THE CHALLENGE
Since 2006, HealthPort has made heavy use of IBM Cognos to provide actionable insight into the operational and strategic decisions at all levels of the company. As a company at the forefront of HIPAA compliance, security is always a key concern. “One of our recent initiatives has been to consolidate the authentication of multiple existing applications against a common, tightly controlled Active Directory infrastructure,” said Lisa Kelley, Director of Financial Reporting. “This presented significant challenges for our Cognos applications, which have historically authenticated against a separate Access Manager instance.” Like many IBM Cognos customers, they discovered that migrating their Cognos applications from one authentication source to another was going to create a sizable amount of work for their BI and testing teams. “Since migrating a Cognos instance from one authentication source to another causes the CAMIDs of users, groups and roles to change, it can impact everything from security policies and group memberships to scheduled deliveries and data level security,” said Lance Hankins, CTO of Motio. “In the case of HealthPort, we’re talking about an organization which has invested a considerable amount of time and energy in carefully configuring and verifying the security policies which govern each BI application and the data which it exposes.” “If we had attempted this transition manually, there would have been a huge amount of work involved,” said Lovemore Nyazema, BI Architect Lead. “Manually finding and updating all of the appropriate user, group and role references and then re-verifying access and data level security would’ve been a far more expensive and error-prone process.” Another key challenge for HealthPort involved periodic verification of security policies and row-level security during and after each new release of BI content. “We always want to ensure that our BI content is secured properly. Each time we do a new release, we need to verify that the appropriate security policies are still in place,” said Nyazema. Attempting to verify the correct level of data access for various classes of users is very challenging in a tightly controlled Active Directory environment.
THE SOLUTION
After carefully researching their options, HealthPort chose Persona IQ as the solution for their migration from Access Manager to Active Directory. The unique and patent-pending ability of Persona IQ to migrate Cognos environments between authentication sources without affecting the CAMIDs of users, groups and roles ensured that all of HealthPort’s Cognos content, schedules and security configuration continued to function exactly as it had before. “Finding a solution which minimized risk and guaranteed that our existing security policies remained intact was very important to us,” said Kelley. “We were very impressed with the smoothness of the transition.” Post-migration, HealthPort also began utilizing several Persona IQ features designed to assist BI administrators in better supporting their end user communities. The audited impersonation feature of Persona IQ empowered HealthPort administrators to better troubleshoot user-reported issues. By leveraging audited impersonation, an authorized administrator can create a secure viewport into a managed Cognos environment as a different user. “Impersonation was a must-have feature. We don’t know what we would do without it. It would be painful to do desktop support when one of our users reports a problem. This capability has empowered us to view exactly what our end-users are seeing at their security level, yet in a very controlled and secure way,” said Kelley. Impersonation offers the support team a more proactive approach to immediately investigate and troubleshoot incoming support requests. “Persona is a much more secure solution. From a security and HIPAA point of view, we get a controlled viewport in the Cognos environment that allows us to see the problems our end-users are reporting without having to have access to those users’ Active Directory credentials,” said Nyazema. HealthPort also benefitted from the ability of Persona IQ to blend centrally controlled principals from Active Directory with departmentally controlled principals dened only in the BI realm. “Persona IQ gives us the independence to do what we need to do as a BI team while still adhering to our corporate authentication standards. We don’t have to make requests to another department to create and manage roles and groups which are very specific to the BI applications,” said Nyazema. Finally, end user satisfaction has improved since the transition. Users are grateful for the improved support processes as well as the transparent single sign-on capability between Cognos and Active Directory. “The user community appreciates SSO as well as not having to manage yet another password,” said Kelley.
THE RESULTS
HealthPort’s migration of their Cognos applications from Series 7 Access Manager to Active Directory was a seamless transition that required minimal downtime and zero updates to existing Cognos content or models. Persona IQ has also allowed HealthPort to streamline several work processes, resulting in significant time and cost savings. “We were very impressed with how smooth the transition was from Access Manager to Active Directory. It was a pleasant experience all the way around. The Motio software did exactly what it was supposed to do,” concluded Kelley.
Providence St. Joseph Health chose IBM Cognos Analytics for its self-service capabilities and MotioCI for its version control features. Cognos Analytics allowed more people at Providence St. Joseph to take on the role of report development, while MotioCI provided an audit trail of BI development and prevented multiple people from developing the same content. Version control empowered Providence St. Joseph to achieve their standardization requirements and saved them time and money previously associated with deployments and rework.