IBM Support

Cognos Analytics on Cloud and Planning Analytics on Cloud Integration (Single Sign-On) - User management issues

News


Abstract

The integration of Cognos Analytics on Cloud and Planning Analytics on Cloud allows users to seamlessly move between Cognos Analytics and Planning Analytics. This document describes issues related to managing users in this integrated environment.

This documentation and the features/issues described are not applicable to Cognos Analytics on Cloud on Demand or Planning Analytics on Cloud on Demand.

Content

Requirements for Cognos Analytics and Planning Analytics Integration (Single Sign-On)
  • Requires CA 11.1.7
  • Requires PA 2.0.8 IF2 and higher
  • Requires the client to use IBMid for both Cognos Analytics and Planning Analytics
SSO architecture
User management notes
Be aware of these details while managing users in your integrated environment.
NOTE: Cognos Analytics on Cloud and Planning Analytics on Cloud Integration uses one namespace that is pre-configured for single sign-on with IBMid. This namespace is identified as Business Analytics for new customers, and is identified as Planning Analytics for existing customers. For the remainder of this document, the namespace is referred to as 'the SSO namespace,' and is applicable to both existing and new customers.
Cognos Analytics
  • Cognos Analytics on Cloud with IBMid requires users to be imported before they can access Cognos Analytics on Cloud. Planning Analytics on Cloud users do not need to be imported because of new predefined roles in the Cognos namespace implemented in conjunction with the Planning Analytics on Cloud user invitation process. However, importing Planning Analytics on Cloud users is possible.
  • Imported Cognos Analytics on Cloud users will not have access to Planning Analytics on Cloud components unless they are explicitly invited in Planning Analytics. Planning Analytics on Cloud components include Planning Analytics Workspace, TM1 Web, Architect, and Planning Analytics for Excel. (See the following section for issues related to Planning Analytics for Excel.)
  • Imported Cognos Analytics on Cloud users can access Cognos Analytics content that uses a Planning Analytics data connection, even without a Planning Analytics user invitation.
  • A Planning Analytics on Cloud user will not appear in the SSO namespace until they log in or are imported.
  • Until the user is in the SSO namespace, the user cannot be added to groups or roles. To avoid this issue, consider importing all Planning Analytics users into the SSO namespace.
  • Until the user is in the SSO namespace, the user cannot be assigned TM1 Database security permissions for cubes, dimensions, elements, cells, etc. To avoid this issue, consider importing all Planning Analytics users into the SSO namespace.
Planning Analytics for Excel
  • Imported Cognos Analytics on Cloud users cannot use Planning Analytics connections in Planning Analytics for Excel due to the absence of a Planning Analytics on Cloud user invitation. Use of Planning Analytics connections requires a paid Planning Analytics subscription.
  • Imported Cognos Analytics on Cloud users can use Cognos Analytics connections in Planning Analytics for Excel.
Planning Analytics
  • Planning Analytics on Cloud requires the user invitation process for users to access Planning Analytics on Cloud components such as Planning Analytics Workspace, Planning Analytics for Excel, TM1 Web, Architect, etc.
  • There are two groups in the SSO namespace based on Planning Analytics on Cloud:
    • “PA Workspace Administrators” group contains all users with the Administrator role in Planning Analytics Workspace
    • “All PA Users” group contains all users invited to Planning Analytics
    • All other Planning Analytics Workspace groups are not available in the SSO namespace. They are only available for securing Workspace content.
  • "PANS Users" is a new role in the Cognos namespace.  
    • The "All PA Users" group is a member of the "PANS User" role.
    • The "PANS User" role is a member of the "Consumers" role.
  • "PANS Admin Users" is a new role in the Cognos namespace. The "PA Workspace Administrators" group is a member of the "PANS Admin Users" role. The "PANS Admin Users" role is a member of the "Directory Administrators" role.
Known user management issues in Cognos Analytics and Planning Analytics Integration (Single Sign-On)
The following items describe known issues with Cognos Analytics and Planning Analytics Integration.
Planning Analytics users are not displayed in Cognos Analytics by default
Issue:
Users in Planning Analytics only appear in Cognos Analytics after they log in to Cognos Analytics.
 
Resolution:
This is expected behavior. User profiles are created when a user logs in to Cognos Analytics. Alternatively, administrators have the option of doing a bulk import of users via a .csv file if they want to create the user profiles. Bulk import is described in Creating and managing groups and roles on IBM Knowledge Center.
Note that bulk import should be used only to create users. Don't create groups with bulk import. Groups don’t have any purpose in the SSO namespace (other than the provided All PA Users and PA Workspace Administrators groups).
After user profiles are created, a Cognos Analytics user is assigned to the Consumer role by default.
Planning Analytics users are prefixed with "pans:u:" in Cognos Analytics
 
Issue:
This issue is only applicable to existing Cognos Analytics on Cloud and Planning Analytics on Cloud customers who are upgrading.

When a member of Planning Analytics navigates to Cognos Analytics, members are displayed under the SSO namespace. The names of all members who have not yet logged in to Cognos Analytics are prefixed with 'pans:u:' - for example, pans:u:james@example.com.
The first time a member logs in to Cognos Analytics, the 'pans:u:' prefix is removed and a standard user name is created. For instance, 'pans:u:james@example.com' is converted to 'James (james@example.com)'.
Resolution:
As noted, names are converted the first time a user logs in to Cognos Analytics. No action is necessary.
Alternatively, this issue can be addressed by performing a bulk import of the users into Cognos Analytics via a .csv file, as described in Creating and managing groups and roles. Imported users do not include the 'pans:u:' prefix in the SSO namespace.
Revoked/deleted Planning Analytics users remain in Cognos Analytics, but are unable to log in to either Planning Analytics or Cognos Analytics
 
Scenario:
  1. Invite a new user to Planning Analytics. The user accepts the invitation and logs in to Planning Analytics.
  2. Navigate to Cognos Analytics and notice that the user name appears under the SSO namespace.
  3. In Planning Analytics, click Administer > Users.
  4. On the Users administration page, click Manage Subscriptions to open the Subscription and Subscriber Management tool.
  5. Delete the new user. 
  6. Close and reopen your browser, then log back in to Planning Analytics as Admin.
  7. Confirm that the user is removed from the user list in Planning Analytics.
  8. Navigate to Cognos Analytics and review the users under the SSO namespace. Note that the new user still exists in Cognos Analytics.
Issue:
The user remains in the SSO namespace, but receives an authentication error when attempting to log in to either Cognos Analytics or Planning Analytics.
Resolution:
This is expected behavior. The user is a member of the SSO namespace, but is not assigned any groups or roles from the Cognos namespace. Once the user is removed from Planning Analytics they are no longer a member of the All PA Users group, which is used to enable access to Cognos Analytics. 
Revoked/deleted Planning Analytics users remain in Cognos Analytics, unable to log in to Planning Analytics but can log in to Cognos Analytics
 
Scenario:
  1. Invite a new user to Planning Analytics. The user accepts the invitation and logs in to Planning Analytics.
  2. Navigate to Cognos Analytics and notice that the user name appears under the SSO namespace.
  3. Add the new user to a Cognos Analytics group and apply.
  4. In Planning Analytics, click Administer > Users.
  5. On the Users administration page, click Manage Subscriptions to open the Subscription and Subscriber Management tool.
  6. Delete the new user. 
  7. Close and reopen your browser, then log back in to Planning Analytics as Admin.
  8. Confirm that the user is removed from the user list in Planning Analytics.
  9. Navigate to Cognos Analytics and check the user name under the SSO namespace. Note that the Cognos Analytics group association remains.
Issue:
The user remains in Cognos Analytics, and can log in to Cognos Analytics directly. Any attempt to log in to Planning Analytics fails with an authentication error.
Resolution:
This is by design and is expected behavior. Once a user is added to a group in the Cognos namespace, the user has access to Cognos Analytics. 
Adding a Planning Analytics user directly to a Cognos Analytics role grants explicit access to Cognos Analytics for that user.
If you want a user to have access to Cognos Analytics only as a result of being a Planning Analytics user, use either the All PA Users or PA Workspace Administrators groups to control access for Planning Analytics users. That way, when a user is removed from Planning Analytics, they will no longer exist in those groups and will no longer have access to Cognos Analytics.
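The two revocation scenarios above can be checked with a short audit. This is an added example, not IBM code: it models the role nesting from the User management notes and reports which users removed from Planning Analytics still hold access to Cognos Analytics through direct assignments. The user names, the "Report Authors" group and the input shapes are constructed assumptions; the membership data would come from your own export of the SSO namespace.

```python
# Added example: all users, the "Report Authors" group and the input shapes are
# constructed for illustration. No Cognos Analytics API is called.

# Nesting described on this page: member -> roles that contain it.
# The page spells the first role both "PANS Users" and "PANS User".
NESTING = {
    "All PA Users": ["PANS Users"],
    "PANS Users": ["Consumers"],
    "PA Workspace Administrators": ["PANS Admin Users"],
    "PANS Admin Users": ["Directory Administrators"],
}
# Groups whose membership is driven by Planning Analytics and lost on removal.
PA_GROUPS = {"All PA Users", "PA Workspace Administrators"}

def effective(direct, nesting=NESTING):
    """Return every group/role reachable from a set of direct memberships."""
    seen, stack = set(), list(direct)
    while stack:
        name = stack.pop()
        if name not in seen:
            seen.add(name)
            stack.extend(nesting.get(name, []))
    return seen

def audit(sso_memberships, pa_revoked):
    """Classify users removed from Planning Analytics but still in the SSO namespace.

    sso_memberships: {user: set of direct group/role memberships in Cognos Analytics}
    pa_revoked:      set of users deleted from Planning Analytics
    Returns {user: (status, sorted residual groups/roles)}.
    """
    report = {}
    for user in sorted(pa_revoked & sso_memberships.keys()):
        # Ignore PA-driven groups in case the snapshot predates the removal.
        residual = sorted(effective(sso_memberships[user] - PA_GROUPS))
        status = "retains-ca-access" if residual else "no-access"
        report[user] = (status, residual)
    return report

# Constructed sample snapshot.
SAMPLE_SSO = {
    "ana@example.com": {"All PA Users"},                      # first scenario
    "ben@example.com": {"All PA Users", "Report Authors"},    # second scenario
    "dee@example.com": {"All PA Users", "PANS Admin Users"},  # direct role assignment
    "cy@example.com": {"PA Workspace Administrators"},        # still a PA user
}
SAMPLE_REVOKED = {"ana@example.com", "ben@example.com", "dee@example.com"}

if __name__ == "__main__":
    for user, (status, residual) in audit(SAMPLE_SSO, SAMPLE_REVOKED).items():
        print(user, status, residual)
```

Users reported as retains-ca-access need their direct group or role assignments removed in Cognos Analytics if their access was meant to end with their Planning Analytics subscription.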
UI provides the ability to import and add new Business Analytics groups in Cognos Analytics, but Planning Analytics groups are not available in Cognos Analytics
 
Issue:
Cognos Analytics includes user interface options to create or import new groups under the SSO namespace.
Resolution:
While this user interface (which cannot be disabled) does allow you to add or import groups into the SSO namespace, you should not use these options. Any groups created in this manner will not be linked to Planning Analytics and there is no way to manage members of these groups. 
Group names are not updated in TM1 after upgrading 
Issue:
The current version of Planning Analytics includes two predefined groups: PA Workspace Administrators and All PA Users.  These group names have been updated from the names used in previous versions of Planning Analytics. 
PA Workspace Administrators was previously named Subscription Administrators.  All PA Users was previously named All Users.
Though the names have changed, the CAMIDs for these groups remain constant. PA Workspace Administrators and Subscription Administrators use the same CAMID (“pans:g:Subscription Administrators”). All PA Users and All Users use the same CAMID (“pans:g:All Users”).
If you imported these groups into your TM1 security model prior to the name changes, you will see an inconsistency between the (old) group name displayed in TM1 and the (new) group names used in Planning Analytics.
Resolution:
This is a display issue only. As the old and new groups use the same CAMIDs, there is no impact on security.
For the sake of consistency and to simplify administration, you should re-import the new groups from Planning Analytics. This will ensure that the group names are consistent across applications.


Document Information

Modified date:
12 August 2020

UID

ibm16255690