New admin here. I would like to know if there is another way to manage users in Cognos. If I get asked if an employee has access, I find myself manually going through each & every group/role looking for the user. If I get asked to remove a user, I have to manually go through each group/role again. I have later found that I did not find all the groups/roles a user had membership in because I missed it during my manual search.

Why can't I use the search function and it work the same as when you search on the AD side of the Accounts screen? TIA for any advice given. 

------------------------------
Dennis McClure
------------------------------

Hi Dennis,

Don't know that applies to IBM CAoC as well but on-premise go to the main menu -> Manage ->Administration console-> Security -> <your namespace> and search for the user to be deleted from CA.

Click "More..."  and then "Delete this user's profile". Keep in mind that this action takes place immediately and cannot be undone. You will also delete all content from the user's "My content" section in the content store.

If you want a more convenient way I can highly recommend Motio Pi Pro. It is a paid version of Motio Pi and contains a very useful section for user management. I use this tool daily to check if a certain user has access and to which groups and roles.

------------------------------
Robert Dostal
Principal Expert BI
GEMÜ Gebr. Müller Apparatebau GmbH & Co. KG
Kupferzell
------------------------------

Original Message:
Sent: Wed October 15, 2025 09:01 AM
From: Dennis McClure
Subject: Better User Mgmt Method?

New admin here. I would like to know if there is another way to manage users in Cognos. If I get asked if an employee has access, I find myself manually going through each & every group/role looking for the user. If I get asked to remove a user, I have to manually go through each group/role again. I have later found that I did not find all the groups/roles a user had membership in because I missed it during my manual search.

Why can't I use the search function and it work the same as when you search on the AD side of the Accounts screen? TIA for any advice given. 

------------------------------
Dennis McClure
------------------------------

Dennis - 

MetaManager can help with managing security: Quickly understand your security architecture and make bulk updates. Simplify the process of managing security permissions by updating all users and objects in a single view.  MetaManager | BSP Software - a Micro Strategies Company

Let me know if you want to see how we can help.   Thanks 

------------------------------
Daryl Baker
Director of Software Solutions
BSP Software - Micro Strategies Inc.
IL
------------------------------

Original Message:
Sent: Wed October 15, 2025 09:01 AM
From: Dennis McClure
Subject: Better User Mgmt Method?

New admin here. I would like to know if there is another way to manage users in Cognos. If I get asked if an employee has access, I find myself manually going through each & every group/role looking for the user. If I get asked to remove a user, I have to manually go through each group/role again. I have later found that I did not find all the groups/roles a user had membership in because I missed it during my manual search.

Why can't I use the search function and it work the same as when you search on the AD side of the Accounts screen? TIA for any advice given. 

------------------------------
Dennis McClure
------------------------------

Hi Dennis,

There are a few ways to manage this -- however there is not really an "easy way" to make it work as AD does. Ideally, you do not want to place "users" within a cognos group/role for a few reasons. Instead, create an AD group and place the users within the AD group - then link the Cognos Group/Role to the AD group -- this allows you to manage most of the security on the AD side of things. 

Now considering we do not know how many users you have and switching things up might be a big task -- there is another option called the "Audit Extension".  It isn't ideal because it isn't real time like the Cognos UI but it might be worth exploring. There is a little bit of work involved in getting it set up - there is no support from IBM on it.  It can gather a good bit of information from the environment that is super helpful.  The more information you collect from this extension, the longer it takes to collect it (aka - think run it once a day or week depending on your environment).

https://www.ibm.com/support/pages/ibm-cognos-analytics-audit-extension-reports-and-models

Hope this is helpful for you.

John

------------------------------
John Cusack
------------------------------

Original Message:
Sent: Wed October 15, 2025 09:01 AM
From: Dennis McClure
Subject: Better User Mgmt Method?

New admin here. I would like to know if there is another way to manage users in Cognos. If I get asked if an employee has access, I find myself manually going through each & every group/role looking for the user. If I get asked to remove a user, I have to manually go through each group/role again. I have later found that I did not find all the groups/roles a user had membership in because I missed it during my manual search.

Why can't I use the search function and it work the same as when you search on the AD side of the Accounts screen? TIA for any advice given. 

------------------------------
Dennis McClure
------------------------------

Hey John, thank you so much for your thorough response. I inherited the configuration of our install but I would love to know a few of the drawbacks to placing users in direct roles vs. an AD role. I say that because I don't quite understand the process of cleaning things up yet and I will need to gather enough wool to take to leadership for a config change to our offering. I am researching the audit extension right now. Thanks again!

