Security issue with TM1 REST API

[Bhavana]

Hi All,

We noticed that users are able to cancel threads using tm1 REST API without having permission to OperationsAdmin or Admin group.

Based on the below IBM note only operationsadmin should able to access.

https://www.ibm.com/support/knowledgece ... group.html


How can we restrict access to tm1 REST API? Need your quick help on this

Planning analytics version : 2.0.9

Regards
Bhavana

[Steve Rowe]

Couldn't you amend your rest api code to test if the user was in the appropriate group?

[Bhavana]

Hi Steve,

Thanks for prompt reply!

We are in starting phase of using this rest API...before using it we wanted to set the security on architect so that in future we can extract the data based on operations group.. one of our developer reported this that he can cancel the threads without proper permission. even we extracted the admin and operations admin access from clientgroups and noticed none of the user is having access to operationadmin. but few of the users have other group access for accessing data in tm1 cubes

How can we test via rest api whether user is having access to appropriate group any support link would me more help to us to check on this.

[David Usherwood]

Working with TM1PY I have found the Rest API to honour security pretty well. Can you check your scripts to see whether you are using admin access? If you are not, please raise a ticket with IBM.

[Bhavana]

Thanks David!

No we are not using admin access in our scripts...sure will raise a ticket with IBM

[David Usherwood]

Suggest you recheck your script.
I have just reproduced the situation with TM1PY and a non admin user can only see their own threads. There is a quirk in that the Github release of tm1py has a function 'cancel_all_running_threads' which is not in the release (py -m pip install) version - but looking at the code it iterates round the threads returned from the Rest API, so no difference really.

[David Usherwood]

I've tested further at Steve Rowe's suggestion and my non-admin user can see and cancel their threads. (Updated - I was cancelling an Architect session - no change to the open view but the user had been logged out.)
(Further update)
If the (non-Admin) user is in the OperationsAdmin group they can cancel other users' threads as well.
Script:

Code: Select all

import configparser
from TM1py.Services import TM1Service
config = configparser.ConfigParser()
config.read(r'..\config.ini')
with TM1Service(**config['XXX']) as tm1:
    # Get all running threads
    threads = tm1.monitoring.get_threads()
    # Prints all running threads with their properties:
    for thread in threads:
        print(thread,'\n')
    # Find threads running in Architect and cancel them
    for thread in threads:
        if thread['Context'] == 'Architect':
            tm1.monitoring.cancel_thread(thread['ID'])

[Bhavana]

Thanks David for providing the script.

We have also tested the same with non admin user after granting operations group he can now able to cancel other users threads. The issue has been fixed