Tivoli Common Reporting V2.x Training on Security Permissions

by user

on 15 сентября 2016

Category: Documents

>> Downloads: 7

views

Report

Comments

Description

Download Tivoli Common Reporting V2.x Training on Security Permissions

Transcript

Tivoli Common Reporting V2.x Training on Security Permissions

Tivoli Common Reporting V2.x
Training on
Security Permissions
Preethi C Mohan
Bhanu P Velampati
IBM India Ltd.
India Software Labs, Bangalore
[email protected]
[email protected]
© Copyright IBM Corporation 2012, 2013
This document is the sole property of IBM India Ltd. No part of this
document may be reproduced in any form or by any means - electronic,
mechanical, photocopying, recording or otherwise without the prior
written permission of IBM India Ltd.
Document Control
Revision
1.1
Date
Sep-13-2012
1.2
Jul-12-2013
Author
Preethi C Mohan
Bhanu P Velampati
Preethi C Mohan
1.3
Jul-23-2013
Preethi C Mohan
Summary of Changes
First version
Added Exercise 7 on access
settings at data level
Updated Exercise 7 on user
role access from the report
Reviewers
Name
Dan Krissell
Title
Tivoli Common Reporting Architect
Table of Contents
Overview .......................................................................................... 4
Reference ......................................................................................... 5
Exercise 1: Create a new user for Tivoli Common Reporting............. 6
Exercise 2: Create a group / role ...................................................... 8
Exercise 3: Provide access to Cognos Administration only to selected
users / groups / roles .................................................................... 12
Exercise 4: Deny access to Report Studio only to selected users /
groups / roles................................................................................. 16
Exercise 5: Grant/Deny access to a report package / folder / report
....................................................................................................... 18
Exercise 6: Capabilities settings at report package / folder / report
level ............................................................................................... 25
Exercise 7: Restrict access at the data level ................................... 27
Overview
This document aims at educating report users/executors on security settings that
are available at administration level, studio level, report package level and report
level.
Difference between Tivoli Common Reporting (TCR) and Tivoli Integrated Portal
(TIP) is that, TCR is deployed as a web application on TIP.
Figure 1
Tivoli Common Reporting has already many groups / roles defined. But this
document is going to show on how to create new user and group/role. And provide
permissions to these users/groups/roles to access Administration, Studios/Editors,
Report packages and reports.
The exercises in this document assume Single Computer installation of TCR. For a
distributed TCR installation, VMMProvider is not installed and instead replaced with
the namespace chosen by the end user when configuring LDAP.
Reference
Security Administration in Cognos 8.4.1:
http://publib.boulder.ibm.com/infocenter/c8bi/v8r4m0/index.jsp?topic=/com.ibm.s
wg.im.cognos.ug_cra.8.4.1.doc/ug_cra_i_SecurityModel.html
Security Permissions in TCR 2.x:
https://www.ibm.com/developerworks/mydeveloperworks/files/form/anonymous/a
pi/library/9641dcf4-c5b8-413c-8ae8-9c461dd84a09/document/44868866-14fb44e4-a68ce4be59348b53/media/Security%20Permissions%20in%20TCR%202.x.pdf
Exercise 1: Create a new user for Tivoli Common
Reporting
Purpose: Create a new user who can access Tivoli Common Reporting
Procedure:
1. Login to Tivoli Integrated Portal (TIP) console (Default URL:
https://localhost:16311/ibm/console). Login with administrator rights. In this
example, tipadmin is the administrator user ID.
2. Lets create a new user. Click on Users and Groups -> Manage Users
Figure 2
3. If the list of existing users is not visible, then click on Search button, the
table will show the existing users.
4. Now, click on Create… button
5. In the Create a User page, provide the User ID as user1. Fill all the
mandatory fields. Click Create. Then, click Close.
6. user1 will get listed in the table along with tipadmin.
7. At this point, user1 will not be able to see the Reporting element if logged
into TCR console. So, lets give user1 the rights to login to TCR.
a. Click on Users and Groups -> User Roles
b. Click Search
c. Click on user1 in the table
d. Select tcrPortalOperator from the list of Available Roles
e. Click Save
8. Logout of tipadmin account and login as user1
