IBM Support

How to convert an existing Controller-on-Cloud system (from using the default Active Directory authentication) to using IBMid (or optionally 'Federated' IBMid) authentication

How To


Summary

This Technote only applies to customers who wish to integrate their Controller on Cloud system with Planning Analytics (PA) on Cloud.

Customer has a Controller on Cloud system, which is currently not integrated with Planning Analytics (PA). Therefore they are currently using the default logon method.
- Specifically, users currently logon to Controller client using an Active Directory username/password (which is administered using the system described inside separate IBM Technote #551997).

Customer would like to integrate their Controller-on-Cloud system with Planning Analytics on Cloud. Therefore, Controller must use the same authentication method as PA (users logon using their IBMid).
- In other words, in the future their users will logon to Controller using the username/password that is controlled by this website: https://myibm.ibm.com/

Objective

Customer's users currently logon to the Controller client using an (active directory / CoCns) authentication window similar to this:

[Screenshot]

Customer would like their users (in the future) to logon to the Controller client using an IBMid authentication window similar to this:

[Screenshot]

---------------------------------------

Optionally, the customer can also choose to modify the IBMid logons so that they are integrated (also known as 'federated') with their own preferred corporate authentication system (for example, federated against their on-premise corporate active directory).

- This means that the logon box above will ask the end user to logon with their corporate username/password.
---------------------------------------

NOTE: The above logon process is explained in more detail, inside separate IBM Technote #6201752.

However, to summarise:
  • Before launching 'Controller Classic' (the 'main' Controller client which is shown in the picture above) users will still need to logon to the Citrix website using the old IBM Cloud active directory password (the same username/password that they used before the Controller authentication was changed to IBMid).
  • The steps in this Technote will also cause the customer's 'Controller Web' to use IBMid authentication
  • The reason why the customer needs to authenticate using IBMid is because they want to integrate Controller with PA (to give FAP functionality).
    • This requires Controller to use the same authentication mechanism as PA (IBMid).

Environment

The steps listed in this Technote are only applicable for customers who have also purchased Planning Analytics (PA) on Cloud, and wish to integrate PA with Controller (FAP on the cloud).
- For this to work, their Controller environment needs to be converted to using the same IBM ID authentication as their PA-on-Cloud.

Steps

The process is as follows:

1. Customer ensures that they have a working PA-on-Cloud system (which will be required, for the IBMid authentication)

  • In other words, they have some users who are already logging onto PA (on Cloud) using IBM id.

2. Customer raises an IBM Support case (ticket) to ask for their Controller system to be modified to use IBMid authentication

3. Inside the support case, customer should provide:

(a) the name of their production PA-on-Cloud environment (for example customer-pro.planning-analytics.ibmcloud.com), which they want to connect to Controller

(b) some acceptable date(s) for downtime (for when the work will occur)

  • NOTE: The date(s) should be several weeks in the future, because IBM Cloud will need a reasonable amount of notice to plan/schedule in the work.

4. If the customer's PA licence is based on 'PA Digital Pack' (which is a scaled down version of the 'standard' PA on cloud system), then please let IBM Support know.

  • This is because IBM Cloud team may need to provide extra PA licences to cover the Controller-only users who need to logon to the PA IBMid authentication system (but do not need to use the PA software).

5. In preparation for the switchover, customer makes sure that all their Controller users have a Planning Analytics (PA) account (in other words, each and every Controller user has an IBM ID registered on the PA security system) by doing the following:

  • Customer's PA superuser launches Planning Analytics Workspace website
  • Superuser clicks the 'person' icon (near the top-right corner) and chooses 'Administer':

[Screenshot]

  • Superuser chooses the option to invite new users to PA
  • Superuser types in the email addresses of all the Controller users (who are not already registered on the PA system)
  • The Controller users will receive an email (invitation). When they accept this, the IBM system tells them what to do.
    • For example, if the user does not have an IBMid already, they are invited to create one.

6. On the agreed date, IBM Cloud team modifies the Controller-on-Cloud system to use the IBMid authentication

  • TIP: The process will require several hours of downtime

7. Immediately after the change has occurred, the customer's PA superuser should launch Cognos Administration on their production PA-on-Cloud environment

  • For example:    https://mycustomer-pro.planning-analytics.ibmcloud.com/ibmcognos

8. Superuser adds all the relevant Controller superusers (administrators) into the role: Controller Administrators

In other words, they should:

  • Click 'Manage' then 'Administration console...'
  • On the Security tab, click Users, Groups, and Roles.
  • Click the Cognos namespace:

[Screenshot]

  • In the Actions column, click More for the Controller Administrators role:

[Screenshot]

  • Click the Members tab and click Add:

[Screenshot]

  • Tick the Show users in the list box and choose Planning Analytics:

[Screenshot]

  • Select one or more users that you want to be administrators (for example, people who have rights to create new users inside the Controller menu item group 'Maintain - Users - Rights').
  • Click the (yellow) right arrow to move them into the Selected entries pane and then click OK.
  • After you have added all the users who you want to be administrators, highlight the entry for  'Everyone' and remove it from the Controller Administrators role
  • Close the Properties window to return to the Users, Groups, Roles tab.

9. Customer's superuser adds all the standard Controller users (administrators) into the role: Controller Users

In other words, they should follow the same steps (as the previous item above), but this time:

  • Add the individual names of all the users (who you want to be able to use Controller) into the Controller Users role.
  • Afterwards, if there is the entry 'Everyone' in there, then remove it from the Controller Users role.

10. Customer chooses which of their users is going to be the ADM (main) Controller administrator - in other words, which person they want mapped to the 'ADM' user account

  • This user should be the first person who launches Controller
    • TIP: Make sure that this user is a member of the 'Controller Administrators' role (see above) before logging onto Controller!
  • They should log onto the main 'production' database. This process will map that user's IBMid to the Controller 'ADM' account.

11. Inside Controller, that user should click "Maintain - Rights - Users"

12. Select/choose/highlight one of your users (for example 'John Smith')

  • Notice how the section 'CAM User' is currently blank (empty) for that user:

[Screenshot]

13. Click on the box '...' to the right of CAM User:

[Screenshot]

Choose the IBM ID user which corresponds with the Controller user (for example John Smith) that you selected in step 12

14. Repeat steps 12 & 13 until all your Controller users have a corresponding/matching user inside the section 'CAM User'

15. Save changes

16. Test by asking all users to logon to Controller

17. Repeat steps 10 to 16 for all four Controller databases.

- By doing the above steps, all users should be able to logon to all 4 Controller databases (using their IBMid).

=========================================================

IMPORTANT: After the above change has taken place, users will still need to know/use their old Active Directory username/password. This is because:

- They will first need to logon to the same Citrix website as before, using the same old Active Directory username/password

- Afterwards, when they launch Controller, they will then logon using a different IBM ID username/password.

=========================================================

Optional - Extra steps to enable SAML/Federation

If the customer would like users to logon to IBM ID using their own customer's authentication mechanism (typically their Active Directory, but in some cases it can be other authentication for example Google) then:

18. Customer should raise an IBM Support ticket (case) to ask for the Controller IBM ID authentication to be configured to use SAML

  • Customer will be asked to provide some technical details about their authentication source, so that it can be connected (federated) to IBMid.

19. Customer should provide a list of IBM IDs (specifically, a list of email addresses associated with the users' IBM IDs) which they want converted to use 'federation'. These are then processed (on either Tuesday or Friday each week) to be converted to use federated logons.

  • TIP: The users do not have to be federated all at once. Therefore, it is suggested that the customer federates one 'test' user first. After this is successful, customer can process more users (convert them to be federated) when convenient.

Additional Information

F.A.Q.

Q1. Is there any other official documentation (explaining some of the above steps) which relates to what the customer needs to do (relating to administering Controller users) inside the CA 'Cognos Administration' website?

A1. Some of the above steps are also described inside this IBM Knowledgecenter article: https://www.ibm.com/support/knowledgecenter/SS9S6B_10.3.0/com.ibm.swg.ba.cognos.ctrl_fap_ug.10.3.0.doc/c_pa_controller_integration_intro.html

Customers can also use the separate IBM Technote #0738277.

Q2. Do customers have to purchase PA-on-Cloud to be able to logon to Controller-on-Cloud via IBMid?

A2. Yes.

Customers who do not purchase PA-on-Cloud (at an additional cost to Controller-on-Cloud) are not allowed/able to convert their system to logon to Controller via IBMid. This is by design, because the Controller-on-Cloud CA system does not have access to IBMid authentication.

Q3. If I have Controller users who will never use PA-on-Cloud, will I need to purchase a PA-on-Cloud licence for them anyway?

A3. No.

All Controller-on-Cloud users need to be added to the Planning Analytics namespace (by sending them an invitation - see instructions earlier in this Technote) to be able to use the IBMid authentication. However, if a Controller user does not access PA (in other words, that user is not defined/listed as having any security rights to access your PA model/system) then IBM will not charge for this 'Controller-only user' to have a PA license.

Q4. Can I easily distinguish between PA users and Controller users by placing users inside different roles (inside Cognos Administration website)?

A4. Partially.

  • All Controller users must be members of the role 'Controller Users' (inside the security portion of the website). Therefore it is very easy to distinguish which people are allowed to use Controller
  • By default, there is no built-in comparable 'Planning Analytics' role. If the customer wishes, they can choose to manually create this role (and populate it with a list of all their PA users). However:
    • It is up to the customer to keep this group list up-to-date and accurate.
    • By default, Planning Analytics does not use Cognos security roles in its PA (TM1) security (instead, it is optional). Therefore it is the customer's choice if they want to use any custom 'Planning Analytics' role (that they manually create) inside their model.

Q5. When I first launched the Cognos Administration website (https://mycustomer-pro.planning-analytics.ibmcloud.com/ibmcognos) I found that any of my colleagues could logon and administer the portal. Why is everyone an administrator?

A5. IBM have designed their Cloud products to allow customers to have as much control over them as possible. We therefore give customers the ability to administer their systems in the way that they choose. For example, some customers may have several different users who have administrative rights to different portions of the system (such as PA application administrators, Controller financial administrators, PA/Controller IBMid user account administrators).

Customers can choose how they wish to distribute these tasks/roles among their user population. For example, it may be appropriate (for some customers) that a single person can be an administrator in all parts of the Controller/PA system. Alternatively a different customer may prefer to split roles between different people.

IBM does not know how the customer wishes to operate, and therefore (by default) we give all customer users access to some of the PA/Controller systems. IBM therefore requires the customer to then 'lock the system down' to their preferred configuration.

For most customers' needs, to secure their system (to make sure that only authorised people can make changes in this website) the customer should simply modify the membership of the role 'Directory Administrators':

[Screenshot]

- Click on the 'Properties' icon (square) on the right-hand side

- Inside 'Members' tab, add the relevant people (perhaps 2 or 3 who will have administrative access to the Cognos Administration security system)

- Afterwards, remove the group 'Everyone'

Q6. When I first launched the Cognos Administration website, I found that the group 'Everyone' was a member of the role 'Controller Administrators'. Why was this?

A6. IBM do not know which user the customer would like to map as the 'ADM' user (in Controller). Therefore, when the system is first given to the customer (immediately after the Controller/PA integration is completed), we (IBM) give the ability for all users to logon to the Controller database and be mapped to 'ADM'. It is the customer's responsibility to:

- Choose which user (IBMid) they wish to be connected to the 'ADM' user.

- Make sure that they first logon (to each and every one of their Controller databases) with that IBMid

- Afterwards, make sure that all the relevant Controller superusers (those who will create/modify users inside the Controller GUI 'Maintain - Rights - Users') are added to the role 'Controller Administrators'

- Finally, remove the group 'Everyone' from the role 'Controller Administrators'

By doing the above, you will have locked down the 'Controller Administrators' role to contain only the users who will use the Controller GUI menu item 'Maintain - Rights - Users'.
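
A consistency check for the lockdown described in steps 8 to 14 and in A5/A6, as an added example that is not IBM's code. The role names come from this Technote; the input dictionaries are an assumption (membership copied by hand from the 'Members' tabs and from 'Maintain - Rights - Users', since the page describes no export format), and the sample users are constructed.

```python
# Added example: post-cutover lockdown check. Role names are from the Technote;
# the input structures and the function name are assumptions, filled in by hand.
LOCKED_ROLES = ("Directory Administrators", "Controller Administrators", "Controller Users")

def audit(role_members, controller_users, adm_ibmid, pa_namespace):
    """Return a sorted list of findings; an empty list means nothing was found.

    role_members:     {role name: set of member names}
    controller_users: {Controller user id: CAM User (IBMid e-mail) or None}
    adm_ibmid:        IBMid chosen to be mapped to the Controller 'ADM' account
    pa_namespace:     IBMids registered in the Planning Analytics namespace
    """
    findings = []
    for role in LOCKED_ROLES:
        members = role_members.get(role, set())
        if "Everyone" in members:
            findings.append(f"{role}: 'Everyone' is still a member")
        if not members - {"Everyone"}:
            findings.append(f"{role}: no named members")
    if adm_ibmid not in role_members.get("Controller Administrators", set()):
        findings.append(f"ADM candidate {adm_ibmid} is not in Controller Administrators")
    for user, cam in controller_users.items():
        if not cam:
            findings.append(f"{user}: CAM User is blank")
        elif cam not in pa_namespace:
            findings.append(f"{user}: {cam} is not registered in the Planning Analytics namespace")
        elif cam not in role_members.get("Controller Users", set()):
            findings.append(f"{user}: {cam} is not in the Controller Users role")
    return sorted(findings)

# Constructed sample state (not taken from a real system).
SAMPLE_ROLES = {
    "Directory Administrators": {"Everyone"},
    "Controller Administrators": {"anna.admin@example.com"},
    "Controller Users": {"anna.admin@example.com", "john.smith@example.com", "Everyone"},
}
SAMPLE_USERS = {"ADM": "anna.admin@example.com", "JSMITH": "john.smith@example.com",
                "MJONES": None, "PLEE": "pat.lee@example.com"}
SAMPLE_PA = {"anna.admin@example.com", "john.smith@example.com"}

if __name__ == "__main__":
    for line in audit(SAMPLE_ROLES, SAMPLE_USERS, "anna.admin@example.com", SAMPLE_PA):
        print(line)
```

Run it once per Controller database, because the 'CAM User' mapping is maintained separately in each one.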

==================================================

Extra Information about 'Non-Interactive user' (used in FAP)

Although this information is not related to IBMid authentication, customers may find it useful to be aware that:

  • Inside the PA Welcome Kit, the customer is given a 'non-interactive user'
  • As part of the PAoc/CA/CoC integration, one of the steps (related to user security) that the customer needs to do, is to give the non-interactive user administration privileges on the TM1 instance (sometimes known as 'TM1 server'):

[Screenshot]

- This is to allow the ability to publish data (from Controller) in to a Financial Analytics Publisher (FAP) cube.

- This is documented inside the IBM Knowledgecenter here: https://www.ibm.com/support/knowledgecenter/SS9S6B_10.3.0/com.ibm.swg.ba.cognos.ctrl_fap_ug.10.3.0.doc/t_enable_ldap_user.html

  • You use the non-interactive user when defining your Data Mart, for example:

[Screenshot]

==================================================


Document Information

Modified date:
12 October 2021

UID

ibm10735407