User authorization for Cognos folders and reports

A Custom Java Authentication Provider (CJAP) provides authorization for users who access Cognos report folders and reports. You can implement this feature after you implement the HCL® Marketing Software Authentication Provider, which provides single sign-on authentication between HCL Marketing Software applications and Cognos.

Limitations of the HCL Marketing Software Authentication Provider

After Cognos has been configured to use the HCL Marketing Software Authentication Provider, users are authenticated automatically in Cognos when they access reports in an HCL Marketing Software application. If a user accesses the Cognos URL in the same browser session used to access HCL Marketing Software products, Cognos does not prompt the user to log in again.

A user who is logged in to the Cognos user interface becomes a part of the Cognos Everyone group. This is the default Cognos namespace implementation. The Everyone group in Cognos has System Administrator privileges by default. This is a security risk, because every user becomes an admin user. A malicious user can take advantage of this permission to delete or edit reports in public folders.

The HCL Marketing Software Authentication Provider authenticates users in Cognos, but it does not authorize them in Cognos. To correct this limitation, the CJAP implementation makes users visible in the security section of the Cognos namespace. When this is done, you can administer user roles and permissions in Cognos.

Overview of the CJAP implementation

The CJAP implementation brings all users in the HCL Marketing Software application who have report access into a Cognos namespace that you specify. The CJAP associates HCL Marketing Software users with Cognos groups based on their HCL Marketing Software product access. Users who have the ReportsUser role in HCL Marketing Software receive read-only, limited access to Cognos folders and reports. Users who have the ReportsSystem role in HCL Marketing Software receive administrator permission in Cognos. You can also customize groups and roles to secure custom reports and report folders in Cognos.

CJAP prerequisite

Before you implement CJAP, ensure that the HCL Marketing Software Authentication Provider is implemented and tested.