Remember when we used to have these so that even the lurkers could have a little interactivity? I just realised that it has been years rather than months since we've had one, so let's see whether there is still an appetite for them. Let's start with an easy one. This far down the track, are people still holding on to the original security model? Or does integrated login rock your world? Or have you needed to go the CAM route?
As always in the polls, feel free to argue your case for one mode over another in the comments below if you choose to.
The poll closes at the end of May. You can have a change of heart if you become converted to another cause in the meantime.
Monthly Poll 202105 - What's your security mode poison?
- gtonkin
- MVP
- Posts: 1199
- Joined: Thu May 06, 2010 3:03 pm
- OLAP Product: TM1
- Version: Latest and greatest
- Excel Version: Office 365 64-bit
- Location: JHB, South Africa
Re: Monthly Poll 202105 - What's your security mode poison?
More options than you can shake a stick at!
For me as a consultant, the answer is "It depends..."
For offsite development, we use mode 1 or 2.
Mostly in production we use mode 3 as clients integrate with AD.
Due to the price point of PA, only larger clients purchase PA and they are the clients who have an IT department that have policies to be followed.
I cannot actually think of any clients who use TM1 security unless we are in early stages of POC/Dev or need to switch to test security.
And strangely enough, never needed to deploy CAM either - clients have never had or wanted CA.
The exception is obviously now Cloud instances where security is CAM/federated.
- scrumthing
- Posts: 81
- Joined: Tue Jan 26, 2016 4:18 pm
- OLAP Product: TM1
- Version: 11.x
- Excel Version: MS365
Re: Monthly Poll 202105 - What's your security mode poison?
You triggered me here Alan. Authentication is such a painful experience...
We have to rely on native authentication because neither integrated login nor CAM provides the needed functionality.
We have to have a single CAM server for multiple internal clients where one user has access to databases from different clients and user management is decentralized. That will never work with CAM.
So we thought let us try Kerberos and integrated login. But here IBM needs unconstrained delegation rights (in TM1Web/PASSL) and that is something every decent IT department will never allow. Therefore no Kerberos for us.
So we are stuck with either NTLM, which will not properly work if you plan to separate application layer and database layer and which is more insecure compared to Kerberos.
In the end we stayed with native authentication for now. At the moment we are looking into OpenID and TM1 v12...
There is no OLAP database besides TM1!
-
- MVP
- Posts: 1815
- Joined: Mon Dec 05, 2011 11:51 am
- OLAP Product: Cognos TM1
- Version: PA2.0 and most of the old ones
- Excel Version: All of em
- Location: Manchester, United Kingdom
Re: Monthly Poll 202105 - What's your security mode poison?
My recommendation is usually CAM authentication for full SSO compatibility with all interfaces and it gets hooked up to AD.
But just 1 or 2 CAM groups per TM1 instance that give basic access.
Then once the users are authenticated in TM1 we have internal mode 1 groups that assign the actual user access to TM1 objects.
It means that you can break out the responsibilities:
- IT department control who can use TM1
- Super Users/Business Owners control what they can do with it
I've also often ended up with security requirements where for example a new Country that a company operates in may crop up out of the blue and I don't want to have to wait to get a new AD group added to handle it.
Prior to PAW/PAX though I always went mode 2 or 3... can't actually remember which 1 is which any more.
The first company I worked at used mode 1 and looking at the control cubes the passwords were obviously encrypted but I could still tell 90% of users had the same password...
Declan Rodger
- Steve Rowe
- Site Admin
- Posts: 2417
- Joined: Wed May 14, 2008 4:25 pm
- OLAP Product: TM1
- Version: TM1 v6,v7,v8,v9,v10,v11+PAW
- Excel Version: Nearly all of them
Re: Monthly Poll 202105 - What's your security mode poison?
Also triggered! I could rant but I've spent all afternoon wrestling with a totally bizarre feeder / persistent feeder issue that I'm going to go have a beer instead.
Deleted the rant I was drifting into anyway! Have a good w/e everyone, stay safe.
Technical Director
www.infocat.co.uk
-
- Posts: 74
- Joined: Mon May 12, 2008 12:25 pm
- OLAP Product: TM1
- Version: PA 2.0.6 Local
- Excel Version: Excel 2016
Re: Monthly Poll 202105 - What's your security mode poison?
Would love to make some form of SSO to work but our IT folks guard the knowledge about how to integrate with it like the secret of life. Currently trying again with using PAW to let us move to PafE -- that's proving to be a whole other set of fun. Had SSO working within Perspectives but only in one location and of course that approach doesn't work for TM1 Web.
- Alan Kirk
- Site Admin
- Posts: 6606
- Joined: Sun May 11, 2008 2:30 am
- OLAP Product: TM1
- Version: PA2.0.9.18 Classic NO PAW!
- Excel Version: 2013 and Office 365
- Location: Sydney, Australia
Re: Monthly Poll 202105 - What's your security mode poison?
Steve Rowe wrote: Fri Apr 23, 2021 5:28 pm
"Also triggered! I could rant but I've spent all afternoon wrestling with a totally bizarre feeder / persistent feeder issue that I'm going to go have a beer instead.
Deleted the rant I was drifting into anyway! Have a good w/e everyone, stay safe."
That's a pity; I love me a good rant when the rant is justified. Scrumthing's was epic. There's still another month though, so if the trigger is pulled again...
"To them, equipment failure is terrifying. To me, it’s 'Tuesday.' "
-----------
Before posting, please check the documentation, the FAQ, the Search function and FOR THE LOVE OF GLUB the Request Guidelines.