Who Can See My Reports?

Q: Who can see my report?

Only the people in the Active Directory (AD) security group assigned to your team folder can see your report. Only Report Developers who are a member of the team can request that AD groups be assigned or removed from the folder in the BI tool.

Tableau reports saved to your desktop or Cognos reports saved to your ‘My content’ area can only be seen by yourself.

Q: Who decides what consumers get access to Activity Hubs?

At the report level, report developers decide which Active Directory (AD) security groups have access to reports (grouped into folders).

At the row level and Activity Hub level, data stewards decide the requirements for access to the data they steward.

Q: How can people see my report?

Only members of specific Active Directory (AD) groups that have been attached to your team folder in Cognos/Tableau can see your report. See the FAQ on how to set up a Team Folder.

Q: How do I make my report available to all UCSD employees?

In both BI tools there is a ‘Public’ option which is available to all employees found in the ‘Roles_Active_Employees’ Active Directory security group.

You can save your report into the existing ‘Public’ folder or you can create a team folder and apply the ‘Public’ security via the ‘Roles_Active_Employees’ Active Directory security group.

This does not include Affiliates (people not paid via UC Path) or Students.

Q: How do I make my report available to the entire world?

Cognos does not have this ability.

UCSD has a Tableau server dedicated to reports that should be available to the world. See details on https://ucsdcollab.atlassian.net/wiki/spaces/ACP/pages/445907264 .

Q: If I give my consumer access to my report can they also see the data?

Yes, unless there is row level security applied.

Report developers are responsible for the data they share within the reports they share, therefore, if the report developer provides a consumer with access to the report the consumer will also get access to the data. Row level security (ie. Employee Activity Hub) is separate because the Employee data steward has requested additional approval required for access to the data per department.

Q: Can you copy my consumer access to another person?

No. Data access has trainings and approvals that are required. New Report Consumers need:

1. Complete trainings listed on the access request forms.

2. Submit report access request for each area of reports: See the Business Analytics Hub.

Who Can Build Reports?

Q: Can I connect directly to the Activity Hubs / Hana?

No. Access to the Activity Hubs / Hana for analytical needs is available via Cognos or Tableau as a report developer. Access to the Activity Hubs / Hana for data integration needs is available via Column Groups for data integration developers.

Q: Who decides what report developers get access to Activity Hubs?

Data stewards decide the requirements for access to the data they steward.

Q: Can you copy my report developer access to another person?

No. Data access has trainings and approvals that are required. New Report Developers need:

1. Complete trainings listed on access request forms.

2. Submit data access requests: See Blink > Data Sources.

3. Request that your AD admin add your team AD groups so they can publish to your folders.

4. Tableau only - request a Tableau developer license: See Blink > Tableau > Licensing for the current version of Tableau Server.

Active Directory Questions

Q: How to find the AD Group on your folder?

Different teams choose different processes to maintain their Active Directory (AD) security groups. Some teams maintain their AD group membership via manual processes, others use tools like Service Now to incorporate approval processes.

1. If the report is located on the Business Analytics Hub (BAH), use the 'Request Access' link found on the same page as the report.

2. If the report is not on BAH, identify the report owner or the folder where the report lives

   1. Tableau: Reports Developers can look up the permissions on a report or folder to identify the report owner and associated AD groups

   2. Cognos: Email busintel@ucsd.edu to ask who the contact person is for the folder and/or report you are interested in.

3. Contact the report owner

Q: How to edit an AD Group?

Different teams choose different processes to maintain their Active Directory (AD) security groups. Some teams maintain their AD group membership via manual processes, others use tools like Service Now to incorporate approval processes.

If your team manually maintains AD group membership then email or create a ticket for your local Departmental Security Administrator (DSA) or local IT Support Team. There is a table at the bottom of this page to assist in finding your AD group support team.

BIA does not have the ability to update customer AD groups.

Q: How to see AD Group membership?

Everyone in UCSD can view AD Group membership. See details on How to View Active Directory Group Membership

Q: How do I add people to my Active Directory (AD) group?