9. Now, user1 will be able to see the Reporting element on the left hand side
Exercise 2: Create a group / role
Purpose: There are 2 ways of creating a user group. One is to create it in Tivoli
Integrated Portal (TIP) and the other in Tivoli Common Reporting (TCR). Both can
be used when setting access rights.
Based on the business need, you can choose where to create the group. If there are
more than one Tivoli product application deployed on TIP and you prefer to have
common groups across the products, then create the group in TIP. Or if you have
configured LDAP, then the groups present in LDAP will appear under the Users and
Groups -> Manage Groups section in TIP.
If you want to store all the groups/roles in the TCR content store, then create the
groups in TCR.
Procedure 1: Create a group in TIP
1. Login to Tivoli Integrated Portal (TIP) console as administrator (tipadmin)
2. Click on Users and Groups -> Manage Groups
3. Click on Create… button.
4. Provide the name, say ‘Group1’. Click Create. It will list the Group1 in the
table.
5. Click Group1 in the table.
6. Click on Members tab. Click on Add Users…
7. In the Add Users to a Group page, click on Search which will list all the
users.
8. Select the users (say, tipadmin) which you would like to add to this group
and click Add.
9. Click Close.
Procedure 2: Create a group/role in TCR
1. Open TCR by clicking on Reporting->Common Reporting
2. Open Administration page by clicking on Launch -> Administration
3. Click on Security tab. By default, Users, Groups and Roles are loaded.
4. Click on Cognos in the table.
5. Click on
6.
7.
8.
9.
to create a new Group. Or click on
to create a new Role.
Let me create a new Group and call it ‘IBM Admin’.
Click Next.
Click Add… link at the bottom of that table.
In the Select entries page, by default, it shows the Navigate mode of
adding users. Go to the Type mode by clicking on Type link on the right
hand side.
Note: In Navigate mode, when we click on VMMProvider, it will not
list the users as TCR has disabled the feature of displaying it. The
reason for this is, if LDAP has too many users, this page tends to
freeze and so, it has been turned off until a better solution is found.
10.
Enter VMMProvider/tipadmin under the Names box and click on
green arrow button.
Alternately, if you want to add a TIP user group to this TCR group, type
VMMProvider/Group1 in the Names box and click on green arrow
button.
11.tipadmin (tipadmin) will get listed under the Selected entries. Click OK.
12.Members tab will list the selected user.
If a group was added, then it will look like this.
13.Click OK.
14.Click Finish in the Select the members… page.
15.Now, IBM Admin group will be listed in the main table.
Exercise 3: Provide access to Cognos
Administration only to selected users / groups /
roles
Purpose: The purpose of this exercise is to restrict the access to the Cognos
Administration to only some users/groups/roles. The users who do not have access
to the Administration page will not be able to add data sources, import/export
report packages or set permissions for other items like reports, report packages,
etc.
**IMPORTANT: The steps in this exercise are a pre-requisite for granting/denying
access to any items in Tivoli Common Reporting.
Procedure:
1. Login to Tivoli Integrated Portal (TIP) console as user1.
2. Click on Reporting -> Common Reporting. Click on Launch. Notice the
option Administration under it.
Figure 3
3. Now lets try to remove access to this Administration page for user1 by
allowing only tipadmin access to this page.
4. Logout of user1 account and login as tipadmin.
5. Click on Reporting -> Common Reporting. Click on Launch>Adminstration
6. Click on Security tab. By default, Users, Groups and Roles page is loaded.
7. Click on Cognos under the list of namespaces.
8. Go to Last page of the table by clicking on the
icon above the table. At the
end of the table, you will find a role with name ‘System Administrators’.
Click on its properties.
Figure 4
9. In the Set Properties page, click on Members tab.
10.Click Add… link at the bottom of that table.
11.Add the TCR user or group to this group
a. Go to the Type mode by clicking on Type link on the right hand side.
b. Enter VMMProvider/tipadmin OR VMMProvider/Group1 under the
Names box and click on green arrow button.
c. tipadmin (tipadmin) or Group1 will get listed under the Selected
entries.
12. OR you can add TIP group/role
a. Click on Cognos under the Available Entries
b. Click on IBM Admin under the Names box and click on green arrow
button.
c. IBM Admin will get listed under the Selected entries.
13.Click OK.
14.Now, in the Members tab, remove Everyone from the list of Members by
