Built in 'Everyone' group and licensing

Started by mdvriese, 27 Jan 2023 08:14:51 AM

mdvriese

Hi,

During an audit, the question came up whether:
- anonymous is disabled
- everyone is disabled

I know anonymous should be disabled via config, and we also check 'only allow members of the built in namespace'.
I realize you can also disable (uncheck via portal administration) the built-in everyone group.
But I've never seen (nor can find back now) any recommendation to do that!
I know you have to remove Everyone from built-in Cognos groups/roles, but nowhere is it suggested to disable Everyone.
(And Everyone can exceptionally be used to easily grant 'all authenticated users' to something, if you would need to.)

Not sure to what extent this matters if we set only 'allow members of the built in namespace'. Don't think it does.
We manage all our users in AD groups and map those through to Cognos groups.

Is anyone disabling Everyone, and/or have more info in what circumstances this should be done?

MFGF

I have never heard of a requirement to disable the Everyone group. I'd be concerned that if you do this, it might lock out everyone who doesn't have System Admin privileges. I have always advocated that you should work through all your roles and remove the Everyone group from being a member of each role - and replace with just the required groups. Leave the Everyone group intact, though.

Cheers!

MF.
Meep!

sdf

Yes, it's a bit concerning if you are disabling the 'Everyone' group. This means you need particular groups/roles for each object you have. Imagine if you have a public content/object: instead of just using 'Everyone', you then need to add several specific groups to assign permissions.




sdef

KETINU

Hi!

I need help setting up roles and permissions in SCI.
What should I do with the "Everyone" and "Anonymous" roles?
When I'm connected via Azure AD SSO, my profile appears as "not provided." Why?

dougp

This is a slightly different question, but I'll respond here because it looks like I missed the initial question and I can provide different details.

The original question lacks detail.  What kind of audit?  Was this for an IBM license compliance audit?  Or was it a security audit by your local cybersecurity office?

...and what are your needs?  Are you providing reporting through Cognos to the entire planet?

If you use Cognos only internally...
License compliance:  Remove Everyone from the System Administrators role.  Add users and groups to roles and groups as appropriate for your needs.
Security compliance:  I would not disable the Everyone group.  Just remove it from all other groups and roles.  In my case, I had initially added Everyone to Analytics Users to match our license structure.  After discussing with my cybersecurity folks, I added Authenticated Users and removed Everyone.

The new question also doesn't provide enough information.  What are your needs?  I use Cognos only internal to the organization.  So I removed Everyone and Anonymous from all roles and groups.  But if you want to expose Cognos externally (on the Internet) and want users to not need to log in, you'll need one of these groups for that.

I don't know about "not provided" appearing as your profile.  That's probably a question for IBM Support.
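
Added example, not written by any poster in this thread and not IBM code: a way to verify the advice above (leave Everyone enabled, but remove Everyone and Anonymous from every role and group) that also catches membership inherited through nested groups and roles. The two-column `container,member` CSV layout and all sample rows are constructed for illustration; it is an assumed listing format, not a Cognos export.

```python
import csv
import io

# Built-in principals the thread says to remove from roles and groups.
BROAD = {"Everyone", "Anonymous"}

# Constructed sample: one "container,member" pair per row (assumed layout).
SAMPLE = """container,member
System Administrators,Everyone
Analytics Users,Query Users
Query Users,Everyone
Authors,AD-BI-Authors
Directory Administrators,AD-BI-Admins
Public Viewers,Anonymous
Loop A,Loop B
Loop B,Loop A
"""

def load_members(csv_text):
    """Return {container: set(direct members)} from the CSV text."""
    members = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        members.setdefault(row["container"].strip(), set()).add(row["member"].strip())
    return members

def broad_paths(members, container):
    """Find every membership chain from container to Everyone/Anonymous."""
    paths, stack = [], [(container, [container])]
    while stack:
        node, path = stack.pop()
        for m in sorted(members.get(node, ())):
            if m in BROAD:
                paths.append(path + [m])
            elif m not in path:  # skip cycles in nested membership
                stack.append((m, path + [m]))
    return paths

def audit(csv_text):
    """Return sorted findings: (container, 'direct'|'nested', chain string)."""
    members = load_members(csv_text)
    findings = []
    for container in sorted(members):
        for path in broad_paths(members, container):
            kind = "direct" if len(path) == 2 else "nested"
            findings.append((container, kind, " -> ".join(path)))
    return sorted(findings)

if __name__ == "__main__":
    for container, kind, chain in audit(SAMPLE):
        print(f"{kind:6} {chain}")
```

A "nested" finding means the role looks clean in its own member list but still admits every user through one of its member groups or roles.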