Cognos Analytics

 View Only
Expand all | Collapse all

Allow User Defined SQL to run existing reports, restrict for users who create new reports

  • 1.  Allow User Defined SQL to run existing reports, restrict for users who create new reports

    Posted Thu April 28, 2022 03:04 PM
    Is it possible to enable user-defined SQL to run for existing reports (this is currently enabled), but to also create a role that limits a user's ability to create queries that have user-defined SQL?  

    So, if a user who is not in the restricted user-defined SQL role, creates a report that has user-defined SQL, the user in the restricted SQL role can still run it.  When a user who is in the restricted user-defined SQL role creates a new report, they are unable to populate a query with custom SQL.

    Has anyone set up something like this and if so, how?

    ------------------------------
    Todd Schuman
    ------------------------------

    #CognosAnalyticswithWatson


  • 2.  RE: Allow User Defined SQL to run existing reports, restrict for users who create new reports

    IBM Champion
    Posted Thu April 28, 2022 03:18 PM
    Hi Todd,

    Target:
    * group1  ... just consume Reports with UDS (User Defined SQL)
    * group2  ... create reports without access to UDS but still be able to execute reports with UDS from Group1

    got it working.

    Trick was:
    * have capabilities on folders and packages
    * have two different roles with similar caps

    Let's see if our way would work for you.

    Would be happy to jump on a call.


    ------------------------------
    Ralf Roeber
    https://linkedin.com/in/ralf-roeber-470425a/
    ------------------------------

    Original Message


  • 3.  RE: Allow User Defined SQL to run existing reports, restrict for users who create new reports

    Posted Fri April 29, 2022 02:41 AM
    Hi Todd

    There are multiple entries available in the ideas portal on this request and here is one of them that says it is planned for some future release; just that we never know which future release it will be part of. 
    https://ibm-data-and-ai.ideas.ibm.com/ideas/CAOP-I-1104

    The solution that Ralf described could be an option but from my experiences, Cognos behaves in a weird fashion when same user is part of different roles / groups with different capabilities. And if you have to, for some reason, set priority on the roles then it becomes more difficult to replicate the above scenario that Ralf explained ensuring both types of users have correct access.

    @Ralf Roeber - In the solution you explained, will the author be still able to open/edit previously built report (may be by another author) that have user defined sql in it? 

    Regards
    Kiran​

    ------------------------------
    Kiran Passumarthi
    www.linkedin.com/in/kiranpassumarthi
    ------------------------------

    Original Message


  • 4.  RE: Allow User Defined SQL to run existing reports, restrict for users who create new reports

    IBM Champion
    Posted Fri April 29, 2022 03:49 AM
    Edited by System Fri January 20, 2023 04:17 PM
    Hi Kiran,

    > Cognos behaves in a weird fashion when same user is part of different roles / groups with different capabilities. 

    If the same user is in two Roles with overlapping rights, the DENY always wins.

    Is that what you find weird?

    >In the solution you explained, will the author be still able to open/edit previously built report (may be by another author) that have user defined sql in it? 

    Run: yes
    Edit: yes ... except the UDS part - which is what we wanted to achieve.

    This is why we cloned "Role 1" and put "Deny UDS" on the package on that "Role 2", remove user from "Role 1" and add them to "Role 2". You might not want to do this manually, as it involves a lot of back and forth. BUT, if you have an automation in place, this is easy to handle and straight forward imho.

    Results in:
    * User can execute reports with UDS
    * User can edit reports and get's error msg, when trying to edit a UDS (on a "secured package")

    The err-msg is not nice ... better would be to not show the SQL icon right away. But that's the way it is.

    Until last week, I did not know that packages can have Capabilities defined.
    Always thought it's only the functions/studios and so, that can have capabilities defined.

    To illustrate that a bit more here is part of the XML config that is pushed into the Cognos installation (using CoCoMa)
    [...]
    <permission>

<target>/content/folder[@name='_Templates_']/package[@name='PACKAGE_WITHOUT_ACCESS_TO_UDS']</target>
<read>true</read>
<write>true</write>
<execute>true</execute>
<setPolicy>false</setPolicy>
<traverse>true</traverse>
<members>
   <role>Role1</role>
   <role>Role2</role>
</members>
<policies>
<!-- 
Adaptive Analytics => canUseAdaptiveAnalytics
Administration
┣ Adaptive Analytics Administration => canUseAdaptiveAnalyticsAdministration
┣ Metric Studio Administration => canUseMetricsManagerAdministration
┗ Planning Administration => canUsePlanningAdministration
Allow generation of reports in CSV format. => canGenerateCSVOutput
Allow generation of reports in PDF format. => canGeneratePDFOutput
Allow generation of reports in Excel format. => canGenerateXLSOutput
Allow generation of reports in XML format. => canGenerateXMLOutput
Analysis Studio => canUseAnalysisStudio
EVStudio => canUseEV
Event Studio => canUseEventStudio
Glossary => canUseGlossary
Lineage => canUseLineage
Metric Studio => canUseMetricStudio
┗ Edit View => canUseMetricStudioEditView
Planning Contributor => canUsePlanningContributor
PowerPlay Studio => canUsePowerPlay
Query Studio => canUseQueryStudio
┗ Advanced => canUseQueryStudioAdvancedMode
Report Studio => canUseReportStudio
┣ Allow External Data => canUseExternalData
┣ Bursting => canUseBursting
┣ HTML Items in Report => canUseHTML
┗ User Defined SQL => canUseUserDefinedSQL
Specification Execution => canUseSpecifications
Watch Rules => canUseConditionalSubscriptions
-->
<policy>
<group>Everyone</group>
<capabilities>
<capability access="grant">canUseAdaptiveAnalytics</capability>
<capability access="grant">canUseAdaptiveAnalyticsAdministration</capability>
<capability access="grant">canUseMetricsManagerAdministration</capability>
<capability access="grant">canUsePlanningAdministration</capability>
<capability access="grant">canUseAnalysisStudio</capability>
<capability access="grant">canUseEV</capability>
<capability access="grant">canUseEventStudio</capability>
<capability access="grant">canUseGlossary</capability>
<capability access="grant">canUseLineage</capability>
<capability access="grant">canUseMetricStudio</capability>
<capability access="grant">canUseMetricStudioEditView</capability>
<capability access="grant">canUsePlanningContributor</capability>
<capability access="grant">canUsePowerPlay</capability>
<capability access="grant">canUseQueryStudio</capability>
<capability access="grant">canUseQueryStudioAdvancedMode</capability>
<capability access="grant">canUseReportStudio</capability>
<capability access="grant">canUseBursting</capability>
<capability access="grant">canUseHTML</capability>
<capability access="grant">canUseUserDefinedSQL</capability>
<capability access="grant">canUseSpecifications</capability>
<capability access="grant">canUseConditionalSubscriptions</capability>
</capabilities>
</policy>
<policy>
<role>Role2</role>
<capabilities>
   <capability access="deny">canUseUserDefinedSQL</capability>
</capabilities>
</policy>
</policies>

