Migrating a Cognos Instance between Authentication Sources

February 13, 2013

Cognos 10, Motio, System Admin & Security

Stress Free Cognos Migrations with Motio

Migrating a Cognos instance between authentication sources can be a scary experience, it's not as simple as moving from point A to point B. A namespace transition can have a profound effect on your Cognos environment’s content and configuration - e.g. the security policies and owners on all Cognos content (objects, scheduled executions, email recipients, group memberships, My Folders, etc.) all depend on CAMIDs from a Cognos namespace.

Some forces that drive the need for migrating a Cognos instance from one authentication source to another are:

  • Migrating Cognos 8 / 10 authentication from Series 7 Access Manager to LDAP or Active Directory
  • Consolidating multiple installations of Cognos
  • Corporate policies which mandate consolidation of identity information
  • Upgrading Cognos to a version which no longer supports your legacy security source

During this webinar, we will how to utilize Motio’s technology to make a Cognos migration a stress free journey.

Business Context

Business user security and ease of access to enterprise information, reports and BI infrastructure is enhanced with a centralized user identity approach. Reducing security risk often mandates a change from multiple, legacy security systems to centralized LDAP or Active Directory systems.

A Motio software-assisted migration that is efficient, timely and stress-free from one authentication source to another can minimize business user access interruption and be done with minimal impact on IT resources.


Motio; Cognos authentication source; LDAP; Active Directory


IT Professionals; IT Developers; DBA’s; Security Administrators; System Administrators


Steve Reed-Pittman

Senturus Consultant

Steve leads the installation and upgrade team at Senturus. He has installed, and configured, and optimized hundreds of Cognos instances from Cognos Series 7 through Cognos 10 on the Windows, UNIX and Linux environments. 

Lance Hankins

Chief Technology Officer, Motio


Migration Scenarios

  • Access Manager (SunONE LDAP) -> Active Directory
  • Access Manager (SunONE LDAP) -> newer LDAP(e.g., Oracle Directory Server, IBM Directory Server)
  • Migration of users between Active Directory domains (e.g., consolidating from multiple domains to one)

Cognos Security ID’s (CAMID) are assigned for:

  • Every security policy
  • Every object’s owner
  • Every object’s contact
  • Schedules
  • Schedule Recipients
  • Burst Slices
  • Cognos Namespace Membership
  • Each User & their Content
    • My Folders
    • Preferences
    • Portal Tabs
    • Watch Items
  • Framework and Transformer models if data level security has been deployed

Migration Options

Changing the authentication source causes the Cognos software to change all of the internal CAMID’s. Therefore the migration options are:

  1. Manually remap each ID in Cognos Connection
  2. Write custom code to migrate using Cognos SDK
  3. Use a packaged namespace migration tool (e.g., Motio)

Motio Cognos Security Migration

Option 1: “Persona IQ” (licensed software)

  • WITHOUT changing the CAMIDs of users, groups & roles
  • Supports Migrating From / To :
    • Access Manager
    • Active Directory
    • LDAP
    • Persona IQ
    • Requires less than five minutes of Cognos downtime.
    • ZERO changes to the Cognos Content Store or FM / Transformer Models
    • Empowers application support personnel while still adhering to corporate authentication standard

Option 2: “Motio Namespace Migration Service” (consulting)

  • Software-assisted, consulting engagement that moves the security namespaces from one instance to another.

The Motio software is not left with the client with this option.

▼ Q&A

With a change from Access Manager to Active Directory, does the access to My Folders change?

Under Option 1 (Motio’s Persona IQ), no it does not (as the CAMID values remain unchanged).

Under Option 2 (Motio’s Migration Service), the My Folders folders are copied and relinked to the new security namespace (and then the old My Folders are deleted).

After a migration, does a new Cognos user have to also be added to Persona IQ?

No. Once the migration is completed, a new Cognos user who is already in the enterprise’s Active Directory system, does not need to be added to Persona IQ. (They will be authenticated to Active Directory, even though Cognos is looking at the Persona IQ data base.)

In the demonstration, Active Directory was the authentication source. Does it also perform as the authorization source after the migration?

No. The security namespace (Active Directory, LDAP, Access Manager, etc.) is the authentication source (who is the user) and that is what is migrated. The authorization source (what can the user access and what can the user do) is still contained in the content store.

When Series 7 is used to manage user classes, can they be migrated as well?

Yes, but if there are a very large number (e.g., 20,000), it may be preferred to leave them in the Persona data base and continue to manage them there. Otherwise, they can be mapped into Active Directory groups or roles (where they’d be managed after the migration).

Does the Motio software work with home-grown authentication sources?


What level of network access is needed to accomplish the migration?

No special network access credential is needed, but access to the namespaces involved and to the Cognos dispatcher is required.

In the conflict identification step of the migration, will a source security system entry of John Lock be matched to a target system entry of Lock, John?

A number of pre-defined as well as custom mapping criteria can be used to match and to identify conflicts. For example, use of some or all of: first name, last name, id, combined fields with prefixes and suffixes (and delimiters) can be used.

Can the software help with a migration from Active Directory to Tivoli Security?

Not at this time, but might be available in the future.

Can Persona IQ handle multiple Active Directory namespaces concurrently, including single sign-on (SSO)?

Yes, both SSO and multiple Active Directory instances can be accessed (as multiple, top-level nodes).

After migration is complete, how long does the intermediate Persona IQ data base need to be maintained?

It is permanent and persists within the Cognos security system (and looks like an additional security provider to the ones initially provided in the Cognos software when installed: Series7, LDAP, Active Directory).