Authentication/security Tm1 applications W/O BI
-
- Posts: 17
- Joined: Fri Feb 11, 2011 11:10 am
- OLAP Product: tm1
- Version: 10.1.1
- Excel Version: 2010
Authentication/security Tm1 applications W/O BI
Hi.
In Process to set up models in tm1. Want to use applications. version 10.2.2.3
All our usergroups are maintaied in ad.
Then I red in install guide this:
Security considerations when using Cognos TM1 Applications
You can use either IBM® Cognos® TM1® standard security authentication or IBM Cognos security for the Cognos TM1 servers you use with Cognos TM1 Applications.
Meening that we only could use IntegratedSecurityMode=1, right? ( since 5 is not an alternative)
Does that also mean that theres no out of the box way to automate the usage of our AD- groups?
In Process to set up models in tm1. Want to use applications. version 10.2.2.3
All our usergroups are maintaied in ad.
Then I red in install guide this:
Security considerations when using Cognos TM1 Applications
You can use either IBM® Cognos® TM1® standard security authentication or IBM Cognos security for the Cognos TM1 servers you use with Cognos TM1 Applications.
Meening that we only could use IntegratedSecurityMode=1, right? ( since 5 is not an alternative)
Does that also mean that theres no out of the box way to automate the usage of our AD- groups?
-
- Community Contributor
- Posts: 341
- Joined: Wed Nov 03, 2010 9:16 pm
- OLAP Product: tm1
- Version: 10 2 2 - 2.0.5
- Excel Version: From 2007 to 2013
- Location: Earth
Re: Authentication/security Tm1 applications W/O BI
you can use mode 1 or 5, so you will need to set up a CAM security and link it to BI.
- paulsimon
- MVP
- Posts: 808
- Joined: Sat Sep 03, 2011 11:10 pm
- OLAP Product: TM1
- Version: PA 2.0.5
- Excel Version: 2016
- Contact:
Re: Authentication/security Tm1 applications W/O BI
Hi
Just to clarify
If you are using TM1 Applications (or anything that relies on the new Java based TM1 Web then it is Mode 1 or 5, ie TM1 or CAM Authentication. (The old ActiveX based TM1 Web used to be able to do true Windows Authentication (Mode 2 or 3) but that was because it was based on IIS rather than Tomcat).
If you are just using TM1, and no TM1 Web, then you can use Mode 2 or 3 which allows true Integrated Login, ie no need to sign in - everything is authenticated when the user logs in to Windows.
If you are using TM1 Applications, or the new Java based TM1 Web, then use Mode 5 with CAM security. The thing about CAM Security is that it needs an underlying Security Provider which can be something complex of the LDAP SiteMinder variety, but it can also be Windows AD. The only downside is that the user still needs to enter their User Name and Password whenever they first sign in to a Cognos product, however, it will be their Windows User Name and Password, and therefore when they change their Windows Password it automatically effectively changes their password for TM1. You can also drive TM1 Security Groups from AD Security Groups. If they use Cognos BI to report from TM1 then they only get prompted to sign in to Cognos BI. They don't get prompted to sign in to TM1 when BI first runs a query. Their CAM credentials are passed from Cognos BI to TM1.
If you follow the Installation Guide you will find the method needed to configure TM1 to use CAM Security with Windows Authentication. Be sure to follow it to the letter and it will work.
Regards
Paul Simon
Just to clarify
If you are using TM1 Applications (or anything that relies on the new Java based TM1 Web then it is Mode 1 or 5, ie TM1 or CAM Authentication. (The old ActiveX based TM1 Web used to be able to do true Windows Authentication (Mode 2 or 3) but that was because it was based on IIS rather than Tomcat).
If you are just using TM1, and no TM1 Web, then you can use Mode 2 or 3 which allows true Integrated Login, ie no need to sign in - everything is authenticated when the user logs in to Windows.