selecting the checkbox next to Everyone and click the link Remove
15.Click OK on the Members page.
16.Now, logout of tipadmin account and login as user1. Click on Reporting ->
Common Reporting. Click on Launch. Administration will not be visible
there.
Exercise 4: Deny access to Report Studio only to
selected users / groups / roles
Purpose: Deny access to launch Report Studio to user1. Similar procedure can be
followed for other studios under Launch menu. If there are more than one user
then, create a group or role and add the members there and deny access to it. This
exercise will show how to deny access to a single user.
Procedure:
1. Login to Tivoli Integrated Portal (TIP) console as tipadmin
2. Ensure to remove Administration rights to users who you wish to deny access
to the studio. Perform all the steps provided in Exercise 3.
3. Click on Reporting -> Common Reporting. Click on Launch>Administration.
4. Click on Security tab. By default, Users, Groups and Roles page is loaded.
5. Click on Capabilities.
6. Go to Last page of the table by clicking on the
icon above the table.
7. Click on the drop down arrow next to Report Studio and select Set
Properties.
8. In the Set Properties page, click on Permissions tab.
9. Ensure that checkbox for Override is selected
10.Click Add… link at the bottom of that table.
11.To add users/groups. apply step 11 or 12 given in Exercise 3. Say, I added
user1, and under Permissions table, user1 will get listed.
12.Select user1 checkbox. And Deny all permissions to it.
13.Click OK.
14.Now, check the access for user1 by logging out of tipadmin and logging
in as user1.
15.user1 will not be able to see Report Studio under Launch menu.
Exercise 5: Grant/Deny access to a report package
/ folder / report
Purpose: Deny permissions to user/role/group to access a report package. In this
exercise we will show how to deny access to Common Reporting package for user1.
Similar steps can be used for granting/denying access at folder and report level.
Procedure:
1. Login to Tivoli Integrated Portal (TIP) console as tipadmin.
2. Ensure to remove Administration rights to users who you wish to deny access
to the studio. Perform all the steps provided in Exercise 3.
3. Revert the changes made in Exercise 4 to remove access to Report Studio
at the top level. Ensure that you have access to Report Studio. In this
exercise we will show how to deny access to Report Studio at the report
package level.
4. Click on Reporting -> Common Reporting.
5. Open the properties of Common Reporting package by clicking on the Set
Properties icon in the table.
6.
7.
8.
9.
In the Set Properties page, click on Permissions tab.
Ensure that checkbox for Override is selected
Click Add… link at the bottom of that table.
To add users/groups. apply step 11 or 12 given in Exercise 3. Say, I added
user1, and under Permissions table, user1 will get listed.
10.Select user1 checkbox. And Deny all permissions to it. Click OK. With these
settings, Common Reporting package will not appear for user1 at all.
Login as user1 and it will appear as follows
11.Read access. If you want user1 to see the package name but not provide
the link to go inside the package, then grant the read permissions for user1.
When you login as user1, you will see this:
12.Traverse access. If you want user1 to navigate inside the package, but not
run any of the reports, then grant the traverse permission.
When you login as user1, you will be able to go inside Common
Reporting package, and see the report inside it, but you will not be
able to view or run it.
In this mode you will not be able to create a folder as well. Go to the
public folders, and click on folder icon.
Provide Test as the folder name and click on ‘Select another location’.
List of packages will be shown, but user1 will not be able to select Common
Reporting:
13. Write access. Now lets provide Read, Write and Traverse access to
Common Reporting package for user1.
User1 will be able to create folders under Common Reporting
package.
14.Set Policy access. This option is used to allow users to change the
permission settings. Since, user1 is not part of System Administrators group,
user1 will not have access to any of the permission settings pages. But lets
try to override this access by granting access for Common Reporting
package.
a. Login as user1 and go to the properties of Common Reporting, you will
notice that it contains only one tab, that is General.
b. Now, login as tipadmin and go to the Common Reporting properties
and grant Set Policy permission for user1.
c. Now, login as user1 and check the properties of Common Reporting
