Using HCL EMM Authentication Provider to secure IBM Cognos BI system

By default, the Cognos® system is unsecured because anyone who has access to the IBM® Cognos applications can access the data from the HCL EMM application database. You can secure the Cognos system by using the IBM EMM Authentication Provider.

When your HCL EMM system integrates with the IBM Cognos BI system, the IBM Cognos system provides access to the HCL EMM application data in the following ways:
  • From the HCL EMM applications: when someone requests a report from the HCL EMM interface, the HCL EMM system contacts the IBM Cognos system, which queries the reporting views or tables and then sends the report back to the HCL EMM interface.
  • From the IBM Cognos applications: when you work with the HCL EMM application data model in Framework Manager or the reports in Report Studio, you connect to the database for the HCL EMM application.
When IBM Cognos is configured to use HCL EMM authentication, the HCL EMM Authentication Provider that is installed on the IBM Cognos BI system communicates with the security layer of the Marketing Platform to authenticate users. For access, the user must be a valid HCL EMM user and must have a role that grants one of the following permissions:
  • report_system, which also grants access to the reporting configuration options in the HCL EMM interface. The ReportsSystem role grants this permission.
  • report_user, which grants access to the reports but not to the reporting configuration options in the HCL EMM interface. The ReportsUser role grants this permission.
The following authentication options exist:
  • authenticated
  • authenticated per user

Authenticated mode

When the authentication mode is set to authenticated, the communications between the HCL EMM system and the IBM Cognos system are secured at the machine level. To use the authenticated mode for a user, you must configure a report system user and identify the user in the reporting configuration settings.

Complete the following tasks to configure a report system user:
  1. Create the user and assign to it the ReportsSystem role, which grants it access to all reporting functions.
  2. Store login credentials for the IBM Cognos system in a user data source.
  3. Name the user cognos_admin. This name is a convention, not a requirement.
The HCL EMM Authentication Provider uses the following method to authenticate the report system user:
  • Each time that an HCL EMM user attempts to display a report, Marketing Platform uses the credentials that are stored in the report system user record in its communication with the Cognos system. The authentication provider verifies the user credentials.
  • When report authors log in to the IBM Cognos applications, they log in as the report system user, cognos_admin, and the authentication provider verifies the user credentials.

Authenticated per user mode

When the authentication mode is set to authenticated per user, the reports system does not use a report system user and evaluates the credentials of each individual user. The HCL EMM Authentication Provider uses the following method in the authenticated per user mode:

  • Each time that an HCL EMM user attempts to display a report, the Marketing Platform includes the user credentials in its communication with the Cognos system. The authentication provider verifies the user credentials.
  • When report authors log in to the IBM Cognos applications, they log in as themselves and the authentication provider verifies their credentials.

With the authenticated per user mode, all users must have either the ReportsUser or the ReportsSystem role to see reports. Typically, you assign the ReportsSystem role to one or two administrators and assign the ReportsUser role to the user groups of the HCL EMM users who need to see reports in the HCL EMM interface.

Except for checking for a reporting permission, the authentication provider does not check for other authorization. Report authors who log in to the Cognos applications have access to all the reports on the Cognos system, no matter how their report folder permissions might be set on the HCL EMM system.
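The following audit sketch is an added example, not HCL or IBM code. For authenticated per user mode, it lists users who hold a reporting role but whose HCL EMM folder permissions are narrower than the full folder set (those folders are still reachable if they log in to the Cognos applications directly), and it flags when more than the typical one or two users hold ReportsSystem. The User record, the folder names, the non-reporting role name, and the finding labels are constructed for illustration.

```python
from dataclasses import dataclass, field

# Role -> permission mapping as stated on this page.
ROLE_PERMISSION = {"ReportsSystem": "report_system", "ReportsUser": "report_user"}

@dataclass
class User:
    name: str
    roles: set
    emm_folders: set = field(default_factory=set)  # folders granted in HCL EMM

def reporting_permissions(user):
    """Permissions the authentication provider looks for; empty set means no access."""
    return {ROLE_PERMISSION[r] for r in user.roles if r in ROLE_PERMISSION}

def audit_per_user_mode(users, all_folders, max_system_holders=2):
    """Return findings for authenticated per user mode.

    max_system_holders reflects the page's "one or two administrators" guidance;
    it is a tunable assumption, not a product limit.
    """
    findings = []
    holders = sorted(u.name for u in users
                     if "report_system" in reporting_permissions(u))
    if len(holders) > max_system_holders:
        findings.append(("excess_reports_system", holders))
    for u in users:
        if not reporting_permissions(u):
            continue  # fails the provider's permission check; cannot see reports
        # The provider checks only the reporting permission, so folders that
        # HCL EMM hides from this user are still visible inside Cognos.
        hidden_in_emm = sorted(all_folders - u.emm_folders)
        if hidden_in_emm:
            findings.append(("restricted_folders_visible_in_cognos",
                             u.name, hidden_in_emm))
    return findings

# Constructed sample data.
ALL_FOLDERS = {"Campaign", "Interact"}
USERS = [
    User("asmith", {"ReportsSystem"}, {"Campaign", "Interact"}),
    User("bjones", {"ReportsUser"}, {"Campaign"}),
    User("cwu", {"ReportsUser"}, {"Campaign", "Interact"}),
    User("dlee", {"SomeOtherRole"}, {"Campaign"}),  # no reporting role
]

if __name__ == "__main__":
    for finding in audit_per_user_mode(USERS, ALL_FOLDERS):
        print(finding)
```

Users reported under restricted_folders_visible_in_cognos are candidates for tighter access controls on the Cognos side, since the HCL EMM folder permissions do not constrain them there.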