If you are using TM1 Applications, or the new Java based TM1 Web, then use Mode 5 with CAM security. The thing about CAM Security is that it needs an underlying Security Provider which can be something complex of the LDAP SiteMinder variety, but it can also be Windows AD. The only downside is that the user still needs to enter their User Name and Password whenever they first sign in to a Cognos product, however, it will be their Windows User Name and Password, and therefore when they change their Windows Password it automatically effectively changes their password for TM1. You can also drive TM1 Security Groups from AD Security Groups. If they use Cognos BI to report from TM1 then they only get prompted to sign in to Cognos BI. They don't get prompted to sign in to TM1 when BI first runs a query. Their CAM credentials are passed from Cognos BI to TM1.
If you follow the Installation Guide you will find the method needed to configure TM1 to use CAM Security with Windows Authentication. Be sure to follow it to the letter and it will work.
Regards
Paul Simon
-
- Site Admin
- Posts: 1454
- Joined: Wed May 28, 2008 9:09 am
Re: Authentication/security Tm1 applications W/O BI
@Paul, IBM suggest SSO is supported by BI - see
https://www-01.ibm.com/support/knowledg ... ive_drctry
(Haven't got it to work successfully yet )
https://www-01.ibm.com/support/knowledg ... ive_drctry
(Haven't got it to work successfully yet )
-
- Posts: 17
- Joined: Fri Feb 11, 2011 11:10 am
- OLAP Product: tm1
- Version: 10.1.1
- Excel Version: 2010
Re: Authentication/security Tm1 applications W/O BI
Thanks for support.
I just need to be 100% sure about the replies.
We do NOT have cognos BI in our portfolio, as mentioned in the subject.
My question is then: Can I still use CAM security? I`ve got an impression that CAM is a tool that needs cognos BI in order to work?
If yes, I will read more documentation and figure it out.
I just need to be 100% sure about the replies.
We do NOT have cognos BI in our portfolio, as mentioned in the subject.
My question is then: Can I still use CAM security? I`ve got an impression that CAM is a tool that needs cognos BI in order to work?
If yes, I will read more documentation and figure it out.
-
- Community Contributor
- Posts: 341
- Joined: Wed Nov 03, 2010 9:16 pm
- OLAP Product: tm1
- Version: 10 2 2 - 2.0.5
- Excel Version: From 2007 to 2013
- Location: Earth
Re: Authentication/security Tm1 applications W/O BI
Hi,
You can use the BI runtime environment for providing CAM security for TM1, without BI licenses.
At least with 10.1.1, the BI Runtime install was listed on the TM1 install page on Passport Advantage, I am not sure how it works and how you can download with 10.2.2
You can use the BI runtime environment for providing CAM security for TM1, without BI licenses.
At least with 10.1.1, the BI Runtime install was listed on the TM1 install page on Passport Advantage, I am not sure how it works and how you can download with 10.2.2
-
- Site Admin
- Posts: 1454
- Joined: Wed May 28, 2008 9:09 am
Re: Authentication/security Tm1 applications W/O BI
I've just looked through the Software Access Catalog(ue) on Partnerworld and I can't see the BI Runtime - just the BI server. Since (now) TM1 Enterprise users can use BI (against TM1 content) without further licensing, and BI is a (chargeable) component of Cognos Express 10.2.2, this makes some kind of sense.
-
- MVP
- Posts: 3653
- Joined: Fri Mar 13, 2009 11:14 am
- OLAP Product: TableManager1
- Version: PA 2.0.x
- Excel Version: Office 365
- Location: Switzerland
Re: Authentication/security Tm1 applications W/O BI
As far as I'm aware BI runtime doesn't exist past 10.1
You install and use the full 10.2 BI which you are entitled to do as long as only the administration feature is used and nothing else.
You install and use the full 10.2 BI which you are entitled to do as long as only the administration feature is used and nothing else.
Please place all requests for help in a public thread. I will not answer PMs requesting assistance.
