The Cognos namespace and the Cognos Users namespace

The Cognos namespace includes predefined objects to help you quickly set up initial security. The Cognos Users namespace allows you to create and manage users who are not part of an authenticated external namespace.

You use the predefined objects and other features of the Cognos namespace for ongoing security management.

The Cognos namespace can contain groups and roles. A group is a collection of users. Users can either be members of an authenticated external namespace or of the Cognos Users namespace, if the Easy install option was used to install IBM® Cognos® Analytics. Members of groups can be users and other groups. A role is a collection of capabilities that identify the tasks that a user can perform. Members of roles can be users, groups, and other roles. A user can belong to several groups or roles. When a user is a member of more than one group, access permissions are merged.

The following diagram shows the structure of groups and roles in the Cognos namespace.

Diagram showing that members of a group can be a user or another group, and members of a role can be a user, group, or another role. — Figure 1. Structure of groups and roles

You can create groups and roles in the Cognos namespace. The Cognos Users namespace is available only if the Easy install option was used to install IBM Cognos Analytics. If available, you can create users in the Cognos Users namespace.

Predefined and built-in objects in the Cognos namespace

Initial access permissions are applied to all predefined objects. You can modify the permissions from the object properties.

Anonymous

This user is for the initial configuration where anonymous access is enabled and users are not prompted to provide credentials. When anonymous access is disabled in Cognos Configuration, a user logs in using their own credentials.

All Authenticated Users

This group represents users who are authenticated by authentication providers. The membership of this group is maintained by the product and cannot be viewed or altered.

Everyone

This group represents all authenticated users and the Anonymous user account. The membership of this group is maintained by the product and cannot be viewed or altered. You can use the Everyone group to set default security quickly. For example, to secure a report, you grant read, write, or execute permissions to the report for the Everyone group. After this security is in place, you can grant access to the report to other users, groups, or roles, and remove the group Everyone from the security policy for this report.

Analysis Users

Members of this role have the same access permissions as Consumers. They can also use the IBM Cognos Analysis Studio.

Analytics Administrators

Members have the same access permissions as Analytics Explorers. They can also access:

Manage > Data Server Connections
Data source connections in the Administration Console
IBM Cognos Software Development Kit.

This role is available only after a custom installation.

Analytics Explorers

Members have the same access permissions as Analytics Users. They can also access Planning Analytics For Microsoft Excel, Cognos Framework Manager, Cognos Cube Designer and Dynamic Query Analyzer, Transformer, and TM1 Writeback to bundled FLBI TM1 server.

This role is available only after a custom installation.

Analytics Users

Members have the same access permissions as the Analytics Viewer members. They can create new reports, dashboards, stories, new jobs, data server connections, or data modules. They can execute reports, respond to prompts, upload files. They can also access Cognos for Microsoft Office, Cognos Workspace, Cognos Insight, Cognos Event Studio, Cognos Query Studio, and Cognos Analysis Studio

This role is available only after a custom installation.

Authors

Members of this role have the same access permissions as Query Users and Analysis Users. They can use Reporting, Query Studio, and Analysis Studio, and save public content, such as reports and report outputs.

Consumers

Members of this role can read and execute public content, such as reports.

Directory Administrators

Members of this role can administer the contents of namespaces. In the Cognos namespace, they administer groups, accounts, contacts, distribution lists, data sources, and printers.

Analytics Viewers

Members have the same access permissions as Query Users and Analysis Users. They can use Reporting, Query Studio, and Analysis Studio, and save public content, such as reports, dashboards, and stories.

This role is available only after a custom installation.

Library Administrators

Members of this role can access, import, and administer the contents of the Library tab in IBM Cognos Administration.

Mobile Administrators

Members of this role can administer IBM Cognos Analytics Mobile Reports.

Mobile Users

Members of this role can access IBM Cognos content, such as reports, through IBM Cognos Analytics Mobile Reports.

Modelers

Members of this role have access to the web-based modeling capabilities.

Portal Administrators

Members of this role can administer the Cognos portlets and other portlets. This includes customizing portlets, defining portlet styles, and setting access permissions for portlets.

PowerPlay Administrators

Members of this role can administer the public content, for which they have full access. They can also administer and use IBM Cognos PowerPlay.

PowerPlay Users

Members of this role have the same access permissions as Consumers. They can also use IBM Cognos PowerPlay.

Query Users

Members of this role have the same access permissions as Consumers. They can also use the IBM Cognos Query Studio.

Readers

Members of this role have read-only access to IBM Cognos software. They can navigate some portions of the content store, view saved report outputs in the portal, and use some report option such as drill-through.

Report Administrators

Members of this role can administer the public content, for which they have full access. They can also use IBM Cognos Analysis Reporting and IBM Cognos Query Studio.

Server Administrators

Members of this role can administer servers, dispatchers, and jobs.

System Administrators

Members of this role are considered root users or super users. They may access and modify any object in the content store, regardless of any security policies set for the object. Only members of the System Administrators role can modify the membership of this role.

The initial configuration for this role includes the Everyone group. You must modify the initial security settings for this role and remove the group Everyone from its membership. If you do not change the initial configuration, all users have unrestricted access to the content store.

Tenant Administrators

Members of this role can perform tenant administration tasks. This role is used in a multitenant IBM Cognos environment. In the initial configuration, this role has no members and capabilities. Only System Administrators can add members and assign access permissions and capabilities for this role.