Configuring the IBMConnectionsMetricsAdmin role on Cognos®

Configure the IBMConnectionsMetricsAdmin role in Cognos® Business Intelligence to ensure that the Metrics administrator has access to features and reports.

Before you begin

The default custom authentication provider is configured automatically in Cognos® during installation and configuration. When configuring the IBMConnectionsMetricsAdmin role, you must be logged in using the Cognos® administrator account specified during Cognos installation. If the Cognos® administrator cannot view and add other users, consult your LDAP administrator.

Note: After completing this configuration, all users who can access the global metrics also become administrators of Cognos BI. If you are concerned about the Cognos security control, perform the following steps to limit these Metrics users only to be able to view global metrics but not to have administrator rights for Cognos.
  1. Perform steps 3 through 7 to add the global metrics users who do not need to have administrator rights to the IBMConnectionsMetricsReader role instead.
  2. Repeat step 8 to remove these users from the member list of IBMConnectionsMetricsAdmin role.

About this task

After you have configured LDAP authentication for Cognos® Business Intelligence, you must configure the IBMConnectionsMetricsAdmin role so that specified LDAP users can access Cognos® features. In particular, you will want to add the following users to this role:
  • The user assigned to the Cognos® administrator account

    The Cognos® administrator is the primary person responsible for configuring Cognos® features and reports.

  • All users who have been assigned to the admin role for Connections

    Anyone tasked with administering the Connections deployment should have access to Cognos® features to ensure they can manage the full deployment as needed.

  • All users who have been assigned to the metrics-report-run role

    Users who have been authorized to run global metrics reports require access to Cognos before they can work with the reports. You can also add these users to IBMConnectionsMetricsReader role instead, if you do not want the users to become administrators of Cognos BI.

Procedure

  1. Set cognos.admin.username as an administrator for WebSphere® Application Server as follows:
    Note: This setting should have been configured automatically by the Cognos Installation Wizard. Check the setting in the Deployment Manager (DM) Console. Only perform the following steps if the Cognos administrative user cannot be found in the Administrator role of DM.
    cognos.admin.username is a substitution variable, not a literal string that you need to add. The actual string is the variable's value set in the cognos-setup.properties file. The path information for that file should be provided, which can be found by inspecting the COG_ROOT WAS environment variable.
    1. Start the Deployment Manager (DM) and then log into the DM.
    2. Click Users and Groups > Administrative user roles and then click Add.
    3. Select Administrator from Roles and then search for the user cognos.admin.username, which is specified in cognos-setup.properties file.
    4. Select the target user and click the move button to move the user name to the Mapped to role field.
    5. Click OK and then click Save.
    6. Log out of the DM.
    7. Restart the DM and the nodes.
    8. Restart Cognos® server.
    9. Log into the DM using cognos.admin.username. Make sure the user cognos.admin.username can search for users and groups in WebSphere® Application Server Integrated Solutions Console.
  2. Use a browser to navigate to the Cognos® deployment with the following address: http://Host_Name:Port/Context_Root/servlet/dispatch/ext
    where:
    • Host_Name is the fully qualified host name of the Cognos® server; for example, host.example.com. This value is specified in the was.fqdn.hostname property in the cognos-setup.properties file used for installing the server.
    • Port is the port that the Cognos® server is listening on. To find the port, in the Integrated Solutions Console, navigate to Servers > Server Types > WebSphere application servers > -> <cognos server> > Ports and locating the value of WC_defaulthost.
    • Context_Root is the context root to which you installed the Cognos® server; for example, cognos. This value is specified in the ognos.contextroot property in the cognos-setup.properties file; its default value is "cognos".
  3. Log in to Cognos® using the Cognos® administrator account that you set up previously.
  4. On the next page, click Launch and then select IBM Cognos Administration.
  5. Select the Security tab.
  6. On the Directory page, select Cognos from the list.
  7. Add users to the IBMConnectionsMetricsAdmin role:
    1. Locate the IBMConnectionsMetricsAdmin role and click the More button that follows it.

      By default the list displays 15 roles at a time. To see more roles, use the arrow keys to scroll through the list or edit the number of entries displayed at one time.

    2. Click the Set properties icon.
    3. In the properties window, click the Members tab, and then click Add.
    4. In the Add window, click Show users in the list.
    5. Select the directory named with the value specified in cognos.namespace in cognos-setup.properties file from the Directory list.
    6. Select all users who require administrator access to Cognos® Business Intelligence, and click Add to add them to the role.
      Use the Search button to search for a particular user. Remember to add at least the following users:
      • The Cognos® administrator
      • All Connections administrators
      • All users assigned to the metrics-report-run role
      Note: If a folder icon displays next to a user’s name and you cannot select that user, this may indicate the Cognos® is treating the user as a folder instead of as a user. For instructions on correcting this problem, see Troubleshooting the Cognos® BI Server.
    7. Click OK to save the change.
  8. Limit access to the System Administrators role by removing Everyone from the members list:
    1. Back in the Cognos® roles list, locate the System Administrators role click the More button that follows it.
    2. Click the Set properties icon.
    3. In the properties window, click the Members tab.
    4. In the Members window, select Everyone, and then click Remove to delete it from the list of members.
    5. Click OK to save the change.
  9. Disable the anonymous access for Cognos® BI server using the Cognos® Configuration tool as follows:
    Note: If your AIX® or Linux server does not support a graphical user interface, refer to the sample in Configuring HTTP manually for Cognos® BI Server to see how to modify the Cognos® configuration setting without a graphical user interface by editing the cogstartup.xml file.
    1. Navigate to the /bin64 subdirectory of the Cognos® BI Server installation directory, for example:
      • AIX® or Linux: /opt/IBM/Cognos64/bin64/
      • Windows: C:\COG_ROOT\Cognos\bin64
    2. Start the Cognos® Configuration tool by running the following command:
      • AIX® or Linux: ./cogconfig.sh
      • Windows: cogconfigw.exe
    3. Expand Local Configuration > Security > Authentication > Cognos to set Allow anonymous access? to False.
    4. Click File > Save.
    5. Exit the Cognos® Configuration tool, making sure to select No at the following prompt: 
      The service 'IBM Cognos' is not running on the local computer. Before you can use it your computer must start the service. Do you want to start this service before exiting?
    6. Restart Cognos® server.