Integrating Tivoli Directory Server (TDS) with IBM Cognos BI to provide secure & multitenant environment

IBM Cognos Business Intelligence (BI) is a enterprise class, web-based, integrated business intelligence suite by IBM which provides toolset not only traditional BI capabilities like reporting, analysis, scorecarding, monitoring of events and metrics but also expands these capabilities with planning, scenario modeling, real-time monitoring, and predictive analytics. These capabilities deliver an easy-to-use and unified experience that is collaboration and social networking enabled. The IBM Cognos BI has Service-oriented architecture - designed for scalability, availability, and openness.

IBM Tivoli Directory Server (TDS) is a powerful and authoritative enterprise directory infrastructure that is a critical enabler for enterprise security. It is an important part of the IBM Security Integrated Identity Management portfolio. It plays a key role in building the enterprise identity data infrastructure for applications such as identity management, portals, and web services. It provides a server that stores directory information using a DB2 database. It also provides a proxy server for routing LDAP operations to directory servers with database. IBM Security Directory Server provides client utilities and graphical user interfaces (GUI), such as Instance Administration Tool (idsxinst) and Configuration Tool (idsxcfg), to manage servers.

IBM Tivoli Directory Server provides:

• Industry-standard architecture and broad platform support for a range of operating systems and applications and a variety of heterogeneous environments.
• Strong scalability and flexibility to support hundreds of millions of entries using IBM DB2 technology and a built-in proxy-server.
• Availability to support an identity data infrastructure for global online applications such as consumer-driven web services.
• The ability to help you manage identities in the cloud.
• Robust auditing and reporting that provides insight with connectivity to IBM QRadar SIEM and greater visibility into repository with sample reports.

You can use IBM TDS to provide a trusted identity data infrastructure for authentication. As we know Cognos BI doesn’t provide its own authentication mechanism but leverage your existing mechanism which you are using across enterprise applications. In this blog article our objective is to leverage existing security features for authentication and data transfer of TDS based LDAP with IBM Cognos BI to order to secure BI assets and setup multi-tenancy environment.

This blog article describes the step by step procedure for –

1)     Setting up TDS 6.2 environment on Windows 7 OS

2)     Integrating IBM Cognos BI 10.2.1 Server with TDS 6.2.

3)     Enable Multitenancy for Cognos BI environment

Also see –

1)      Using Apache Directory Server (ApacheDS) based LDAP to secure IBM Cognos 10.2 BI environment

2)      Setting up IBM Cognos BI security using Java based Custom Authentication Provider

3)      Setting up multi-tenancy environment in IBM Cognos 10.2 BI using LDAP

4)      IBM Cognos BI: Setting up multi-tenancy environment using Custom Java Provider

Setting up TDS 6.2 Environment on Windows 7 OS

1)     Installation steps are pretty easy and intuitive for TDS 6.2 by just double clicking install_tds.exe file but if you are using later editions then you need to install it thru IBM Installation Manager. Steps can be found here - http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.IBMDS.doc_6.3.1/concept/c_ig_InstallationWithIBMInstallationManager.html

2)     On the completion of installation, you can see ‘IBM Tivoli Directory …’ windows services (Start->Programs->Administrative Tools->Services). The default port used by TDS for LDAP service is 389.

3)     To create and manage directory instances click on “Instance Administration Tool” from “IBM Tivoli Directory Server 6.2” folder in Start Menu - > All Programs as shown in snapshot.

4)     Click on “Manage…” button. It’ll open TDS Configuration Tool. Besides getting info about your setup you can also perform many tasks listed on left side panel as shown in below snapshot. Click of “Manage suffixes” task.

5)     We need to add “dc=example,dc=com” as a new suffix before importing our example LDIF. After successful addition you would see it in “Current suffix DNs” list.

6)     Below given is the glimpse of sample LDIF, you can download the attachment (http://www.megafileupload.com/en/file/521432/IBM-TDS62-ldif.html) and change is as per your requirements. I’ve created 11 users having userid admin, user1 – user10 with password – “password”. Lets click on “Import LDIF data”.

