Hi guys,
When you use Security Mode=5, is it a good idea to have all groups coming from Cognos BI/Active DIrectory? I need to be able to have some native TM1 Groups and use them for Data Security. I need to have a group for each branch ( I have Branch Dimension) and assign Active Directory Users (which become TM1 Users) to those groups instead of having to create all these Groups in BI.
Any advise?
Security Mode 5 with TM1 Native Groups
-
- MVP
- Posts: 2832
- Joined: Tue Feb 16, 2010 2:39 pm
- OLAP Product: TM1, Palo
- Version: Beginning of time thru 10.2
- Excel Version: 2003-2007-2010-2013
- Location: Atlanta, GA
- Contact:
Re: Security Mode 5 with TM1 Native Groups
It's neither good or bad. It depends on your situation and how you're going to be able to assign the users to the groups. If having the groups in TM1 only helps you manage the security better then I would say it's "good".
-
- Posts: 132
- Joined: Thu Oct 23, 2014 10:15 pm
- OLAP Product: tm1, cognos bi
- Version: 10.2
- Excel Version: 2010
Re: Security Mode 5 with TM1 Native Groups
My requirement is to allow a super user (through a user interface/websheet) to delegate users to do something on some other user behalf(basically replicate the access of another user when a user is absent). We user Security Mode=5, and in TM1 I have more flexibility when it comes to automate the User-Group assignment, but the problem is that Active Directory User does not show until the Users signs in in TM1
-
- MVP
- Posts: 2832
- Joined: Tue Feb 16, 2010 2:39 pm
- OLAP Product: TM1, Palo
- Version: Beginning of time thru 10.2
- Excel Version: 2003-2007-2010-2013
- Location: Atlanta, GA
- Contact:
Re: Security Mode 5 with TM1 Native Groups
That is correct and it is one of the limitations of what you are proposing. That (and a ton of other reasons) is why I HATE using CAM. Just add the users manually and use IntegratedSecurityMode = 3. Only AD users will be able to log in and it allows you to take care of all the security setup in TM1.
-
- Posts: 132
- Joined: Thu Oct 23, 2014 10:15 pm
- OLAP Product: tm1, cognos bi
- Version: 10.2
- Excel Version: 2010
Re: Security Mode 5 with TM1 Native Groups
I need to be able to secure data by using BI Groups also, since my reporting cube needs to be published in BI for reporting.tomok wrote: ↑Thu Jan 11, 2018 4:30 pmThat is correct and it is one of the limitations of what you are proposing. That (and a ton of other reasons) is why I HATE using CAM. Just add the users manually and use IntegratedSecurityMode = 3. Only AD users will be able to log in and it allows you to take care of all the security setup in TM1.
I have never used a Hybrid mode (TM1 Groups and Cognos BI Groups ) in a TM1 model, so I am hoping it won't cause any issues.
Is there a way to add Active Directory users in TM1 with a TI Process, by using AddClient function? I tried to do that, and even if I provide the CAM ID for the user name, it still does not add it as a Ad User
Thanks Again
-
- Posts: 78
- Joined: Tue Mar 18, 2014 8:02 am
- OLAP Product: TM1, Cognos Express
- Version: 10.2.2
- Excel Version: 2013
Re: Security Mode 5 with TM1 Native Groups
My memory may be a little rusty here, but aren't you able to add clients from the Cients/Groups screen when you're connected via CAM?
The BI user selection window pops up, search for the users in the desired AD and add them to the TM1 Clients.
Now all that's left is to set any group assignments (linking CAM users to TM1 groups works) and you're done. No big deal.
The BI user selection window pops up, search for the users in the desired AD and add them to the TM1 Clients.
Now all that's left is to set any group assignments (linking CAM users to TM1 groups works) and you're done. No big deal.
-
- Posts: 132
- Joined: Thu Oct 23, 2014 10:15 pm
- OLAP Product: tm1, cognos bi
- Version: 10.2
- Excel Version: 2010
Re: Security Mode 5 with TM1 Native Groups
My goal is to automate this so a super user can be able to add users (that exist in Active Directory but have not logged in TM1 yet) through a Websheet. I have automated everything else so the super user does not even have Architect/Perspectives installed.pandinus wrote: ↑Fri Jan 12, 2018 2:13 pm My memory may be a little rusty here, but aren't you able to add clients from the Cients/Groups screen when you're connected via CAM?
The BI user selection window pops up, search for the users in the desired AD and add them to the TM1 Clients.
Now all that's left is to set any group assignments (linking CAM users to TM1 groups works) and you're done. No big deal.