Dimension Element Security - Most restrictive

Post Reply
User avatar
Steve Rowe
Site Admin
Posts: 2137
Joined: Wed May 14, 2008 4:25 pm
OLAP Product: TM1
Version: 10.2.2., PAW
Excel Version: Nearly all of them

Dimension Element Security - Most restrictive

Post by Steve Rowe » Fri Dec 18, 2020 11:58 am

Hi,

As per documentation the most restrictive security that applies to a cell is that which is applied.

For the same dimension element if a user is a member of two groups, one that gives read access and one that gives write access then the user ends up with write access. This is wrong as per the documentation.

I just want to double check the cfg, I seem to remember there is one that reverses the most restrictive rule. I can not find any trace of it though. Does it still exist? Can anyone remind me of it incase it is being applied by default?

TM1 Version is 2.0.7
Technical Director
www.infocat.co.uk

tomok
MVP
Posts: 2782
Joined: Tue Feb 16, 2010 2:39 pm
OLAP Product: TM1, Palo
Version: Beginning of time thru 10.2
Excel Version: 2003-2007-2010-2013
Location: Atlanta, GA
Contact:

Re: Dimension Element Security - Most restrictive

Post by tomok » Fri Dec 18, 2020 12:02 pm

Steve Rowe wrote:
Fri Dec 18, 2020 11:58 am
For the same dimension element if a user is a member of two groups, one that gives read access and one that gives write access then the user ends up with write access.
This is the way it has always been for as long as I have been using TM1. I actually had no idea the documentation said otherwise. Not surprising since I haven't looked at the manuals in probably ten years or so. :)

Maybe the documentation is referring to the rule that says if you have WRITE to the cube, WRITE to the dimension, but READ to the element then you have READ. You have to have WRITE all the way down to have WRITE.
Tom O'Kelley - Manager Finance Systems
American Tower
http://www.onlinecourtreservations.com/

User avatar
Steve Rowe
Site Admin
Posts: 2137
Joined: Wed May 14, 2008 4:25 pm
OLAP Product: TM1
Version: 10.2.2., PAW
Excel Version: Nearly all of them

Re: Dimension Element Security - Most restrictive

Post by Steve Rowe » Fri Dec 18, 2020 12:21 pm

Thanks Tom, I had the feeling that I was off somewhere, the documentation doesn't really cover when the security model applies differently to the same object.

Not sure of the logic of implementing the security priority in different directions depending on the context.

Anyway this was quicker than reaising a support request, thanks!

Cheers,
Technical Director
www.infocat.co.uk

Wim Gielis
MVP
Posts: 2601
Joined: Mon Dec 29, 2008 6:26 pm
OLAP Product: TM1, Jedox
Version: PAL 2.0.8
Excel Version: Microsoft 365
Location: Brussels, Belgium
Contact:

Re: Dimension Element Security - Most restrictive

Post by Wim Gielis » Sat Dec 19, 2020 1:41 am

tomok wrote:
Fri Dec 18, 2020 12:02 pm
Maybe the documentation is referring to the rule that says if you have WRITE to the cube, WRITE to the dimension, but READ to the element then you have READ. You have to have WRITE all the way down to have WRITE.
That would be new to me. READ access to a dimension is sufficient for WRITE access to the cell, when WRITE is given at CUBE and ELEMENT level.
Best regards,

Wim Gielis

Excel Most Valuable Professional, 2011-2014
https://www.wimgielis.com ==> 117 TM1 articles and a lot of custom code
Newest blog article: Using TI to change elemant names, like Biden to Trump

User avatar
macsir
Community Contributor
Posts: 747
Joined: Wed May 30, 2012 6:50 am
OLAP Product: TM1
Version: PAL 2.0.9
Excel Version: Office 365
Contact:

Re: Dimension Element Security - Most restrictive

Post by macsir » Sun Dec 20, 2020 8:51 pm

There is a flag CELLSECURITYMOSTRESTRICTIVE in }CubeSecurityProperties.
When CELLSECURITYMOSTRESTRICTIVE is yes, Element and Cell Security behave such that the most restrictive applies. For instance, if Element Security for a specific element is set to READ for a given Group and Cell Security for a cell referencing that dimension element is set to WRITE, then security will resolve to READ. If the CELLSECURITYMOSTRESTRICTIVE parameter is set to any value other than YES, then the server behaves as it did in the prior releases.
https://www.ibm.com/support/knowledgece ... ights.html

Is it what you are after? It is still there an works fine as expected.
In TM1,the answer is always yes though sometimes with a but....
http://tm1sir.blogspot.com.au/

User avatar
Steve Rowe
Site Admin
Posts: 2137
Joined: Wed May 14, 2008 4:25 pm
OLAP Product: TM1
Version: 10.2.2., PAW
Excel Version: Nearly all of them

Re: Dimension Element Security - Most restrictive

Post by Steve Rowe » Thu Dec 31, 2020 5:09 pm

Thanks macsir, no wonder I couldn't find the switch, looking in the wrong place!

Cheers
Technical Director
www.infocat.co.uk

Post Reply