7)     Import sample LDIF file.

8)     On successful restoration start the server instance from “Manage Server State” task on the left side, shown in below snapshot.

Integrating IBM Cognos 10.2.1  BI Server with TDS 6.2

It is assumed that Cognos 10.2 BI server is already installed and is in working condition. Open ‘IBM Cognos Configuration’ from Start -> All Programs -> IBM Cognos 10 – 64.

1)      In the Explorer window, under Security, right-click Authentication, and then click New resource -> Namespace.

In the Name box, type a name for your authentication namespace (we used ‘IBM_TDS62’ here) and in the Type list, select ‘LDAP – Default values for IBM Tivoli’ and click OK.

2)      Select the newly created namespace. In the ‘Resource Properties’ window in right, for the Namespace ID property, specify a unique identifier for the namespace as TivoliLDAP is assigned in the below screenshot. All entries with Red arrows are manually provided to integrate with the TDS environment we created in above section.

 3)     If you want the TDS to bind to the directory server using a specific Bind user DN (Distinguished Name) and password when performing searches, then specify these values.

If no values are specified, the LDAP authentication provider binds as anonymous.

If external identity mapping is enabled, Bind user DN and password are used for all LDAP access. If external identity mapping is not enabled, Bind user DN and password are used only when a search filter is specified for the User lookup property.

4)     You can use user attributes from TDS in namespace configuration. To configure this, you must map these attributes with appropriate property name as shown in below snapshot. ‘Custom properties’ would be available as session parameters through Framework Manager.

 

 5)     From the File menu, click Save. Test connectivity to the namespace by right clicking on the name under Security, Authentication and selecting test. If the test is successful, this message box will appear.

If you want to disable anonymous access, make sure you disable it by setting ‘Allow anonymous access?’ property for ‘Cognos’ namespace as shown below in snapshot. 

6)     Restart Cognos service from toolbar. 

7)     Now anyone who wants to access Cognos (http://localhost/ibmcognos), would be asked for authentication credential. Let us login with LDAP administrator credential.

Directory administrators would have Cognos admin privileges. Go to Cognos administration.

8)     In ‘IBM Cognos Administration’, explore ‘Users, Groups, and Roles’ under ‘Security’ tab. One can see the new namespace (IBM_TDS62). Click on it to view all users belongs to the directory.

Administrator now can assign different privileges and roles to these directory users as per application security requirements by setting relevant properties. Once security permissions are assigned, LDAP users are ready to use Cognos BI. For more information on security, please refer to “IBM Cognos BI Administration and Security Guide”.

Enable Multitenancy for Cognos BI environment

1) We need to set multitenant properties from IBM Cognos Configuration tool to enable this feature.  In IBM Cognos Configuration tool, select Security->Authentication->IBM_TDS62 in Explorer (left pane) window. Now select ‘Advanced Properties’ from right window (Resource properties) and add two new values before pressing OK button -

a)     Name – ‘multitenancy.TenantPattern’ value – ‘~/parameters/tenantID’

b)     Name – ‘AdditionalUserPropertiesToQuery’ value – ‘parameters’

2) Now, select ‘Custom Properties’ from right window (Resource properties) and add a new value –

Name – ‘tenantID’ value – ‘l’

3) From the File menu, click Save. Test connectivity to the namespace by right clicking on the name under Security, Authentication and selecting test. If the test is successful, this message box will appear.

4) Save the configuration and restart Cognos service. Your Cognos multitenancy feature is enabled. 

There are many tasks follows this step to realize benefits of multitenancy in BI project. Please refer to my previous blog article http://vmanoria.blogspot.in/2014/03/ibm-cognos-bi-setting-up-multi-tenancy.html to see how to manage/administrate multi-tenant environment.

IBM Cognos BI: Setting up multi-tenancy environment using Custom Java Provider

In one of my previous blog, we saw how to set up IBM Cognos BI security using Java based Custom Authentication Provider. We’ll use this work as base and advance it here by enabling multitenancy so it is highly recommended to go thru previous blog before proceeding further.  If you are new to multitenancy concept you may also want to go thru “Setting up multi-tenancy environment in IBM Cognos 10.2 BI using LDAP”. Here we’ll see that how we can set up similar multi-tenancy environment in IBM Cognos 10.2.1 BI using Custom Java Provider.

