Cognos Analytics

  • 1.  Active Directory Migration - will all users lose owned objects?

    Posted Thu July 29, 2021 08:35 AM

    Have a client that is currently using a 3rd party e-directory system and is moving to a normal Windows Active Directory. We understand how we will need to recreate the namespace and point Cognos to the new server, but the concern is if all the users have the same name in the new AD system, will Cognos recognize them as new entities or would they still have access to their existing objects: reports, My Reports folder, schedules, etc?

    I understand we will need to map the new AD groups to the Cognos groups but those will also retain the same name and hierarchy.



    ------------------------------
    brenda grossnickle
    BI Programmer Analyst
    FIS
    ------------------------------

    #CognosAnalyticswithWatson


  • 2.  RE: Active Directory Migration - will all users lose owned objects?

    Posted Fri July 30, 2021 08:20 AM
    Hi,
    I had a different experience. It is like a similar one.

    I wrongly deleted the Cognos AD directory from AD and lost the Cognos authentication. The content store stored all the authentication information and we need to match it.

    I created the same AD namespace in AD Directory to retrieve the AD Groups, Cognos user list and make sure the exact look-up detail in the Cognos configuration. (Actually, I did not do anything in the Cognos configuration file.) You have to make sure the exact path to retrieve the users and group structure in your case.

    On the Cognos side, each user validates the user information from my preference to match the CAMID.

    Thanks,
    Ram

    ------------------------------
    Ramanujam Rajagopal
    ------------------------------



  • 3.  RE: Active Directory Migration - will all users lose owned objects?

    Posted Fri July 30, 2021 09:08 AM
    In our case, we migrated from a different kind of LDAP to Active Directory. This required a different set of connection properties in Cognos Configuration. Also, the path in Active Directory was different than in the original LDAP. Consequently, yes, Cognos understood the users to be different people. We have about 100 users with relatively little in My Content and relatively little vis-a-vis security (roles and groups in Cognos). So, I was able manually to recreate everything. I manually moved the My Content for those who had it from their LDAP account in Cognos to their Active Directory account in Cognos. I was told that the alternative would have been to use the SDK or hire IBM to script the changes. I have hoped that Cognos would change their architecture so that there would be exactly one reference in Cognos per user with pointers thereto so that when folks change LDAPs there would only need to be one value changed per user. That's not the way it works, I guess. I think the attribute or attributes representing (pointing to) the LDAP user is stored in multiple (maybe many) places in the Cognos content store.

    Mike Sullivan
    North Shore Community College
    msulliva@northshore.edu

    ------------------------------
    Michael Sullivan
    ------------------------------



  • 4.  RE: Active Directory Migration - will all users lose owned objects?

    Posted Mon August 02, 2021 10:09 AM
    Brenda,

    It isn't that attributes are stored in multiple places but rather that different name space types use different unique attributes. This is more apparent if you configure a name space that is of type LDAP. If you select LDAP with values for AD then you should notice the unique identifier by default is object GUID whereas a generic LDAP will have DN as the unique identifier. For certain name spaces, such as Active Directory, the unique identifier is not configurable. It will again use object GUID just like the LDAP variant for AD defaults to. This challenge is compounded by any LDAP name space that has left DN as the default because DN is an exact path within the LDAP to the user. This means if that user changes departments the DN will most likely change except where customers have a flat LDAP structure for users. You will need to check what was used for a unique identifier against e-directory and hopefully be able to map to the same attribute in Active Directory. Then you could use the LDAP with values for AD but modify the unique identifier. If you cannot map it then you are looking at having to perform a name space migration whether that be with the help of IBM services or manually as Michael mentioned. One other tidbit of advice would be, if you do have to perform a migration, consider using email as the unique identifier. More than likely, eventually you'll shift from Active Directory to ADFS via IBM's OpenID Connect integration and that will default to using email. That is configurable but depends on the attributes available.

    ------------------------------
    Robert Hofstetter
    ------------------------------
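
The check described in the last reply (find out which attribute could serve as the unique identifier in both directories) can be rehearsed offline before the cutover. The following is an added example, not part of the original thread and not IBM tooling: it compares constructed exports of the old directory and the new Active Directory and reports, per candidate attribute, which users would keep the same identifier. The attribute keys (`dn`, `guid`, `mail`, `uid`), the sample entries and the case-insensitive comparison are assumptions.

```python
from collections import defaultdict

# Constructed sample exports: the same three people before and after the move.
OLD_DIR = [
    {"dn": "cn=asmith,ou=finance,o=corp", "guid": "e-01", "mail": "asmith@example.com", "uid": "asmith"},
    {"dn": "cn=bjones,ou=sales,o=corp", "guid": "e-02", "mail": "bjones@example.com", "uid": "bjones"},
    {"dn": "cn=clee,ou=sales,o=corp", "guid": "e-03", "mail": "clee@example.com", "uid": "clee"},
]
NEW_AD = [
    {"dn": "CN=asmith,OU=Users,DC=corp,DC=example", "guid": "ad-11", "mail": "ASmith@example.com", "uid": "asmith"},
    {"dn": "CN=bjones,OU=Users,DC=corp,DC=example", "guid": "ad-12", "mail": "bjones@example.com", "uid": "bjones"},
    {"dn": "CN=clee,OU=Users,DC=corp,DC=example", "guid": "ad-13", "mail": "", "uid": "clee"},
]

def index_by(entries, attr):
    """Group entries by normalized attribute value; empty values are skipped."""
    idx = defaultdict(list)
    for entry in entries:
        # Assumption: values are compared case-insensitively; confirm for your namespace.
        value = (entry.get(attr) or "").strip().lower()
        if value:
            idx[value].append(entry)
    return idx

def assess(old, new, attr):
    """Report how a candidate unique identifier survives the migration."""
    old_idx, new_idx = index_by(old, attr), index_by(new, attr)
    # A value shared by two accounts on either side cannot identify one user.
    ambiguous = sorted({v for idx in (old_idx, new_idx)
                        for v, hits in idx.items() if len(hits) > 1})
    missing = sum(1 for e in old + new if not (e.get(attr) or "").strip())
    matched = sorted(v for v in old_idx if v in new_idx and v not in ambiguous)
    # Orphaned: old identifiers with no counterpart, i.e. users seen as new people.
    orphaned = sorted(v for v in old_idx if v not in new_idx)
    return {"matched": matched, "orphaned": orphaned,
            "ambiguous": ambiguous, "missing": missing}

if __name__ == "__main__":
    for attr in ("dn", "guid", "mail", "uid"):
        result = assess(OLD_DIR, NEW_AD, attr)
        print(f"{attr:5} matched={len(result['matched'])} "
              f"orphaned={len(result['orphaned'])} "
              f"ambiguous={len(result['ambiguous'])} missing={result['missing']}")
```

In this constructed data the DN and GUID values match nobody, while the mail attribute matches two users and flags the third because the new account has no mail value populated.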