Authentication/security Tm1 applications W/O BI

[flesh2011]

Hi.

In Process to set up models in tm1. Want to use applications. version 10.2.2.3
All our usergroups are maintaied in ad.

Then I red in install guide this:

Security considerations when using Cognos TM1 Applications
You can use either IBM® Cognos® TM1® standard security authentication or IBM Cognos security for the Cognos TM1 servers you use with Cognos TM1 Applications.

Meening that we only could use IntegratedSecurityMode=1, right? ( since 5 is not an alternative)

Does that also mean that theres no out of the box way to automate the usage of our AD- groups?

[mvaspal]

you can use mode 1 or 5, so you will need to set up a CAM security and link it to BI.

[paulsimon]

Hi

Just to clarify

If you are using TM1 Applications (or anything that relies on the new Java based TM1 Web then it is Mode 1 or 5, ie TM1 or CAM Authentication. (The old ActiveX based TM1 Web used to be able to do true Windows Authentication (Mode 2 or 3) but that was because it was based on IIS rather than Tomcat).

If you are just using TM1, and no TM1 Web, then you can use Mode 2 or 3 which allows true Integrated Login, ie no need to sign in - everything is authenticated when the user logs in to Windows.

If you are using TM1 Applications, or the new Java based TM1 Web, then use Mode 5 with CAM security. The thing about CAM Security is that it needs an underlying Security Provider which can be something complex of the LDAP SiteMinder variety, but it can also be Windows AD. The only downside is that the user still needs to enter their User Name and Password whenever they first sign in to a Cognos product, however, it will be their Windows User Name and Password, and therefore when they change their Windows Password it automatically effectively changes their password for TM1. You can also drive TM1 Security Groups from AD Security Groups. If they use Cognos BI to report from TM1 then they only get prompted to sign in to Cognos BI. They don't get prompted to sign in to TM1 when BI first runs a query. Their CAM credentials are passed from Cognos BI to TM1.

If you follow the Installation Guide you will find the method needed to configure TM1 to use CAM Security with Windows Authentication. Be sure to follow it to the letter and it will work.

Regards

Paul Simon

[David Usherwood]

@Paul, IBM suggest SSO is supported by BI - see
https://www-01.ibm.com/support/knowledg ... ive_drctry
(Haven't got it to work successfully yet )

[flesh2011]

Thanks for support.

I just need to be 100% sure about the replies.

We do NOT have cognos BI in our portfolio, as mentioned in the subject.

My question is then: Can I still use CAM security? I`ve got an impression that CAM is a tool that needs cognos BI in order to work?
If yes, I will read more documentation and figure it out.

[mvaspal]

Hi,
You can use the BI runtime environment for providing CAM security for TM1, without BI licenses.
At least with 10.1.1, the BI Runtime install was listed on the TM1 install page on Passport Advantage, I am not sure how it works and how you can download with 10.2.2

[David Usherwood]

I've just looked through the Software Access Catalog(ue) on Partnerworld and I can't see the BI Runtime - just the BI server. Since (now) TM1 Enterprise users can use BI (against TM1 content) without further licensing, and BI is a (chargeable) component of Cognos Express 10.2.2, this makes some kind of sense.

[lotsaram]

As far as I'm aware BI runtime doesn't exist past 10.1
You install and use the full 10.2 BI which you are entitled to do as long as only the administration feature is used and nothing else.

[David Usherwood]

Note my post that TM1 Enterprise users can use BI against TM1 without further licensing - yes, I was surprised too

[Paul Segal]

Hi David,

All of BI, or just the admin bit as lotsaram suggests? I mean, just to be clear

[David Usherwood]

Not all (I know Active Reports are not covered, which is probably the component most users would want ) but regular BI reporting against TM1. As I said, I was surprised too!

[mvaspal]

This is described here:
http://www-03.ibm.com/software/sla/slad ... enDocument

According to this page, PM Users, PM Contributors, and PM Explorers are NOT allowed to use Report Studio and other components of BI

Only " IBM Cognos Enterprise User" can use BI studios, except for the legacy studios

An BI Users can access TM1 as a datasource, but only through BI user interfaces

[stephen waters]

This is probably going off topic a bit but to continue the digression about TM1 users and BI license rights (and I really hate the IBM licensing docs that say what roles can't do rather than what they can!)

