...

Activity Hub access and security are set by the Data Governance Committee and Data Stewards.

Activity Hub

Required: At the Activity Hub level there is very limited access: only Cognos, Tableau and column groups can directly connect to an Activity Hub.  Report developers and report consumers use Cognos or Tableau to access Activity Hub data.  Data integration developers and integrated applications use column groups to access Activity Hub data.

Row Level Security

Additional security can be requested in the form of row-based security.  The Activity Hub can reference an access matrix that maps a user login to the rows of data that user is assigned to see.  The most common example of this is userid to department.  Based on that matrix, the Activity Hub will only show data to users in that matrix and will only show each user the rows they are associated with.

Row level security is applied prior to Active Directory (AD) group security; therefore, AD group security cannot override row level security.

Example:

| Folder | AD Group | What can members do? |
|---|---|---|
| Team A | TeamA_ProjectA_BI_Developers; TeamA_ProjectA_BI_Consumers | Publish reports into the Team A folder in Cognos & Tableau. Run reports in Team A folder in Cognos & Tableau. Cannot see or run reports in Team B folder or Team C folder. |
| Team B | TeamB_ProjectB_BI_Developers; TeamB_ProjectB_BI_Consumers | Publish reports into the Team B folder in Cognos. Run reports in Team B folder in Cognos. Cannot see or run reports in Team A folder or Team C folder. |
| Team C | TeamC_ProjectC_BI_Developers; TeamC_ProjectC_BI_Consumers | Publish reports into the Team C folder in Tableau. Run reports in Team C folder in Tableau. Cannot see or run reports in Team A folder or Team B folder. |


Reports / Workbooks

Required: Reports live in Folders in both Cognos and Tableau.  Security is then applied at a BI tool folder level.

Optional:  Report developers can limit the data displayed in their reports.  Limiting data creates an additional level of security.
  1. Set filters that the report consumer cannot change.
    1. Cognos Filters Users Cannot Change
    2. Tableau Filters Users Cannot Change
  2. Limit the values in the filters that the report consumer can change.
    1. Cognos Filters Consumers Can Change - Limited Values
    2. Tableau Filters Consumers Can Change - Limited Values
  3. Limit the filters that the report consumer can change to single select.
    1. Cognos Single Select Prompts
    2. Tableau Single Select Prompts
  4. Limit your report to run in HTML only.  Tableau is automatically set to this but you can add it to your Cognos report.
    1. Cognos Limited Run Types
  5. Use both the folder security and data source security for your report.  Cognos is automatically set to this but you can add it to your Tableau report.
    1. Tableau Workbook and Data Source Security
  6. Use your own spreadsheet to associate users with departments in order to secure the report.
    1. Email busintel@ucsd.edu to ask for help setting that up.


Team Folder

Required: The security applied to Cognos Folders and Tableau Projects relies on Active Directory (AD) groups.  Report developers work with their local Departmental Security Administrator (DSA) or local IT Support to create or use existing AD

...

groups.  The report developer then sends the AD group name to the BIA team so that the BIA team can create the team folder and connect it to the team AD group.  The report developer can manage the participants of that AD group in order to manage who has access to the reports saved to that folder.  For the Employee Activity Hub (EAH), Financial Activity Hub (FINAH), Research Activity Hub (RAH) and Student Activity Hub (SAH), access to the report will grant access to the data within the report.


How to set up a Team Folder

This process assumes that you have report developer access to Cognos and Tableau.

...

Order | Action | Who | Note
1 | Creates Report | Report Developer who has been approved via Blink > Data Sources (https://blink.ucsd.edu/technology/bi/sources/index.html) |
2 | Requests Folder | Report Developer via email busintel@ucsd.edu with suggested folder name |
3 | Request Active Directory (AD) Group | Report Developer via email/ticket to their local Departmental Security Administrator (DSA) or local IT Support Team |

...

  1. BIA recommends creating two AD groups per folder:  FolderName_BI_Developer and FolderName_BI_Consumer.
  2. FolderName_BI_Developer will be for report developers on your team who want to publish reports to that folder.
  3. FolderName_BI_Consumer will be for consumers who will be able to run and interact with the report.

...

BIA recommendation for AD Group naming convention

  • TeamName-Project-BI-Developer for the group of developers who will be building reports
  • TeamName-Project-BI-Consumer for the group of users who will be viewing or using the reports
4 | Create AD Group | DSA or local IT Support team |
5 | Requests AD Group be added to Folder | Report Developer via email busintel@ucsd.edu |

include the folder name and AD Group name(s) to connect

default = can download summary data

Example:  Please create a new folder called "EcoTime Reports" and allow AD group "EcoTime_BI_Developer" to publish reports to this folder in DEV and QA.  Please also allow "EcoTime_BI_Developer" to view these reports in PROD.

...

6 | Adds AD Group to Folder | BIA per SNOW ticket from Report Developer |
7 | Adds report to Folder | Report Developer |
8 | Cognos: migrate to Cognos QA | Report Developer | 1st time set-up by BIA required
9 | Cognos: Request migration to Cognos PROD | Report Developer via email busintel@ucsd.edu |




...

Report Developer: How to find the AD Group on your folder

Different teams choose different processes to maintain their Active Directory (AD) security groups. Some teams maintain their AD group membership via manual processes; others use tools like Service Now to incorporate approval processes.

  1. If the report is located on the Business Analytics Hub (BAH), use the 'Request Access' link found on the same page as the report.
  2. If the report is not on BAH, identify the report owner or the folder where the report lives.
    1. Tableau: Report Developers can look up the permissions on a report or folder to identify the report owner and associated AD groups.
    2. Cognos: Email busintel@ucsd.edu to ask who the contact person is for the folder and/or report you are interested in.
  3. Contact the report owner.


Report / Workbook

Optional:  Report developers can limit the data displayed in their reports.  Limiting data creates an additional level of security.

...

  1. Cognos Filters Users Cannot Change
  2. Tableau Filters Users Cannot Change

...

  1. Cognos Filters Consumers Can Change - Limited Values
  2. Tableau Filters Consumers Can Change - Limited Values

...

  1. Cognos Single Select Prompts
  2. Tableau Single Select Prompts

...

  1. Cognos Limited Run Types

...

  1. Tableau Workbook and Data Source Security

...

Report Developer: How to edit an AD Group

Different teams choose different processes to maintain their Active Directory (AD) security groups. Some teams maintain their AD group membership via manual processes; others use tools like Service Now to incorporate approval processes.

If your team manually maintains AD group membership, then email or create a ticket for your local Departmental Security Administrator (DSA) or local IT Support Team.


Report Developer: How to see AD Group membership

Everyone in UCSD can view AD Group membership.

How to View Active Directory Group Membership


Row Level Security

Additional security can be requested in the form of row-based security.  The Activity Hub can reference an access matrix that maps a user login to the rows of data that user is assigned to see.  The most common example of this is userid to department.  Based on that matrix, the Activity Hub will only show data to users in that matrix and will only show each user the rows they are associated with.

Row level security is applied prior to Active Directory (AD) group security; therefore, AD group security cannot override row level security.

Currently, only EAH is using row level security.
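
The ordering described above, as an added example that is not part of the original page or of the Activity Hub's actual configuration: rows are filtered through a userid-to-department access matrix first, and the folder's AD group check can then only deny the report, never add rows back. The SQLite tables, logins, departments and the AD_GROUPS dictionary are constructed stand-ins for the real hub and directory.

```python
import sqlite3

# Constructed sample data: table names, logins and departments are hypothetical.
SCHEMA = """
CREATE TABLE activity (emp_id INTEGER, department TEXT, hours INTEGER);
CREATE TABLE access_matrix (user_login TEXT, department TEXT);
INSERT INTO activity VALUES
  (1,'BIOLOGY',40),(2,'BIOLOGY',32),(3,'PHYSICS',40),(4,'HISTORY',20);
INSERT INTO access_matrix VALUES
  ('alice','BIOLOGY'),('bob','BIOLOGY'),('bob','PHYSICS'),('dave','HISTORY');
"""
# Constructed AD group membership for one team folder.
AD_GROUPS = {"TeamA_ProjectA_BI_Consumers": {"alice", "bob", "carol"}}


def open_hub():
    """Build an in-memory database standing in for an Activity Hub."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def rows_for(db, user_login):
    """Row-level filter: only rows whose department the matrix assigns to the login."""
    sql = """SELECT emp_id, department, hours FROM activity
             WHERE department IN (SELECT department FROM access_matrix
                                  WHERE user_login = ?)
             ORDER BY emp_id"""
    return db.execute(sql, (user_login,)).fetchall()


def run_report(db, user_login, folder_group):
    """Filter rows first, then apply the folder's AD group check.

    The group check can only deny the report; it never widens the row set.
    """
    visible = rows_for(db, user_login)
    if user_login not in AD_GROUPS.get(folder_group, set()):
        raise PermissionError(f"{user_login} is not in {folder_group}")
    return visible


if __name__ == "__main__":
    hub = open_hub()
    for login in ("alice", "bob", "carol", "dave"):
        try:
            print(login, run_report(hub, login, "TeamA_ProjectA_BI_Consumers"))
        except PermissionError as exc:
            print(login, "denied:", exc)
```

Here carol is in the folder's AD group but absent from the matrix, so her report runs and returns no rows, while dave has matrix rows but no folder access and is denied.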

Activity Hub

At the Activity Hub level there is very limited access:  only Cognos, Tableau and column groups can directly connect to an Activity Hub. 

Report developers and report consumers use Cognos packages or Tableau data sources to access Activity Hub data. Report Consumers use reports/workbooks built by Report Developers to access Activity Hub data.

Data integration developers and integrated applications use column groups to access Activity Hub data.