Restricting access using LDAP OUs
http://www-01.ibm.com/support/knowledgecenter/api/content/SSEP7J_10.2.2/com.ibm.swg.ba.cognos.crn_arch.10.2.2.doc/c_restrict_access_using_ldap_organizational_units.html#restrict_access_using_ldap_organizational_units?locale=zh
You can grant IBM® Cognos® Connection access to a specific organizational unit (OU) in the LDAP directory or to the descendants of a specific OU. Typically, an OU represents a part of an organization.
For this method to take effect, you must correctly set the Base Distinguished Name and User lookup properties under the Security, Authentication category in IBM Cognos Configuration. By using different values for these properties, you can grant access to different OUs in the LDAP directory structure.
Consider the following directory tree:
Figure 1. Organizational unit tree of a fictional company divided into East and West
If only users in the "East" OU need access to IBM Cognos Connection, you can specify values as listed in the following table.
Table 1. Base Distinguished Name and User lookup values for the East organizational unit

| Property | Value |
| --- | --- |
| Base Distinguished Name | ou=east,ou=people,dc=abc,dc=com |
| User lookup | uid=${userid} |

If users in both the East and West OUs require access, you can specify values as listed in the following table.
Table 2. Base Distinguished Name and User lookup values for the East and West organizational units

| Property | Value |
| --- | --- |
| Base Distinguished Name | ou=people,dc=abc,dc=com |
| User lookup | (uid=${userid}) |

The parentheses () in the User lookup property act as a filter that is used to search all OUs located under the specified Base DN. In the first example, only the East OU is searched for the user account. In the second example, both the East and West OUs are searched.
However, in both examples above, groups are excluded from access to IBM Cognos Connection because they are located in a different branch of the directory tree than the users. To include both groups and users, the Base DN must be the root of the directory tree. The values are then as listed in the following table.
Table 3. Base Distinguished Name and User lookup values for groups and users at the directory root

| Property | Value |
| --- | --- |
| Base Distinguished Name | dc=abc,dc=com |
| User lookup | (uid=${userid}) |

As a result, all users in the directory have access to IBM Cognos Connection.
The last example shows that using OUs is not always the most efficient way to secure access to IBM Cognos Connection. You can use this method if you want to grant access to all users in a specific OU. If you only want to grant access to specific users, consider creating a specific IBM Cognos BI group or role on the directory server and granting access to IBM Cognos Connection for this group or role.
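The following sketch is an added example, not IBM's code: it models how the three Base Distinguished Name and User lookup pairs from Tables 1 to 3 change which entries a logon can reach, so the scope of a setting can be checked before it is applied. The directory entries are constructed, and the bare (no parentheses) lookup is modelled as the DN `<lookup>,<Base DN>`, which is an assumption about the lookup semantics.

```python
# Constructed sample directory; the DNs are illustrative, not from the original page.
ENTRIES = [
    "uid=alice,ou=east,ou=people,dc=abc,dc=com",
    "uid=bob,ou=west,ou=people,dc=abc,dc=com",
    "cn=report-admins,ou=groups,dc=abc,dc=com",
]

# (Base Distinguished Name, User lookup) pairs from Tables 1-3.
TABLES = {
    1: ("ou=east,ou=people,dc=abc,dc=com", "uid=${userid}"),
    2: ("ou=people,dc=abc,dc=com", "(uid=${userid})"),
    3: ("dc=abc,dc=com", "(uid=${userid})"),
}

def norm(dn):
    """Normalise a DN for comparison (simplified: no escaped commas)."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def in_scope(base_dn, entries=ENTRIES):
    """Entries in the subtree below base_dn, i.e. what the namespace can see."""
    suffix = "," + norm(base_dn)
    return [e for e in entries if norm(e).endswith(suffix)]

def resolve(base_dn, user_lookup, userid, entries=ENTRIES):
    """DNs that a logon as `userid` can resolve to under this configuration."""
    lookup = user_lookup.replace("${userid}", userid)
    if lookup.startswith("("):
        # Filter form: subtree search below the base DN (equality filter only).
        wanted = norm(lookup.strip("()"))
        return [e for e in in_scope(base_dn, entries)
                if norm(e).split(",")[0] == wanted]
    # Bare form (assumption): the entry DN is built as <lookup>,<base DN>.
    target = norm(lookup + "," + base_dn)
    return [e for e in entries if norm(e) == target]

def audit(table, userids=("alice", "bob")):
    """Summarise who can log on and whether groups are visible."""
    base_dn, lookup = TABLES[table]
    users = [u for u in userids if resolve(base_dn, lookup, u)]
    groups = [e for e in in_scope(base_dn) if e.startswith("cn=")]
    return {"users": users, "groups": groups}

if __name__ == "__main__":
    for t in TABLES:
        print(t, audit(t))
```

Running it shows the trade-off described above: group entries only become visible with the Table 3 root Base DN, at which point every user in the directory is in scope as well.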