AH Security FAQs
- 1 Q: Who can see my report?
- 2 Q: Who decides what consumers get access to Activity Hubs?
- 3 Q: How can people see my report?
- 4 Q: Where can I learn more about Data Governance at UCSD?
- 5 Q: Can I connect directly to the Activity Hubs / Hana?
- 6 Q: How to find the AD Group on your folder?
- 7 Q: How to edit an AD Group?
- 8 Q: How to see AD Group membership?
- 9 Q: How do I make my report available to all UCSD employees?
- 10 Q: How do I make my report available to the entire world?
- 11 Q: If I give my consumer access to my report can they also see the data?
- 12 Q: Who decides what report developers get access to Activity Hubs?
- 13 Q: How do I add people to my Active Directory (AD) group?
- 14 Q: Can I add only myself to the report or folder?
- 15 Q: Can I have different security per report?
- 16 Q: I made a change to my AD group. When with that change be reflected in Cognos/Tableau?
- 17 Q: Can I have subfolders within my folder?
- 18 Q: Can students see my Team Folder?
- 19 Q: Can students see my the Public folder?
- 20 Q: How do I set up a Team Folder?
- 21 Q: Who do I contact to create or edit an AD Group?
Q: Who can see my report?
Only the people in the Active Directory (AD) security group assigned to your team folder can see your report. Only Report Developers who are a member of the team can request that AD groups be assigned or removed from the folder in the BI tool.
Tableau reports saved to your desktop or Cognos reports saved to your ‘My content’ area can only be seen by yourself.
Q: Who decides what consumers get access to Activity Hubs?
At the report level, report developers decide which Active Directory (AD) security groups have access to reports (grouped into folders).
At the row level and Activity Hub level, data stewards decide the requirements for access to the data they steward.
Q: How can people see my report?
Only members of specific Active Directory (AD) groups that have been attached to your team folder in Cognos/Tableau can see your report. See the FAQ on how to set up a Team Folder.
Q: Where can I learn more about Data Governance at UCSD?
Data Governance = https://blink.ucsd.edu/technology/bi/governance/index.html
Data Guidelines = https://blink.ucsd.edu/technology/bi/data-guidelines.html
Q: Can I connect directly to the Activity Hubs / Hana?
No. Access to the Activity Hubs / Hana for analytical needs is available via Cognos or Tableau as a report developer. Access to the Activity Hubs / Hana for data integration needs is available via Column Groups for data integration developers.
Q: How to find the AD Group on your folder?
Different teams choose different processes to maintain their Active Directory (AD) security groups. Some teams maintain their AD group membership via manual processes, others use tools like Service Now to incorporate approval processes.
If the report is located on the Business Analytics Hub (BAH), use the 'Request Access' link found on the same page as the report.
If the report is not on BAH, identify the report owner or the folder where the report lives
Tableau: Reports Developers can look up the permissions on a report or folder to identify the report owner and associated AD groups
Cognos: Email busintel@ucsd.edu to ask who the contact person is for the folder and/or report you are interested in.
Contact the report owner
Q: How to edit an AD Group?
Different teams choose different processes to maintain their Active Directory (AD) security groups. Some teams maintain their AD group membership via manual processes, others use tools like Service Now to incorporate approval processes.
If your team manually maintains AD group membership then email or create a ticket for your local Departmental Security Administrator (DSA) or local IT Support Team. There is a table at the bottom of this page to assist in finding your AD group support team.
BIA does not have the ability to update AD groups.
Q: How to see AD Group membership?
Everyone in UCSD can view AD Group membership. See details on How to View Active Directory Group Membership
Q: How do I make my report available to all UCSD employees?
In both BI tools there is a ‘Public’ option which is available to all employees found in the ‘Roles_Active_Employees’ Active Directory security group.
You can save your report into the existing ‘Public’ folder or you can create a team folder and apply the ‘Public’ security via the ‘Roles_Active_Employees’ Active Directory security group.
This does not include Affiliates (people not paid via UC Path) or Students.
Q: How do I make my report available to the entire world?
Cognos does not have this ability.
UCSD has a Tableau server dedicated to reports that should be available to the world. See details on https://ucsdcollab.atlassian.net/wiki/spaces/ACP/pages/445907264 .
Q: If I give my consumer access to my report can they also see the data?
Yes, unless there is row level security applied.
Report developers are responsible for the data they share within the reports they share, therefore, if the report developer provides a consumer with access to the report the consumer will also get access to the data. Row level security (ie. Employee Activity Hub) is separate because the Employee data steward has requested additional approval required for access to the data per department.
Q: Who decides what report developers get access to Activity Hubs?
Data stewards decide the requirements for access to the data they steward.
Q: How do I add people to my Active Directory (AD) group?
