Security Requirement in TM1 !!!

[pmathur]

Hello All,

We have a small security requirement in our project. The scenario is like : we have one Manager Dimension which have Asset Manager(55 elements) at the most granular level and a cost center dimension. Now what we want is that for each asset manager we should have security in cube. Means that if Asset Manager "A" governs 10 cost center then data corresponding to those 10 cost center should be visible to him only not to the other members of the dimension. Similarly Asset Manager "B" should be able to see data for those cost centers owned by him.

We are using SSO security with TM1 and have integrated TM1 with cognos 10 BI. So with that said, one way which we look as a workaround is creation of 55 groups corresponding to each Asset Manager and assign them individual to those groups. Is there any other possible way to accomplish this requirement?

Any suggestions are highly appreciated !!!!


Thanks in advance.
Priyank.

[David Usherwood]

You say you have Asset Manager and Cost Centre as different dimensions. Are they both included in the cube in question? If they are, is the data against the 'right' asset manager? This is a common way of holding staff data as it deals neatly with staff changing departments - you can secure the Asset Manager dimension and the data won't be visible to other asset managers1.
If only Cost Centre is on the cube, you'll need to assign cost centres to security groups and move them as management changes.
I don't know why you denote creation of groups as a 'workround' - it's the basis of all TM1 security. If you populate structures with TI from a flat file or relational source then it's not really a big deal. Make sure the GroupsCreationLimit setting in TM1S.CFG is set high enough when you create the groups - see the docs. It's a memory hog (weirdly) so take it back down after the groups are built.
Although I sympathise that you are using Cognos SSO, it's not really relevant to what you need to do here.

[pmathur]

Hi David,

Thanks for the reply. I am sorry for not properly depicting my requirement, I was in little rush last night. Actually the sample scenario is as metioned :

untitled.JPG (104.85 KiB) Viewed 6828 times

So the Manager 1 is the guy who owned the two cost centers named C_000001 and C_000002 and similarly others as well. Now what we want is that Manager 2 should not be able to see the data of Mnager 1, in spite of the fact that they belong to same user group. Suppose they are tagged with user group "Group 1_ Canada".

Is it possible that we can assign different security capabilities to the clients of same group in TM1?

No doubt Groups is the basis of TM1 and all client inherits the security rights for their groups only. But still is there any possibilites to assign different security rights to different user of same group?

Thanks in advance for your precious time and response.

Best Regards,
Priyank.

[Catherine]

Is it possible that we can assign different security capabilities to the clients of same group in TM1?

No, all users belonging to one group have exactly the same rights. You need to create as many groups as you have Asset Managers in your case.

[lotsaram]

Is it possible that we can assign different security capabilities to the clients of same group in TM1?

Yes of course, provided that the clients are also members of OTHER GROUPS where membership does not overlap. Take your example above: all clients would be members of the "Sample Cube" group which would give write access to Sample Cube but only Manager 1 would be a member of the "M1" group which would have write access to "Manager 1" in the Manager dim and no access to any other elements therefore they would only see Manager 1 and data for cost centers 1 & 2. In the design of the cube you have you could probably only secure the manager dim but I would argue that is would be better to secure cost center as well.

This is not elaborate security, this is standard for any planning model. If you haven't done this before I suggest you get some mentoring from someone who has.

[pmathur]

Yes of course, provided that the clients are also members of OTHER GROUPS where membership does not overlap. Take your example above: all clients would be members of the "Sample Cube" group which would give write access to Sample Cube but only Manager 1 would be a member of the "M1" group which would have write access to "Manager 1" in the Manager dim and no access to any other elements therefore they would only see Manager 1 and data for cost centers 1 & 2.

This means, in our case for each and every Manager we will be going to have a separate group. Because there will be a case where membership of one or two group will overlap based on the Regions owned by them.

Ok.... Thanks everyone for their time. I really apprecaite that.

[lotsaram]

This means, in our case for each and every Manager we will be going to have a separate group. Because there will be a case where membership of one or two group will overlap based on the Regions owned by them.

Ok.... Thanks everyone for their time. I really apprecaite that.

But you do understand that TM1 security is ADDITIVE and therefore that each manager doesn't have to be a member of only one group with all security exhaustively added in and maintained separately for everyone? (this would be very bad security model design in TM1.) All managers can be members of the SAME single group that grants them access to everything EXCEPT for element security in the manager and cost center dimensions. Plus each manager is a member of one unique group on top of the common group that grants element security rights for the manager and cost center dimensions. It isn't clear you understand this concept.

[pmathur]

It isn't clear you understand this concept.

Yes I get your point. And similar kind of security has been implemented in our model as well. But what i was looking for is distinct security assignments to users of same group. Although I know this is not feasible. But some how our requirement has been fulfilled .

Thanks

[lotsaram]

But what i was looking for is distinct security assignments to users of same group.

To take a leaf from the David Usherwood playbook, repeat after me: "TM1 security is defined via groups, TM1 security is defined via groups, TM1 security is defined via groups, ... "

[tomok]

In this scenario most flexible answer is to forget the Manager dimension, secure the Cost Center dimension, and create a separate group for every cost center. You can then add the appropriate people to the cost center groups based on which cost centers they own, or should have access to. I find it's easiest to keep these assignments in an Excel file or relational table and have a TI process to populate the }ElementSecurity_Cost|Center cube. Due to the additive nature of security in TM1 it works fine to have this level of granularity in the groups.

[pmathur]

To take a leaf from the David Usherwood playbook, repeat after me: "TM1 security is defined via groups, TM1 security is defined via groups, TM1 security is defined via groups, ... "

Thank you very much SIR for making me AWARE of this hidden fact.