Assigning Read access to particular combination in cube

[guru1988fortm1]

Hi All,

I am learning TM1 and exploring the security of it

I am using TM1 9.5.2 with Cognos 10.1.1 BI for its security

I have an 15 Cubes in my system in which scenario and year dimensions are present in all the cubes

Here my user wants me to provide read access for 2012(year) Plan(Scenario) for a particular group of users

i am able to provide read access for an element of an dimension

But i dont know how to provide read access for an combination of elements from two different elements

So if anyone who has come across this kind of requirement can help me please

Thanks
Regards
Guru

[qml]

Right click on the cube -> Security -> Create Cell Security Cube. This will create a new control cube in which you can assign rights on a per cell basis, so for any combination of dimension elements. It is even possible to manage security via rules attached to this cube. You can read more on the subject in the product documentation and by searching this forum for "cell security".

That being said, I would try to avoid this solution like the plague. It has a significant negative impact on performance. Also, be aware that cell security overrides any element security, so your existing element security settings will stop working for this cube and you will have to recreate them via cell security.

PS: Interesting nick (and humble, too).

[Martin Ryan]

It has a significant negative impact on performance.

I keep hearing people say that, but have never experienced it myself. I tend to use the security cubes with rules though and I think this actually helps. I set up a master "sysSecurity" cube containing the dimensions that I actually want to apply security on, e.g. Year and Scenario in this example, and control the values in this cube. I then pull the values through to the cell security cube without feeders, but with skipcheck on. The security is still applied and there is no noticeable lag in performance.

Example rule in the cell security cube

Code: Select all

[] = S: 		
if(DB('sysSecurity',!Scenario,!FinYear,!Product,!Period,'Value')<>0,
'READ', 'NONE');

[lotsaram]

It has a significant negative impact on performance.

I keep hearing people say that, but have never experienced it myself. I tend to use the security cubes with rules though and I think this actually helps. I set up a master "sysSecurity" cube containing the dimensions that I actually want to apply security on, e.g. Year and Scenario in this example, and control the values in this cube. I then pull the values through to the cell security cube without feeders, but with skipcheck on. The security is still applied and there is no noticeable lag in performance.

I have to say I agree. Object security and element security are set on startup and security refresh and there can definitely be some overhead for a large or complex model. But I am pretty sure that cell level security is "on demand" that is it is only evaluated when the user makes a read or write request. Sure there must be an additional overhead for the server to compute access rights to cells as it returns a view but in my experience this doesn't seem to be really noticeable. (I take this an an inference from the fact that when a cell security rule is changed no security refresh is needed for it to take effect, unlike element security.)

I have never, and can't imagine ever, implementing cell security with anything other than rules BTW. As the security applies to individual cells it is a direct lookup and there is no concept of consolidation. So even though cell security cubes may be multi-dimensional there is no need or use for feeders (or skipcheck) in these cubes.

I used to be in the avoid cell security camp and I still certainly believe that most of the time where cell security is implemented it isn't really necessary and good design with element security alone would normally be sufficient. But at least since 9.4 I don't see any evidence of performance impairment using it (and probably before that too.)

[Martin Ryan]

I used to be in the avoid cell security camp and I still certainly believe that most of the time where cell security is implemented it isn't really necessary and good design with element security alone would normally be sufficient.

Yes, I completely agree. I avoid it where possible too, simply because it's a little more complex to maintain and a bit more difficult to trouble shoot. However there is always the case of Current Year/Actual = write but Current Year/Budget = read and Next Year/Budget = write (etc) which comes up very frequently in financial models, so avoiding it entirely is rarely possible.

I have never, and can't imagine ever, implementing cell security with anything other than rules BTW

Good point. I kept thinking I was an exception due to the comments about performance degradation, but other than using TI I suppose there isn't any other (practical) way of using a cell level security cube.

[Martin Ryan]

It has a significant negative impact on performance.

I keep hearing people say that, but have never experienced it myself.

I take it all back. I was rather foolishly forgetting that an admin's life is much easier than end users'. I've just discovered the rule I am using is adding about 50% overhead time to a large send my system does (30,000 cells, I've tried to change user's habits, but they just won't have it). Sending as an admin takes about 20 seconds when sending locally. As a normal user it takes about 30 seconds. Across Citrix it's substantially more.

Martin

[guru1988fortm1]

It has a significant negative impact on performance.

I keep hearing people say that, but have never experienced it myself.

I take it all back. I was rather foolishly forgetting that an admin's life is much easier than end users'. I've just discovered the rule I am using is adding about 50% overhead time to a large send my system does (30,000 cells, I've tried to change user's habits, but they just won't have it). Sending as an admin takes about 20 seconds when sending locally. As a normal user it takes about 30 seconds. Across Citrix it's substantially more.

Martin

Thanks all for the replies

i created an cell security cube for all the 8 cubes for which some of my users should have read access only for 2012 budget

and i assigned read access to that combination

it is working fine , but i cant conclude myself that whether it will have negative impacts

some said that it will take over the element security, if that is the case will it take the element security of year dimension(only for 2012) and scenario dimension(only for budget) for that cube alone

Or does it affect the element security of all dimensions in that cube

And what other negative impacts would be there?

Or is there any other possible ways for this, Please let me know your comments

Thanks all
Guru

[lotsaram]

... some said that it will take over the element security, if that is the case will it take the element security of year dimension(only for 2012) and scenario dimension(only for budget) for that cube alone

Or does it affect the element security of all dimensions in that cube

And what other negative impacts would be there?

Actually cell security is a funny beast as unlike element or cube security a blank does not mean "NONE". Rather if no cell security is set then the group's access reverts back to what is defined by the cube and element security. Where cell security is defined then yes it will take precedence over element security but if left blank then the lower levels of security take over.

Apart from the performance overhead already mentioned (which I think if you don't intend to DBS tens of thousands of cells is pretty minor) I don't think there are any other negative impacts except for additional maintenance - but if the cells security is rule based then the maintenance should not be an issue.

[Martin Ryan]

Apart from the performance overhead already mentioned (which I think if you don't intend to DBS tens of thousands of cells is pretty minor)

Nah, even opening the cube takes 10 seconds vs instantaneous. My security rules might not be ideal, but my concept is as I outlined earlier and no-one's pulled me up on it, so I think there really is just a big bad hit when you implement cell security.

[qml]

I think there really is just a big bad hit when you implement cell security.

This.

I'm not saying cell security shouldn't be used, but like with anything you need to realise the pros and cons and make an educated decision. From my experience having a cell security cube, especially one with rules, slows down all operations on the main cube by between one and two orders of magnitude. In many cases this is still acceptable, in some it simply isn't.