Multitenant environments

Multitenancy provides the capability to support multiple customers or organizations, called tenants, by using a single deployment of an application while ensuring that each tenant users can access only the data that they are authorized to use. Such applications are called multitenant applications. Multitenant applications minimize the extra costs associated with these environments.

IBM Cognos BI provides built-in multitenancy capabilities. It does not require you to perform additional administration tasks to manage tenants because it reuses your existing authentication infrastructure. That means even when multitenancy is enabled you continue manage your users and groups in similar way.

Enabling Multitenancy

Determine whether you must apply the multitenancy settings to all configured namespaces or to individual namespaces. Multitenancy properties for a specific namespace override any multitenancy properties that are set globally. If a namespace is not configured to use multitenancy, then policies and permissions for objects are used to determine who can access the objects. If multitenancy is applied to multiple namespaces, the tenant IDs in all namespaces must be unique.

In our case we created two tables “USERS” & “GROUPS” in DB2 database to be used by MyJavaAuthProvider class. I’ve added few records as shown below.

 

Lets follow the steps to enable multitenancy with “MyJavaAuthProvider” -

1. Open IBM Cognos Configuration.
2. Choose if you want to configure multitenancy settings globally for all namespaces, or for a specific namespace.
• To configure multitenancy for all namespaces, in the Explorer window, for the Security category, click Authentication.

• To configure multitenancy for one namespace like in our case its “MyJavaAuthProvider”, click the namespace that you want to configure.
2. Under Multitenancy, click the edit button for the “Tenant ID Mapping” property. Specify one of the following properties:

Pattern - To use specific object attributes from your authentication provider, such as a TenantID, you could specify the following value for this property:

“~/parameters/tenant” in our case.

Provider class - To use a custom Java class, you only need to specify the name of the Java class that you created.

4. In the Explorer window, right-click Authentication, and click Test. If multitenancy is properly configured, your tenant ID is displayed in the details. If multitenancy is not properly configured, the tenant ID is not displayed. If the latter is true, ensure that the multitenancy property values are correct and test again.

5. I’ve also stopped anonymous access from Cognos Namespace property. From the File menu, click Save.
6. Restart the IBM Cognos service for the changes to take effect. You can observer message “Multi-tenancy is enabled” in Details>> as shown below.

On success service start you can see Login screen before entering Welcome page.

Tenant administration

Tenant administration tasks are performed by members of the System Administrators role. System administrators can view and manage all objects in the content store. By default, objects created by a system administrator are tagged with his or her tenant ID. Because users who belong to the System Administrators role have their own tenant IDs, impersonation (Impersonate Tenant) must be used when performing tasks on behalf of a specific tenant. Here in our case let ‘admin’ user and ‘administrators’ group join System Administrators role. Here are the steps.

1.      Login as admin user and open Security tab from Cognos Administration screen.

2.      Click on Cognos Namespace.

3.      Last entry would be “System Administrators”. Open its ‘properties’, go to ‘members’ tab and add ‘admin’ user and ‘administrators’ group from ‘MyJavaAuthProvider’. Click OK.

System administrators must create a tenant in Cognos Administration before the tenant users can access Cognos server. The Multitenancy tab in IBM Cognos Administration is the central area for tenant administration. On this tab, the administrator can view and manage all tenants registered in the current Cognos environment. Lets register our tenants –

1.      In IBM Cognos Administration, click the Multitenancy tab. On the toolbar, click the New Tenant icon.

2.      Specify the Name and Tenant ID parameters as shown below. Name can be anything but Tenant IDs should be same if you are using the same data shown in above tables.

Name: Customer – A           Tenant ID: CustomerA

Name: Customer – B           Tenant ID: CustomerB

If you want to update the tenant settings later, from the tenant Actions drop-down menu, click Set properties and change the settings on the General tab. For example, you can change the tenant name.

