Element security and groups

[mmckimson]

We have an application that uses a list of customers and cost centers throughout. Groups have been set up that parallel the cost center structure so that we can make sure that an end user logging into the application will only see the customers associated with that cost center. We have of course imported element level security for customers assigning them to the appropriate groups.

It works fine when there is a one-to-one relationship between the user and group, but not so well when the user is assigned to more than one group. Regardless of which cost center the end user may be logging into via TM1 Web, that user sees all customers associated with all the groups to which they have been assigned, as opposed to only seeing the customers belonging to the cost center to which they have logged into in TM1 Web.

Is there a way to do what I need, and make sure that only the appropriate group / customer combination is shown when looking at a single cost center regardless of how many groups a user may be assigned to? If anyone can point me in the direction I need, it would be much appreciated.

Mike

[tomok]

It works fine when there is a one-to-one relationship between the user and group, but not so well when the user is assigned to more than one group. Regardless of which cost center the end user may be logging into via TM1 Web, that user sees all customers associated with all the groups to which they have been assigned, as opposed to only seeing the customers belonging to the cost center to which they have logged into in TM1 Web.

This is the way security works in TM1. A user receives security rights based on the additive combination of all the groups he/she is in. There is no way to do what you are asking for via security except have multiple users IDs for each person, which no one in their right mind would do. It sounds like you just need to apply filters to the form(s) you are using to show only customers related to the cost center chosen. If you can assign a cost center attribute for each customer then you can use an MDX query to filter the appropriate customer list in the form(s) based on user selection. I've done this type of setup numerous times and it works fine.

[mmckimson]

It works fine when there is a one-to-one relationship between the user and group, but not so well when the user is assigned to more than one group. Regardless of which cost center the end user may be logging into via TM1 Web, that user sees all customers associated with all the groups to which they have been assigned, as opposed to only seeing the customers belonging to the cost center to which they have logged into in TM1 Web.

This is the way security works in TM1. A user receives security rights based on the additive combination of all the groups he/she is in. There is no way to do what you are asking for via security except have multiple users IDs for each person, which no one in their right mind would do. It sounds like you just need to apply filters to the form(s) you are using to show only customers related to the cost center chosen. If you can assign a cost center attribute for each customer then you can use an MDX query to filter the appropriate customer list in the form(s) based on user selection. I've done this type of setup numerous times and it works fine.

OK, I see how I can create an MDX filter for one dimension based upon an attribute in a dimension as in the following example:

Code: Select all

{
FILTER(
    {TM1SUBSETALL( [Product] )},
    ([Customer].[CostCenter]="ABC" OR [Customer].[Caption]="Total Customers"))
 }

However, what I'm not quite understanding is how I make this dynamic relative to the Cost Center dimension while in a cube. Is it something like the following (where CostCenterDimension is the cost center that the user is opening):

([Customer].[CostCenter]="[CostCenterDimension].CurrentMember" OR [Customer].[Caption]="Total Customers"))

Thanks in advance!
Mike