IBM Support

How to create a 'special' Controller user whose only rights is to create new users



The customer wishes to create a 'special' user who can create new users, but is unable to run any other functions (for example so that they cannot see any data etc.). How can they do this?


Customer creates a new user (for example 'ADMIN2') inside the top-level group (called 'Main User Group').
  • In other words, ADMIN2 is created next to 'Administrator' (also known as 'ADM'):

This is necessary because the new user must be able to create new users inside every sub-group (for example 'Divisional Users').

However, because the user is now a member of this top-level group, it means that the 'special' user has (by default) administrative access to everything in Controller.

  • Specifically, they can use every menu item, and have administrative access inside all of them:

  • This is not what the customer wants.

Is there a quick and easy way to restrict the new user so that he/she can only create new users (in Controller) ?

Resolving The Problem

There are several rules that you must obey, to create this 'special' user:
(1)Ensure that the new user belongs to the user group 'MAIN'
  • In other words, they must be located inside the 'top-level' user group
  • TIP: If you do not do this, then you will get symptoms such as those described inside separate IBM Technote #123191.
(2) Because they belong to the 'MAIN' user group, they will (by default) have unrestricted rights to many parts of Controller.  Therefore you must use Controller's 'user rights' functionality to restrict the 'special' user's access in terms of what menu items they can use.
  • Specifically, assign the user to belong to a new menu security group which only has access to one menu item ('Maintain - Rights'). For example:
    • Create a new group 'ITDEPT' whose only menu item is the 'Maintain - Rights' menu item
    • Afterwards, add the 'special' user(s) to this group.
  • NOTE: The ADM user is a special user, so cannot be restricted, but other users (who belong in the same top group 'MAIN') can be restricted.
1. Launch Controller, and logon as an administrator (for example the user 'ADM')
2. Click 'Maintain - Rights - Security Groups'
3. Click 'New'
4. Call the new code something sensible (for example 'ITDEPT')
5. Highlight 'Company' and choose 'Not available'
6. Repeat step 5 for the following:
  • Group
  • Reports
  • Transfer
  • Maintain

7. Expand 'Maintain'
8. Highlight 'Rights'
9. Change the Access Rights to 'Normal':

10. Press 'Save'.
  • TIP: This has created a new Security Group (called 'ITDEPT') which has a restricted set of menu items.
    • Any user which is a member of this group, will now get fewer available menu items (inside Controller).

11. Click 'Maintain - Rights - Users'

12. If you have not already created the new user, then:
  • Change the 'Create New' choice to be 'User'
  • Type in the details of the new user, for example:
    • User ID (for example 'ADMIN2')
    • Current Password

    • etc.
    • Make sure that 'User Group Administrator' is ticked
    • Click 'Save'

NOTE: At the current moment, this new user (for example 'ADMIN2') has access to all the menu items in Controller.
  • The next step will restrict access to only one menu item.

13. Highlight the relevant user (for example 'Admin2') and choose 'Limitations'
14. Next to 'Menu Group' click '...' button
15. Choose the security group that we created earlier (for example 'ITDEPT')

16. Save changes
17. Test (by logging on as the new user 'ADMIN2')
  • The choice of menu items should be restricted to only this one:

[{"Product":{"code":"SS9S6B","label":"IBM Cognos Controller"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"Controller","Platform":[{"code":"PF033","label":"Windows"}],"Version":"10.3;10.2.1;10.2.0;10.1.1;10.1","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}}]

Historical Number


Document Information

Modified date:
30 March 2020