Assigning tentant IDs to existing content

After multitenancy is enabled and the tenant object is created in Cognos Administration, the system administrator assigns tenant IDs to the existing BI objects. All objects belonging to a tenant have the same tenant ID. The tenant IDs are created when a user from a specific tenant logs on to Cognos or the system administrator impersonates the tenant. Tenant IDs can also be created using the software development kit.

In a multitenant environment, all objects in the content store are either public or belong to a single tenant. As a system administrator, you must ensure that the existing objects have a proper tenant ID or are meant to remain public. For example, you can assign tenant IDs to data source connections, but leave the data source itself public.

If the tenant content is not organized into separate folders, you can create a root folder in Cognos Connection for each tenant. This helps to preserve the uniqueness of names in the Cognos BI environment. The Tenant ID is displayed on the General tab in the object properties page. The tenant name associated with each object is shown in the Tenant column in Cognos Connection and Cognos Administration.

Tenant content Deployment

You can export and import the tenant content. You can export:

• Content that belongs to the selected tenants and public content
• Content that belongs to the selected tenants only.
• Public content only

Later, you can import the archive into the target environment. The tenant content can be imported from the deployment archive into the target environment.

When public content is excluded from the tenant export, and a tenant object has public ancestors, the public ancestors are included in the export so that the content references can be preserved in the target system. For example, in a situation where a data source connection belongs to a tenant, but the data source itself is public, the data source is exported.

In Cognos BI version 10.2.0 there was no option to exclude user account information when public content was deployed. This option exists in the product starting with version 10.2.1.

Export operation can be performed from Multitenancy tab In IBM Cognos Administration from the tenant Actions drop-down menu.

Disabling or Deleting tenants

You can disable a tenant when you want to prevent the tenant users from accessing Cognos BI and modifying the tenant content. This should typically be done before deploying a tenant and all of the tenant content. As a best practice, you should disable the tenant before terminating its active user sessions.

You can delete a tenant from Cognos BI environment. This might be needed if the tenant was permanently moved to a different or no longer required. Before deleting a tenant, you must terminate the tenant active user sessions. Otherwise, you will not be able to delete the tenant.

When you delete a tenant, you also delete all content associated with the tenant, such as reports, user profiles, or content store utilization tasks.

Both the operations can be performed from Multitenancy tab In IBM Cognos Administration from the tenant Actions drop-down menu.

 

References - 

IBM Cognos Business Intelligence 10.2.1 Administration and Security Guide 
Hint: On Windows Cognos server you'll find it here - C:/Program Files/IBM/cognos/c10_64/webcontent/documentation/en/ug_cra.pdf

Enable Auditing in Multitenant Environment of IBM Cognos 10.2 BI

In today’s scenarios where many ISVs and partners are willing to provide ‘Analytics as a service’, they need a Business Intelligence platform which provide multitenancy environment with auditing/logging capabilities yet easy to manage. The IBM Cognos platform provides complete auditing capabilities that enable auditing and managing system usage in multitenancy environment. The information logged by IBM Cognos Platform auditing can be used to support administrative requirements such as:

• Capacity planning

• Planning down time by identifying quiet periods.

• Justifying additional infrastructure requirements.

• Tenant specific usage and activity tracking

• Support for Pay-as-use model

• Licensing conformance reporting

• Performance monitoring

• Identifying unused content

Multitenancy provides the capability to support multiple customers or organizations (tenants) by using a single deployment of an application, while ensuring that the users belonging to each tenant can access only the data that they are authorized to use. Such applications are called multi-tenant applications. IBM Cognos Business Intelligence (BI) provides capabilities that make it easier to administer and secure multi-tenant applications at the same time minimize the extra costs associated with these environments.

After multi-tenancy is enabled, you can record tenant activities using an audit logging database. IBM Cognos Business Intelligence provides sample audit reports that show how to use the tenancy information to monitor certain user activities. Since the tenants are now sharing the same application deployment, it is important to consider how to separate the log files for each tenant so that a tenant can only view the logging messages that were generated by its own executions. Separating out the trace files and log files by tenant helps the administrators troubleshoot issues that are specific to a certain account.

