Multitenancy or Multiple tenant environments support multiple customers or organizations (tenants) by using a single deployment of an application, while ensuring that each tenant can access only the data that it is authorized to use.

Such applications are called multitenant applications.

The benefit of Multitenancy is to minimize the extra costs associated with managing multiple profiles and applications in multiple environments.

!

"

# $%"

"""&

"

"""

""'

" $"%"

"'&

"

('

"") "

*&+ "*&+&

,

Once we decide a multitenant application is a requirement we need to determine how we will identify a tenant.

Before you can modify your configuration for Multitenant applications, you need to identify how tenancy information (grouping) is determined in your environment for the individual users. Then, you associate the tenancy information to specific Multitenancy properties.To enable Cognos Multitenancy capabilities, you set advanced authentication properties on all the computers where the Content Manager is configured, and then restart the IBM Cognos service.

Step 1 - To identify tenancy information - how will we determine this?1) By the Organizational structure built in LDAP2) By an attribute / parameter of the user 3) A variable being passed from a custom security providerIn the example here and within the demo, we use the l attribute of the users

Step 2 - To enable Multitenancy

Open IBM Cognos ConfigurationSetup TenantID properties

Multitenancy properties that you specify for a specific namespace override any Multitenancy properties that you set globally.To configure the tenancy information for one namespace: In Cognos Configuration, in the Explorer window, under Security, click Authentication. Click the namespace that you want to configure.

LDAP Advanced PropertiesMultitenancy.TenantPattern = ~/parameters/tenantID

LDAP Custom PropertiestenantID = l (in this example l is for location)

Restart Services

For more information refer to the IBM Cognos BI v10.2 Administration and Security Guide

New, central UI for managing tenants within IBM Cognos Administration for Tenant content deployment Delete a tenantTenant on-boarding Tenant user profiles Tenant session termination Content utilization reporting

Multitenancy Administration Actions can be accessed via the toolbars or using the down arrow next to the tenant as shown here.

Tenant on-boarding Tenant objects must now be created before a tenant's users can access the Cognos BI systemAbility to delete tenants using IBM Cognos AdministrationSystem Administrators can now easily remove a tenant and all associated BI objects from a Cognos BI platform using IBM Cognos Administration.

Optional deployment of public contentAdministrators of multitenant applications can easily select all objects belonging to a tenant and export them to a Cognos BI deployment archive and can now optionally include or exclude public or non-tenanted content in the same deployment archive in order to easily move an entire application from one Cognos BI platform to another.

Per-tenant default user profilesAccount profiles are used to customize the user experience within Cognos BI. System Administrators can now define default account profiles that can be unique to each tenant's requirements.

-

Tenant user lock-out (disable a tenant)When maintaining multitenant environments, it is often desirable to prevent tenant users from accessing and modifying BI content. System Administrators can now disable access to a Cognos BI application for a tenant; once disabled no user belonging to the disabled tenant ID can access the BI application.

Tenant user session terminationSystem administrators can now terminate all of a tenant's active user sessions from a Cognos BI application without impacting application availability for other users on the system.

Content store utilization reportingService providers for multitenant applications require the ability to understand how individual tenants are utilizing Cognos BI. System Administrators can now easily export Cognos BI content store usage data to be used to fully understand the number of BI objects associated with a tenant along with the size of those objects stored within the Cognos BI content store.will create a csv file containing content store utilization data within \logs

(for example C:\Program Files\IBM\cognos\c10_64\logs\cmUtilization_1363031904149.csv)After Multitenancy is enabled, you can record tenant activities using an audit logging database. IBM Cognos Business Intelligence provides sample audit reports that show how to use the tenancy information to monitor certain user activities. Nothing new here since IBM Cognos BI v10.2

For information about how to use IBM Cognos Configuration to set up a logging database, see the IBM Cognos Business Intelligence Installation and Configuration Guide.

.

/ "*&+&0 #)

#)") 12

&

3*&+ ) 1 &4

"

/

1"/

&

3") #56

!

7&

8

Tenancy checks during object access are evaluated before permissions associated with an object. Therefore, users in a multitenant application see only the objects that are associated with their tenant and objects that are categorized as public.

An object with no tenant id is 'publicPublic objects are visible by all users regardless of the user's tenancy, if the object security policies permit access.Note: Once TenantID set, children of the parent object can not be Public

Note: A user may not belong to multiple tenants. Two logins will be required . But System administrators can impersonate a tenant if they want to create content on behalf of that tenant or for testing purposes, which they could do in 10.2 also.

Procedure1. Ensure that you are logged off from IBM Cognos Connection.2. Click the Log on link in IBM Cognos Connection.3. In the Log on page, append the following parameters to the page URL:

&CAMTenantID=impersonated_tenant_IDFor example, type &CAMTenantID=tenant1

4. Press Enter and continue the logon process.

9

Note: System Administrators when creating content have to obey 'containment rules' that constrain what content can be created by who and where.

Containment rules for multitenancyMultiple tenants can co-exist in a single IBM Cognos content store. The tenantcontainment rules maintain security and ensure isolation between tenants. These rules dictate how the content is created and where it can be located.

Every object in the content store has a tenant ID value that indicates which tenant the object belongs to. This value is based on the tenant ID associated with the session of the user who created the object. Alternatively, system administrators can set the tenant ID value in the user interface, or using the software development kit.

The tenant ID of an object must be the same as the tenant ID of its parent, unless the parent tenant ID is public. If the parent tenant ID is public, the tenant ID for the child can be changed to any value.

System administrators can run a content store consistency check to detect instances of violation of the tenant containment rules.

*

'""&:

$""

1 " '1

"&

"'

;"

6$?>"

@>>">*">4'

+

AB0 A$B1

To find more information on Multitenancy please readDocumentationIBM Cognos BI v10.2.1 New Features GuideIBM Cognos BI v10.2.1 Installation and Configuration GuideIBM Cognos BI v10.2.1 Administration and Security Guide