Enhanced Security in IBM Cognos BI 10.2.1 Dynamic Cubes
The IBM Cognos BI 10.2.1 release made significant enhancements to the Dynamic Cube options available in the product. One major boost to functionality is that you can now add enhanced security within Cube Designer and not have to restart the Dynamic Cube, and there are many other similar benefits included as well.
The enhanced security features listed below have been added in the 10.2.1 release:
- Dynamic Cube Security Refresh: It is now possible to refresh security without having to restart a Dynamic Cube as long as there is no model change.
- Role-Based Security:
Dimension Security: It is now possible to secure entire dimensions within a dynamic cube.
Attribute Security: You can now restrict user access to specific member attributes in a hierarchy.
- Lookup Table-Based Security:
Security can now be implemented at the member level within a Dynamic Cube.
If security rules are stored in a relational database table, you can import the data source and use the lookup table in a security filter.
Note: A design change to the cube model (like adding new level to a hierarchy), will still require restarting the Dynamic Cube.
Implementing Enhanced Security on Lookup Tables
Lookup tables must contain the following:
- User identity information (username, groups, or roles).
- Data values corresponding to hierarchy level keys in the hierarchy.
- (Optional) Additional columns to refine filtering based on scope and/or access type, for example, scopes like members, members and descendants, etc. and access types like grant or deny.
Lookup database table-based security can be implemented in following three steps:
1. Add the lookup table as a query subject in the Dynamic Cube model.
2. Within a dimension hierarchy, match query items in the query subject to member keys in the level(s).
3. Add a filter expression that serves as selection criteria for records in the lookup table. The filter express may contain session parameter macros like $account.personalInfo.userName.
Implementing Role-Based Security
Role-based security in Dynamic Cubes can still be implemented in three steps. These steps are:
1. Create a member filter on a Dimension Hierarchy (grant or deny members with or without ancestors/descendants).
2. Create cube views on the security tab of the Dynamic Cube. Select which hierarchy filters to apply to the view, and which measures to grant or deny.
3. In Cognos Administration, under the data source connection, assign groups/roles/users to the cube view that you created in step.
You can combine lookup table-based and role-based security filters. For example, you can restrict access to finance data to the Finance user group by using a security view and then use IBM Cognos Administration to further restrict access for each finance team member in the lookup table for payroll data. Alternatively, you could restrict the view of a Dynamic Cube to the finance group in the portal, and then use the lookup table to grant/deny access to different areas of the hierarchy to individual member of finance team.
If you’d like to unlock the power of Dynamic Cubes in your Cognos environment, Ironside can help. In our IBM Cognos Dynamic Cubes course, our expert instructors equip you with all the fundamental and advanced insights required to make Dynamic Cubes fit seamlessly in your environment. Find a public course today or reach out and ask how you can schedule a private course for a group at your home location.