The BIA team cannot edit or create AD groups. Report developers can reach out to their DSA or local IT Support team to request that AD groups be created or updated. Once the AD group is updated Cognos will see the changes within an hour, Tableau required a nightly reload to see the new AD group updates. There is a table at the bottom of this page to assist in finding your AD group support team.

Q: I made a change to my AD group. When with that change be reflected in Cognos/Tableau?

If that AD group is already attached to a folder in Cognos or Tableau then you will see the change in Cognos the same day and see the change in Tableau after the over-night sync.

Folder / Report Questions?

Q: Can I add only myself to the report or folder?

No. The BIA team is not large enough to support adding individual people to reports or folders. Security is assigned at an AD Group to folder level.

Q: Can I have different security per report?

No. The BIA team is not large enough to support adding different AD groups to each report. Security is assigned at an AD Group to folder level.

Q: Can I have subfolders within my folder?

In Cognos, yes. You can have subfolders with different security.

In Tableau, kinda. You can have subfolders but the security must be the same as the top level team folder. We have found there is a security risk if the subfolder security does not match the top level team folder so we no longer allow subfolders in Tableau to have different security.

Q: Can students see my Team Folder?

Yes, if you have added the student to the AD Group that has access to the folder.

Q: Can students see my the Public folder?

Not by default. The Public folders in Cognos and Tableau are available to all employees found in the ‘Roles_Active_Employees’ Active Directory security group. By default, students are not added to this group even if they are student employees. Managers can request that their student employees be added to the ‘Roles_Active_Employees’ Active Directory security group by opening a ticket with the Service Desk.

Resources

Q: Where can I learn more about Data Governance at UCSD?

Data Governance = https://blink.ucsd.edu/technology/bi/governance/index.html

Data Guidelines = https://blink.ucsd.edu/technology/bi/data-guidelines.html

Q: Where can I learn more about access and security?

https://ucsdcollab.atlassian.net/wiki/spaces/ACP/pages/11173991

https://ucsdcollab.atlassian.net/wiki/spaces/ACP/pages/11175458

Q: How do I set up a Team Folder? popular

These process assumes that you have report developer access to Cognos and Tableau.

Order	Action	Who	Note

Order	Action	Who	Note
1	Creates Report	Report Developer who have been approved via Blink > Data Sources (https://blink.ucsd.edu/technology/bi/sources/index.html)
2	Requests Folder	Report Developer via email busintel@ucsd.edu with suggested folder name
3	Request new Active Directory (AD) Group or modifications to existing AD Group	Report Developer via email/ticket to their local Departmental Security Administrator (DSA) or local IT Support Team	BIA recommendation for AD Group naming convention TeamName-Project-BI-Developer for the group of developers who will be building reports TeamName-Project-BI-Consumer for the group of users who will be viewing or using the reports
4	Create AD Group	DSA or local IT Support team See Table below for more information.	Along with providing a group name and AD usernames to be added as members, request the following AD group settings: Group scope = Universal Group type = Security Open
5	Requests AD Group be added to Folder	Report Developer via email busintel@ucsd.edu include the folder name and AD Group name(s) to connect AD Group access can be one of three options: Developer access Consumer access - can download summary data and images Consumer Restricted access - cannot download summary data and images (Tableau only, in Cognos the report developer would set this limitation)	Cognos Example:  Please create a new folder called "EcoTime Reports" and allow AD group "EcoTime_BI_Developer" to publish reports to this folder in DEV.  Please also allow “EcoTime_BI_Developer” and "EcoTime_BI_Consumer" to view these reports in QA and Prod.   Tableau Example:  Please create a new folder called "EcoTime Reports" and allow AD group "EcoTime_BI_Developer" to publish reports to this folder.  Please also allow "EcoTime_BI_Consumer" to view these reports but NOT download summary data.
6	Adds AD Group to Folder	BIA per SNOW ticket from Report Developer
7	Adds report to Folder	Report Developer
8	Cognos: migrate to Cognos QA	Report Developer	1st time set-up by BIA required
9	Cognos: Request migration to Cognos PROD	Report Developer via email busintel@ucsd.edu

Q: Who do I contact to create or edit an AD Group? popular