This article describes the step by step procedure to -

1)     Setting up Audit reporting environment

2)     Working with sample model & reports for customized auditing

Setting up Audit reporting environment

However sample audit reports that come with IBM Cognos software can be setup and used without enabling multitenancy also. We’ll set up Cognos 10.2 BI multitenancy environment here because our focus is to make tenant specific audit & log information available to them. If you are new and need help in setting up multi-tenant environment with Cognos 10.2, check out my blog -

Setting up multi-tenancy environment in IBM Cognos 10.2 BI using LDAP

 
The IBM Cognos services send information about errors and events to a local log server. Use the data contained in the default log files primarily for troubleshooting and not for tracking usage. IBM Cognos BI provides the ability to output usage information to a relational database. With the usage audit data stored in a relational data source, reporting then becomes possible.

1) Configure the audit database –

Open ‘IBM Cognos Configuration’ (Start -> All Programs -> IBM Cognos 10 (‘IBM Cognos 10 – 64’ in case of 64-bit installation).  In the Explorer pane, expand Environment, right-click Logging, and then click New Resource -> Destination. Type a name (we used AuditDBCon here) and click Database as the type.

Right-click the newly created AuditDBCon database and click New Resource -> Database. In the dialog box, type the database name (COGAUDIT in our case) and using the drop-down menu, click the type of database target (DB2 in our case).

You can choose among DB2, Informix, Oracle, Microsoft SQL Server and Sybase. The auditing database like content store is populated via a JDBC connection by the Content Manager Service so ensure that the appropriate JDBC drivers are available/copied in “<C10_install>\webapps\p2pd\WEB-INF\lib” folder.

In the Explorer pane, click on COGAUDIT and type the necessary parameters, such as database host name and port number, database login credentials, and the database name, into the fields in the ‘Resource Properties’ pane.

Test the audit database connectivity by selecting COGAUDIT and clicking the Test icon from the IBM Cognos Configuration toolbar.

If successful then save the configuration and restart Cognos services from toolbar.

2) During the start phase, the configuration change is identified, which prompts the application to create the necessary tables within the configured database (Administrator schema in GS_DB database in this case). When the service starts, 21 tables are added to the audit database. To avoid name conflicts with database keywords, all tables and column names in the database have the prefix "COGIPF". If you don’t find these tables, please check cogserver.log to for errors.

3) Set Logging Levels –

There are four report validation levels and five logging levels. The following table shows the correspondence between them.

Report validation level	Logging level
Error	Minimal, Basic
Warning	Request
Key Transformation	Trace
Information	Full

 
The higher you set the logging level, the more it degrades system performance. Normally, you set the level to Minimal or Basic to collect errors, or to Request to collect errors and warnings.

The following table indicates the details that each logging level logs.

Setting the audit levels is done through the dispatchers and services task in the administration console in IBM Cognos Connection:

1. From within IBM Cognos Connection, click Launch -> IBM Cognos Administration to launch the IBM Cognos administration console.

1. Click the Configuration tab, and then click Dispatchers and Services.

1. On the Configuration pane of the Dispatchers and Services window, click the Set properties - Configuration icon on the main toolbar.

4. When presented with the Set Properties dialog box, click the Settings tab.

5. Filter the displayed settings to show only settings related to logging by clicking the Category drop-down menu, and then clicking Logging.

6. From the Value menu, set the auditing level for each of the services that make up the IBM Cognos BI environment. If you want to create audit reports that include the queries that are run against your reporting data source, you must enable native query logging. You can use native query logging to learn what kinds of information users want or whether a report is running efficiently.

7. After the all 33 levels have been specified for the desired services, click OK to save the new parameter values.

Create data source connections and import audit reports

The database used to record audit information for IBM Cognos BI (GS_DB in our case) can also be used as a reporting data source for system administrators. IBM Cognos BI can be used to create reports to show information from the audit database and provide insight into what is happening on the entire IBM Cognos Platform. IBM provides sample reports to be used for various auditing scenarios. Given that the audit information for IBM Cognos BI is stored in a relational database, administrators can also use SQL queries to get a detailed view of system activities.

