Versions Compared

Version Old Version 11 New Version Current
Changes made by

Saparnell

Saparnell

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Activity Hub access and security is set by the Data Governance Committee and Data Stewards. 

Image Removed

Reports are saved into folders in Cognos/Tableau. Each folder is then connected to one or more Active Directory (AD) group.

Report development teams or business units then maintain the AD group membership.

 

Image Added

Example:

Folder

AD Group

What can members do?

Team A

TeamA_ProjectA_BI_Developers

TeamA_ProjectA_BI_Consumers

Publish reports into the Team A folder in Cognos & Tableau.

Run reports in Team A folder in Cognos & Tableau.

Cannot see or run reports in Team B folder or Team C folder.

Team B

TeamB_ProjectB_BI_Developers

TeamB_ProjectB_BI_Consumers

Publish reports into the Team B folder in Cognos.

Run reports in Team B folder in Cognos.

Cannot see or run reports in Team A folder or Team C folder.

Team C

TeamC_ProjectC_BI_Developers

TeamC_ProjectC_BI_Consumers

Publish reports into the Team C folder in Tableau.

Run reports in Team C folder in Tableau.

Cannot see or run reports in Team A folder or Team B folder.

Reports / Workbooks

Required: Reports live in Folders in both Cognos and Tableau.  Security is then applied at a BI tool folder level.

Ui expand
titleOptional:  Report developers can limit the data displayed in their reports.  Limiting data creates an additional level of security.

  1. Set filters that the report consumer cannot change.

    1. Cognos Filters Users Cannot Change

    2. Tableau Filters Users Cannot Change

  2. Limit the values in the filters that the report consumer can change.

    1. Cognos Filters Consumers Can Change - Limited Values

    2. Tableau Filters Consumers Can Change - Limited Values

  3. Limit the filters that the report consumer can change to single select.

    1. Cognos Single Select Prompts

    2. Tableau Single Select Prompts

  4. Limit your report to run in HTML only.  Tableau is automatically set to this but you can add it to your Cognos report.

    1. Cognos Limited Run Types

  5. Use both the folder security and data source security for your report.  Cognos is automatically set to this but you can add it to our Tableau report.

    1. Tableau Workbook and Data Source Security

  6. Use your own spreadsheet to associated users with departments in order to secure the report.

    1. Email busintel@ucsd.edu to ask for help setting that up.

Team Folder

Required: The security applied to Cognos Folders and Tableau Projects rely on Active Directory (AD) groups.  Report developers work with their local Departmental Security Administrator (DSA) or local IT Support to create or use existing AD groups.  The report developer then sends the AD group name to the BIA team so that the BIA team can create the team folder and connect it to the team AD group.  The report developer can manage the participants of that AD group in order to manage who has access to the reports saved to that folder.  For the Employee Activity Hub (EAH), Financial Activity Hub (FINAH), Research Activity Hub (RAH) and Student Activity Hub (SAH), access to the report will grant access to the data within the report.

Ui expand
titleHow to set up a Team Folder
These process assumes that you have

report

developer access to Cognos and Tableau.OrderActionWhoNote1Creates ReportReport Developer who have been approved via Blink > Data Sources (https://blink.ucsd.edu/technology/bi/sources/index.html)2Requests FolderReport Developer via email busintel@ucsd.edu with suggested folder name3Request Active Directory (AD) Group

Report Developer via email/ticket to their local Departmental Security Administrator (DSA) or local IT Support Team

BIA recommendation for AD Group naming convention

  • TeamName-Project-BI-Developer for the group of developers who will be building reports
  • TeamName-Project-BI-Consumer for the group of users who will be viewing or using the reports
4Create AD GroupDSA or local IT Support team5Requests AD Group be added to FolderReport Developer via email busintel@ucsd

.

edu

include the folder name and AD Group name(s) to connect

default = can download summary data

Example:  Please create a new folder called "EcoTime Reports" and allow AD group "EcoTime_BI_Developer" to publish reports to this folder in DEV and QA.  Please also allow "EcoTime_BI_Developer" to view these reports in PROD.

6Adds AD Group to FolderBIA per SNOW ticket from Report Developer7Adds report to FolderReport Developer8Cognos: migrate to Cognos QAReport Developer1st time set-up by BIA required9Cognos: Request migration to Cognos PRODReport Developer via email busintel@ucsd.edu
Ui expand
titleReport Developer: How to find the AD Group on your folder

Different teams choose different processes to maintain their Active Directory (AD) security groups. Some teams maintain their AD group membership via manual processes, others use tools like Service Now to incorporate approval processes.

  1. If the report is located on the Business Analytics Hub (BAH), use the 'Request Access' link found on the same page as the report.
  2. If the report is not on BAH, identify the report owner or the folder where the report lives
    1. Tableau: Reports Developers can look up the permissions on a report or folder to identify the report owner and associated AD groups
    2. Cognos: Email busintel@ucsd.edu to ask who the contact person is for the folder and/or report you are interested in.
  3. Contact the report owner
Ui expand
titleReport Developer: How to edit an AD Group

Different teams choose different processes to maintain their Active Directory (AD) security groups. Some teams maintain their AD group membership via manual processes, others use tools like Service Now to incorporate approval processes.

If your team manually maintains AD group membership then email or create a ticket for your local Departmental Security Administrator (DSA) or local IT Support Team

Ui expand
titleReport Developer: How to see AD Group membership

Everyone in UCSD can view AD Group membership.

How to View Active Directory Group Membership

Row Level Security

Additional security can be requested in the form of row based security.  The Activity Hub can reference an access matrix that will contain a user login against the rows of data that users is assigned to see.  The most common example of this is userid to department.  Based on that matrix, the activity hub will only show data to users in that matrix and will only show that user the rows they are associated with.

Row level security is applied prior to Active Directory (AD) group security, therefore, AD group security cannot over-ride row level security.

Currently, only EAH is using row level security.

Activity Hub

At the Activity Hub level there is very limited access:  only Cognos, Tableau and column groups can directly connect to an Activity Hub. 

Report developers and report consumers use Cognos packages or Tableau data sources to access Activity Hub data. Report Consumers use reports/workbooks built by Report Developers to access Activity Hub data.

Data integration developers and integrated applications use column groups to access Activity Hub data.