Rational Insight security tied to user email addresses?
Hello,
We have an installation of Rational Insight 1.1.1.3 on a private network tied to a CLM 4.0.6 installation. For a while, our active directory did not have email addresses for all users. While this was the case, anyone who did not have an email address (displaying as "unknown" in the upper right corner of Insight) could run reports and access data on anyone's project. A little bit ago the sysadmins pushed out email addresses for every LDAP user, and suddenly the security changed. Now, users can only see projects they are a member of.
This security is presumably how things were supposed to work, and is nice, save one use case. We would like our Jazz Admins to be able to query details from all projects without having to be a member of them, as was the case before having emails. I can't determine how to do this in Cognos Administration security, and I'm poking around the ETL now to see if this access is part of the data itself.
Is there a way to let admins override the security policy that binds users to their projects?
Accepted answer
I had the same issue, and added an ETL job to give our admin users access to all projects.
The table RIODS.PROJECT_RESOURCE_LOOKUP is updated every time the JFS ETL is run to reflect the people (resources) that have access to each project.
I run the following ETL that adds a person to all the projects they are not currently linked to:
-- Add one admin user to every project they are not already linked to.
INSERT INTO RIODS.PROJECT_RESOURCE_LOOKUP (
    "PROJECT_ID",
    "RESOURCE_ID")
SELECT All_Projects.PROJECT_ID,
       -- Resource row of the admin user (active rows only)
       (SELECT MIN(RESOURCE_ID) FROM RIODS."RESOURCE" "RESOURCE" WHERE NAME='user_name@company.com' AND ISSOFTDELETED=0) AS Add_RESOURCE_ID
FROM
    (SELECT DISTINCT PROJECT.PROJECT_ID
     FROM RIODS.PROJECT PROJECT
    ) AS All_Projects
LEFT OUTER JOIN
    -- Projects this user is already linked to
    (SELECT DISTINCT PROJECT.PROJECT_ID, PROJECT.NAME, RESOURCE.RESOURCE_ID
     FROM RIODS.PROJECT PROJECT
     INNER JOIN RIODS.PROJECT_RESOURCE_LOOKUP PROJECT_RESOURCE_LOOKUP
         ON PROJECT_RESOURCE_LOOKUP.PROJECT_ID=PROJECT.PROJECT_ID
     INNER JOIN RIODS.RESOURCE RESOURCE
         ON RESOURCE.RESOURCE_ID = PROJECT_RESOURCE_LOOKUP.RESOURCE_ID
     WHERE RESOURCE.NAME = 'user_name@company.com'
    ) AS Project_with_Resource
    ON All_Projects.PROJECT_ID=Project_with_Resource.PROJECT_ID
-- Keep only the projects with no existing link for this user
WHERE Project_with_Resource.PROJECT_ID IS NULL
;
Change "user_name@company.com" to one of your admin users, and copy the SQL for each of your users.
This needs to be run every time after the JFS job, as the JFS job reverts the table to just those with access to CLM projects.
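Added example (not part of the original answer or of IBM's ETL): a set-based variant of the statement above that handles several admin accounts in one pass and skips any address with no active RIODS.RESOURCE row, so no NULL RESOURCE_ID is inserted, followed by a review query that lists every account currently linked to all projects. It generalizes the answer's single-user statement; table and column names are taken from the answer, and the two e-mail addresses are placeholders.

```sql
-- Added example. Table/column names come from the answer above;
-- 'admin1@company.com' and 'admin2@company.com' are placeholders.

-- 1) Grant: one lookup row per (project, listed admin) pair that is missing.
--    An address with no active RESOURCE row yields no group in subquery A,
--    so it contributes no rows at all.
INSERT INTO RIODS.PROJECT_RESOURCE_LOOKUP (PROJECT_ID, RESOURCE_ID)
SELECT P.PROJECT_ID, A.RESOURCE_ID
FROM
    (SELECT DISTINCT PROJECT_ID
     FROM RIODS.PROJECT) P,                 -- every project ...
    (SELECT NAME, MIN(RESOURCE_ID) AS RESOURCE_ID
     FROM RIODS."RESOURCE"
     WHERE NAME IN ('admin1@company.com', 'admin2@company.com')
       AND ISSOFTDELETED = 0
     GROUP BY NAME) A                       -- ... times every listed admin
WHERE NOT EXISTS (
    SELECT 1
    FROM RIODS.PROJECT_RESOURCE_LOOKUP L
    WHERE L.PROJECT_ID  = P.PROJECT_ID
      AND L.RESOURCE_ID = A.RESOURCE_ID
);

-- 2) Review: accounts whose lookup rows cover every project, i.e. who can
--    currently report on all projects under the restricted data model.
--    Compare the result with the approved admin list after each run.
SELECT R.NAME,
       COUNT(DISTINCT L.PROJECT_ID) AS PROJECTS_LINKED
FROM RIODS.PROJECT_RESOURCE_LOOKUP L
INNER JOIN RIODS."RESOURCE" R
    ON R.RESOURCE_ID = L.RESOURCE_ID
GROUP BY R.NAME
HAVING COUNT(DISTINCT L.PROJECT_ID) =
       (SELECT COUNT(DISTINCT PROJECT_ID) FROM RIODS.PROJECT)
ORDER BY R.NAME;
```

Because these rows are written outside the JFS job, the review query is the only record of who holds the all-project grant between runs.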
2 other answers
Hello June,
another option would be to change the data model for the reports the administrator users execute to use the unrestricted data model.
Details in:
Switching to the unrestricted data model
http://www-01.ibm.com/support/knowledgecenter/SSYMRC_5.0.2/com.ibm.rational.rrdi.admin.doc/topics/t_admin_switch_data_models.html
Please note that this model has the same name and default location of the restricted data model, so you will need to import it to a different location.
From Report Studio you can change the data model that a report uses from File > Report Package...
Best Regards,
Francesco Chiossi
Comments
The disadvantage to using this technique is that since we modify the data model as part of this organization's Insight customization, we would have to replicate the changes to both data models each time, possibly with some variation based on security integration. Maintaining two separate data models is an extra amount of work that is not very feasible.
Hello June,
if you customize your data model it should be pretty easy to generate 2 versions (one with and one without security) because there is only 1 parameter to change: IsSecurityEnabled. You can maintain a single customized model and just publish it once with the parameter enabled and once with the parameter disabled.
See for reference:
Integrating the Collaborative Lifecycle Management Framework Manager packages with Rational Insight
https://jazz.net/help-dev/rational-insight/index.jsp?topic=%2Fcom.ibm.rational.rrdi.admin.doc%2Ftopics%2Ft_import_clm301_fm_ri.html
More about the security parameter
Setting the value of the IsSecurityEnabled parameter to 1 enables the project-level security feature of Framework Manager. The security feature lets you restrict users from accessing the data stored in the data warehouse by using a user's email address as the lookup key for access permissions. The security feature must be enabled so that a user can view reports that contain linked data collected from the several CLM applications or from more than one CLM installation.
Best Regards,
Francesco Chiossi