</permission>


​


    Edit: 09.05.2022 - after further testing

    * We deny access to /content for users, which makes it impossible for them to see packages in /
    * We then enable access on per package basis
    * For Report Authors, we copy package to a visible folder and set UDS=DENY on each package
    * Results in two packages: 1 - invisible, but executable with UDS ... 2 - visible and usable for ReportStudio but without UDS

    Drawback:
    * If a user knows the path of a "package with UDS allowed", they can edit XML-specs of a report to use that package and ... here you go, now they are able to use UDS without further restrictions 


    Hope that helps. 


    ------------------------------
    Ralf Roeber
    https://linkedin.com/in/ralf-roeber/
    ------------------------------
    #CognosAnalyticswithWatson


  • 5.  RE: Allow User Defined SQL to run existing reports, restrict for users who create new reports

    Posted Fri April 29, 2022 04:21 AM
    Hi Ralf, 

    Thanks for the inputs. We typically remove access to a particular capability instead of explicitly denying; probably that's the reason we observed unexpected behaviour sometimes. And though we are aware of the package capabilities, never tried to take advantage of those. I am sure this solution would help many out there. 

    Regards,

    ------------------------------
    Kiran Passumarthi
    www.linkedin.com/in/kiranpassumarthi
    ------------------------------

    Original Message


  • 6.  RE: Allow User Defined SQL to run existing reports, restrict for users who create new reports

    IBM Champion
    Posted Fri April 29, 2022 05:41 AM
    Hi Kiran,

    thanks for pointing us to the ideas portal. 

    Looked up the roadmap ... found this 
    "Separate User defined SQL and HTML item capabilities as run vs create | To allow users run reports with custom SQL without the ability to create and edit them."
    announced for Q2 2022.

    So, there is something coming up.

    Regards,
    Ralf



    ------------------------------
    Ralf Roeber
    https://linkedin.com/in/ralf-roeber-470425a/
    ------------------------------

    Original Message


  • 7.  RE: Allow User Defined SQL to run existing reports, restrict for users who create new reports

    Posted Fri April 29, 2022 06:24 AM
    Thanks for sharing that information Ralf. 

    Regards,

    ------------------------------
    Kiran Passumarthi
    www.linkedin.com/in/kiranpassumarthi
    ------------------------------

    Original Message


  • 8.  RE: Allow User Defined SQL to run existing reports, restrict for users who create new reports

    Posted Mon May 02, 2022 09:23 AM
    Hi Ralf,

    I am asked to same question as Todd. Can you elaborate a bit more in detail about your solution?
    I tried to figure it out but I think I am overlooking a few steps.

    Regards,
    Danny Casteels

    ------------------------------
    Danny Casteels
    ------------------------------

    Original Message


  • 9.  RE: Allow User Defined SQL to run existing reports, restrict for users who create new reports

    IBM Champion
    Posted Mon May 02, 2022 02:47 PM
    Hi Danny,

    Thank you for you feedback.

    I find it hard to elaborate the complete solution to a level of detail that fits anybody.

    I would appreciate your help on this.

    Why don't we jump on a call, I explain what we did in a screensharing and we try to gather  the missing information together?

    If that is something that would help you and Todd, great.

    See my calendar at https://cal.com/ralf/


    ------------------------------
    Ralf Roeber
    https://linkedin.com/in/ralf-roeber/
    ------------------------------

    Original Message


  • 10.  RE: Allow User Defined SQL to run existing reports, restrict for users who create new reports

    Posted Tue February 07, 2023 10:38 AM
    More granular Reporting capabilities - 11.2.3
    https://www.ibm.com/docs/en/cognos-analytics/11.2.0?topic=reporting-more-granular-capabilities

    Now there is a separate secured feature for each task:

    • Edit Burst Definition allows users to author burst reports.
    • Generate Burst Output allows users to run burst reports.
    • Edit HTML Items allows users to edit the HTMLItem button and hyperlink elements of the report specification when they author reports.
    • Run HTML Items allows users to use the HTMLItem button and hyperlinks.
    • Edit User Defined SQL allows users to edit the SQL statements directly in the query specification.
    • Run User Defined SQL allows users to run the query specifications that contain SQL statements.


    ------------------------------
    DEAN BLACK
    ------------------------------

    Original Message