Under Enterprise TM1 licensing:
- TM1 Modelers can use Framework Manager, Report Studio, Workspace Advanced and Workspace to set up connections and and develop BI reports from a TM1 Server only

- TM1 Performance Management and Explorer users can use Workspace to view those reports.

As David mentioned further up the page, this doesn't cover active reports.

How useful this is I am not sure; most of our clients in this situation are perfectly happy with "standard" TM1 report types, (Excel and TM1 Web) since these are quick to develop, within their normal working skill set and they don't need addition training on Cognos BI. We have some clients using BI on top of TM1 but they are mainly those who have migrated from Cognos Planning, who already have BI licenses and are not familiar with TM1 reporting.

You can also get user licenses that combine TM1 and full BI functionality to report on non-TM1 sources.

nb Cognos Express licensing is different!

[paulsimon]

Hi David

I only mentioned BI to illustrate the fact that Single Sign On for CAM doesn't mean full Windows Authentication, just that you only sign on to Cognos products once so a signon in BI can be passed to TM1. Sorry if that confused the issue.

However, the original question was about TM1 Applications, which effectively means TM1 Web, and in 10.2 that means Java based TM1 Web. From what have read in the IBM documentation that means that you cannot do full WIndows Authentication since that can only happen if you are using IIS as the Web Server, but 10.2 TM1 Web has to use a Java based Web Server such as Tomcat, Websphere, etc.

If you do manage to get real Windows Authentication working in BI using IIS, then I would be interested.

The major bad point of CAM Security is that you cannot set up a user in advance. As you know the user is only created when they first sign in. Whoever set up the security at my site used a rule in }ClientGroups to make all users members of the Everyone group (a non-CAM group). Some Cube access comes from that. The problem is that when a new user signs in the rule makes them a member of the Everyone group but this does nothing until Security is Refreshed, so if the user immediately tries to access certain cubes, they get a security access error. It would just be a lot cleaner if users could be set up in advance as they can be in standard TM1 security. We could create an AD version of the Everyone group but that is a fair amount of work now.

The other issue is the frequent timeouts in CAM which seem to be based on a fixed time period, rather than an idle time period. These mean that users frequently have to re-enter their User Id and Password.

If we could use Windows Authentication, there would be no need for this.

Regards

Paul Simon

[japwah]

Hi Everyone,

Does anyone know what tool can be used in place in Cognos Business Intelligence so that I can use CAM security (IntegratedSecurityMode = 5) with TM1 10.2.2? The client does not have Cognos Business Intelligence and does not have intentions to do so.

So far I have gotten mixed information such as BI Runtime and BI Server. I don't see any documentation regarding BI Runtime with TM1 10.2.2, and I see no documentation at all regarding BI Server.

Thanks!

[lotsaram]

Does anyone know what tool can be used in place in Cognos Business Intelligence so that I can use CAM security (IntegratedSecurityMode = 5) with TM1 10.2.2? The client does not have Cognos Business Intelligence and does not have intentions to do so.

You do realize that this is a complete oxymoron?
Cognos Access Manager (CAM) is a component of Cognos Administration is a component of Cognos BI server.
Needless to say you can't have CAM authentication without having Cognos.

Cognos BI runtime went the way of the Dodo with 10.1 as far as I know. For later releases the solution is to install the full Cognos BI server but only use the Cognos Administration part to set up users and groups and not use any of the studios. The TM1 licensing allows for this usage with no additional license charges. If you search this forum you will find this discussed (including in this very thread!)

[mcguija]

Hi, I do have my TM1 connecting to CAM/Cognos BI using Level 5.

I don't want to use a Cognos BI license though, like Consumer. How can I achieve this?

Thanks
Jason

[lotsaram]

Hi, I do have my TM1 connecting to CAM/Cognos BI using Level 5.

I don't want to use a Cognos BI license though, like Consumer. How can I achieve this?

Thanks
Jason

How about reading the previous post? TM1 license is sufficient to use CAM.

[PlanningDev]

Hi David

The major bad point of CAM Security is that you cannot set up a user in advance. As you know the user is only created when they first sign in.

Paul Simon

Ahh but you can! Now that TM1 has Java Functions you can call the BI SDK to get the CAMID of any user you wish to add to TM1. This allows you to pre-populate users and setup access.

The only thing is I think you have to be licensed for the SDK in order to do this.

[paulsimon]

Hi

Thanks for the information. It still seems a lot more hassle than the non-CAM method. Do you have some sample code that you could share?

Regards

Paul Simon