Monday, September 26, 2011

Tivoli Common Reporting Security - Removing users from administrator roles

In Tivoli Common Reporting, by default, all users will have administrative privileges.  So, every user you create in TCR will have access to the Launch->Administration option and he/she can edit data sources, cancel scheduled jobs and perform various administrative tasks.   While this is great for test environments, it is absolutely not desirable for production implementations.   So, how do we turn off this major security hole?   Fortunately, there is an easy but not well-documented way.
1. Logon as tipadmin/tcradmin in Tivoli Common Reporting portal and select Reporting->Common Reporting
2. Click Launch->Administration
3. Goto Security Tab.
4. Select Cognos.
5. Make sure you selected, Users, Groups and Roles option in the left pane.
6. The list of roles will be listed. Go to the next page on the list. 
7. Select "System Administrators" role that is listed at the very bottom.
8. Click on the "Properties" option to edit the role settings.
9. Click on the "members" tab.
10. Click on the "Add" link to add specific users to TCR administration role.  Typically, the TCR users you created will be under VMMProvider.
11. Next select the "Everyone" group by selecting the checkbox next to it and click "Remove" link.
12. Click OK to save the changes.
13. Log out and log back in as an ordinary user. Now the "Launch->Administration" option will not appear anymore.
Hope this helps,

No comments: