Use Tivoli Integrated Portal and Tivoli Common Reporting to create read-only access to Cognos reports

In Cognos® Business Intelligence, default users have a wider range of capabilities than would be typically appropriate for users that only need to view reports. In this article, learn how to use Tivoli Integrated Portal and Tivoli Common Reporting to create a class of users that have read-only access to Cognos reports.

Sergio Varga (svarga@br.ibm.com), IT Architect, IBM

Photo of Sergio VargaSergio Varga is a Certified IT Architect at IBM. He has a master's degree in technology and has degrees in business administration and computer science. He has over 25 years of experience in the IT field, and his current areas of expertise are in cloud and systems management. He also contributes to the IBM expert systems blog, writing about PureSystems.



20 November 2012

Introduction

Tivoli Integrated Portal (TIP) and Tivoli Common Reporting (TCR) are the foundation for deploying all the monitoring reports from Tivoli Monitoring agents and other Tivoli systems management products. TIP and TCR are integrated with Cognos Business Intelligence Reporting (Cognos) to provide standard monitoring reports. Default Cognos users typically have a broad range of capabilities that include administrative privileges, query design privileges, and report design privileges. However, there are many instances in which some users should not be given such broad capabilities. This article provides step-by-step instructions on how to create a group of users that have read-only access to Cognos reports in TCR and who can only navigate and run existing Cognos reports.

You can easily extend the methods that are described in this article to other kinds of applications within TIP.


Understanding default user access

Figure 1 shows that a user created with the default settings can access the Query Studio, Report Studio, and Administration tasks from Cognos. The default settings let a user create reports and queries and change administration settings. These tasks are more than what's needed for users who only need the ability to run and access reports.

Figure 1. Default user access
Top portion of a common reporting window showing the various settings

By removing the user's administration access as well as their access to Query Studio and Report Studio, you can create an access control group that allows its users to only have access to Cognos reports.


Creating a restricted group in Tivoli Integrated Portal

The first step is to create a group in Tivoli Integrated Portal. In this article's example, the new group is called tivolilive. To create the group, you must log in as the TCR administrator. In this example, the ID of the TCR Administrator is tlmssupp.

Creating a new group

Log in as the TCR Administrator and expand Users and Groups. Then, select Manage Group > Create, as shown in Figure 2.

Figure 2. Manage groups panel
Window showing users and groups and manage group, with a create button in the window.

In the Create a group window, enter the group name, tivolilive, as shown in Figure 3.

Figure 3. Create a group window
the create a group window with tivolilive showing in the group name field.

After you receive the confirmation message that the group was successfully created, click Close, as shown in Figure 4.

Figure 4. Group created successfully confirmation
Group created successfully confirmation window

The new group is now displayed on the Manage Groups panel, as shown in Figure 5.

Figure 5. Manager groups panel with new group
Window with tivolilive showing up in the group name column

Now that the group is created, you must add roles to give tasks to the members of the group. Navigate to the Group roles panel and select or search for the newly created tivolilive group, as shown in Figure 6.

Figure 6. Group roles panel
Window of the search page with various fields to input and select.

Next, select tcrPortalOperator for the role and click Save, as shown in Figure 7.

Figure 7. Add role to group window
Window with tcrPortalOperator selected and two buttons to save or cancel.

The Manage Groups panel now shows the role that is associated with the group, as shown in Figure 8.

Figure 8. Manage groups panel with role added to group
Window showing tivolilive as the group and tcrportaloperator as the role next to it.

Creating a new view

The next step is to limit the pages that users in the new tivolilive group have access to. Expand Settings, select Views, and click New, as shown in Figure 9.

Figure 9. Views panel
View panel with Settings and views selected as well as the New button.

Click New to open the Create View window. In this window, enter a name for the new view. In this example, Tivoli Live is the new view name. Then, click Add, as shown in Figure 10.

Figure 10. Add groups to
The Create view window with Tivoli live showing as the group name.

After you click Add, the Available Roles window opens. Select the tcrPortalOperator role for this view and click Add, as shown in Figure 11. You are then returned to the Create View window.

Figure 11. Add role to view window
Available roles window with tcrportaloperator role selected.

Now that the view has been created, the next step is to add pages to the view. These are the pages that members of the new group will have access to. From the Create View window, expand the Pages In This View section and click Add, as shown in Figure 12.

Figure 12. Pages in this view window
Roles window with pages in this view expanded.

After you click Add, the Select Pages window opens. Select the Settings, Change Password, and Reporting pages, then click Add and Save, as shown in Figure 13.

Figure 13. Select pages window
View window with settings, change password and reporting checkboxes selected

The Create View window does not have the complete settings for the new view, as shown in Figure 14.

Figure 14. Completed view
View window with several checkboxes not selected.

Creating a Console Preferences Profile

The next step is to create a new Console Preferences Profile to ensure that new users only have access to the allowed views. Under Settings, select Console Preferences Profiles to open the window, as shown in Figure 15.

