Isn't TM1 Vulnerable due to file structure?
-
- Posts: 14
- Joined: Tue Apr 09, 2013 6:35 am
- OLAP Product: TM1
- Version: 10.1
- Excel Version: 2007
Isn't TM1 Vulnerable due to file structure?
Hi Everyone,
I've worked on Cognos Planning for a year and recently have started working on TM1.
One major difference I found in TM1 is that it doesn't use a database at all and everything is stored in a folder on drive.
However, this also brings to my mind that it is very vulnerable as anybody can edit/see/extract information from those files.
I tried searching a thread on this topic using keywords, however could not find one.
Please direct me to one in case there's one.
-
- Site Admin
- Posts: 6647
- Joined: Sun May 11, 2008 2:30 am
- OLAP Product: TM1
- Version: PA2.0.9.18 Classic NO PAW!
- Excel Version: 2013 and Office 365
- Location: Sydney, Australia
- Contact:
Re: Isn't TM1 Vulnerable due to file structure?
TM1KS wrote: I've worked on Cognos Planning for a year and recently have started working on TM1. One major difference I found in TM1 is that it doesn't use a database at all and everything stored in a folder on drive.
As opposed to the way that files for Oracle, SQL Server, DB2, MySQL and so forth are stored in folders on a drive?
TM1KS wrote: However, this also brings to my mind that it is very vulnerable as anybody can edit/see/extract information from those files.
Have you tried reading the numbers out of a binary .cub file, then? Good luck with that. I'm sure it's possible to do if you throw enough hacking time at it (or just load the cubes into a local server), but there's a more fundamental reason why you (as an end user or hacker) shouldn't be able to do that.
And that reason is this; just as with database files you are supposed to secure the folders that contain the TM1 server's data files using the operating system's security so that "anybody" doesn't have access to them. Only the administrators should. There is no need at all for end users to have access to the data files (or even the folders containing them), nor should they.
There is no system on earth, none, that is impervious to hacking if someone can access the source data files and is prepared to spend the time on doing it. TM1 is no different to any other system in that respect, nor is it any different to any other system in that the way to prevent that is to limit / prevent access to those files in the first place.
"To them, equipment failure is terrifying. To me, it’s 'Tuesday.' "
-----------
Before posting, please check the documentation, the FAQ, the Search function and FOR THE LOVE OF GLUB the Request Guidelines.
-
- Posts: 33
- Joined: Tue Jan 29, 2013 2:52 pm
- OLAP Product: TM1
- Version: 9.0 SP3 9.5.1 10.1.1
- Excel Version: excel 2010 2007 2003
Re: Isn't TM1 Vulnerable due to file structure?
There are many large corporations that use TM1 for storing data, some of which is considered as sensitive. In partnership with a good IT department, in every case I have seen it fulfils all the audit requirements for security compliance. I think you can take some significant comfort from this that TM1 will meet safety standards.
Given Alan's comments (and caveat that no system is 100% secure) on securing the underlying file structure and a sensibly built application security model, TM1 data can be considered as safe.
-
- Posts: 14
- Joined: Tue Apr 09, 2013 6:35 am
- OLAP Product: TM1
- Version: 10.1
- Excel Version: 2007
Re: Isn't TM1 Vulnerable due to file structure?
TM1KS wrote: I've worked on Cognos Planning for a year and recently have started working on TM1. One major difference I found in TM1 is that it doesn't use a database at all and everything stored in a folder on drive.
Alan Kirk wrote: As opposed to the way that files for Oracle, SQL Server, DB2, MySQL and so forth are stored in folders on a drive?
Well, did not come to my mind. Alan, do you mean to say that it is just as vulnerable as the files from Oracle/SQL Server, DB2, MySQL and so forth had there been this database level?
-
- Site Admin
- Posts: 6647
- Joined: Sun May 11, 2008 2:30 am
- OLAP Product: TM1
- Version: PA2.0.9.18 Classic NO PAW!
- Excel Version: 2013 and Office 365
- Location: Sydney, Australia
- Contact:
Re: Isn't TM1 Vulnerable due to file structure?
TM1KS wrote: I've worked on Cognos Planning for a year and recently have started working on TM1. One major difference I found in TM1 is that it doesn't use a database at all and everything stored in a folder on drive.
Alan Kirk wrote: As opposed to the way that files for Oracle, SQL Server, DB2, MySQL and so forth are stored in folders on a drive?
TM1KS wrote: Well, did not come to my mind. Alan, do you mean to say that it is just as vulnerable as the files from Oracle/SQL Server, DB2, MySQL and so forth had there been this database level?
It's well into the evening here and I've had a long and generally pretty bleeding awful day so it's possible that my powers of comprehension aren't what they should be... but I'm afraid that I don't understand that question.
What I was saying was that all client / server data management systems, whether it be TM1 or any other system, write to files on a disk to do permanent storage of their data. And with all of those systems, the client is never supposed to interact directly with the files. Only the server application is supposed to read from or write to the files. The client software is supposed to send commands to the server software to manipulate the data, never the files. The data files are supposed to be locked away in secured folders where no normal end user can see them, access them or even be aware of their existence. It's the same for pretty much any client / server management system you'd care to name.
"To them, equipment failure is terrifying. To me, it’s 'Tuesday.' "
-----------
Before posting, please check the documentation, the FAQ, the Search function and FOR THE LOVE OF GLUB the Request Guidelines.
Re: Isn't TM1 Vulnerable due to file structure?
Alan .............. I don't disagree with the general point that TM1 is as secure as any other system. However, is it not the case that all users need write access to the TM1 data directory so that their views can be stored? I'm not sure that these are done in the name of the Service Account. On a related topic (and at the risk of thread hi-jacking), our initial reviews of 10.1.1 seem to show that the (otherwise useful) feature of being able to create new server instance through the Admin Console, appears flawed in that it creates the instance under the account of the user rather than a Service Account.
hugh
-
- MVP
- Posts: 2836
- Joined: Tue Feb 16, 2010 2:39 pm
- OLAP Product: TM1, Palo
- Version: Beginning of time thru 10.2
- Excel Version: 2003-2007-2010-2013
- Location: Atlanta, GA
- Contact:
Re: Isn't TM1 Vulnerable due to file structure?
hbell wrote: However, is it not the case that all users need write access to the TM1 data directory so that their views can be stored?
No, they do not.
hbell wrote: On a related topic (and at the risk of thread hi-jacking), our initial reviews of 10.1.1 seem to show that the (otherwise useful) feature of being able to create new server instance through the Admin Console, appears flawed in that it creates the instance under the account of the user rather than a Service Account.
It just requires a second step where you go into Windows Control Panel and modify the account. Pretty simple.
-
- MVP
- Posts: 3701
- Joined: Fri Mar 13, 2009 11:14 am
- OLAP Product: TableManager1
- Version: PA 2.0.x
- Excel Version: Office 365
- Location: Switzerland
Re: Isn't TM1 Vulnerable due to file structure?
hbell wrote: However, is it not the case that all users need write access to the TM1 data directory so that their views can be stored? I'm not sure that these are done in the name of the Service Account.
Hi Hugh - No! All the writing to <user>}vues and <user>}subs directories are done by the service account. Users don't need and should never have access to the data directory.
-
- Site Admin
- Posts: 6647
- Joined: Sun May 11, 2008 2:30 am
- OLAP Product: TM1
- Version: PA2.0.9.18 Classic NO PAW!
- Excel Version: 2013 and Office 365
- Location: Sydney, Australia
- Contact:
Re: Isn't TM1 Vulnerable due to file structure?
hbell wrote: Alan .............. I don't disagree with the general point that TM1 is as secure as any other system. However, is it not the case that all users need write access to the TM1 data directory so that their views can be stored? I'm not sure that these are done in the name of the Service Account.
No! Emphatically, absolutely, NO! It is the server application that saves the view definitions, not the individual clients. The individual clients simply tell the server application what the definition of the views that they need to save is, and the server application handles writing those definitions to disk. When the user logs on it is the server application, not the client, which reads the client's view definitions. The view definitions are passed back from the server application to the client via the client software that they are using, be it Client, Architect, Perspectives, Web, EV or some custom thing whipped up with the API.
It is the account that the server application is running under which needs permission to read and write to the data directory, not the accounts of the end users. The server application always stands between the clients and the data directories.
I'm not sure whether it's clear enough on the subject (I don't explicitly cover the issue of data files) but this:
http://www.youtube.com/watch?v=yYHHbk8qITA
tries to explain how client/server applications work. The client does not work with the system data files.
"To them, equipment failure is terrifying. To me, it’s 'Tuesday.' "
-----------
Before posting, please check the documentation, the FAQ, the Search function and FOR THE LOVE OF GLUB the Request Guidelines.
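The rule in the post above (only the account the server application runs under, plus administrators, should hold rights on the data directory) can be checked against the folder's ACL. This is an added example, not code from any poster in this thread; the path `D:\TM1\Data` and the account `CONTOSO\svc-tm1` are placeholders.

```powershell
# Added example: list ACL entries on a TM1 data directory that grant access
# to anyone outside an expected set of accounts.
function Get-UnexpectedDataDirAccess {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [Parameter(Mandatory)] [string[]] $AllowedIdentity
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        throw "Data directory not found: $Path"
    }

    # The root folder plus every sub-folder (e.g. the per-user view/subset folders).
    $root    = Get-Item -LiteralPath $Path
    $targets = @($root) + @(Get-ChildItem -LiteralPath $Path -Directory -Recurse)

    foreach ($dir in $targets) {
        $acl = Get-Acl -LiteralPath $dir.FullName
        foreach ($ace in $acl.Access) {
            # Deny entries only restrict access, so they are not a finding.
            if ($ace.AccessControlType -ne 'Allow') { continue }
            # On sub-folders, inherited entries were already reported higher up.
            if ($dir.FullName -ne $root.FullName -and $ace.IsInherited) { continue }

            $who = $ace.IdentityReference.Value
            if ($AllowedIdentity -contains $who) { continue }   # case-insensitive match

            [pscustomobject]@{
                Folder    = $dir.FullName
                Identity  = $who
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

$allowed = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'CONTOSO\svc-tm1'      # placeholder: the account the TM1 server service runs as
)

$findings = Get-UnexpectedDataDirAccess -Path 'D:\TM1\Data' -AllowedIdentity $allowed
if ($findings) { $findings | Format-Table -AutoSize }
else           { 'Only the expected accounts hold rights on the data directory.' }
```

Entries for groups such as `BUILTIN\Users` or `Everyone` in the output are the ones to remove; folders used for TI uploads and exports are meant to sit outside this tree and are audited with their own allow-list.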
-
- Posts: 33
- Joined: Tue Jan 29, 2013 2:52 pm
- OLAP Product: TM1
- Version: 9.0 SP3 9.5.1 10.1.1
- Excel Version: excel 2010 2007 2003
Re: Isn't TM1 Vulnerable due to file structure?
Hello Hugh,
With "No!" resounding in your ears, I think it would be churlish of me to do the same, even though we know each other well. If you permit me to be assumptive, we did once tackle a similar issue together where users needed some permission to the underlying files, but it was a TM1WEB folder issue, not data directory.
Regards to you and the team.
-
- Site Admin
- Posts: 6647
- Joined: Sun May 11, 2008 2:30 am
- OLAP Product: TM1
- Version: PA2.0.9.18 Classic NO PAW!
- Excel Version: 2013 and Office 365
- Location: Sydney, Australia
- Contact:
Re: Isn't TM1 Vulnerable due to file structure?
cgaunt wrote: If you permit me to be assumptive, we did once tackle a similar issue together where users needed some permission to the underlying files, but it was a TM1WEB folder issue, not data directory.
For clarity, there may also be situations where there are folders into which end users can place input data files for upload by TI. Similarly there may be situations where there are folders which receive exports that have been created by TI. In both cases both the end user and the TM1 server application (or, more technically, the account that it's running under) will have read/write access to those folders. However, those folders should again be separate and distinct from the system data folders, even if they exist on the same server box.
"To them, equipment failure is terrifying. To me, it’s 'Tuesday.' "
-----------
Before posting, please check the documentation, the FAQ, the Search function and FOR THE LOVE OF GLUB the Request Guidelines.
- George Regateiro
- MVP
- Posts: 326
- Joined: Fri May 16, 2008 3:35 pm
- OLAP Product: TM1
- Version: 10.1.1
- Excel Version: 2007 SP3
- Location: Tampa FL USA
Re: Isn't TM1 Vulnerable due to file structure?
cgaunt wrote: Hello Hugh,
With "No!" resounding in your ears, I think it would be churlish of me to do the same, even though we know each other well. If you permit me to be assumptive, we did once tackle a similar issue together where users needed some permission to the underlying files, but it was a TM1WEB folder issue, not data directory.
Regards to you and the team.
Even the TM1Web issue you speak of was not really a risk since if you configured the web application correctly to not allow browsing and the other standard web permissions you were not really opening yourself to much risk. Since it did not require you to make it a share drive there are only a couple methods of access:
1) The TM1Web Application, which is controlled by what the aspx pages are programmed to do
2) Have physical access to the server, which is easily mitigated by a decent IT admin
Re: Isn't TM1 Vulnerable due to file structure?
Thanks everyone for the correction on views - feeling suitably sheepish
hugh