Create Member-Based Security - IBM Cognos User Manual

A role is a grouping that typically includes users who have similar responsibilities
and privileges in your organization. Roles can include users, groups, and other
roles.
Individual users can belong to several groups or roles.
Group and role names must be unique.

Create Member-based Security

You add member-based security to a model by creating custom views of the data,
and then assigning the custom views to individual cubes. When you create a
custom view, you select security objects (users, groups, and roles) configured in
your IBM Cognos namespaces, and then define a specific view of the data for
those security objects using dimension filtering methods, such as apexing or
cloaking.
The security you specify for an object is passed on to the drill-through reports that
reference that secured object. Only users with permission to see the secured object
are able to see it in the published cube.
With Cognos Transformer, you can also create hierarchical custom views.
Hierarchical custom views allow you to restrict the data accessible in the
descendant views, without having to recreate full custom views. This is similar to
how user class views were used in Cognos Transformer version 7.x.
You can update the model security at any time.
When you make changes to the security objects in your configured namespaces,
you do not need to rebuild the cube to reflect the changes. PowerCubes reflect the
applied member-based security at run time. For example, if you use a group called
System Administrators in a custom view within Cognos Transformer, and then
change the users who belong to that group in the authentication provider, the
PowerCube reflects the changes automatically. However, when you make changes
to the custom views, you must rebuild the cube for the changes to take effect.
Consider the following:
v You can reuse custom views on any cube within a model.
v If your model contains cube groups, apply member-based security in the
v With hierarchical custom views, each descendant inherits the parent view.
v Individual groups or roles cannot appear more than once in the same
v Each custom view must be applied individually to the cube. The only exception
following way:
– For time-based partitioned cube groups, assign the custom view to the control
cube only. Each member cube will automatically inherit security from the
control cube.
– For regular cube groups, assign the custom view to each member cube
individually.
hierarchical custom view.
is when you apply a descendant custom view to a cube. In this situation, the
parent views are automatically added to the cube.
Chapter 7. Adding Security
149