Configuring IBM Cognos BI security

The IBM® Cognos® Business Intelligence service requires a database for its content store repository. You can enhance security by creating a database user for IBM Cognos BI only.

IBM Cognos BI creates the content store database tables and initializes them during the first startup of IBM Business Monitor. Because this requires full access rights to the content store database, it is a good idea to create a new database user for IBM Cognos BI only.

When IBM Cognos BI is first deployed, the preconfigured group named Everyone belongs to several built-in groups and roles in the IBM Cognos BI namespace, including the System Administrators role. You must remove the Everyone group from all built-in groups and roles and replace it with authorized groups, roles, or users, so that access to IBM Cognos BI software and administration is restricted.

Authentication aliases

Because IBM Business Monitor keeps the user name and password for the IBM Cognos BI content store database in a Java Authentication and Authorization Service (JAAS) J2C authentication data alias (Cognos_JDBC_Alias), you can maintain all database credentials in one place. Whenever you start the IBM Business Monitor server, the current values are passed to the IBM Cognos BI configuration so that IBM Cognos BI can access the content store. Because of this integration, you cannot change the content store user name and password using the IBM Cognos BI Configuration application.

Similarly, because IBM Business Monitor keeps the user name and password for IBM Cognos BI administrative access in the Cognos_Admin_Alias authentication alias, you can maintain all system passwords from the administrative console.

Rather than running the IBM Cognos BI Configuration application on each server, you need to update the authentication alias only once. Alternatively, you can use the AdminTask commands (see the related reference link) to set the passwords from a scripting environment.

Single sign-on

If you use Federated repositories or Lightweight Directory Access Protocol (LDAP) on a remote IBM Business Monitor server and you want to support single sign-on with your existing IBM Cognos BI server, you must perform additional configuration steps, as described in "Configuring IBM Cognos BI for single sign-on with LDAP."