TM1 Forum

Hi guys,

When you use Security Mode=5, is it a good idea to have all groups coming from Cognos BI/Active DIrectory? I need to be able to have some native TM1 Groups and use them for Data Security. I need to have a group for each branch ( I have Branch Dimension) and assign Active Directory Users (which become TM1 Users) to those groups instead of having to create all these Groups in BI.

Any advise?

It's neither good or bad. It depends on your situation and how you're going to be able to assign the users to the groups. If having the groups in TM1 only helps you manage the security better then I would say it's "good".

My requirement is to allow a super user (through a user interface/websheet) to delegate users to do something on some other user behalf(basically replicate the access of another user when a user is absent). We user Security Mode=5, and in TM1 I have more flexibility when it comes to automate the User-Group assignment, but the problem is that Active Directory User does not show until the Users signs in in TM1

tm123 wrote: ↑Thu Jan 11, 2018 3:08 pm but the problem is that Active Directory User does not show until the Users signs in in TM1

That is correct and it is one of the limitations of what you are proposing. That (and a ton of other reasons) is why I HATE using CAM. Just add the users manually and use IntegratedSecurityMode = 3. Only AD users will be able to log in and it allows you to take care of all the security setup in TM1.

tomok wrote: ↑Thu Jan 11, 2018 4:30 pm

tm123 wrote: ↑Thu Jan 11, 2018 3:08 pm but the problem is that Active Directory User does not show until the Users signs in in TM1

That is correct and it is one of the limitations of what you are proposing. That (and a ton of other reasons) is why I HATE using CAM. Just add the users manually and use IntegratedSecurityMode = 3. Only AD users will be able to log in and it allows you to take care of all the security setup in TM1.

I need to be able to secure data by using BI Groups also, since my reporting cube needs to be published in BI for reporting.

I have never used a Hybrid mode (TM1 Groups and Cognos BI Groups ) in a TM1 model, so I am hoping it won't cause any issues.

Is there a way to add Active Directory users in TM1 with a TI Process, by using AddClient function? I tried to do that, and even if I provide the CAM ID for the user name, it still does not add it as a Ad User

Thanks Again

My memory may be a little rusty here, but aren't you able to add clients from the Cients/Groups screen when you're connected via CAM?
The BI user selection window pops up, search for the users in the desired AD and add them to the TM1 Clients.
Now all that's left is to set any group assignments (linking CAM users to TM1 groups works) and you're done. No big deal.

pandinus wrote: ↑Fri Jan 12, 2018 2:13 pm My memory may be a little rusty here, but aren't you able to add clients from the Cients/Groups screen when you're connected via CAM?
The BI user selection window pops up, search for the users in the desired AD and add them to the TM1 Clients.
Now all that's left is to set any group assignments (linking CAM users to TM1 groups works) and you're done. No big deal.

My goal is to automate this so a super user can be able to add users (that exist in Active Directory but have not logged in TM1 yet) through a Websheet. I have automated everything else so the super user does not even have Architect/Perspectives installed.