-
- Site Admin
- Posts: 1454
- Joined: Wed May 28, 2008 9:09 am
Re: Authentication/security Tm1 applications W/O BI
Note my post that TM1 Enterprise users can use BI against TM1 without further licensing - yes, I was surprised too
-
- Community Contributor
- Posts: 306
- Joined: Mon May 12, 2008 8:11 am
- OLAP Product: TM1
- Version: TM1 11 and up
- Excel Version: Too many to count
Re: Authentication/security Tm1 applications W/O BI
Hi David,
All of BI, or just the admin bit as lotsaram suggests? I mean, just to be clear
All of BI, or just the admin bit as lotsaram suggests? I mean, just to be clear
Paul
-
- Site Admin
- Posts: 1454
- Joined: Wed May 28, 2008 9:09 am
Re: Authentication/security Tm1 applications W/O BI
Not all (I know Active Reports are not covered, which is probably the component most users would want ) but regular BI reporting against TM1. As I said, I was surprised too!
-
- Community Contributor
- Posts: 341
- Joined: Wed Nov 03, 2010 9:16 pm
- OLAP Product: tm1
- Version: 10 2 2 - 2.0.5
- Excel Version: From 2007 to 2013
- Location: Earth
Re: Authentication/security Tm1 applications W/O BI
This is described here:
http://www-03.ibm.com/software/sla/slad ... enDocument
According to this page, PM Users, PM Contributors, and PM Explorers are NOT allowed to use Report Studio and other components of BI
Only " IBM Cognos Enterprise User" can use BI studios, except for the legacy studios
An BI Users can access TM1 as a datasource, but only through BI user interfaces
http://www-03.ibm.com/software/sla/slad ... enDocument
According to this page, PM Users, PM Contributors, and PM Explorers are NOT allowed to use Report Studio and other components of BI
Only " IBM Cognos Enterprise User" can use BI studios, except for the legacy studios
An BI Users can access TM1 as a datasource, but only through BI user interfaces
- stephen waters
- MVP
- Posts: 324
- Joined: Mon Jun 30, 2008 12:59 pm
- OLAP Product: TM1
- Version: 10_2_2
- Excel Version: Excel 2010
Re: Authentication/security Tm1 applications W/O BI
This is probably going off topic a bit but to continue the digression about TM1 users and BI license rights (and I really hate the IBM licensing docs that say what roles can't do rather than what they can!)
Under Enterprise TM1 licensing:
- TM1 Modelers can use Framework Manager, Report Studio, Workspace Advanced and Workspace to set up connections and and develop BI reports from a TM1 Server only
- TM1 Performance Management and Explorer users can use Workspace to view those reports.
As David mentioned further up the page, this doesn't cover active reports.
How useful this is I am not sure; most of our clients in this situation are perfectly happy with "standard" TM1 report types, (Excel and TM1 Web) since these are quick to develop, within their normal working skill set and they don't need addition training on Cognos BI. We have some clients using BI on top of TM1 but they are mainly those who have migrated from Cognos Planning, who already have BI licenses and are not familiar with TM1 reporting.
You can also get user licenses that combine TM1 and full BI functionality to report on non-TM1 sources.
nb Cognos Express licensing is different!
Under Enterprise TM1 licensing:
- TM1 Modelers can use Framework Manager, Report Studio, Workspace Advanced and Workspace to set up connections and and develop BI reports from a TM1 Server only
- TM1 Performance Management and Explorer users can use Workspace to view those reports.
As David mentioned further up the page, this doesn't cover active reports.
How useful this is I am not sure; most of our clients in this situation are perfectly happy with "standard" TM1 report types, (Excel and TM1 Web) since these are quick to develop, within their normal working skill set and they don't need addition training on Cognos BI. We have some clients using BI on top of TM1 but they are mainly those who have migrated from Cognos Planning, who already have BI licenses and are not familiar with TM1 reporting.
