Locking out some admins
-
- Regular Participant
- Posts: 173
- Joined: Sat Mar 20, 2010 3:03 pm
- OLAP Product: TM1
- Version: 9.5.2
- Excel Version: 2007-10
Locking out some admins
I think the answer is no, but thought I would ask anyway... Is there a way to prevent some admins having access to one cube in a model?
I know I could put the cube in different model, however I want the sensitive cube to pass data (salaries aggregated to department level) back to the the non-sensitive cube. If they were in seperate models the only way I can see to pass data is via a data export/import which is not secure.
We have two system accountants that develop basic rules, therefore admins, that should not be able to see this information at leaf level.
I know I could put the cube in different model, however I want the sensitive cube to pass data (salaries aggregated to department level) back to the the non-sensitive cube. If they were in seperate models the only way I can see to pass data is via a data export/import which is not secure.
We have two system accountants that develop basic rules, therefore admins, that should not be able to see this information at leaf level.
-
- MVP
- Posts: 1817
- Joined: Mon Dec 05, 2011 11:51 am
- OLAP Product: Cognos TM1
- Version: PA2.0 and most of the old ones
- Excel Version: All of em
- Location: Manchester, United Kingdom
- Contact:
Re: Locking out some admins
This doesn't necessarily help with your question but...
if the 2 System Accountants are only developing "basic rules" is it not preferable to in fact defer that responsibility to someone else considering that the licence for a Developer is circa £10k as compared to £1500 for a standard read/write user (that is last time I checked anyway.)
if the 2 System Accountants are only developing "basic rules" is it not preferable to in fact defer that responsibility to someone else considering that the licence for a Developer is circa £10k as compared to £1500 for a standard read/write user (that is last time I checked anyway.)
Declan Rodger
-
- Regular Participant
- Posts: 173
- Joined: Sat Mar 20, 2010 3:03 pm
- OLAP Product: TM1
- Version: 9.5.2
- Excel Version: 2007-10
Re: Locking out some admins
Hmm possibly but we got a pretty good deal on the licenses and it's a big system.
I want to restrict sensitive information to some users which is easy, but lock out all but one admin which I cant think how to do.
I want to restrict sensitive information to some users which is easy, but lock out all but one admin which I cant think how to do.
-
- MVP
- Posts: 1817
- Joined: Mon Dec 05, 2011 11:51 am
- OLAP Product: Cognos TM1
- Version: PA2.0 and most of the old ones
- Excel Version: All of em
- Location: Manchester, United Kingdom
- Contact:
Re: Locking out some admins
How about adding said 2 users to a new group "AlmostAdmin" and removing them from "Admin"...
... whilst setting "AlmostAdmin" to have Admin access to all cubes (except the one in question.)
They would also need Admin access to all dims, process etc.
... whilst setting "AlmostAdmin" to have Admin access to all cubes (except the one in question.)
They would also need Admin access to all dims, process etc.
Declan Rodger
-
- MVP
- Posts: 3667
- Joined: Fri Mar 13, 2009 11:14 am
- OLAP Product: TableManager1
- Version: PA 2.0.x
- Excel Version: Office 365
- Location: Switzerland
Re: Locking out some admins
That would work for cubes, even dims but it won't work for processes and chores as the only options for non-admin users are Read or None. If they don't write TI then perfectly acceptable.declanr wrote:How about adding said 2 users to a new group "AlmostAdmin" and removing them from "Admin"...
... whilst setting "AlmostAdmin" to have Admin access to all cubes (except the one in question.)
They would also need Admin access to all dims, process etc.
- Steve Vincent
- Site Admin
- Posts: 1054
- Joined: Mon May 12, 2008 8:33 am
- OLAP Product: TM1
- Version: 10.2.2 FP1
- Excel Version: 2010
- Location: UK
Re: Locking out some admins
is that not a really bad idea from a business continiuity perspective? what happens when said person is on holiday, off sick, run over by a bus....AmbPin wrote: but lock out all but one admin which I cant think how to do.
If this were a dictatorship, it would be a heck of a lot easier, just so long as I'm the dictator.
Production: Planning Analytics 64 bit 2.0.5, Windows 2016 Server. Excel 2016, IE11 for t'internet
Production: Planning Analytics 64 bit 2.0.5, Windows 2016 Server. Excel 2016, IE11 for t'internet
-
- MVP
- Posts: 1817
- Joined: Mon Dec 05, 2011 11:51 am
- OLAP Product: Cognos TM1
- Version: PA2.0 and most of the old ones
- Excel Version: All of em
- Location: Manchester, United Kingdom
- Contact:
Re: Locking out some admins
Lotsaram,
Cheers for the clarification.
AmbPin,
Of course that is just a way to solve the specific question but personally I would point to my earlier post as I tend to recommend that users have the minimum security access possible to do their jobs well. Although this must be combined with a minimum of 2 full Admin users for reasons as pointed out by Steve Vincent.
Does anyone know how the IBM licencing works in regards to giving a user partial Admin access?
I imagine in the case of having Admin access tot he majority of cubes a user would need a full on "developer" licence but at what point does that stop? For example what if a user is standard read/write with admin access to 1 dimension?
Cheers for the clarification.
AmbPin,
Of course that is just a way to solve the specific question but personally I would point to my earlier post as I tend to recommend that users have the minimum security access possible to do their jobs well. Although this must be combined with a minimum of 2 full Admin users for reasons as pointed out by Steve Vincent.
Does anyone know how the IBM licencing works in regards to giving a user partial Admin access?
I imagine in the case of having Admin access tot he majority of cubes a user would need a full on "developer" licence but at what point does that stop? For example what if a user is standard read/write with admin access to 1 dimension?
