Action Button Security

[jim wood]

Guys,

I think I know the answer to this one but there you go.....

If a user wants to execute a process via an action button do they have to be within the data admin group? Is there any way to execute the process as a defined admin user?

Thanks,

Jim.

[Lukas Meyer]

Hello,

1: no, the user needs to be in a group that has read rights to the process associated with the action button.
2: I'm almost sure that in 9.1 and below the process started by a user still executed as administrator and only recently (when Data/Security Admin was used) certain process-functions (like SECURITYREFRESH) fail for non-admin users.

If you need to use p.ex SECURITYREFRESH in a process normally executed by a non-admin user, you can use TM1RunTi (packed in Tm1 9.5.2 HF1) by calling a bat executeable via EXECUTECOMMAND(path-to-script,0)
(bear in mind that the process calling might hold some locks you need in the process called by tm1runti and mode 1 (=wait) can easily provoke a deadlock)
TM1RunTi acceppts encrypted credentials, so you can execute processes as anyone.

This holds true for TM1 9.5.X, so if TM1 10.1 changes everything this might be completely wrong

[jim wood]

Lukas,

Thanks for your help. Granting read access to the process did indeed do the job,

Jim.

[lotsaram]

Hello,

1: no, the user needs to be in a group that has read rights to the process associated with the action button.
2: I'm almost sure that in 9.1 and below the process started by a user still executed as administrator and only recently (when Data/Security Admin was used) certain process-functions (like SECURITYREFRESH) fail for non-admin users.

If you need to use p.ex SECURITYREFRESH in a process normally executed by a non-admin user, you can use TM1RunTi (packed in Tm1 9.5.2 HF1) by calling a bat executeable via EXECUTECOMMAND(path-to-script,0)
(bear in mind that the process calling might hold some locks you need in the process called by tm1runti and mode 1 (=wait) can easily provoke a deadlock)
TM1RunTi acceppts encrypted credentials, so you can execute processes as anyone.

This holds true for TM1 9.5.X, so if TM1 10.1 changes everything this might be completely wrong

I'm not sure why you would go to the trouble of shelling out with RunTI and logging on in a new thread as a full admin user when all that needs to be done for a process to run as full Admin rather than Data Admin is to right-click the process and select "security access" which then allows the process to execute security functions.

[Lukas Meyer]

I'm not sure why you would go to the trouble of shelling out with RunTI and logging on in a new thread as a full admin user when all that needs to be done for a process to run as full Admin rather than Data Admin is to right-click the process and select "security access" which then allows the process to execute security functions.

Honestly - because I didn't know. There are two processes refreshing security, I only ran into the problem of having non-admin users running one of them two weeks ago.

However, the official answer would be, that I like to explore the capabilities of TM1 and that I needed to get familiar with runti.exe, plus that it had advantages if this part of the process was executed by the administrator user.