TM1 Applications don't show up for non-admin users

Post Reply
lpahnke
Posts: 18
Joined: Thu Jun 14, 2012 9:55 pm
OLAP Product: TM1
Version: 10.2.2
Excel Version: 2013

TM1 Applications don't show up for non-admin users

Post by lpahnke »

I'm wondering if anyone else has encountered this issue - according to IBM they don't have reports of it from other customers, but it is a continuous problem for us and we're still trying to work with them on a solution. We're on 10.2.2, FP3.
We use app_maintenance to reimport application rights each night for three deployed applications. Last summer we started having problems where after app_maintenance ran, non-admin users wouldn't see the applications they're authorized for, but admins could see them fine (the applications were deployed and activated). We discovered that running the Security Refresh process for all three services (each application is in a different TM1 service) resolves the problem so we've now scheduled the security refresh to run each night after app_maintenance is done. For the most part this fixes the issue, however every once in awhile the applications disappear for no reason that we can determine - no security processes are running since we never do anything to update security during the day, all our security-related processes run overnight when users aren't in the system.
The only thing that is consistent is we can reproduce the problem by importing application rights (even just running it for one of the applications causes all the applications, across all three services, to disappear), and we can always fix it by running security refresh in all three services that have a deployed application. We've done a lot of double checking that we're not inadvertently updating security cubes that we shouldn't be, and we validated that even when the user can't see the applications, they can log into Architect and see the element for the application in }tp_applications, and they can see and update the data they would otherwise see in the application. So their security seems to be overall in place the way it should be, but they can't get to the application itself.
As far as I know we're not doing anything too non-standard in our use of app_maintenance. The only extra processing we do is we run it under a service account that doesn't normally have admin rights to the TM1 services, so we first run a TI process to give the service account admin rights, before we actually execute app_maintenance. And we also execute a batch script to turn off WebSSO, since that won't work with app_maintenance. But otherwise our execution is pretty straightforward. And for the rest of our security setup, we use a mix of TI processes and rules to handle element security, in addition to typical cube security and cell security. But again, we're not doing anything extra that would interfere with TM1's security processes related to applications or the dimension used for the approval hierarchy - we've left that all alone.
Has anyone ever had a problem like this before, or do you have any ideas on other things we can look at that could be contributing to this problem?
Post Reply