1) Create a data source connection to the logging database from Cognos Administrator -> Configuration Tab -> Datasource Connections -> New Data Source. The logging database and data source in IBM Cognos Connection must be named ‘Audit’.

2) If you are using the default application server (Tomcat) that is provided with IBM Cognos BI, then in a text editor, open the web.xml file located at c10_location\webapps\p2pd\WEB-INF, and add the following XML fragment:

<servlet>

      <servlet-name>DSServlet</servlet-name>

   <servlet-class>com.cognos.demo.DSServlet</servlet-class>

</servlet>

<servlet-mapping>

      <servlet-name>DSServlet</servlet-name>

      <url-pattern>/cognos/DSServlet.jsp</url-pattern>

</servlet-mapping>

Note that the url-pattern value can be anything you choose.

3) If you are using an application server other than Tomcat, or if Content Manager and Application Tier Components are installed in separate locations, add the XML fragment from step 1 to the following files:

·                         c10_location\webapps\p2pd\WEB-INF\web.xml.noCM

·                         c10_location\webapps\p2pd\WEB-INF\web.xml.withCM

4) If you do not have the following directory on your system, create it:

c10_location\webapps\p2pd\WEB-INF\classes\com\cognos\demo.

5) Copy the file build.bat for Microsoft Windows operating system or build.sh for UNIX operating system located in c10_location\webapps\Audit to c10_location\webapps\p2pd\WEB-INF\classes\com\cognos\demo.

6) Edit the build file to ensure the JAVA_HOME definition points to your JDK and ensure the CRN_HOME definition points to your IBM Cognos location.

7) If it is not already there, copy the DSServlet.java file from the c10_location\webapps\Audit directory to c10_location\webapps\p2pd\WEB-INF\classes\com\cognos\demo.

Do one of the following in the DSServlet.java file:

·         If you are allowing anonymous logon, comment out the following line: binding.logon(...)

·         If you are not allowing anonymous logon, make sure that the username, password, and namespace are correct and uncomment the following line: binding.logon(...)

At a command prompt, run build.bat or build.sh from c10_location\webapps\p2pd\WEB-INF\classes\com\cognos\demo to compile the Java source file into the class file.

8) Restart IBM Cognos services. If you are using an application server other than Tomcat, rebuild the application file and then redeploy IBM Cognos BI to the application server.

9) Create a data source connection named url_xml to the XML data source. In the Connection string field, enter the connection string. If you used the defaults, the connection string is http://localhost:9300/p2pd/cognos/DSServlet.jsp. Click OK.

10) Before you can use them, you must set up the sample audit reports. The default location is c10_location/webcontent/samples/content/IBM_Cognos_Audit.zip. Copy the file to c10_location/deployment, and then import the sample IBM_Cognos_Audit.zip from Cognos Administrator -> Configuration Tab -> Content Administration -> New Import.

11) In IBM Cognos Connection, click Public Folders > Samples_Audit > Audit, and click the audit report that you want to run. The Multi-tenancy reports folder contains the sample reports for a multi-tenant environment. Depending on the audit report that you select, you are prompted for report criteria.

Working with sample model & reports for customized auditing

The database used to record audit information for IBM Cognos BI can also be used as a reporting data source for system administrators. IBM Cognos BI can be used to create reports to show information from the audit database and provide insight into what is happening on the entire IBM Cognos Platform. IBM provides sample reports to be used for various auditing scenarios. Given that the audit information for IBM Cognos BI is stored in a relational database, administrators can also use SQL queries to get a detailed view of system activities.