package, you will notice the Permissions tab for it.
d. You will notice that user1 will not be able to view all the other groups
or users names. However, user1 still has the option to remove the
other groups or edit their permissions as it has ‘Set Policy’ permission
enabled.
15. Execute access. You have to grant Read, Execute and Traverse
permissions at a minimum to be able to execute reports in a package. For
reports which contain javascript in an html tag which is meant to alter the
report xml during runtime, will need Write permissions as well.
When you login as user1, you will find that the report name will be a link and
also run report icon will be available for the report.
16.To be able to edit and execute a report, you will need Read, Write, Execute
and Traverse permissions.
When logged in as user1, you will find the Report Studio icon available for
the reports under Common Reporting package. (Provided you have not
denied access to Report Studio in the Administration Settings)
Exercise 6: Capabilities settings at report package / folder /
report level
Purpose: Lets learn how to control the access by using the capabilities settings.
Procedure:
1. Login to Tivoli Integrated Portal (TIP) console as tipadmin.
2. Ensure to remove Administration rights to users who you wish to deny access
to the studio. Perform all the steps provided in Exercise 3.
3. Revert the changes made in Exercise 4 to remove access to Report Studio
at the top level. Ensure that you have access to Report Studio. In this
exercise we will show how to deny access to Report Studio at the report
package level.
4. Click on Reporting -> Common Reporting.
5. Open the properties of Common Reporting package by clicking on the Set
Properties icon in the table.
6. Go to Permissions tab and remove user1 from there to ensure default grant
settings for user1. So, user1 has permissions on all items under Common
Reporting. Check it by logging in as user1.
7. Log back in as tipadmin and go to the properties of Common Reporting.
8. Go to the Capabilities tab. By default Everyone has access to all the
capabilities.
9. Click on the Override checkbox.
10.Add user1 by clicking on Add… and perform the steps that are needed to
add user1 to this list.
11.Select the checkbox of user1 and from the Capabilities list, deny permission
to use ‘HTML Items in Report’ under Report Studio.
12. Notice the first table where user1 is listed. Report Studio icon will appear.
13.Click OK.
14.Logout of tipadmin account and login as user1.
15.Click on Reporting->Common Reporting.
16.Click on Common Reporting package listed in Connection page.
17.Run the Reporting Overview report by clicking on the report name in the
table.
18.Report will throw the following error as it contains HTML items in it
Thus, you can restrict executing reports which contain dynamic code (like
javascript) in the report.
Exercise 7: Restrict access at the data level
Purpose: A user is required to view the data to which he/she has access to, in a
report.
Use Case:
1. Access TCR
2. Select a report and run it
3. The prompt page lists a pull-down menu which shows only those servers
which the logged in user has access to
4. Select the target system from the system list pull-down menu.
5. Click OK to generate the report for the selected system.
For this, you need a table which maps the user ID with the data in the database.
My sample Tivoli Data Warehouse does not have the mapping between user and the
server this user has access to, so, I will create a new table to hold this information.
I will use a sample report package (Test Package) to showcase the data level
access. You can use the report package that is available in your setup.
Procedure:
1. Create a new table to hold the mapping of users to servers. If you are using a
database which already has this mapping, then you can skip this step.
Note: In place of users, you can create ROLE_NAME to be able to link more than
one user to an asset. Refer the exercises above on how to create groups. Ensure
that user and role/group names are unique, i.e. a user name and role name
should not be same. Here will we directly use the user names.
1.1.
Create a table called USER_SERVER_MAPPING
CREATE TABLE ITMUSER.USER_SERVER_MAPPING
(USER_NAME VARCHAR (250) NOT NULL,
SERVER_NAME VARCHAR (250) NOT NULL)
1.2.
This sample Tivoli Data Warehouse contains only 3 servers. I will insert
the following user-server mapping
INSERT INTO ITMUSER.USER_SERVER_MAPPING
VALUES ('user1', 'winserver1'),
('tipadmin', 'winserver1'),
('tipadmin', 'bladex1_ACChassis_AEM'),
('tipadmin', 'bladex1_ACChassis_CUSTOM')
1.3.
After executing the above commands, I see the following in my
