Securing dilemma

Post Reply
RSK
Posts: 49
Joined: Mon Oct 08, 2012 12:02 pm
OLAP Product: TM1 10.1.1
Version: TM1 10.1.1
Excel Version: 2010

Securing dilemma

Post by RSK »

Morning All,

I have a projects dimension in a forecasting cube where a single Project manager is assigned to each project (the n level element). We have around 80 PM's in the business and data needs to to be secured on a project level, i.e a single PM can only see their own projects.

As we can't set security at a user level at the moment there doesn't seem a away go get away from having to create a single group for each PM, then assigning that group to the elements in project dimension.

Does anyone have any further ideas on more inventive ways to tackle this?

Thanks
David Usherwood
Site Admin
Posts: 1453
Joined: Wed May 28, 2008 9:09 am

Re: Securing dilemma

Post by David Usherwood »

It's not that hard to write a TI which creates a group for each project manager, then assigns rights on (eg) name or attribute. Generally TM1's use of groups for security is efficient and flexible and (with the above) can cope with the use case you have.
RSK
Posts: 49
Joined: Mon Oct 08, 2012 12:02 pm
OLAP Product: TM1 10.1.1
Version: TM1 10.1.1
Excel Version: 2010

Re: Securing dilemma

Post by RSK »

Thanks David,

Do you believe this would work in a IBM cloud environment when the security mode is set to 5. I presume I would still be able to add TM1 groups to the model via that process as normal and assign those users.
David Usherwood
Site Admin
Posts: 1453
Joined: Wed May 28, 2008 9:09 am

Re: Securing dilemma

Post by David Usherwood »

I've done it on the shared partner cloud so I would suggest yes.
User avatar
tiagoblauth79
Posts: 25
Joined: Fri Aug 26, 2016 1:42 pm
OLAP Product: Cognos BI and TM1
Version: 10.2.2
Excel Version: 10
Contact:

Re: Securing dilemma

Post by tiagoblauth79 »

I suggest using Data Reservation in this case as it can be applied to a specific user.
Configuration made in }CubeProperties does enable it. The available Data Reservation modes you can use are listed here:
  • Required (REQUIRED): disables write access for all users for the entire cube and requires you to explicitly assign Data Reservations for any user that needs to write to this cube.
  • Allowed (ALLOWED): allows you to selectively restrict write access to an area of the cube by assigning Data Reservations to individual users as needed.
You should manage it via TI commands, so I suggest you create a security control cube and based on that you apply the commands:
  • CubeDataReservationReleaseAll - clear all reservations
  • CubeDataReservationAcquire - apply the reservations you want
It is hard at the beginning, but at the end, you can have a control cube to relate the users with the projects.
Post Reply