------------------------------
Dennis McClure
------------------------------

Original Message:
Sent: Thu October 16, 2025 09:44 AM
From: John Cusack
Subject: Better User Mgmt Method?

Hi Dennis,

There are a few ways to manage this -- however there is not really an "easy way" to make it work as AD does. Ideally, you do not want to place "users" within a cognos group/role for a few reasons. Instead, create an AD group and place the users within the AD group - then link the Cognos Group/Role to the AD group -- this allows you to manage most of the security on the AD side of things. 

Now considering we do not know how many users you have and switching things up might be a big task -- there is another option called the "Audit Extension".  It isn't ideal because it isn't real time like the Cognos UI but it might be worth exploring. There is a little bit of work involved in getting it set up - there is no support from IBM on it.  It can gather a good bit of information from the environment that is super helpful.  The more information you collect from this extension, the longer it takes to collect it (aka - think run it once a day or week depending on your environment).

https://www.ibm.com/support/pages/ibm-cognos-analytics-audit-extension-reports-and-models

Hope this is helpful for you.

John

------------------------------
John Cusack

Original Message:
Sent: Wed October 15, 2025 09:01 AM
From: Dennis McClure
Subject: Better User Mgmt Method?

New admin here. I would like to know if there is another way to manage users in Cognos. If I get asked if an employee has access, I find myself manually going through each & every group/role looking for the user. If I get asked to remove a user, I have to manually go through each group/role again. I have later found that I did not find all the groups/roles a user had membership in because I missed it during my manual search.

Why can't I use the search function and it work the same as when you search on the AD side of the Accounts screen? TIA for any advice given. 

------------------------------
Dennis McClure
------------------------------

Dennis - 

It is not best practice to place users in direct roles.  It just becomes hard to manage, which is already what you are dealing with.  We have ways to streamline & manage it all, plus look at security concerns and make changes quickly.  But if you are just getting started, documenting everything and understanding what you have is for sure your best first steps.  Which is a great idea by you.  We can speed up that documentation process as well.

------------------------------
Daryl Baker
Director of Software Solutions
BSP Software - Micro Strategies Inc.
IL
------------------------------

Original Message:
Sent: Thu October 16, 2025 12:56 PM
From: Dennis McClure
Subject: Better User Mgmt Method?

Hey John, thank you so much for your thorough response. I inherited the configuration of our install but I would love to know a few of the drawbacks to placing users in direct roles vs. an AD role. I say that because I don't quite understand the process of cleaning things up yet and I will need to gather enough wool to take to leadership for a config change to our offering. I am researching the audit extension right now. Thanks again!

------------------------------
Dennis McClure

Original Message:
Sent: Thu October 16, 2025 09:44 AM
From: John Cusack
Subject: Better User Mgmt Method?

Hi Dennis,

There are a few ways to manage this -- however there is not really an "easy way" to make it work as AD does. Ideally, you do not want to place "users" within a cognos group/role for a few reasons. Instead, create an AD group and place the users within the AD group - then link the Cognos Group/Role to the AD group -- this allows you to manage most of the security on the AD side of things. 

Now considering we do not know how many users you have and switching things up might be a big task -- there is another option called the "Audit Extension".  It isn't ideal because it isn't real time like the Cognos UI but it might be worth exploring. There is a little bit of work involved in getting it set up - there is no support from IBM on it.  It can gather a good bit of information from the environment that is super helpful.  The more information you collect from this extension, the longer it takes to collect it (aka - think run it once a day or week depending on your environment).

https://www.ibm.com/support/pages/ibm-cognos-analytics-audit-extension-reports-and-models

Hope this is helpful for you.

John

------------------------------
John Cusack

Original Message:
Sent: Wed October 15, 2025 09:01 AM
From: Dennis McClure
Subject: Better User Mgmt Method?

New admin here. I would like to know if there is another way to manage users in Cognos. If I get asked if an employee has access, I find myself manually going through each & every group/role looking for the user. If I get asked to remove a user, I have to manually go through each group/role again. I have later found that I did not find all the groups/roles a user had membership in because I missed it during my manual search.

Why can't I use the search function and it work the same as when you search on the AD side of the Accounts screen? TIA for any advice given. 