Declan Rodger
- Steve Vincent
- Site Admin
- Posts: 1054
- Joined: Mon May 12, 2008 8:33 am
- OLAP Product: TM1
- Version: 10.2.2 FP1
- Excel Version: 2010
- Location: UK
Re: Locking out some admins
Simple answer - there isn't. TM1only has 2 types of license, to get access to various menus that are greyed out to a client you must have the admin license. There is no halfway house - you can limit an admin to just securityadmin or dataadmin (detailed in the help guide) but you still require the admin license in order to use them.
If this were a dictatorship, it would be a heck of a lot easier, just so long as I'm the dictator.
Production: Planning Analytics 64 bit 2.0.5, Windows 2016 Server. Excel 2016, IE11 for t'internet
Production: Planning Analytics 64 bit 2.0.5, Windows 2016 Server. Excel 2016, IE11 for t'internet
-
- Regular Participant
- Posts: 173
- Joined: Sat Mar 20, 2010 3:03 pm
- OLAP Product: TM1
- Version: 9.5.2
- Excel Version: 2007-10
Re: Locking out some admins
declanr wrote:How about adding said 2 users to a new group "AlmostAdmin" and removing them from "Admin"...
... whilst setting "AlmostAdmin" to have Admin access to all cubes (except the one in question.)
They would also need Admin access to all dims, process etc.
This almost works, but if they have security admin then they can give themselves access to the cube I want hidden from them.
-
- MVP
- Posts: 1817
- Joined: Mon Dec 05, 2011 11:51 am
- OLAP Product: Cognos TM1
- Version: PA2.0 and most of the old ones
- Excel Version: All of em
- Location: Manchester, United Kingdom
- Contact:
Re: Locking out some admins
If they are only writing rules for a specific few cubes, just give them Admin access to those cubes and give them write access to everything else.
If you need them to be able to change security for other users in addition to having admin access to data then I doubt you would have any option other than giving them full blown Admin access.
If you need them to be able to change security for other users in addition to having admin access to data then I doubt you would have any option other than giving them full blown Admin access.
Declan Rodger
-
- MVP
- Posts: 3667
- Joined: Fri Mar 13, 2009 11:14 am
- OLAP Product: TableManager1
- Version: PA 2.0.x
- Excel Version: Office 365
- Location: Switzerland
Re: Locking out some admins
There's always a way (well almost, but in this case there is). You can always manage security in other cubes (or an external database) that these power users have write access to where the confidential data is cube is excluded from security assignments. A chore or process then can pick up the assignments from the other cubes or external source and apply in the TM1 model without the users needing SecurityAdmin rights.declanr wrote:If they are only writing rules for a specific few cubes, just give them Admin access to those cubes and give them write access to everything else.
If you need them to be able to change security for other users in addition to having admin access to data then I doubt you would have any option other than giving them full blown Admin access.
-
- Regular Participant
- Posts: 173
- Joined: Sat Mar 20, 2010 3:03 pm
- OLAP Product: TM1
- Version: 9.5.2
- Excel Version: 2007-10
Re: Locking out some admins
Thnak you, that is the conclusion I had come too also.lotsaram wrote:There's always a way (well almost, but in this case there is). You can always manage security in other cubes (or an external database) that these power users have write access to where the confidential data is cube is excluded from security assignments. A chore or process then can pick up the assignments from the other cubes or external source and apply in the TM1 model without the users needing SecurityAdmin rights.declanr wrote:If you need them to be able to change security for other users in addition to having admin access to data then I doubt you would have any option other than giving them full blown Admin access.
-
- Posts: 55
- Joined: Thu May 15, 2008 9:11 am
- OLAP Product: Planning Analytics
- Version: IBM SaaS - Digital Pack
- Excel Version: Office 365
- Location: Reading / London
- Contact:
Re: Locking out some admins
One option here may be to look at Replication? You could have a separate model that includes the confidential detail, then perhaps have a process which replicates across data from a summary cube?
-
- Community Contributor
- Posts: 139
- Joined: Mon Sep 15, 2008 1:45 pm
Re: Locking out some admins
I don't know whether you have a seperate development environment or not but if you have
the easy option seems to be to only give them admin level access to the dev environment (and not make the sensitive data available in there).
Jeroen
the easy option seems to be to only give them admin level access to the dev environment (and not make the sensitive data available in there).
Jeroen
-
- Regular Participant
- Posts: 173
- Joined: Sat Mar 20, 2010 3:03 pm
- OLAP Product: TM1
- Version: 9.5.2
- Excel Version: 2007-10
Re: Locking out some admins
Thanks but this option would prevent the other admins doing group/user administration on the live database.Jeroen Eynikel wrote:I don't know whether you have a seperate development environment or not but if you have
the easy option seems to be to only give them admin level access to the dev environment (and not make the sensitive data available in there).
Jeroen
-
- Regular Participant
- Posts: 173
- Joined: Sat Mar 20, 2010 3:03 pm
- OLAP Product: TM1
- Version: 9.5.2
- Excel Version: 2007-10
Re: Locking out some admins
Thanks, this is almost the option I have chosen but have used custom TI scripts to replicate the bits of the model that I want moved back and forth.Martin Ingram wrote:One option here may be to look at Replication? You could have a separate model that includes the confidential detail, then perhaps have a process which replicates across data from a summary cube?
-
- Posts: 55
- Joined: Thu May 15, 2008 9:11 am
- OLAP Product: Planning Analytics
- Version: IBM SaaS - Digital Pack
- Excel Version: Office 365
- Location: Reading / London
- Contact:
Re: Locking out some admins
Sounds like a plan ![Wink ;)](./images/smilies/icon_e_wink.gif)
![Wink ;)](./images/smilies/icon_e_wink.gif)