Persona IQ Securely Migrates HealthPort’s Cognos Authentication

THE CHALLENGE

Since 2006, HealthPort has made heavy use of IBM Cognos to provide actionable insight into the operational and strategic decisions at all levels of the company. As a company at the forefront of HIPAA compliance, security is always a key concern. “One of our recent initiatives has been to consolidate the authentication of multiple existing applications against a common, tightly controlled Active Directory infrastructure,” said Lisa Kelley, Director of Financial Reporting. “This presented significant challenges for our Cognos applications, which have historically authenticated against a separate Access Manager instance.” Like many IBM Cognos customers, they discovered that migrating their Cognos applications from one authentication source to another was going to create a sizable amount of work for their BI and testing teams. “Since migrating a Cognos instance from one authentication source to another causes the CAMIDs of users, groups and roles to change, it can impact everything from security policies and group memberships to scheduled deliveries and data level security,” said Lance Hankins, CTO of Motio. “In the case of HealthPort, we’re talking about an organization which has invested a considerable amount of time and energy in carefully configuring and verifying the security policies which govern each BI application and the data which it exposes.” “If we had attempted this transition manually, there would have been a huge amount of work involved,” said Lovemore Nyazema, BI Architect Lead. “Manually finding and updating all of the appropriate user, group and role references and then re-verifying access and data level security would’ve been a far more expensive and error-prone process.” Another key challenge for HealthPort involved periodic verification of security policies and row-level security during and after each new release of BI content. “We always want to ensure that our BI content is secured properly. Each time we do a new release, we need to verify that the appropriate security policies are still in place,” said Nyazema. Attempting to verify the correct level of data access for various classes of users is very challenging in a tightly controlled Active Directory environment.

THE SOLUTION

After carefully researching their options, HealthPort chose Persona IQ as the solution for their migration from Access Manager to Active Directory. The unique and patent-pending ability of Persona IQ to migrate Cognos environments between authentication sources without affecting the CAMIDs of users, groups and roles ensured that all of HealthPort’s Cognos content, schedules and security configuration continued to function exactly as it had before. “Finding a solution which minimized risk and guaranteed that our existing security policies remained intact was very important to us,” said Kelley. “We were very impressed with the smoothness of the transition.” Post-migration, HealthPort also began utilizing several Persona IQ features designed to assist BI administrators in better supporting their end user communities. The audited impersonation feature of Persona IQ empowered HealthPort administrators to better troubleshoot user-reported issues. By leveraging audited impersonation, an authorized administrator can create a secure viewport into a managed Cognos environment as a different user. “Impersonation was a must-have feature. We don’t know what we would do without it. It would be painful to do desktop support when one of our users reports a problem. This capability has empowered us to view exactly what our end-users are seeing at their security level, yet in a very controlled and secure way,” said Kelley. Impersonation offers the support team a more proactive approach to immediately investigate and troubleshoot incoming support requests. “Persona is a much more secure solution. From a security and HIPAA point of view, we get a controlled viewport in the Cognos environment that allows us to see the problems our end-users are reporting without having to have access to those users’ Active Directory credentials,” said Nyazema. HealthPort also benefitted from the ability of Persona IQ to blend centrally controlled principals from Active Directory with departmentally controlled principals dened only in the BI realm. “Persona IQ gives us the independence to do what we need to do as a BI team while still adhering to our corporate authentication standards. We don’t have to make requests to another department to create and manage roles and groups which are very specific to the BI applications,” said Nyazema. Finally, end user satisfaction has improved since the transition. Users are grateful for the improved support processes as well as the transparent single sign-on capability between Cognos and Active Directory. “The user community appreciates SSO as well as not having to manage yet another password,” said Kelley.

THE RESULTS

HealthPort’s migration of their Cognos applications from Series 7 Access Manager to Active Directory was a seamless transition that required minimal downtime and zero updates to existing Cognos content or models. Persona IQ has also allowed HealthPort to streamline several work processes, resulting in significant time and cost savings. “We were very impressed with how smooth the transition was from Access Manager to Active Directory. It was a pleasant experience all the way around. The Motio software did exactly what it was supposed to do,” concluded Kelley.

Providence St. Joseph Health chose IBM Cognos Analytics for its self-service capabilities and MotioCI for its version control features. Cognos Analytics allowed more people at Providence St. Joseph to take on the role of report development, while MotioCI provided an audit trail of BI development and prevented multiple people from developing the same content. Version control empowered Providence St. Joseph to achieve their standardization requirements and saved them time and money previously associated with deployments and rework.

Scroll to Top
As the BI space evolves, organizations must take into account the bottom line of amassing analytics assets.
The more assets you have, the greater the cost to your business. There are the hard costs of keeping redundant assets, i.e., cloud or server capacity. Accumulating multiple versions of the same visualization not only takes up space, but BI vendors are moving to capacity pricing. Companies now pay more if you have more dashboards, apps, and reports. Earlier, we spoke about dependencies. Keeping redundant assets increases the number of dependencies and therefore the complexity. This comes with a price tag.
The implications of asset failures differ, and the business’s repercussions can be minimal or drastic.
Different industries have distinct regulatory requirements to meet. The impact may be minimal if a report for an end-of-year close has a mislabeled column that the sales or marketing department uses, On the other hand, if a healthcare or financial report does not meet the needs of a HIPPA or SOX compliance report, the company and its C-level suite may face severe penalties and reputational damage. Another example is a report that is shared externally. During an update of the report specs, the low-level security was incorrectly applied, which caused people to have access to personal information.
The complexity of assets influences their likelihood of encountering issues.
The last thing a business wants is for a report or app to fail at a crucial moment. If you know the report is complex and has a lot of dependencies, then the probability of failure caused by IT changes is high. That means a change request should be taken into account. Dependency graphs become important. If it is a straightforward sales report that tells notes by salesperson by account, any changes made do not have the same impact on the report, even if it fails. BI operations should treat these reports differently during change.
Not all reports and dashboards fail the same; some reports may lag, definitions might change, or data accuracy and relevance could wane. Understanding these variations aids in better risk anticipation.

Marketing uses several reports for its campaigns – standard analytic assets often delivered through marketing tools. Finance has very complex reports converted from Excel to BI tools while incorporating different consolidation rules. The marketing reports have a different failure mode than the financial reports. They, therefore, need to be managed differently.

It’s time for the company’s monthly business review. The marketing department proceeds to report on leads acquired per salesperson. Unfortunately, half the team has left the organization, and the data fails to load accurately. While this is an inconvenience for the marketing group, it isn’t detrimental to the business. However, a failure in financial reporting for a human resource consulting firm with 1000s contractors that contains critical and complex calculations about sickness, fees, hours, etc, has major implications and needs to be managed differently.

Acknowledging that assets transition through distinct phases allows for effective management decisions at each stage. As new visualizations are released, the information leads to broad use and adoption.
Think back to the start of the pandemic. COVID dashboards were quickly put together and released to the business, showing pertinent information: how the virus spreads, demographics affected the business and risks, etc. At the time, it was relevant and served its purpose. As we moved past the pandemic, COVID-specific information became obsolete, and reporting is integrated into regular HR reporting.
Reports and dashboards are crafted to deliver valuable insights for stakeholders. Over time, though, the worth of assets changes.
When a company opens its first store in a certain area, there are many elements it needs to understand – other stores in the area, traffic patterns, pricing of products, what products to sell, etc. Once the store is operational for some time, specifics are not as important, and it can adopt the standard reporting. The tailor-made analytic assets become irrelevant and no longer add value to the store manager.