The BIA team cannot edit or create AD groups. Report developers can reach out to their DSA or local IT Support team to request that AD groups be created or updated. Once the AD group is updated Cognos will see the changes within an hour, Tableau required a nightly reload to see the new AD group updates. There is a table at the bottom of this page to assist in finding your AD group support team.
Q: Can I add only myself to the report or folder?
No. The BIA team is not large enough to support adding individual people to reports or folders. Security is assigned at an AD Group to folder level.
Q: Can I have different security per report?
No. The BIA team is not large enough to support adding different AD groups to each report. Security is assigned at an AD Group to folder level.
Q: I made a change to my AD group. When with that change be reflected in Cognos/Tableau?
If that AD group is already attached to a folder in Cognos or Tableau then you will see the change in Cognos the same day and see the change in Tableau after the over-night sync.
Q: Can I have subfolders within my folder?
In Cognos, yes. You can have subfolders with different security.
In Tableau, kinda. You can have subfolders but the security must be the same as the top level team folder. We have found there is a security risk if the subfolder security does not match the top level team folder so we no longer allow subfolders in Tableau to have different security.
Q: Can students see my Team Folder?
Yes, if you have added the student to the AD Group that has access to the folder.
Q: Can students see my the Public folder?
Not by default. The Public folders in Cognos and Tableau are available to all employees found in the ‘Roles_Active_Employees’ Active Directory security group. By default, students are not added to this group even if they are student employees. Managers can request that their student employees be added to the ‘Roles_Active_Employees’ Active Directory security group by opening a ticket with the Service Desk.
Q: How do I set up a Team Folder?
These process assumes that you have report developer access to Cognos and Tableau.
Order | Action | Who | Note |
|---|---|---|---|
1 | Creates Report | Report Developer who have been approved via Blink > Data Sources (https://blink.ucsd.edu/technology/bi/sources/index.html) |
|
2 | Requests Folder | Report Developer via email busintel@ucsd.edu with suggested folder name |
|
3 | Request new Active Directory (AD) Group or modifications to existing AD Group | Report Developer via email/ticket to their local Departmental Security Administrator (DSA) or local IT Support Team | BIA recommendation for AD Group naming convention
|
4 | Create AD Group | DSA or local IT Support team See Table below for more information. | Along with providing a group name and AD usernames to be added as members, request the following AD group settings: Group scope = Universal Group type = Security 
|
5 | Requests AD Group be added to Folder | Report Developer via email busintel@ucsd.edu include the folder name and AD Group name(s) to connect AD Group access can be one of three options:
| Cognos Example: Please create a new folder called "EcoTime Reports" and allow AD group "EcoTime_BI_Developer" to publish reports to this folder in DEV. Please also allow “EcoTime_BI_Developer” and "EcoTime_BI_Consumer" to view these reports in QA and Prod.
Tableau Example: Please create a new folder called "EcoTime Reports" and allow AD group "EcoTime_BI_Developer" to publish reports to this folder. Please also allow "EcoTime_BI_Consumer" to view these reports but NOT download summary data. |
6 | Adds AD Group to Folder | BIA per SNOW ticket from Report Developer |
|
7 | Adds report to Folder | Report Developer |
|
8 | Cognos: migrate to Cognos QA | Report Developer | 1st time set-up by BIA required |
9 | Cognos: Request migration to Cognos PROD | Report Developer via email busintel@ucsd.edu |
|
Q: Who do I contact to create or edit an AD Group?
Report Developer Department | AD Group Support Team | AD Group Location |
|---|---|---|
Biological Sciences | Local IT |
|
Admissions | ITS-FieldSupport-CentralCampus | AD.UCSD.EDU/Student Affairs/Admissions & Enrollment Services |
Enrollment Management | Contact Bernard Lam or Angela Liewen |
|
Health | Assignment Group: ITS-WorkstationLifeCycle OR Should create a Health System Service Desk ticket (https://blink.ucsd.edu/technology/help-desk/ucsd-health/index.html https://blink.ucsd.edu/technology/help-desk/ucsd-health/index.html ). Alternate option is emailing the Health IS team via itsm@health.ucsd.edu. If you don’t get a response, try contacting Glenn Strout (gstrout@ucsd.edu) | OU = UCSD Healthcare/AHS/Groups/BADG |
IR | ITS-OIA-ADTeam |
|
JSOE or Jacobs School or Engineering | JSOE Help Desk email. |
|
OCGA | ITS-WorkStationLifeCycle | OU = Research Affairs/ORA/Groups/Security Groups/Cognos |
SIO or Marine Sciences | SIO Help Desk email. |
|
VCSA | ITS-SIS-StudentAffairs |
|
| ITS-WorkStationLifeCycle |
|
AD group starting with Roles_ | ITS-OIA-IAM-AccessProv |
|
My department is not listed in this table | Open a SNOW ticket for ITS and request the ticket be assigned to the Active Directory (AD) group management team. |
|