Figure 15. Console preferences profile window
Console preferences profile window

Scroll down the window until you get to the Required Views and Roles sections. In the Required Views section, ensure that All tasks is unchecked and that System and custom views is checked. In the Roles section, click Add and add the tcrPortalOperator role. The Console Preferences Profile window should now look like Figure 16.

Figure 16. Completed Console Preferences Profile
Completed Console Preferences Profile

At this point, you have created a group that only has access to TCR reports and the password change page. Now, you'll add users to this group.


Adding users using the TIP interface

Now that the new tivolilive group has been created with the restricted access, you can add new users to the group through the TIP interface and they will inherit the restricted access rights of the group. This section explains how to add a user to the tivolilive group.

First, expand Users and Groups. Select Manage Users to open the Manage Users panel, and click Create, as shown in Figure 17.

Figure 17. Manage users panel
Manage Users panel

After you click Create, the Create a User window opens. Enter the User ID of the new user in the User ID field and click Group Membership, as shown in Figure 18.

Figure 18. Create a user window
Create Users window with svargal in the user id field

After you click Group Membership, the Group Membership window opens. Add the new tivolilive group using Search and Add functions as needed. This is shown in Figure 19.

Figure 19. Group Membership window
Group Membership window with tivolilive in the current group field

After the Group Membership window closes, fill in the remaining fields on the Create a User window and click Create, as shown in Figure 20.

Figure 20. Completed Create a User window
Completed Create User window

When you receive the confirmation that the user was successfully created, click Close, as shown in Figure 21.

Figure 21. Create a user confirmation message
Create user confirmation message

The newly created user appears on the Manage Users panel, as shown in Figure 22.

Figure 22. Manage Users panel with new user
Manage Users panel with new user

The new user has limited access to the pages defined for the new tivolilive group.


Adding users with the command-line interface

You can also use the TIP command-line interface to create and add users to the new tivolilive group. Using the command-line interface is useful for batch creation of users in scripts. The following command shows how to create a user and add the user to the new tivolilive group.

Listing 1. Creating a user and adding them to the group
/opt/IBM/tivoli/tipv2/profiles/TIPProfile/bin/wsadmin.sh -user tlmssupp -password <psw> 
-c "\$AdminTask createUser {-uid "$id" -password "$psw" -confirmPassword "$psw" 
-cn "$firstname" -sn "$lastname" -mail "$email"}"
            
/opt/IBM/tivoli/tipv2/bin/wsadmin.sh -user tlmssupp -password <psw> 
-c "\$AdminTask addMemberToGroup {-memberUniqueName uid="$id",o=defaultWIMFileBasedRealm 
-groupUniqueName cn=tivolilive,o=defaultWIMFileBasedRealm}"
            
/opt/IBM/tivoli/tipv2/bin/wsadmin.sh -user tlmssupp -password <psw> 
-c "\$AdminConfig save"

See Resources for links to detailed documentation on these commands.


Restricting access to Tivoli Common Reporting

The next step is to restrict access to Cognos features that should not be allowed for users that have a read-only access level. You want to block access to Cognos' Administration, Report Studio, and Query Studio capabilities by any user that is assigned to the new tivolilive group.

By default, every user in Cognos has Administrator access. In this example, you identify a specific user to have administrator access, give that user, tlmssupp, Administrator level access to Cognos, and then remove the configuration settings that give all users Administrator level access.

Log in as the TCR administrator and select Administration. Expand Reporting and select Common Reporting. Next, select Launch and Administration, as shown in Figure 23, to open the Common Reporting Administration panel

Figure 23. Common Reporting panel
Common Reporting window

From the Common Reporting Administration panel, select the Security tab, click User Groups and Roles, and then click Cognos, as shown in Figure 24.

Figure 24. Security tab in Common Reporting Administration
Security Tab in Common Reporting Administration

From the Cognos directory listing, page through the list of names until you find System Administrators and click More, as shown in Figure 25, to open the Perform an Action window.

Figure 25. Cognos directory list
Cognos directory list

In the Perform an action window, click Set Members, as shown in Figure 26, to open the Set Members window.

Figure 26. Perform an action window
Set members link is circled in red on the administration window

On the Set members window, click Add, as shown in Figure 27, to open the identity provider list.

Figure 27. Identity providers list
The add link is circled in red on the set members window

From the identity provider list, select VMMProvider and then click Search, as shown in Figure 28, to open the Select entries window.

Figure 28. Select entries window
VMMProvider is circled in red on the select entries window

From the Select Entries window, click Search, as shown in Figure 29, to open the Select entries (Navigate) window.

Figure 29. Select entries window
The search link is circled in red on the select entries (navigate) window

In the Select entries (Search) window, click Advanced, then change the default search to accept Any, as shown in Figure 30.

Figure 30. Advanced options on the Select Entries (Search) panel
Advanced options on the Select Entries (Search) panel with advanced and any circled in red

Enter the name of the TCR Administrator user to give Administrator level access to them, as shown in Figure 31 . In this example, you want to give user tlmssupp Administrator level access to Cognos. Then, click Search. The user's ID should appear in the search results list.