You can also get user licenses that combine TM1 and full BI functionality to report on non-TM1 sources.
nb Cognos Express licensing is different!
- paulsimon
- MVP
- Posts: 808
- Joined: Sat Sep 03, 2011 11:10 pm
- OLAP Product: TM1
- Version: PA 2.0.5
- Excel Version: 2016
- Contact:
Re: Authentication/security Tm1 applications W/O BI
Hi David
I only mentioned BI to illustrate the fact that Single Sign On for CAM doesn't mean full Windows Authentication, just that you only sign on to Cognos products once so a signon in BI can be passed to TM1. Sorry if that confused the issue.
However, the original question was about TM1 Applications, which effectively means TM1 Web, and in 10.2 that means Java based TM1 Web. From what have read in the IBM documentation that means that you cannot do full WIndows Authentication since that can only happen if you are using IIS as the Web Server, but 10.2 TM1 Web has to use a Java based Web Server such as Tomcat, Websphere, etc.
If you do manage to get real Windows Authentication working in BI using IIS, then I would be interested.
The major bad point of CAM Security is that you cannot set up a user in advance. As you know the user is only created when they first sign in. Whoever set up the security at my site used a rule in }ClientGroups to make all users members of the Everyone group (a non-CAM group). Some Cube access comes from that. The problem is that when a new user signs in the rule makes them a member of the Everyone group but this does nothing until Security is Refreshed, so if the user immediately tries to access certain cubes, they get a security access error. It would just be a lot cleaner if users could be set up in advance as they can be in standard TM1 security. We could create an AD version of the Everyone group but that is a fair amount of work now.
The other issue is the frequent timeouts in CAM which seem to be based on a fixed time period, rather than an idle time period. These mean that users frequently have to re-enter their User Id and Password.
If we could use Windows Authentication, there would be no need for this.
Regards
Paul Simon
I only mentioned BI to illustrate the fact that Single Sign On for CAM doesn't mean full Windows Authentication, just that you only sign on to Cognos products once so a signon in BI can be passed to TM1. Sorry if that confused the issue.
However, the original question was about TM1 Applications, which effectively means TM1 Web, and in 10.2 that means Java based TM1 Web. From what have read in the IBM documentation that means that you cannot do full WIndows Authentication since that can only happen if you are using IIS as the Web Server, but 10.2 TM1 Web has to use a Java based Web Server such as Tomcat, Websphere, etc.
If you do manage to get real Windows Authentication working in BI using IIS, then I would be interested.
The major bad point of CAM Security is that you cannot set up a user in advance. As you know the user is only created when they first sign in. Whoever set up the security at my site used a rule in }ClientGroups to make all users members of the Everyone group (a non-CAM group). Some Cube access comes from that. The problem is that when a new user signs in the rule makes them a member of the Everyone group but this does nothing until Security is Refreshed, so if the user immediately tries to access certain cubes, they get a security access error. It would just be a lot cleaner if users could be set up in advance as they can be in standard TM1 security. We could create an AD version of the Everyone group but that is a fair amount of work now.
The other issue is the frequent timeouts in CAM which seem to be based on a fixed time period, rather than an idle time period. These mean that users frequently have to re-enter their User Id and Password.
If we could use Windows Authentication, there would be no need for this.
Regards
Paul Simon
-
- Posts: 5
- Joined: Fri Dec 18, 2015 4:47 pm
- OLAP Product: TM1
- Version: 10.3
- Excel Version: 2013
Re: Authentication/security Tm1 applications W/O BI
Hi Everyone,
Does anyone know what tool can be used in place in Cognos Business Intelligence so that I can use CAM security (IntegratedSecurityMode = 5) with TM1 10.2.2? The client does not have Cognos Business Intelligence and does not have intentions to do so.
So far I have gotten mixed information such as BI Runtime and BI Server. I don't see any documentation regarding BI Runtime with TM1 10.2.2, and I see no documentation at all regarding BI Server.
