Applying data security to IBM Cognos BI packages

You apply data security to IBM® Cognos® BI packages by setting permissions based on users and groups. The data access permissions are generated into the cube package and published along with the cube package.

Important: IBM Cognos BI applies the permissions only when the package is initially published. Therefore, before you publish the package, make sure that the monitor data security settings are valid. You should ensure that monitor data security settings are valid before cube publish, so that the IBM Cognos BI package permissions are correct upon the initial publish.
Package-level security is based on the monitor data security configuration at the time the cube package is published. If monitor data security is changed after you publish an IBM Cognos BI package, you can synchronize those updates with the published package in one of the following ways:
  • Use the IBM Cognos BI Connection console

    From the IBM Cognos BI Connection console, you select Package > Actions > Set properties > Permissions. For more information, see the link under "Related tasks" to the IBM Cognos Business Intelligence documentation.

  • Use the wbmUpdatePackageSecurity command. For information on this command, see the "IBM Cognos BI package data security" link under "Related reference."

Any user or group who can access the monitor model can access the cube package.

Permissions

Users and groups defined in monitor data security, regardless of the monitor data security role, are granted the following permissions for IBM Cognos BI packages:
  • Read
  • Write
  • Traverse
  • Set Policy

In addition, administrators have Set Policy permission.

Monitor cube generation does not define IBM Cognos BI package administration access (Read, Write, Traverse, Set Policy, Execute) explicitly. By default, IBM Cognos BI administrators have full permissions to all published packages.
Important: Monitor cube generation is different from monitor data security, in which no users have default access to monitoring models.

Because all users, by default, are in the IBM Cognos BI System Administrators list, be sure to configure the IBM Cognos BI administrator user.

How access is applied

The way that access is applied depends on whether global security is on or off and if any users or groups are defined in monitor data security.

If global security is off, IBM Cognos BI packages are published without package security specified. Anyone who can access the IBM Cognos BI console can access a package.

If global security is on, all users and groups defined in monitor data security are applied to IBM Cognos BI packages.
  • If no users or groups are defined in monitor data security, only the IBM Cognos BI administrator is added to the user access list of the package. Other users have no access to the package.
  • If at least one user or group is defined in monitor data security, the user or group has user access (Execute, Read, Traverse, and Write permission) to the package.
  • The IBM Cognos BI administrator and users in the following IBM Cognos BI roles have administration access (Read, Write, Traverse, and Set Policy permission) to the package:
    • Controller Administrators
    • Metrics Administrators
    • Planning Rights Administrators
    • PowerPlay Administrators
    • Report Administrators
Parent topic: Configuring data security
Related tasks:
IBM Cognos Business Intelligence documentation
Related reference:
Cognos Business Intelligence Administration and Security
IBM Cognos BI package security (wbmUpdatePackageSecurity command)
Related information:
Working with resource groups
Adding and removing users or groups from roles in a resource group