Figure 31. User Search panel
User Search panel with tlmssupp showing in the list

Select the user in the search results, then scroll to the right side of the panel and click the arrow button to add the selected user as an administrator, as shown in Figure 32.

Figure 32. Select User ID panel
Select User ID panel with arrow box and tlmssupp circled in red

You have now added user tlmssupp as an administrator in addition to the default user Everyone. Return to the Administration panel, as shown in Figure 27, select Everyone, and click Remove. Now only the user with the ID of tlmssupp has Administrator privileges.


Restricting access to Cognos features

The next task is to prevent members in the newly created group from having administrative access to Cognos and to prevent them from being able to design queries and reports.

Denying administrator access

To prevent users in the newly created tivolilive group from having administrative privileges in Cognos, open the Set Properties panel by selecting Capabilities > Administration > Set properties, as shown in Figure 33, from the TCR home screen.

Figure 33. Setting administration properties
Setting administration properties with capabilities, administration and set properties circled in red

In the Set properties panel, click Permissions and Add, as shown in Figure 34, to open the Select Provider window.

Figure 34. Select Provider window
Select Provider window with permission and add circled in red

Select VMMProvider, as shown in Figure 35, to open the provider search panel.

Figure 35. Select provider window
Select provider window with vmmprovider circled in red

On the provider search panel, select Search, as shown in Figure 36.

Figure 36. Provider search panel
Provider search panel with search circled in red

Enter the desired group name, as shown in Figure 37. In this example, you want to add the new tivolilive group, then click Search. The tivolilive group now appears in the Results field.

Figure 37. Group search window
Group searh window

Select the group name in the Results field, then click the arrow button to add it to the Administrators group, as shown in Figure 38.

Figure 38. Adding group to Administrators
Adding group to Administrators

After the new tivolilive group has been added to the list, select it and click Deny, as shown in Figure 39. This denies administrator privileges for all members of the group.

Figure 39. Denying access for group
Denying Access to the group

Denying access to Query Studio and Reporting Studio

Users in the new tivolilive group are read-only users and do not need access to Query Studio and Reporting Studio. Following a process similar to the steps in Denying administrator access, you can remove these users' ability to create queries and reports.

To remove users from Query Studio, start from the TCR home screen and select Capabilities > Query Studio > Set properties. The remaining steps are the same as those found in Denying administrator access.

To remove users from Reporting Studio, start from the TCR home screen and select Capabilities > Report Studio > Set properties. The remaining steps are the same as those found in Denying administrator access, with two exceptions. First, instead of denying users access to all permissions in Report Studio, users must keep the Traverse permission. All other permissions must be denied, as shown in Figure 40.

Figure 40. Report Studio permissions
Report Studio Permissions

Second, members of the new tivolilive group must be given the Execute and Traverse capability for HTML items. Navigate to the HTML Items in Report capability for the Report Studio, as shown in Figure 41.

Figure 41. HTML In Items capability
HTML in items capability

Add the new tivolilive group to the capability and give the group Execute and Traverse capability, as shown Figure 42.

Figure 42. HTML item permissions
HTML item permissions

Conclusion

Be default, users that are created in Tivoli Common Reporting have a wide range of administrative and design capabilities. But in many cases, it's desirable to have a class of users that have read-only access to reports in Cognos through Tivoli Common Reporting. This article described a way to create a read-only class of users that:

  • Do not have administrative access to Tivoli Common Reporting
  • Do not have administrative access to Cognos
  • Do not have access to the Query Studio
  • Cannot create reports in Report Studio, but can execute and navigate through existing HTML reports

Resources

Comments

developerWorks: Sign in

Required fields are indicated with an asterisk (*).


Need an IBM ID?
Forgot your IBM ID?


Forgot your password?
Change your password

By clicking Submit, you agree to the developerWorks terms of use.

 


The first time you sign into developerWorks, a profile is created for you. Information in your profile (your name, country/region, and company name) is displayed to the public and will accompany any content you post, unless you opt to hide your company name. You may update your IBM account at any time.

All information submitted is secure.

Choose your display name



The first time you sign in to developerWorks, a profile is created for you, so you need to choose a display name. Your display name accompanies the content you post on developerWorks.

Please choose a display name between 3-31 characters. Your display name must be unique in the developerWorks community and should not be your email address for privacy reasons.

Required fields are indicated with an asterisk (*).

(Must be between 3 – 31 characters.)

By clicking Submit, you agree to the developerWorks terms of use.

 


All information submitted is secure.

Dig deeper into Security on developerWorks


static.content.url=http://www.ibm.com/developerworks/js/artrating/
SITE_ID=1
Zone=Security, Tivoli
ArticleID=846011
ArticleTitle=Use Tivoli Integrated Portal and Tivoli Common Reporting to create read-only access to Cognos reports
publish-date=11202012