Thanks!
Does anyone know what tool can be used in place in Cognos Business Intelligence so that I can use CAM security (IntegratedSecurityMode = 5) with TM1 10.2.2? The client does not have Cognos Business Intelligence and does not have intentions to do so.
So far I have gotten mixed information such as BI Runtime and BI Server. I don't see any documentation regarding BI Runtime with TM1 10.2.2, and I see no documentation at all regarding BI Server.
Thanks!
-
- MVP
- Posts: 3653
- Joined: Fri Mar 13, 2009 11:14 am
- OLAP Product: TableManager1
- Version: PA 2.0.x
- Excel Version: Office 365
- Location: Switzerland
Re: Authentication/security Tm1 applications W/O BI
You do realize that this is a complete oxymoron?japwah wrote:Does anyone know what tool can be used in place in Cognos Business Intelligence so that I can use CAM security (IntegratedSecurityMode = 5) with TM1 10.2.2? The client does not have Cognos Business Intelligence and does not have intentions to do so.
Cognos Access Manager (CAM) is a component of Cognos Administration is a component of Cognos BI server.
Needless to say you can't have CAM authentication without having Cognos.
Cognos BI runtime went the way of the Dodo with 10.1 as far as I know. For later releases the solution is to install the full Cognos BI server but only use the Cognos Administration part to set up users and groups and not use any of the studios. The TM1 licensing allows for this usage with no additional license charges. If you search this forum you will find this discussed (including in this very thread!)
Please place all requests for help in a public thread. I will not answer PMs requesting assistance.
-
- Posts: 28
- Joined: Thu Dec 29, 2011 4:39 pm
- OLAP Product: Cognos
- Version: 9.5.2
- Excel Version: 2003
Re: Authentication/security Tm1 applications W/O BI
Hi, I do have my TM1 connecting to CAM/Cognos BI using Level 5.
I don't want to use a Cognos BI license though, like Consumer. How can I achieve this?
Thanks
Jason
I don't want to use a Cognos BI license though, like Consumer. How can I achieve this?
Thanks
Jason
-
- MVP
- Posts: 3653
- Joined: Fri Mar 13, 2009 11:14 am
- OLAP Product: TableManager1
- Version: PA 2.0.x
- Excel Version: Office 365
- Location: Switzerland
Re: Authentication/security Tm1 applications W/O BI
How about reading the previous post? TM1 license is sufficient to use CAM.mcguija wrote:Hi, I do have my TM1 connecting to CAM/Cognos BI using Level 5.
I don't want to use a Cognos BI license though, like Consumer. How can I achieve this?
Thanks
Jason
Please place all requests for help in a public thread. I will not answer PMs requesting assistance.
-
- Community Contributor
- Posts: 349
- Joined: Tue Aug 17, 2010 6:31 am
- OLAP Product: Planning Analytics
- Version: 2.0.5
- Excel Version: 2016
Re: Authentication/security Tm1 applications W/O BI
paulsimon wrote:Hi David
The major bad point of CAM Security is that you cannot set up a user in advance. As you know the user is only created when they first sign in.
Paul Simon
Ahh but you can! Now that TM1 has Java Functions you can call the BI SDK to get the CAMID of any user you wish to add to TM1. This allows you to pre-populate users and setup access.
The only thing is I think you have to be licensed for the SDK in order to do this.
- paulsimon
- MVP
- Posts: 808
- Joined: Sat Sep 03, 2011 11:10 pm
- OLAP Product: TM1
- Version: PA 2.0.5
- Excel Version: 2016
- Contact:
Re: Authentication/security Tm1 applications W/O BI
Hi
Thanks for the information. It still seems a lot more hassle than the non-CAM method. Do you have some sample code that you could share?
Regards
Paul Simon
Thanks for the information. It still seems a lot more hassle than the non-CAM method. Do you have some sample code that you could share?
Regards
Paul Simon