Reference:
http://www-01.ibm.com/support/knowledgecenter/api/content/SSEP7J_10.2.2/com.ibm.swg.ba.cognos.crn_arch.10.2.2.doc/c_restrict_access_using_ldap_groups_or_roles.html#restrict_access_using_ldap_groups_or_roles?locale=zh
Restricting access using LDAP groups or roles
Not all users in the LDAP directory need to use IBM® Cognos® BI. Grant access to IBM Cognos Connection only to the users who need it. You can do this by creating an IBM Cognos BI specific group or role in the directory server, adding the required users to its membership, and granting that group or role access to IBM Cognos Connection.
An alternative approach is based on using an LDAP organizational unit (OU).
Whether you must create a group or a role depends on the authentication provider. If you use Oracle Directory Server, you must create roles, because this provider uses role membership as part of its user account information. If you use Active Directory, you must create groups, because this provider uses group membership as part of its user account information.
Using roles
Use Oracle Directory Server to create a role for IBM Cognos BI. For information about creating this type of role, see the Oracle Directory Server documentation.
Ensure that the following properties are set correctly under Security, Authentication in IBM Cognos Configuration.
- User Lookup
Configure the user lookup string to contain the property that is used to authenticate and the ${userID} variable. At logon, the variable is replaced with the user name that was entered and the resulting search string is passed to the directory server. The distinguished name (DN) of the role must also be included in the string.
The following is an example of a lookup string:
(&(uid=${userID})(nsrole=cn=Cognos,ou=people,dc=cognos,dc=com))
In this example, all members of the IBM Cognos BI role named Cognos in the people organizational unit (OU) have access to IBM Cognos Connection.
- Use external identity?
If single sign-on is enabled, set the value to True.
- External Identity Mapping
Specify this property if Use external identity? is set to True.
This string locates the user in the LDAP directory server. At logon, the ${environment("REMOTE_USER")} variable in the string is replaced with the user name and the string is passed to the directory server.
In the following example, the Web server sets the REMOTE_USER environment variable, and its value matches the user's uid property:
(&(uid=${environment("REMOTE_USER")})(nsrole=cn=Cognos,ou=people,dc=cognos,dc=com))
In some cases the REMOTE_USER variable (usually in the DOMAIN\username format) does not match any user's uid property. To resolve this, include the replace function in the string, as shown in the following example:
(&(uid=${replace(${environment("REMOTE_USER")},"ABC\\","")})(nsrole=cn=Cognos,ou=people,dc=cognos,dc=com))
When the replace function is included, the domain prefix (ABC\ in this example) is replaced with an empty string, and only the user name is passed to the directory server.
Domain names are case-sensitive in this context.
After you create the role, configure it in IBM Cognos Configuration so that it can access IBM Cognos Connection. You can also add the role to the Cognos namespace.
Using groups
Use Active Directory to create groups for IBM Cognos BI. This technique involves modifying the user lookup string. The Active Directory authentication provider does not have this property, so it cannot be used for this purpose; use the LDAP provider against Active Directory instead.
Ensure that the following properties are set correctly under Security, Authentication in IBM Cognos Configuration.
- User Lookup
Configure the user lookup string to contain the property that is used to authenticate and the ${userID} variable. At logon, the variable is replaced with the user name that was entered and the resulting search string is passed to the directory server. The distinguished name (DN) of the group must also be included in the string.
The following is an example of a lookup string:
(&(sAMAccountName=${userID})(memberOf=cn=ReportNet,ou=Groups,dc=cognos,dc=com))
- Use external identity?
If single sign-on is enabled, set the value to True.
- External identity mapping
Specify this property if Use external identity? is set to True.
This string locates the user in the LDAP directory server. At logon, the ${environment("REMOTE_USER")} variable in the string is replaced with the user name and the string is passed to the directory server.
In the following example, the Web server sets the REMOTE_USER environment variable, and the sAMAccountName value is read from that variable in the session instead of from ${userID}:
(&(sAMAccountName=${environment("REMOTE_USER")})(memberOf=cn=Cognos,cn=Groups,dc=cognos,dc=com))
After you create the group, configure it in IBM Cognos Configuration so that it can access IBM Cognos Connection. You can also add the group to the Cognos namespace.
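The following is an added example, not IBM's code and not part of the original topic. It simulates, against a constructed in-memory directory, how the role lookup string, the SSO mapping with the replace function, and the group lookup string above are resolved, so you can see which logons pass and which are denied before touching a live server. Assumptions: the entries, names and DNs are made up; the evaluator handles only the two filter shapes on this page, (attr=value) and an AND of such tests; attribute values compare case-insensitively, as with LDAP caseIgnoreMatch; and the "\\" in the replace literal is one escaped backslash. The substituted logon name is escaped per RFC 4515 before it is placed in the filter; the page does not say how Cognos itself handles that, so treat the escaping as the example's own check.

```python
"""Offline simulation of the Cognos user lookup / external identity mapping strings.
Added example; not IBM's implementation. Directory entries below are constructed."""
import re

# Constructed sample entries: two Oracle-style users (nsrole) and two
# Active Directory-style users (sAMAccountName / memberOf). Hypothetical data.
DIRECTORY = [
    {"dn": "uid=alice,ou=people,dc=cognos,dc=com", "uid": "alice",
     "nsrole": ["cn=Cognos,ou=people,dc=cognos,dc=com"]},
    {"dn": "uid=bob,ou=people,dc=cognos,dc=com", "uid": "bob", "nsrole": []},
    {"dn": "CN=Carol,OU=Users,DC=cognos,DC=com", "sAMAccountName": "carol",
     "memberOf": ["cn=ReportNet,ou=Groups,dc=cognos,dc=com"]},
    {"dn": "CN=Dave,OU=Users,DC=cognos,DC=com", "sAMAccountName": "dave",
     "memberOf": ["cn=Sales,ou=Groups,dc=cognos,dc=com"]},
]

# The three lookup strings from this topic, verbatim.
ROLE_LOOKUP = "(&(uid=${userID})(nsrole=cn=Cognos,ou=people,dc=cognos,dc=com))"
ROLE_SSO = r'(&(uid=${replace(${environment("REMOTE_USER")},"ABC\\","")})(nsrole=cn=Cognos,ou=people,dc=cognos,dc=com))'
GROUP_LOOKUP = "(&(sAMAccountName=${userID})(memberOf=cn=ReportNet,ou=Groups,dc=cognos,dc=com))"


def escape_filter_value(value):
    """RFC 4515 escaping so a logon name cannot change the filter's structure."""
    for ch, code in (("\\", "5c"), ("*", "2a"), ("(", "28"), (")", "29"), ("\0", "00")):
        value = value.replace(ch, "\\" + code)
    return value


def evaluate(expr, user_id, env):
    """Evaluate one ${...} expression (userID, environment(), replace()) to its raw value."""
    expr = expr.strip()
    if expr == "userID":
        return user_id
    m = re.fullmatch(r'environment\("([^"]+)"\)', expr)
    if m:
        return env[m.group(1)]
    m = re.fullmatch(r'replace\((.*),"((?:[^"\\]|\\.)*)","((?:[^"\\]|\\.)*)"\)', expr, re.S)
    if m:
        arg = m.group(1).strip()
        subject = evaluate(arg[2:-1], user_id, env) if arg.startswith("${") else arg
        # Assumption: "\\" inside the quoted literal denotes one backslash.
        old, new = (re.sub(r"\\(.)", r"\1", s) for s in m.group(2, 3))
        return subject.replace(old, new)  # literal, case-sensitive replace (see the caveat above)
    raise ValueError("unsupported expression: " + expr)


def resolve(template, user_id=None, env=None):
    """Replace every ${...} in the template (nesting allowed) with its escaped value."""
    env, out, i = env or {}, [], 0
    while True:
        j = template.find("${", i)
        if j < 0:
            out.append(template[i:])
            return "".join(out)
        out.append(template[i:j])
        depth, k = 0, j
        while k < len(template):  # find the matching closing brace of this ${
            if template.startswith("${", k):
                depth, k = depth + 1, k + 2
                continue
            if template[k] == "}":
                depth -= 1
                if depth == 0:
                    break
            k += 1
        if depth != 0:
            raise ValueError("unbalanced ${...} in template")
        out.append(escape_filter_value(evaluate(template[j + 2:k], user_id, env)))
        i = k + 1


def split_top(s):
    """Split '(a=1)(b=2)' into its top-level parenthesised parts."""
    parts, depth, start = [], 0, 0
    for idx, ch in enumerate(s):
        if ch == "(":
            if depth == 0:
                start = idx
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(s[start:idx + 1])
    return parts


def matches(entry, filt):
    """Evaluate a filter of the shapes used on this page against one entry."""
    if filt.startswith("(&"):
        return all(matches(entry, sub) for sub in split_top(filt[2:-1]))
    attr, _, value = filt[1:-1].partition("=")
    value = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)
    attrs = {k.lower(): v for k, v in entry.items()}  # LDAP attribute names are case-insensitive
    stored = attrs.get(attr.lower(), [])
    stored = [stored] if isinstance(stored, str) else stored
    return value.lower() in (s.lower() for s in stored)


def lookup(template, user_id=None, env=None):
    """Return the DN of the single matching entry, or None (logon denied)."""
    filt = resolve(template, user_id, env)
    hits = [e["dn"] for e in DIRECTORY if matches(e, filt)]
    return hits[0] if len(hits) == 1 else None


if __name__ == "__main__":
    print("alice (in role):       ", lookup(ROLE_LOOKUP, user_id="alice"))
    print("bob (not in role):     ", lookup(ROLE_LOOKUP, user_id="bob"))
    print("SSO ABC\\alice:         ", lookup(ROLE_SSO, env={"REMOTE_USER": r"ABC\alice"}))
    print("SSO abc\\alice (case): ", lookup(ROLE_SSO, env={"REMOTE_USER": r"abc\alice"}))
    print("carol (in group):      ", lookup(GROUP_LOOKUP, user_id="carol"))
    print("dave (other group):    ", lookup(GROUP_LOOKUP, user_id="dave"))
    print("injected name:         ", resolve(ROLE_LOOKUP, user_id="*)(uid=*"))
```

Run it with no arguments. The lowercase-domain case shows the case-sensitivity caveat in action: with REMOTE_USER set to abc\alice the replace function leaves the prefix in place, the filter becomes (uid=abc\5calice), and the logon is denied even though alice is in the role. The last line shows that a logon name containing filter metacharacters is escaped rather than rewriting the filter; when you validate a real deployment, check the same thing with ldapsearch against the directory, because this simulation only models the filter shapes shown on the page.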