database
2. Create a report with prompt page for server list
a. Login to TIP as tipadmin
b. From Common Reporting page, launch Report Studio
c. Choose Test Package as the report package
d. Click Create New and then choose Blank in the list of templates. Click
OK.
e. Add few blocks and a list into the Page 1
f. Drag and drop the data items from the Insertable Objects into the list
on Page 1
g. Update the query properties to have the aggregate functions to Average
for the AVG_%_Processor_Time. I also changed the name of the query
to List_Query.
h. Now, let me run the report just to check if I can see the data. Click on
menu Run-> Run Report – HTML
i.
I see the following
j. Now, let me create a prompt page, and add a drop down to select the
server
k. Go to Page Explorer, click Prompt Pages.
l.
Drag and drop a page. Open the PromptPage1
m. Drag and drop a table into the prompt page. Adjust the width of the table
so it aligns well.
n. Add a label for the input field and create a Value Prompt to load the
server names in it. On the page explorer, this is how it will look
o.
I changed the query name to ServerName_Query.
p. Run the report. The prompt page will show the list of servers.
q. Select a server and run the report. Say, I will select winserver1
r. I see the following
3. Use the USER_SERVER_MAPPING to filter the server list based in the prompt
page based on the user access settings for the server
3.1.
First, get the USER_SERVER_MAPPING into the report. If you have
access to the data model / report package, then you can import it in the
model and publish it. But here I will use the direct SQL and load the table
directly in the report.
a. In the Query Explorer, drag and drop SQL.
b. Update the query name to User_Server_Mapping_Query and set
the Processing property of the Query to Limited Local.
c. Select SQL, and set the Data Source to WAREHOUS
d. Set the SQL to the following
select * from ITMUSER.USER_SERVER_MAPPING
e. Double click on User_Server_Mapping_Query to view the data
items
3.2
Now, create a new join query to link the ServerName_Query and
User_Server_Mapping_Query.
a. Drag and drop Join from the Insertable Objects. Drag
ServerName_Query into the first box and
User_Server_Mapping_Query in the second box.
b. Set the Join relationship with the cardinality setting as shown below
c. Open Query 1, drag and drop Server_Name and USER_NAME into
the data items box.
3.3
Now add a filter to filter by logged in user.
3.3.1 Drag and drop the USER_NAME from the Data Items box to the
Detail Filters
3.3.2 Set the following expression
[USER_NAME] = #sq($account.personalInfo.userName)#
Note: If you use roles, then the expression will be as follows:
position('''' || [ROLE_NAME] || '''', #sq(CSVIdentityNameList(','))#) > 0
Where the macro #sq(CSVIdentityNameList(','))# is used to fetch the
list of roles and groups that the logged in user belongs to. And we used
the position function to find if the role name exists in the list. In the
expression above, we have prefixed and appended ROLE_NAME with
single quotes to ensure the complete role name is matched.
Example: Output of #sq(CSVIdentityNameList(','))# will look like this :
'Adaptive Analytics Users','All Authenticated Users','Analysis
Users','Authors','Cognos','Cognos Insight Users','Consumers','Controller Users','Data
Manager Authors','Everyone','Express Authors','Metrics Authors','Metrics Users','Mobile
Users','Planning Contributor Users','PowerPlay Users','Query Users','Readers','Statistics
Authors','System Administrators','VMMProvider','tipadmin'
3.3.3 Now, go to the prompt page, select the Value prompt and
change the query setting from ServerName_Query to Query1
3.4
3.5
Now, save the report. Call it as ‘Data Level Access Report’.
Go to the main Reporting page (Connection page). Click the properties
of this report.
3.6
Go to the Report tab. Update Default action to ‘Run the report’ else it
will always show cached data of the last 5 mins.
3.7
3.8
Click OK
Run the report from Connection page
3.8.1 If you run the report as tipadmin, you will see all the servers in
the drop-down.
3.9
Now, login as user1. Open Common Reporting. On the connection
page, check if the correct user is displayed. If you still see the previous
user, just refresh the browser page. Sometimes, browsers tend to
cache the page.
3.10 Now, run the report, here is the list I see in the drop down
Note:
 Based on the business case, you can set the filter. In case you do not
want a prompt, then you can create a join of the List_Query and
User_Server_Mapping_Query and set the filter inside the joined query
to show the servers that the logged in user has access to.