Cell Security Rule Not Being Applied

[ViRa]

Hi,

I have rules written in Cell Security Control Cube to restrict access to cells based on TM1 security groups. However these changes are not being reflected in the cube for the user belonging to that particular group unless he is made part of the admin group. Is this how the cell security is supposed to work?

Please let me know.

Thanks in advance.

[declanr]

Hi,

I have rules written in Cell Security Control Cube to restrict access to cells based on TM1 security groups. However these changes are not being reflected in the cube for the user belonging to that particular group unless he is made part of the admin group. Is this how the cell security is supposed to work?

Please let me know.

Thanks in advance.

Can you provide more detail on what rules you have applied to the cell security cube?

Are you aware that blanks are handled differently in cell security cubes vs element security cubes?

Have you done a security refresh since applying the rule?

[ViRa]

I have written rules to restrict an element (test comment) for an approval hierarchy dimension's element (hierarchy A) for the group to which the user from 'hierarchy A' belongs to (group A). All this is for the 'Submit' version. For users belonging to other groups (groupB and C) should have 'READ' access to the 'test comment' element.

The rule written to achieve the above scenario is as shown below -

['test comment','hierarchy A','}group B','Submit' ] = S: 'READ';
['test comment','hierarchy A','}group C','Submit' ] = S: 'READ';
['test comment','hierarchy A','}group A','Submit' ] = stet;

I'm not aware of the blanks being handled differently. Could you please brief me about that?

I assume a security refresh is required if rules are written for 'Element Security' cube and not 'Cell Security'. Please correct me if I'm wrong. Nevertheless, I did refresh security after writing rules in Cell Security control cube.

So the above rule works only if the Group A, B and C users are made part of the 'Admin' group as well along with their default groups. Is this working fine?

[lotsaram]

Rules in cell security cubes, unlike rules in element security cubes, do not require a security refresh to take effect.

I find your statement below baffling.

I have rules written in Cell Security Control Cube to restrict access to cells based on TM1 security groups. However these changes are not being reflected in the cube for the user belonging to that particular group unless he is made part of the admin group. Is this how the cell security is supposed to work?

Someone in the Admin group by definition has admin access to everything, that is no security is applied anywhere and all input in security cubes is ignored. The only part of the security model that applies to admin users is Locks placed on cubes, dimensions and elements. Therefore your statement cannot be correct! If a user is Admin they will have full write access to the cells regardless of what the cell security rule says.

I think Declan's guess may be correct that you have not understood the difference in interpretation of a blank in a cell security cube versus cube security and element security. the purpose of cell security is in general to override element security by setting WRITE to READ or vice versa. In cell security a blank is interpreted as "default back to the underlying cube and element security" whereas for cube and element security Blank=NONE. If the group has NONE element access then even if you set the intersection to read or write in cell security then the group will still not see the element in question and be able to read or write. I think this might be your problem, you need to make sure that users can first see the element and then worry about cell security.

[ViRa]

Thanks Lotsaram and Declan for your replies and explanation. I made necessary modifications as suggested and it works now.