Groups and Roles
Groups and roles represent collections of users that perform similar functions, or have a similar status in an organization. Examples of groups are Employees, Developers, or Sales Personnel. Members of groups can be users and other groups. When users log on, they cannot select a group they want to use for a session. They always log on with all the permissions associated with the groups to which they belong.
Roles in IBM® Cognos® software have a function similar to that of groups. Members of roles can be users, groups, and other roles.
The following diagram shows the structure of groups and roles.
Users can become members of groups and roles defined in IBM Cognos software, and groups and roles defined in authentication providers. A user can belong to one or more groups or roles. If users are members of more than one group, their access permissions are merged.
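The membership rules above can be checked mechanically when auditing what a user actually holds at logon. The following Python sketch is an added example, not IBM Cognos code or its Software Development Kit: it resolves nested membership transitively and merges the grants of every group and role reached. All names and permissions are constructed, and treating the merge as a set union of granted permissions is an assumption.

```python
# Added illustration; every name and permission below is constructed sample data.
KIND = {"alice": "user", "bob": "user", "Developers": "group",
        "Employees": "group", "Report Authors": "role", "Report Admins": "role"}
# container -> direct members
MEMBERS = {
    "Developers": {"alice"},
    "Employees": {"Developers", "bob"},
    "Report Authors": {"Developers"},
    "Report Admins": {"Report Authors", "bob"},
}
# Granted permissions only (assumption: merging is a set union of grants).
GRANTS = {"Employees": {"read"}, "Developers": {"execute"},
          "Report Authors": {"write"}, "Report Admins": {"set policy"}}
# Rules from the text: groups hold users and groups; roles may also hold roles.
ALLOWED = {"group": {"user", "group"}, "role": {"user", "group", "role"}}


def validate(members, kind):
    """Return (container, member) pairs that break the membership rules."""
    return [(c, m) for c, ms in sorted(members.items()) for m in sorted(ms)
            if kind[m] not in ALLOWED[kind[c]]]


def effective_memberships(user, members):
    """Every group and role the user holds, directly or through nesting."""
    parents = {}
    for container, ms in members.items():
        for m in ms:
            parents.setdefault(m, set()).add(container)
    seen, stack = set(), [user]
    while stack:
        for parent in parents.get(stack.pop(), ()):
            if parent not in seen:  # the seen set also stops membership cycles
                seen.add(parent)
                stack.append(parent)
    return seen


def merged_permissions(user, members, grants):
    """Union of the grants attached to all effective memberships."""
    merged = set()
    for container in effective_memberships(user, members):
        merged |= grants.get(container, set())
    return merged


if __name__ == "__main__":
    print(sorted(effective_memberships("alice", MEMBERS)))
    print(sorted(merged_permissions("alice", MEMBERS, GRANTS)))
```

Because users cannot select a group for a session, the set returned for a user is what every session carries, which makes deep nesting the first place to look when a user has more access than expected.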
You create Cognos groups and roles when
- you cannot create groups or roles in your authentication provider
- groups or roles are required that span multiple namespaces
- portable groups and roles are required that can be deployed
  Create the required groups and roles in your authentication provider, and add them to the appropriate Cognos groups and roles.
- you want to address specific needs of IBM Cognos administration
- you want to avoid cluttering your organization security systems with information used only in IBM Cognos software
Series 7 Roles
If you have configured the IBM Cognos Series 7 authentication provider, user collections known as user classes in Series 7 appear as roles in IBM Cognos software. You can access Series 7 and IBM Cognos software using a single logon. If you start your session by logging on to Series 7, and then access IBM Cognos software, you automatically assume the roles that were in effect for you in Series 7 when you first logged on. You cannot assume different Series 7 roles. For more information on configuring the authentication provider, see Authentication Providers.
Users can assume different roles in Series 7 after they access IBM Cognos software.
Roles Used to Run Reports and Jobs
The roles used to run reports and jobs are associated with the users who run the reports interactively, who are the report owners, and whose credentials are used to run scheduled reports and jobs. Depending on the options selected to run reports, different roles can be assumed by the process. For more information, see View, Run, or Open a Report and Schedule Management.
- When a report runs that has the run as the owner option selected, the process assumes all the roles associated with the report owner.
- When a scheduled report or job runs, the session assumes all the roles associated with the user whose credentials were used to process the request (see Trusted credentials).
Distribution Lists as Members of Groups and Roles
In some namespaces, such as Microsoft Active Directory, a distribution list may appear on the Members tab of the Set properties page for a group or role. However, you cannot add distribution lists to a group or role membership, and you cannot use them to set access permissions for entries in the IBM Cognos user interface.
You can add an IBM Cognos distribution list to a Cognos group or role membership using the Software Development Kit. However, the Software Development Kit cannot be used to add an Active Directory distribution list to an Active Directory group. The Active Directory management tools must be used to do this.
IBM Cognos Controller Groups and Roles
For IBM Cognos software, use IBM Cognos Controller groups and roles to configure security. For information about using these groups and roles to configure security, see the IBM Cognos Controller Installation and Configuration Guide.