Hi!
I have a user who has permissions to processes Y, but not to a cube named X.
The Y process has a cellputs('text','X cube','dim1','dim2') command that it can run, so it can essentially write a cube that it doesn't have rights to.
Is that OK? How could this be avoided?
Thanks in advance!
CubeSecurity and ProcessSecurity
-
tomok
- MVP
- Posts: 2832
- Joined: Tue Feb 16, 2010 2:39 pm
- OLAP Product: TM1, Palo
- Version: Beginning of time thru 10.2
- Excel Version: 2003-2007-2010-2013
- Location: Atlanta, GA
- Contact:
Re: CubeSecurity and ProcessSecurity
Process security only controls whether you can either see, execute and/or change the process. The processes themselves always execute with admin privileges so cube, dimension and element security are not factored in by default. The only thing you can do is roll your own security check into the process by checking the appropriate security cubes to make sure the user that executed the process has rights. If not you exit the process or skips the record, all depending on exactly what you are doing with the process.monkey97 wrote: ↑Tue Feb 20, 2024 2:31 pm Hi!
I have a user who has permissions to processes Y, but not to a cube named X.
The Y process has a cellputs('text','X cube','dim1','dim2') command that it can run, so it can essentially write a cube that it doesn't have rights to.
Is that OK? How could this be avoided?
Thanks in advance!
-
VRGultom
- Posts: 8
- Joined: Tue Jan 12, 2010 4:44 am
- OLAP Product: SqlServer 2005
- Version: SqlServer 2005
- Excel Version: 2005
Re: CubeSecurity and ProcessSecurity
to give permission to a group to access a process:I have a user who has permissions to processes Y, but not to a cube named X.
Cellputs('READ','}processsecurity',[TIprocessname],[usergroup]);
to avoid access to the cube x:I have a user who has permissions to processes Y, but not to a cube named X.
cellputs('NONE','}cubesecurity','cube x',[usergroup]);
with those two commands, users in the group can run the TI process but cannot do editing to the cube. If I am not mistaken, the TI process will generate error if there is command to update the cube.
Regards
Veronika
-
Wim Gielis
- MVP
- Posts: 3120
- Joined: Mon Dec 29, 2008 6:26 pm
- OLAP Product: TM1, Jedox
- Version: PAL 2.0.9.18
- Excel Version: Microsoft 365
- Location: Brussels, Belgium
- Contact:
Re: CubeSecurity and ProcessSecurity
No it will not give an error.
Best regards,
Wim Gielis
IBM Champion 2024
Excel Most Valuable Professional, 2011-2014
https://www.wimgielis.com ==> 121 TM1 articles and a lot of custom code
Newest blog article: Deleting elements quickly
Wim Gielis
IBM Champion 2024
Excel Most Valuable Professional, 2011-2014
https://www.wimgielis.com ==> 121 TM1 articles and a lot of custom code
Newest blog article: Deleting elements quickly
-
lotsaram
- MVP
- Posts: 3654
- Joined: Fri Mar 13, 2009 11:14 am
- OLAP Product: TableManager1
- Version: PA 2.0.x
- Excel Version: Office 365
- Location: Switzerland
Re: CubeSecurity and ProcessSecurity
You are mistaken. TI processes always run with DataAdmin rights (full Admin if the "Security Access" option is also selected). Therefore users can update dimension and cubes they don't have the rights to edit directly by running a TI process. That's kinda the whole point of assigning non-admin users read access to TI processes!
Please place all requests for help in a public thread. I will not answer PMs requesting assistance.