Find who’s been tampering in the content store

Today I was poking around in Production and noticed the modified date on a report of yesterday. After asking around my team, it became apparent that none of us had made the change… was there a security hole?

select 
	a.*,
	s.COGIPF_USERNAME from dbo.COGIPF_ACTION a
join dbo.COGIPF_USERLOGON s
on a.COGIPF_SESSIONID = s.COGIPF_SESSIONID 
-- modified date was between 22 and 24 hours ago
where a.COGIPF_LOCALTIMESTAMP between GETDATE() - .9 and GETDATE() - 1
and s.COGIPF_LOGON_OPERATION  = 'Logon'

This query allowed me to identify who made the change… and as it turns out the modified date can be updated by quite a few scenarios in Cognos, including any user creating a view in their My Folders. Oh well, here’s the query for next time!

2 Comments

  1. CognosPaul says:

    That’s really interesting. Is the modified date affected if the user doesn’t have write permissions to the original report?

Leave a Comment