1) To design your own auditing model and reports you need to know audit tables in details. Here is the brief detail -

Table Name	Description
COGIPF_ACTION	Stores information about operations performed on objects
COGIPF_AGENTBUILD	Stores information about agent mail delivery
COGIPF_AGENTRUN	Stores information about agent activity including tasks and delivery
COGIPF_ANNOTATIONSERVICE	Stores audit information about Annotation service operations
COGIPF_EDITQUERY	Stores information about query runs
COGIPF_HUMANTASKSERVICE	Stores audit information about Human Task service operations (tasks and corresponding task states)
COGIPF_HUMANTASKSERVICE _DETAIL	Stores additional details about Human Task service operations (not necessarily required for every audit entry, for example, notification details and human role details)
COGIPF_NATIVEQUERY	Stores information about queries that IBM Cognos software makes to other components
COGIPF_PARAMETER	Stores parameter information logged by a component
COGIPF_RUNJOB	Stores information about job runs
COGIPF_RUNJOBSTEP	Stores information about job step runs
COGIPF_RUNREPORT	Stores information about report runs
COGIPF_THRESHOLD _VIOLATIONS	Stores information about threshold violations for system metrics
COGIPF_USERLOGON	Stores user logon and logoff information
COGIPF_VIEWREPORT	Stores information about report view requests

The COGIPF_SYSPROPS table contains a single record that indicates logging version detail. The COGIPF_MIGRATION table is reserved for an upcoming migration application, and the COGIPF_THRESHOLD_VIOLATIONS records metric threshold exception details that are derived from the IBM Cognos BI system metrics.

Logging into IBM Cognos Connection causes audit data to be written into two tables:

a. COGIPF_USERLOGON (consists of TENANTID as a column)

b. COGIPF_ACTION

Details about user sessions, logons, security events, and so on can be obtained by query interactions with the COGIPF_USERLOGON table using COGIPF_SESSIONID. Detailed information about jobs and job steps can be obtained from the COGIPF_RUNJOB and COGIPF_RUNJOBSTEP tables using COGIPF_REQUESTID.

By joining the COGIPF_VIEWREPORT and COGIPF_PARAMETER tables on COGIPF_REQUESTID, additional information can be obtained, such as the package used and the format in which the report was viewed.

2) To work with audit tables you may want to build a model from scratch or use provided sample audit model to start with and change it to suit your requirements. You can get this sample model in “c10_location/webcontent/samples/models/Audit/Audit.cpf” location. Let us start with it.

Open ‘IBM Framework Manager’ (Start -> All Programs -> IBM Cognos 10).  Open the project using Audit.cpf file. Notice the query subjects under ‘Audit’ namespace, two data sources url_xml & audit and a package named ‘Audit’ in Project viewer pane. In properties pane, I have set properties based on my DB2 audit database (GS_DB). You can also analyze the relationships between the query subjects and test sample scenarios here. All audit reports are based on this model. You may want to change and republish ‘audit’ package as per your reporting requirements.

Keep in mind that additional changes might cause the provided reports in the audit content package to fail when executed.  

3) Here we’ll make all audit reports available to all tenants but tenants would be able to see the data specific to them not for others. Query subject COGIPF_USERLOGON had TENANT_ID as a query item. Open its definition window by double clicking on query subject. Add a new filter from ‘Filter’ tab by adding “[Audit].[COGIPF_USERLOGON].[TENANTID] = #sq($tenantID)#” as expression. Tenant ID relevant for your multi-tenant environment can be found in “Session Parameters” from Parameters tab.

From ‘Test’ tab you can test the results. Save the changes and re-publish ‘Audit’ package on Cognos connection. Now login as ‘user1’ and open report ‘Logon operation by tenant’. Notice that only tenant with ID no. 1 is available in list box. On submission all login & logoff can be seen for user1 only.

Similarly all tenants can see log and audit details for their activities and usage. 

4) Sample audit reports which we imported in previous section can also be changed to suit your auditing requirements. If you have changed model as shown in previous step using Framework Manager, you can add/update existing entries in audit reports. They can also be copied, renamed and customized for tenants by using TENANTID. Here’s the detail about default sample reports -

