User authorization for Cognos folders and reports

A Custom Java Authentication Provider (CJAP) provides authorization for users accessing Cognos report folders and reports. You can implement this feature after you implement the HCL® EMM Authentication Provider, which provides single sign-on authentication between HCL EMM applications and Cognos.

Limitations of the HCL EMM Authentication Provider

After Cognos has been configured to use the HCL EMM Authentication Provider, users are authenticated automatically in Cognos when they access reports in an HCL EMM application. If a user accesses the Cognos URL in the same browser session used to access HCL EMM products, Cognos does not prompt the user to log in again.

A user logged in to the Cognos user interface becomes a part of the Cognos Everyone group. This is the default Cognos namespace implementation. The Everyone group in Cognos has System Administrator privileges by default. This is a security risk, because every user becomes an admin user. A malicious user can take advantage of this permission to delete or edit reports in public folders.

The HCL EMM Authentication Provider authenticates users in Cognos, but it does not authorize them in Cognos. To correct this limitation, the CJAP implementation makes users visible in the security section of the Cognos namespace. When this is done, you can administer user roles and permissions in Cognos.

Overview of the CJAP implementation

The CJAP implementation brings all users in the HCL EMM application who have report access into a Cognos namespace that you specify. The CJAP associates HCL EMM users with Cognos groups based on their HCL EMM product access. Users who have the ReportsUser role in HCL EMM receive read-only limited access to Cognos folders and reports. Users who have the ReportsSystem role in HCL EMM receive administrator permission in Cognos. You can also customize groups and roles to secure custom reports and report folders in Cognos.

CJAP prerequisite

Before you implement CJAP, ensure that the HCL EMM Authentication Provider is implemented and tested.