Security Mode 5 with TM1 Native Groups

Post Reply
tm123
Posts: 113
Joined: Thu Oct 23, 2014 10:15 pm
OLAP Product: tm1, cognos bi
Version: 10.2
Excel Version: 2010

Security Mode 5 with TM1 Native Groups

Post by tm123 » Thu Jan 11, 2018 2:17 pm

Hi guys,

When you use Security Mode=5, is it a good idea to have all groups coming from Cognos BI/Active DIrectory? I need to be able to have some native TM1 Groups and use them for Data Security. I need to have a group for each branch ( I have Branch Dimension) and assign Active Directory Users (which become TM1 Users) to those groups instead of having to create all these Groups in BI.

Any advise?

tomok
MVP
Posts: 2508
Joined: Tue Feb 16, 2010 2:39 pm
OLAP Product: TM1, Palo
Version: Beginning of time thru 10.2
Excel Version: 2003-2007-2010-2013
Location: Atlanta, GA
Contact:

Re: Security Mode 5 with TM1 Native Groups

Post by tomok » Thu Jan 11, 2018 2:59 pm

It's neither good or bad. It depends on your situation and how you're going to be able to assign the users to the groups. If having the groups in TM1 only helps you manage the security better then I would say it's "good".
Tom O'Kelley - Manager Finance Systems
American Tower
http://www.onlinecourtreservations.com/

tm123
Posts: 113
Joined: Thu Oct 23, 2014 10:15 pm
OLAP Product: tm1, cognos bi
Version: 10.2
Excel Version: 2010

Re: Security Mode 5 with TM1 Native Groups

Post by tm123 » Thu Jan 11, 2018 3:08 pm

My requirement is to allow a super user (through a user interface/websheet) to delegate users to do something on some other user behalf(basically replicate the access of another user when a user is absent). We user Security Mode=5, and in TM1 I have more flexibility when it comes to automate the User-Group assignment, but the problem is that Active Directory User does not show until the Users signs in in TM1

tomok
MVP
Posts: 2508
Joined: Tue Feb 16, 2010 2:39 pm
OLAP Product: TM1, Palo
Version: Beginning of time thru 10.2
Excel Version: 2003-2007-2010-2013
Location: Atlanta, GA
Contact:

Re: Security Mode 5 with TM1 Native Groups

Post by tomok » Thu Jan 11, 2018 4:30 pm

tm123 wrote:
Thu Jan 11, 2018 3:08 pm
but the problem is that Active Directory User does not show until the Users signs in in TM1
That is correct and it is one of the limitations of what you are proposing. That (and a ton of other reasons) is why I HATE using CAM. Just add the users manually and use IntegratedSecurityMode = 3. Only AD users will be able to log in and it allows you to take care of all the security setup in TM1.
Tom O'Kelley - Manager Finance Systems
American Tower
http://www.onlinecourtreservations.com/

tm123
Posts: 113
Joined: Thu Oct 23, 2014 10:15 pm
OLAP Product: tm1, cognos bi
Version: 10.2
Excel Version: 2010

Re: Security Mode 5 with TM1 Native Groups

Post by tm123 » Thu Jan 11, 2018 6:21 pm

tomok wrote:
Thu Jan 11, 2018 4:30 pm
tm123 wrote:
Thu Jan 11, 2018 3:08 pm
but the problem is that Active Directory User does not show until the Users signs in in TM1
That is correct and it is one of the limitations of what you are proposing. That (and a ton of other reasons) is why I HATE using CAM. Just add the users manually and use IntegratedSecurityMode = 3. Only AD users will be able to log in and it allows you to take care of all the security setup in TM1.
I need to be able to secure data by using BI Groups also, since my reporting cube needs to be published in BI for reporting.

I have never used a Hybrid mode (TM1 Groups and Cognos BI Groups ) in a TM1 model, so I am hoping it won't cause any issues.

Is there a way to add Active Directory users in TM1 with a TI Process, by using AddClient function? I tried to do that, and even if I provide the CAM ID for the user name, it still does not add it as a Ad User

Thanks Again

pandinus
Posts: 78
Joined: Tue Mar 18, 2014 8:02 am
OLAP Product: TM1, Cognos Express
Version: 10.2.2
Excel Version: 2013

Re: Security Mode 5 with TM1 Native Groups

Post by pandinus » Fri Jan 12, 2018 2:13 pm

My memory may be a little rusty here, but aren't you able to add clients from the Cients/Groups screen when you're connected via CAM?
The BI user selection window pops up, search for the users in the desired AD and add them to the TM1 Clients.
Now all that's left is to set any group assignments (linking CAM users to TM1 groups works) and you're done. No big deal.

tm123
Posts: 113
Joined: Thu Oct 23, 2014 10:15 pm
OLAP Product: tm1, cognos bi
Version: 10.2
Excel Version: 2010

Re: Security Mode 5 with TM1 Native Groups

Post by tm123 » Fri Jan 12, 2018 2:54 pm

pandinus wrote:
Fri Jan 12, 2018 2:13 pm
My memory may be a little rusty here, but aren't you able to add clients from the Cients/Groups screen when you're connected via CAM?
The BI user selection window pops up, search for the users in the desired AD and add them to the TM1 Clients.
Now all that's left is to set any group assignments (linking CAM users to TM1 groups works) and you're done. No big deal.
My goal is to automate this so a super user can be able to add users (that exist in Active Directory but have not logged in TM1 yet) through a Websheet. I have automated everything else so the super user does not even have Architect/Perspectives installed.

Post Reply