Audit report name	Description
Agent execution history by user	Lists agent execution history by user and date and time range and includes a bar chart. It also includes the total number of times each agent was executed and the total number of agents that were executed. You can select a date and time range.
Daily average and poor exceptions - all services	Shows how to monitor daily average and poor exceptions of thresholds set in IBM Cognos Administration for all services using an agent. An email with attached report output is sent to the administrator when average and poor exceptions occur. To run this report properly, you must first set thresholds in IBM Cognos Administration (see System Performance Metrics). To receive an email, you must specify a mail server account. For more information, see the IBM Cognos Business Intelligence Installation and Configuration Guide For more information on setting thresholds in IBM Cognos Administration, see System Performance Metrics.
Daily metric exceptions	Lists daily metric exceptions for all services.
Execute reports by package and report	Lists the reports that were run, by package. It also includes the user, timestamp, and execution time in milliseconds for each report. You can select a date and time range, one or more users, one or more packages, and one or more reports.
Execute reports by user	Lists the reports that were run, by user and by package. It also includes the timestamp and execution time in milliseconds for each report. You can select a date and time range, one or more users, one or more packages, and one or more reports.
Execution history by user	Lists the reports that were run alphabetically, along with the package and timestamp, by user, since the logging database was created. It includes the total number of reports each user ran and the total number of times each user ran each report. It also includes the total number of reports run by all users. You can select one or more users for the report. After you run the audit report, you can choose to view the statistics for a particular report or for all reports.
Failed report executions - by package	Lists report failure executions by package and includes a pie chart, which also shows the failed percentage of each package.
Failed service requests detect agent - all services	Detects preset thresholds for service request failures that are exceeded. An email is sent to the administrator with service failure metrics information. The report Service requests metrics - day report is run. To run this report properly, you must first set thresholds in IBM Cognos Administration (see System Performance Metrics). To receive an email, you must specify a mail server account. For more information, see the IBM Cognos Business Intelligence Installation and Configuration Guide.
Logon operations by time stamp	Shows logon and logoff timestamps and operations, by user. It also includes the total number of logons and the total number of logons for each user. You can select the time period and one or more users for the report.
Logon operations by user name	Shows logon and logoff timestamp by user, along with the type of logoff operation that occurred. It includes the total number of logons and the total number of logons for each user. You can select one or more users for the report.
Migration exceptions	A list report shows exceptions for migration tasks.
Operations by selected object and users	Shows the operations that are performed on target objects, by user. It includes the target object path, timestamp, and the status of the operation. You can select one or more objects, operations, or users for the report.
Report execution history (detailed report)	Lists reports alphabetically along with the associated package and the timestamp for each time the report was executed. It also shows the total number of times each report was executed and the total number of reports that were executed. It also includes a color-coded pie chart that gives an overview of how often the reports are used.
Report execution and user logon history	This active report displays the report execution history and user logon information for a specified period of time.
Report execution history (summary report)	Lists reports alphabetically along with the timestamp for each time the report was run since the logging database was created.
Report usage	Lists reports by frequency of use. For each report, it lists the user and the number of times it was run by the user since the logging database was created. This report can help you determine if there are any reports that are not being used. If so, you may want to remove them.
Service requests metrics - day report	Shows percentage of successful and failed requests for IBM Cognos services for the current day. Includes a bar chart.
User session - abnormal termination	Shows logon date and time of abnormally terminated user sessions. It also includes a total of session termination for all dates. You can select a date and time range.
User session - details	Shows user session details, including the logon time, logoff time, logoff operation, and session duration. It also includes the total amount of session time for each user and the total amount of session time for all users. You can select a date and time range and one or more users.
User session - logon errors for past 30 days chart	This audit report shows a bar graph of logon failures for the past 30 days.
User session - summary	This audit report shows the average session duration by user. It also shows the total average session duration by user. You can select a date and time range and one or more users.

These reports can be found under ‘Multi-tenancy reports’ folder:

Execute reports by tenant	Lists the tenant IDs and tenant users. This report provides package, report, and time stamp information.
Logon operations by tenant	Lists the logon actions for each tenant ID and provides the total number of logons for each user and tenant ID.
Report execution history by tenant	Lists the executed reports, timestamps, and the associated package names for a tenant. This report provides a summary of total activity and the report can by filtered for a specific tenant.
View reports by package and report	Lists users, reports, timestamps, and packages for the tenant that you select.

For more information, see the IBM Cognos Business Intelligence Administration and Security Guide.