User authorization for Cognos folders and reports

A Custom Java Authentication Provider (CJAP) provides authorization for users accessing Cognos report folders and reports. You can implement this feature after you implement the IBM® EMM Authentication Provider, which provides single sign-on authentication between IBM EMM applications and Cognos.

Limitations of the IBM EMM Authentication Provider

After Cognos has been configured to use the IBM EMM Authentication Provider, users are authenticated automatically in Cognos when they access reports in an IBM EMM application. If a user accesses the Cognos URL in the same browser session used to access IBM EMM products, Cognos does not prompt the user to log in again.

A user logged in to the Cognos user interface becomes part of the Cognos Everyone group. This is the default Cognos namespace implementation. The Everyone group in Cognos has System Administrator privileges by default. This is a security risk, because every user becomes an admin user. A malicious user can take advantage of this permission to delete or edit reports in public folders.

The IBM EMM Authentication Provider authenticates users in Cognos, but it does not authorize them in Cognos. To correct this limitation, the CJAP implementation makes users visible in the security section of the Cognos namespace. When this is done, you can administer user roles and permissions in Cognos.

Overview of the CJAP implementation

The CJAP implementation brings all users in the IBM EMM application who have report access into a Cognos namespace that you specify. The CJAP associates IBM EMM users with Cognos groups based on their IBM EMM product access. Users who have the ReportsUser role in IBM EMM receive read-only limited access to Cognos folders and reports. Users who have the ReportsSystem role in IBM EMM receive administrator permission in Cognos. You can also customize groups and roles to secure custom reports and report folders in Cognos.

CJAP prerequisite

Before you implement CJAP, ensure that the IBM EMM Authentication Provider is implemented and tested.