Removing user when using CAM security

tomok
MVP
Posts: 2831
Joined: Tue Feb 16, 2010 2:39 pm
OLAP Product: TM1, Palo
Version: Beginning of time thru 10.2
Excel Version: 2003-2007-2010-2013
Location: Atlanta, GA

Removing user when using CAM security

Post by tomok »

I've never really spent time with CAM other than to work with a TM1 system where it has already been set up. I understand that users automatically get created in TM1 when a CAM user logs in the first time. My question is about removing users when they leave the company. Are users automatically removed from TM1 once they are removed from CAM? It seems to me like there needs to be a TI process or something like that triggered in order to connect to CAM and check for deleted users. Or do we have to go into TM1 and manually remove the user just like with mode 1?
Tom O'Kelley - Manager Finance Systems
American Tower
http://www.onlinecourtreservations.com/
Elessar
Community Contributor
Posts: 331
Joined: Mon Nov 21, 2011 12:33 pm
OLAP Product: PA 2
Version: 2.0.9
Excel Version: 2016

Re: Removing user when using CAM security

Post by Elessar »

Hi,

The user-groups information is stored in the Cognos Content Store database. This article says that your table name is CMOBJPROPS1 or CMOBJPROPS33.
You can connect to this table via ODBC and check in TM1.

BUT, if you use Active Directory: I'm almost sure that when the user is deleted from AD, he will not be deleted from CAM.
Best regards, Alexander Dvoynev

TM1 and Data Science blog: 6th article - PAfE + VBA: Commit each cell without pressing “Commit” button.
paulsimon
MVP
Posts: 808
Joined: Sat Sep 03, 2011 11:10 pm
OLAP Product: TM1
Version: PA 2.0.5
Excel Version: 2016

Re: Removing user when using CAM security

Post by paulsimon »

Hi

You will need to remove the user from both TM1 and from Active Directory. If you think about it, if you remove a user from AD, how will AD know that that user exists in TM1 to delete them - it is not really in Microsoft's interests to provide support for an IBM product. Similarly if you remove a user in TM1 but not AD, then the user signs in with CAM, then it will just assume that this is the first time that the user has signed in to TM1 via CAM, and it will re-create the TM1 user. To a certain extent, if the user is removed from AD, then they will not be able to sign in to TM1 anyway. However, it is tidier to remove the user from TM1 as well.

It is possible to write a TI process that accesses AD as an ODBC connection and then you can check that each CAMID in TM1 has a matching AD record and if not, then you can remove them from TM1. I can't remember offhand whether it is the SID or the ID in AD that is used for CAM but it is easy enough to check if you just look at an existing CAM record. If you search the internet, you will find details of how to create a connection to AD.


Regards

Paul Simon
tomok
MVP
Posts: 2831
Joined: Tue Feb 16, 2010 2:39 pm
OLAP Product: TM1, Palo
Version: Beginning of time thru 10.2
Excel Version: 2003-2007-2010-2013
Location: Atlanta, GA

Re: Removing user when using CAM security

Post by tomok »

paulsimon wrote: Wed Oct 17, 2018 9:23 pm
To a certain extent, if the user is removed from AD, then they will not be able to sign in to TM1 anyway. However, it is tidier to remove the user from TM1 as well.
Thanks for the info Paul. I agree with you and to me it isn't an issue for a disabled ID to stay in TM1 but the auditors see it differently. They want us to come up with a solution so that users get removed from TM1 within a reasonable timeframe once removed from AD so that's why I was asking. I didn't really think that the removal was going to be able to happen from the CAM side but was holding out some hope. I guess we'll need to look into the query into AD route and see if we can come up with a process that cycles through the }Clients dimension and removes any that don't exist in AD.
Tom O'Kelley - Manager Finance Systems
American Tower
http://www.onlinecourtreservations.com/
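The reconciliation discussed in the two posts above (check each CAMID in the }Clients dimension against AD and remove the ones with no match), as an added example that is not part of the thread: a Python sketch of the comparison step with the guards an audit-driven cleanup job needs. It assumes client names of the form CAMID("namespace:u:id") and that the caller has exported the matching AD identifier for every account that should keep access; `plan_removals` and its parameters are hypothetical names, and the removal itself (for instance a TI process calling DeleteClient) is not shown.

```python
import re

# Assumed shape of a CAM client name in }Clients: CAMID("<namespace>:u:<id>")
CAMID_RE = re.compile(r'^CAMID\("([^":]+):u:([^"]+)"\)$')

def plan_removals(tm1_clients, directory_ids, namespace,
                  protected=frozenset(), max_fraction=0.25):
    """Return (to_remove, skipped): }Clients elements with no directory
    match, and elements deliberately left alone."""
    if not directory_ids:
        # An empty export usually means the directory query failed, not
        # that everyone left; refuse rather than plan a mass removal.
        raise ValueError("directory export is empty; refusing to plan removals")
    # Case-folding errs toward keeping a client, never toward deleting one.
    known = {d.casefold() for d in directory_ids}
    to_remove, skipped, in_scope = [], [], 0
    for name in tm1_clients:
        m = CAMID_RE.match(name)
        if m is None or m.group(1) != namespace:
            skipped.append(name)      # native client or another namespace
            continue
        in_scope += 1
        if name in protected:
            skipped.append(name)      # accounts kept on purpose
        elif m.group(2).casefold() not in known:
            to_remove.append(name)
    if len(to_remove) > max_fraction * in_scope:
        # Stale or partial export: stop and let a person look at it.
        raise RuntimeError(f"{len(to_remove)} of {in_scope} clients unmatched")
    return sorted(to_remove), sorted(skipped)

# Constructed sample data (not from the thread).
SAMPLE_CLIENTS = ['Admin', 'CAMID("AD:u:a1")', 'CAMID("AD:u:b2")',
                  'CAMID("AD:u:c3")', 'CAMID("AD:u:d4")',
                  'CAMID("AD:u:e5")', 'CAMID("Other:u:z9")']
SAMPLE_DIRECTORY = {'A1', 'b2', 'c3', 'd4'}   # e5 has left the directory

if __name__ == "__main__":
    remove, left_alone = plan_removals(SAMPLE_CLIENTS, SAMPLE_DIRECTORY, "AD")
    print("remove:", remove)
    print("left alone:", left_alone)
```

Because a removed TM1 client is re-created at the next CAM login, the export passed in has to reflect accounts that can no longer authenticate; otherwise the same names reappear on the next run.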
macsir
MVP
Posts: 782
Joined: Wed May 30, 2012 6:50 am
OLAP Product: TM1
Version: PAL 2.0.9
Excel Version: Office 365

Re: Removing user when using CAM security

Post by macsir »

There are 3 layers here.
1. Active Directory
2. Cognos CAM security
3. TM1 Native client group

From what I have experienced, if any user is deleted or disabled in AD, then it will be shown as "unavailable" in CAM if the user was previously set up. If a user is added into AD, I have to manually add it into CAM with security group consideration (decide which group it needs to go to). To this extent, AD and CAM are always synced.
I use the Cognos SDK to query the CAM space to get a list of all valid CAM users ("unavailable" will be shown as blank). And then load it into the User control cube to see who are current licensed users. I think you can use the same way to delete clear TM1 client dimension based on a day-to-day comparison.
The SDK is in Java. If you are interested, check this out. https://www.ibm.com/developerworks/data ... ge565.html

PS, the SDK is the only official and reliable way to query CAM rather than directly from those metadata tables in the content store. 8-)
In TM1, the answer is always yes though sometimes with a but....
http://tm1sir.blogspot.com.au/