------------------------------
Dennis McClure
------------------------------

Dennis,

A relatively unnoticed new feature was added to 12.1 that allows administrators to view groups and roles of users. You have to navigate through the licenses interface which can make it a little challenging to find the user. This is similar to how we could always view groups and roles from our profile and would often ask the target user to provide a screen shot of theirs. That could be a sensitive request in some cases. One important point that I've noticed so far is the new feature through the licenses feature is that the groups and roles appear to be cached from the user's last login so recent changes aren't necessarily reflected until they log in again. See administration-viewing-user-groups-roles-from-licenses-panel for more information.

------------------------------
Robert Hofstetter
------------------------------

Original Message:
Sent: Wed October 15, 2025 09:01 AM
From: Dennis McClure
Subject: Better User Mgmt Method?

New admin here. I would like to know if there is another way to manage users in Cognos. If I get asked if an employee has access, I find myself manually going through each & every group/role looking for the user. If I get asked to remove a user, I have to manually go through each group/role again. I have later found that I did not find all the groups/roles a user had membership in because I missed it during my manual search.

Why can't I use the search function and it work the same as when you search on the AD side of the Accounts screen? TIA for any advice given. 

------------------------------
Dennis McClure
------------------------------

Hi Dennis,

> Dennis writes: New admin here. I would like to know if there is another way to manage users in Cognos. If I get asked if an employee has access, I find myself manually going through each & every group/role looking for the user. If I get asked to remove a user, I have to manually go through each group/role again. I have later found that I did not find all the groups/roles a user had membership in because I missed it during my manual search.

Hi Dennis,

I am a former Cognos product manager and run a company called Attain Insight, which has been an IBM partner for almost 20 years now founded in 2008. We specialize in security for Cognos, and we sell a product that does what you describe called WebGrant.

WebGrant is designed for non-technical users to perform basic user administration.  You don't have to know much about Cognos to use WebGrant, and that is by intention.  It allows designated individuals to manage user access, add or remove users from groups and roles. As well WebGrant includes audit tracking and license compliance reports (all Cognos reports).  This means that common user access questions can be answered without needing IT intervention. It addresses all the needs you've described.

The Attain Insight team gave a presentation on WebGrant at the Toronto User group yesterday.  WebGrant customers vary in size from a single Cognos administrator up to customers with over 50 administrators.  It is a very popular product. 

> Dennis writes: Why can't I use the search function and it work the same as when you search on the AD side of the Accounts screen? TIA for any advice given. 

WebGrant resolves the search issue you mentioned as well as for namespace types where Cognos is not able to search.  Possibly of central interest is that WebGrant allows you to put one or more users, into one or more groups and / or roles, at once.  This feature can be a significant time-saver for administrators.

Any of us at Attain Insight would be happy to give you a short demo and discuss either with you directly or what you might want to call out to your management team as reasons to review your current security. 

> Dennis writes: Hey John, thank you so much for your thorough response. I inherited the configuration of our install but I would love to know a few of the drawbacks to placing users in direct roles vs. an AD role. I say that because I don't quite understand the process of cleaning things up yet and I will need to gather enough wool to take to leadership for a config change to our offering. I am researching the audit extension right now. Thanks again!

You are not alone! Many customers have managed security manually often for years. Over time and with turnover of Cognos Administrators, new administrators like yourself can end up being not really sure of how complete or vulnerable the security they have inherited is.

With Cognos security, the main thing is to be systematic and organized in your approach whether adding users directly to groups and roles or using something indirect such as group. Automation of security management is possibly the second most important thing, though a bit of deeper discussion (the days of manually creating and managing groups should now be in the past).

A product like WebGrant will apply security consistently and uniformly so you, or any other administrator, doesn't miss things.  WebGrant will expose vulnerabilities before they become an issue.  Our new AI agent will allow you to ask questions also so you can find vulnerabilities in your security model (and allow others to use AI to answer questions about what a user has access to).

Dennis, please let me know if you would like more information or a demonstration / discussion.

Best Paul

paul.hulford@attaininsight.com

info@attaininsight.com

------------------------------
Paul Hulford
------------------------------

Original Message:
Sent: Wed October 15, 2025 09:01 AM
From: Dennis McClure
Subject: Better User Mgmt Method?

New admin here. I would like to know if there is another way to manage users in Cognos. If I get asked if an employee has access, I find myself manually going through each & every group/role looking for the user. If I get asked to remove a user, I have to manually go through each group/role again. I have later found that I did not find all the groups/roles a user had membership in because I missed it during my manual search.

Why can't I use the search function and it work the same as when you search on the AD side of the Accounts screen? TIA for any advice given. 

------------------------------
Dennis McClure
------------------------------