Versions Compared

Version Old Version 10 New Version Current
Changes made by

Saparnell

Saparnell

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Activity Hub access and security is set by the Data Governance Committee and Data Stewards.

...

Image Removed

Activity Hub

Required: At the Activity Hub level there is very limited access:  only Cognos, Tableau and column groups can directly connect to an Activity Hub.  Report developers and report consumers use Cognos or Tableau to access Activity Hub data.  Data integration developers and integrated application use column groups to access Activity Hub data.

Row Level Security

Additional security can be requested in the form of row based security.  The Activity Hub can reference an access matrix that will contain a user login against the rows of data that users is assigned to see.  The most common example of this is userid to department.  Based on that matrix, the activity hub will only show data to users in that matrix and will only show that user the rows they are associated with.

Row level security is applied prior to Active Directory (AD) group security, therefore, AD group security cannot over-ride row level security.

Currently, only EAH is using row level security.

Team Folder

Required: The security applied to Cognos Folders and Tableau Projects rely on Active Directory (AD) groups.  Report developers work with their local Departmental Security Administrator (DSA) to create or use existing AD group.  The report developer then sends the AD group name to the BIA team so that the BIA team can create the team folder and connect it to the team AD group.  The report developer can manage the participants of that AD group in order to manage who has access to the reports saved to that folder.  For the Employee Activity Hub (EAH), Financial Activity Hub (FINAH), Research Activity Hub (RAH) and Student Activity Hub (SAH), access to the report will grant access to the data within the report.

Ui expand
titleHow to set up a Team Folder

These process assumes that you have report developer access to Cognos and Tableau.

  1. Contact your local Departmental Security Administrator (DSA) or local IT Support Team to request a new AD group be created.  Find your DSA by email lookup or by your department
    1. BIA recommends creating two AD groups per folder:  FolderName_BI_Developer and FolderName_BI_Consumer.
    2. FolderName_BI_Developer will be for report developers on your team who want to publish reports to that folder.
    3. FolderName_BI_Consumer will be for consumers who will be able to run and interact with the report.
  2. Email busintel@ucsd.edu with the name of the Team Folder you would like created and the name of the AD group you would like added to that folder.
    1. Example:  Please create a new folder called "EcoTime Reports" and allow AD group "EcoTime_BI_Developer" to publish reports to this folder in DEV and QA.  Please also allow "EcoTime_BI_Developer" to view these reports in PROD.
  3. Move your reports into your new folder.
    1. For Tableau, publish directly to the folder in Tableau Production.
    2. For Cognos, save your report to the folder in Cognos DEV.  Email busintel@ucsd.edu to have your reports within your new Team Folder migrated into Cognos QA (1st time only - user can complete the migration after that) or Cognos Production (every time).
Ui expand
titleHow to gain access to a Team Folder

Different teams choose different processes to maintain their AD groups. Some teams maintain their AD group membership via manual processes, others use tools like Service Now to incorporate approval processes.

Email busintel@ucsd.edu to ask who the contact person is for the folder and/or report you are interested in.

Report / Workbook

Reports are saved into folders in Cognos/Tableau. Each folder is then connected to one or more Active Directory (AD) group.

Report development teams or business units then maintain the AD group membership.

 

Image Added

Example:

Folder

AD Group

What can members do?

Team A

TeamA_ProjectA_BI_Developers

TeamA_ProjectA_BI_Consumers

Publish reports into the Team A folder in Cognos & Tableau.

Run reports in Team A folder in Cognos & Tableau.

Cannot see or run reports in Team B folder or Team C folder.

Team B

TeamB_ProjectB_BI_Developers

TeamB_ProjectB_BI_Consumers

Publish reports into the Team B folder in Cognos.

Run reports in Team B folder in Cognos.

Cannot see or run reports in Team A folder or Team C folder.

Team C

TeamC_ProjectC_BI_Developers

TeamC_ProjectC_BI_Consumers

Publish reports into the Team C folder in Tableau.

Run reports in Team C folder in Tableau.

Cannot see or run reports in Team A folder or Team B folder.

Reports / Workbooks

Required: Reports live in Folders in both Cognos and Tableau.  Security is then applied at a BI tool folder level.

Ui expand
titleOptional:  Report developers can limit the data displayed in their reports.  Limiting data creates an additional level of security.

  1. Set filters that the report consumer cannot change.

    1. Cognos Filters Users Cannot Change

    2. Tableau Filters Users Cannot Change

  2. Limit the values in the filters that the report consumer can change.

    1. Cognos Filters Consumers Can Change - Limited Values

    2. Tableau Filters Consumers Can Change - Limited Values

  3. Limit the filters that the report consumer can change to single select.

    1. Cognos Single Select Prompts

    2. Tableau Single Select Prompts

  4. Limit your report to run in HTML only.  Tableau is automatically set to this but you can add it to your Cognos report.

    1. Cognos Limited Run Types

  5. Use both the folder security and data source security for your report.  Cognos is automatically set to this but you can add it to our Tableau report.

    1. Tableau Workbook and Data Source Security

  6. Use your own spreadsheet to associated users with departments in order to secure the report.

    1. Email busintel@ucsd.edu to ask for help setting that up.

Team Folder

Required: The security applied to Cognos Folders and Tableau Projects rely on Active Directory (AD) groups.  Report developers work with their local Departmental Security Administrator (DSA) or local IT Support to create or use existing AD groups.  The report developer then sends the AD group name to the BIA team so that the BIA team can create the team folder and connect it to the team AD group.  The report developer can manage the participants of that AD group in order to manage who has access to the reports saved to that folder.  For the Employee Activity Hub (EAH), Financial Activity Hub (FINAH), Research Activity Hub (RAH) and Student Activity Hub (SAH), access to the report will grant access to the data within the report.

Row Level Security

Additional security can be requested in the form of row based security.  The Activity Hub can reference an access matrix that will contain a user login against the rows of data that users is assigned to see.  The most common example of this is userid to department.  Based on that matrix, the activity hub will only show data to users in that matrix and will only show that user the rows they are associated with.

Row level security is applied prior to Active Directory (AD) group security, therefore, AD group security cannot over-ride row level security.

Currently, only EAH is using row level security.

Activity Hub

At the Activity Hub level there is very limited access:  only Cognos, Tableau and column groups can directly connect to an Activity Hub. 

Report developers and report consumers use Cognos packages or Tableau data sources to access Activity Hub data. Report Consumers use reports/workbooks built by Report Developers to access Activity Hub data.

Data integration developers and integrated applications use column groups to access Activity Hub data.