directory management, and then click Add Entry.
  2. Select organization from the Structural Object Classes list.
  3. Click Next, and then click Next again.
  4. Type o=abccompany for relative DN, and abccompany for O.
  5. Click Next.
  6. Click Finish to create the organization.

Create organization unit

  1. Select Directory management, and then click Add Entry.
  2. Select organizationalUnit from the Structural Object Classes list.
  3. Click Next, and then click Next again.
  4. Type the following values.
    • Relative DN = "ou=datagovernancecounsil"
    • Parent DN = "o=abccompany"
    • ou = "datagovernancecounsil"
  5. Click Next, and then Finish.

Create summary reports user

  1. Select Directory management, and then click Add Entry.
  2. Select inetOrgPerson from the Structural Object Classes list.
  3. Click Next, and then click Next again.
  4. Type the following values.
    • Relative DN = "uid=user1"
    • Parent DN = "ou=datagovernancecounsil,o=abccompany"
    • cn = "user1"
    • sn = "user1"
  5. Click Next.
  6. Type the following values.
    • uid = "user1"
    • userPassword = "user123"
  7. Click Next, and then Finish.

Create Data Reports user

  1. Select Directory management, and then click Add Entry.
  2. Select inetOrgPerson from the Structural Object Classes list.
  3. Click Next, and then click Next again.
  4. Type the following values.
    • Relative DN = "uid=user2"
    • Parent DN = "ou=datagovernancecounsil,o=abccompany"
    • cn = "user2"
    • sn = "user2"
  5. Click Next.
  6. Type the following values.
    • uid = "user2"
    • userPassword = "user123"
  7. Click Next, and then Finish.

Create administrator user

  1. Select Directory management, and then click Add Entry.
  2. Select inetOrgPerson from the Structural Object Classes list.
  3. Click Next, and then click Next again.
  4. Type the following values.
    • Relative DN = "uid=user3"
    • Parent DN = "ou=datagovernancecounsil,o=abccompany"
    • cn = "user3"
    • sn = "user3"
  5. Click Next.
  6. Type the following values.
    • uid = "user3"
    • userPassword = "user123"
  7. Click Next, and then Finish.

Create user group (adminusers)

  1. Select Directory management, and then click Add Entry.
  2. Select groupOfNames from the Structural Object Classes list.
  3. Click Next, and then click Next again.
  4. Type the following values, as shown in Figure 1.
    • Relative DN = "cn=adminusers"
    • Parent DN = "ou=datagovernancecounsil,o=abccompany"
    • cn = "adminusers"
    • Member = "uid=user1,ou=datagovernancecounsil,o=abccompany"
      Figure 1. Children of adminusers group
      This is the Manage Entity screen; it displays the user1 changes made in the update user1 steps.
  5. Click Next, and then Finish.

Create user group (mdpmsummaryreportsusers)

  1. Select Directory management, and then click Add Entry.
  2. Select groupOfNames from the Structural Object Classes list.
  3. Click Next, and then click Next again.
  4. Type the following values, as shown in Figure 2.
    • Relative DN = "cn=mdpmsummaryreportsusers"
    • Parent DN = "ou=datagovernancecounsil,o=abccompany"
    • cn = "mdpmsummaryreportsusers"
    • Member = "uid=user2,ou=datagovernancecounsil,o=abccompany"
      Figure 2. Children of mdpmsummaryreportsusers group
      This is the Manage Entity screen; it displays the user2 changes made in the update user2 steps.
  5. Click Next, and then Finish.

Create user group (mdpmdatareportsusers)

  1. Select Directory management, and then click Add Entry.
  2. Select groupOfNames from the Structural Object Classes list.
  3. Click Next, and then click Next again.
  4. Type the following values, as shown in Figure 3.
    • Relative DN = "cn=mdpmdatareportsusers"
    • Parent DN = "ou=datagovernancecounsil,o=abccompany"
    • cn = "mdpmdatareportsusers"
    • Member = "uid=user3,ou=datagovernancecounsil,o=abccompany"
      Figure 3. Children of mdpmdatareportsusers group
      This is the Manage Entity screen; it displays the user3 changes made in the update user3 steps.
  5. Click Next, and then Finish.

Update user entries to specify correct parent

  1. Update user1.
    1. Select Directory management, and then click Manage Entries.
    2. Navigate to the user1 entry and click Edit Attributes.
    3. Set Parent DN="cn=adminusers,ou=datagovernancecounsil,o=abccompany".
    4. Save the entry.
  2. Update user2.
    1. Select Directory management, and then click Manage Entries.
    2. Navigate to the user2 entry and click Edit Attributes.
    3. Set Parent DN="cn=mdpmsummaryreportsusers,ou=datagovernancecounsil,o=abccompany".
    4. Save the entry.
  3. Update user3.
    1. Select Directory management, and then click Manage Entries.
    2. Navigate to the user3 entry and click Edit Attributes.
    3. Set Parent DN="cn=mdpmdatareportsusers,ou=datagovernancecounsil,o=abccompany".
    4. Save the entry.

After following the steps mentioned previously, you should have LDAP entries similar to the entries shown in Figure 4.

Figure 4. LDAP entries for user groups
This is the Directory management screen; it displays the users created in the Create user group steps.

Configure an LDAP Namespace for IBM Directory Server

Create a new LDAP namespace in the IBM Cognos Business Intelligence application that will refer to your IBM Tivoli Directory Server setup.

  1. Open IBM Cognos Configuration.
  2. In the Explorer window, under Security, right-click Authentication, and then click New resource > Namespace.
  3. In the Name box, type a name for your authentication namespace.
  4. In the Type list, click LDAP, and then click OK. The new authentication namespace resource appears in the Explorer window, under the Authentication component.
  5. In the Properties window, for the NamespaceID property, specify a unique identifier for the namespace. Note: Do not use colons (:) in the NamespaceID property.
  6. Specify the values for all other required properties to ensure that the IBM Cognos Business Intelligence application can locate and use your existing authentication namespace, as shown in Figure 5.
    Figure 5. LDAP setting properties
    The table shows the properties for LDAP settings
  7. To configure the LDAP advanced mapping properties for use with IBM Directory Server objects, use the values specified in Figure 6.
    Figure 6. LDAP advanced mapping properties
    The figure shows the LDAP advanced mapping property settings
    Note: LDAP attributes that are mapped to the Name property in Folder mappings, Group mappings, and Account mappings must be accessible to all authenticated users. In addition, the Name property must not be blank.
  8. From the File menu, click Save.
  9. Restart the IBM Cognos BI service.

Grant limited access to default roles

By default, the group Everyone is included in the default roles in the built-in Cognos namespace, and hence, all of the users will have access to all of the reports. To grant limited access for pre-defined roles, perform the following steps.

  1. Log in to the IBM Cognos BI application web interface as user1.
  2. Navigate to IBM Cognos Administration.
  3. Click the Security tab, and then click the Cognos namespace.
  4. Add the adminusers group (by navigating in the TDS LDAP namespace) to the System Administrators and Authors roles.
  5. Remove the Everyone group from the System Administrators and Authors roles, as shown in Figures 7 and 8.
    Figure 7. Members of Authors role
    Image shows members of Author role where Everyone group is removed
    Figure 8. Members of System Administrators role
    Image shows members of System Administrators role where Everyone group is removed

Disable anonymous access to the IBM Cognos BI application

By default, unauthenticated access is enabled and you need to disable it to enforce LDAP-based authentication. Perform the following steps to disable it.

  1. Open the IBM Cognos configuration tool.
  2. Click the Cognos namespace under the Security, Authentication node and set Allow anonymous access? to False, as shown in Figure 9.
    Figure 9. Cognos default namespace
    The image shows the anonymous access screen with Allow anonymous access? set to False.
  3. Restart the IBM Cognos BI service.

Configure access for Policy Monitoring reports

Summary reports

  1. Log in with user1 (Administrator group member).
  2. Change the security roles for Summary Reports such that both "mdpmdatareportsusers" and "mdpmsummaryreportsusers" have access to summary reports. From the Permissions tab in the Set properties page, select the Override the access permissions acquired from the parent entry check box, as shown in Figure 10.
    Figure 10. Permissions for summary reports
    The image shows the permission setting for summary reports, with the Override the access permissions acquired from the parent entry check box.
  3. Change the security roles for the following summary reports.
    • Completeness-Report
    • Completeness-Member-Details
    • Duplicate-Members
    • False-Positive-False-Negative
    • Report-Summary
    • Source-to-Golden-Consistency

Data reports

  1. Log in with user1 (Administrator group member).
  2. Change the security roles for data reports such that only "mdpmdatareportsusers" has access to data reports. From the Permissions tab in the Set properties page, select the Override the access permissions acquired from the parent entry check box, as shown in Figure 11.
    Figure 11. Permissions for data reports
    The image shows the Override the access permissions acquired from the parent entry permission setting for data report
  3. Change the security roles. Perform this step for the following data reports.
    • Completeness-Details
    • Duplicate-Member-Attribute-Details
    • Source-to-Golden-Consistency-Details
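
One way to review the result of the steps above, as an added example (not part of the original tutorial or any IBM tooling): read an LDIF export of the directory, resolve groupOfNames membership, and list which entries can reach each report type under the permissions configured here, plus any member value that matches no entry. The LDIF is constructed sample data with users placed under their group entries as in the update step; uid=user9 and all function names are hypothetical, and System Administrators role membership is not modelled.

```python
BASE = "ou=datagovernancecounsil,o=abccompany"
# Which groups may open which report type, as configured in the tutorial.
POLICY = {"summary": {"mdpmsummaryreportsusers", "mdpmdatareportsusers"},
          "data": {"mdpmdatareportsusers"}}
# Constructed, trimmed sample export (not server output); uid=user9 is hypothetical.
LDIF = f"""\
dn: uid=user2,cn=mdpmsummaryreportsusers,{BASE}

dn: uid=user3,cn=mdpmdatareportsusers,{BASE}

dn: cn=mdpmsummaryreportsusers,{BASE}
objectClass: groupOfNames
member: UID=user2, cn=mdpmsummaryreportsusers,{BASE}

dn: cn=mdpmdatareportsusers,{BASE}
objectClass: groupOfNames
member: uid=user3,cn=mdpmdatareportsusers,{BASE}
member: uid=user9,{BASE}
"""

def norm_dn(dn):
    """Case-fold a DN and drop spaces around '=' and ','; escaped commas unsupported."""
    rdns = (rdn.split("=", 1) for rdn in dn.lower().split(","))
    return ",".join(f"{k.strip()}={v.strip()}" for k, v in rdns)

def parse_ldif(text):
    """Minimal LDIF reader: no line folding and no base64 ('::') values."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            attrs.setdefault(key.lower(), []).append(value)
        entries[norm_dn(attrs["dn"][0])] = attrs
    return entries

def audit(entries, policy=POLICY):
    """Return ({report type: DNs with access}, [(group cn, unresolved member DN)])."""
    members, dangling, known = {}, [], set(entries)
    for dn, attrs in entries.items():
        if "groupOfNames" in attrs.get("objectclass", []):
            cn = dn.split(",")[0].split("=", 1)[1]
            listed = {norm_dn(m) for m in attrs.get("member", [])}
            members[cn] = listed & known
            dangling += sorted((cn, m) for m in listed - known)
    access = {kind: sorted(set().union(*(members.get(g, set()) for g in groups)))
              for kind, groups in policy.items()}
    return access, dangling
```

Call `audit(parse_ldif(LDIF))` on an export of your own directory; any DN listed under "data" that is not meant to see master data, or any unresolved member, is a finding to correct in the directory.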

Conclusion

Master data is sensitive data that organizations want to protect and avoid exposing to all users. This tutorial provides guidelines on how to restrict the visibility of certain reports based on the user role. This tutorial is a good starting point to help you set up a basic security model in the IBM Cognos Business Intelligence application to provide authentication and authorization for Policy Monitoring reports.
