IBM Support

'The user currently logged in is not authorized to use this method' when creating new users

Troubleshooting


Problem

User launches Controller and clicks 'Maintain - Rights - User'.

  • User receives an error.

After clicking OK, the user sees the user screen, but cannot view/change any other user's CAM usernames (for example "NAMESPACE\Username"). In other words, the field "Cam User" is blank (white) and the user cannot modify the settings for any user.

For more information, see Unable to add new user.

Symptom

Information

The user currently logged in is not authorized to use this method.
OK

Cause

The Controller system does not believe that the currently logged-on user is a member of the group "Controller Administrators".

More Information:
By default, inside Cognos Connection (inside the namespace "Cognos") there are two Controller-related groups:

  • Controller Users
  • Controller Administrators


By design (if Cognos security is enabled), Controller requires that all users who perform security modifications (inside Controller) belong to the Cognos security group 'Controller Administrators'.

Therefore, there are several possible causes for the problem:

Scenario #1 - (Most likely) Current logged on user is not a member of the Cognos security group 'Controller Administrators' (inside Cognos Connection).
  • This IBM Technote shall concentrate on this scenario.
 
Scenario #2 - The Controller system cannot read the membership of the group "Controller Administrators" quickly due to the connection to the authentication source (e.g. Active Directory) being inefficiently/incorrectly configured.
  • In other words, the Cognos security is configured to use a 'slow' namespace
  • For more details, see 'Cause #1' inside separate IBM Technote #1361744.
 
Scenario #3 - "Controller Administrators" contains a 'bad' group which is blocking the Controller system from reading its contents correctly.
  • For more details, see 'Cause #2' inside separate IBM Technote #1361744.
 
Scenario #4 - "Controller Administrators" contains 'bad' user(s) which is(are) blocking the Controller system from reading its contents correctly.
  • For example, a single person may have a Windows domain account in two separate/different Windows domains (e.g. OLD\JSMITH and NEW\JSMITH). In some circumstances, if both accounts are members of the 'Controller Administrators' group, this can cause this issue.
  • For more details, see separate IBM Technote #1620794.
 
Scenario #5 - Cognos Configuration has been incorrectly configured when using 'native' (non-Cognos) security.
  • Specifically, if you are using "Native" security, then the setting "Allow Anonymous Access" was (incorrectly) configured to be "FALSE".
  • For more details, see separate IBM Technote #1427502.
 
Scenario #6 - Invalid setting inside 'Admin Groups' (inside Controller Configuration)
  • For example, there may be a 'space' next to the comma (in between separate groups)
  • For more details, see separate IBM Technote #1988675.
 
Scenario #7 - The list of members of the Cognos security role "Controller Users" is so large that it is causing a timeout.
  • Specifically, it is trying to check if the user is a member of 'User Groups', but first it is checking 'Controller Users' because that role is listed first (see below) inside 'Server Authentication'
  
Scenario #8 - Intermittent problem caused by a limitation of Controller-on-Cloud
  • For more details, see separate IBM Technote #1138288.

Environment

Controller configured to use Cognos security (also known as 'CAM' security).

  • This is different from the default (Native) security.

Resolving The Problem

Scenario #1

Add the relevant user(s) to be members of the group 'COGNOS\Controller Administrators' inside Cognos Connection.

 
Steps:
The steps vary slightly depending on the version of Cognos Analytics (or Cognos BI) you are using.

1. Launch Cognos Connection: http://servername/ibmcognos
2. Navigate to "IBM Cognos Administration"
3. Click "Security" tab
4. Open the security namespace "Cognos"

5. Click on the 'properties' tab to the right of 'Controller Administrators'

6. Click on the 'members' tab
7. Click 'add' and browse to the relevant user(s) that you wish to add, and complete this wizard.
  • Ensure that all the relevant users (those who will create/edit users) are members of this group.
   

Scenario #2

Reconfigure the Cognos security namespace inside "Cognos Configuration" to be more efficient.

  • For more details, see 'Cause #1' inside separate IBM Technote #1361744.

   

Scenario #3

Modify the membership of the "Controller Administrators" group to ensure that there are no 'bad' Active Directory groups listed in there, which are causing problems. Afterwards, add each Controller administrator's username individually to "Controller Administrators" (in other words, add the users individually instead of as part of a large group).

  • For more details, see 'Cause #2' inside separate IBM Technote #1361744.

   

Scenario #4

Check/modify the user membership of the group "Controller Administrators", especially for similar-looking "duplicate" entries.

  • For more details, see separate IBM Technote #1620794.
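
One way to look for the similar-looking "duplicate" entries described in Scenario #4, as an added example (not IBM's code). It assumes the group's members have been exported by hand as DOMAIN\user strings; the sample list and the function name audit_members are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: members of 'Controller Administrators' as DOMAIN\user strings.
SAMPLE_MEMBERS = [
    r"OLD\JSMITH",
    r"NEW\jsmith",
    r"NEW\ABROWN",
    r"NEW\abrown",       # same account listed twice, not a cross-domain duplicate
    "Controller Admin",  # no domain prefix: reported separately
]


def audit_members(members):
    """Return (duplicates, unparsed).

    duplicates maps a lower-cased account name to the sorted list of domains
    it appears under, for names present in more than one domain.
    unparsed lists entries that are not in DOMAIN\\user form.
    """
    domains_by_user = defaultdict(set)
    unparsed = []
    for entry in members:
        domain, sep, user = entry.strip().partition("\\")
        if not sep or not domain or not user:
            unparsed.append(entry)
            continue
        # Windows account and domain names are compared case-insensitively.
        domains_by_user[user.lower()].add(domain.upper())
    duplicates = {
        user: sorted(domains)
        for user, domains in domains_by_user.items()
        if len(domains) > 1
    }
    return duplicates, unparsed


if __name__ == "__main__":
    dups, bad = audit_members(SAMPLE_MEMBERS)
    for user, domains in dups.items():
        print(f"{user}: member via domains {', '.join(domains)}")
    for entry in bad:
        print(f"not DOMAIN\\user form: {entry!r}")
```

Each reported name is a candidate for review: keep only the account the person actually uses as a member of the group.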

  

Scenario #5

Launch "IBM Cognos Configuration" then navigate to "Security > Authentication > Cognos". Because you are not using a Cognos namespace (you are using Controller 'Native' Security) you should modify "Allow Anonymous Access" to be "TRUE". Save changes and restart the service.

  • For more details, see separate IBM Technote #1427502.

   

Scenario #6

Ensure that the setting 'Admin Groups' (inside Controller Configuration):

  • contains only the groups that require administrative access to Controller
  • has its groups separated only by a comma (no extra spaces).

For more details, see separate IBM Technote #1988675.
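
A check for the 'Admin Groups' value described in Scenario #6, as an added example (not IBM's code or Controller's own parsing). It flags whitespace next to a comma while leaving spaces inside a group name alone; the empty-entry and repeated-entry checks go beyond what the technote lists, and the group name 'Finance Admins' and the function name lint_admin_groups are constructed.

```python
def lint_admin_groups(value):
    """Check an 'Admin Groups' value; return (findings, normalized_value).

    Group names may legitimately contain spaces ('Controller Administrators'),
    so only whitespace at the edges of each comma-separated entry is flagged.
    """
    findings = []
    groups = []
    seen = set()
    for position, raw in enumerate(value.split(","), start=1):
        name = raw.strip()
        if raw != name:
            findings.append(
                f"entry {position}: whitespace next to the comma around {name!r}"
            )
        if not name:
            # Assumption: an empty entry (e.g. a trailing comma) is unintended.
            findings.append(f"entry {position}: empty entry")
            continue
        key = name.casefold()
        if key in seen:
            # Assumption: a repeated group is redundant and can be dropped.
            findings.append(f"entry {position}: {name!r} listed more than once")
            continue
        seen.add(key)
        groups.append(name)
    return findings, ",".join(groups)


if __name__ == "__main__":
    # Constructed value with a space after the first comma, a repeat and a trailing comma.
    sample = "Controller Administrators, Finance Admins,Controller Administrators,"
    problems, fixed = lint_admin_groups(sample)
    for problem in problems:
        print(problem)
    print("suggested value:", fixed)
```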

  

Scenario #7

Reverse the order of the entries inside 'User Groups' (in Controller Configuration), so that (when a user opens the user administrative menu) Controller checks for membership of 'Controller Administrators' first (before checking 'Controller Users').

  • For more details, see separate IBM Technote #0718375.
   

Scenario #8

Known limitation of Controller-on-Cloud

  • For more details, see separate IBM Technote #1138288.


Historical Number

1035417

Document Information

Modified date:
20 April 2021

UID

swg21371155