BedrockTM1 Processes for Create Security Group

[jimicron]

Hi all,

I was wondering if anyone is famliar with or has used any of the processes that you can download from BedrockTM1. Specifically speaking, the process called "Bedrock.Security.Group.Create" - It will create one of more security groups and add it to the server.

I was really excited to use this because I have 870 groups that I need to add. And, it added them just fine. However, it's not validating the groups I have added against our LDAP. So, for example, I can add a group named "JIM" and it will create it/add it without error. But, it's not a valid group. It doesn't have a CAM ID associated with it.

So, while I have added all these groups sucessfully, because they aren't validated (or official) groups, when I go into the rights editor for an Application (formerly called Contributor), those groups do not show up in that list. The idea of adding all of these manually is painful so thought I would post and see if anyone else was familiar with this process or this scenario.

Also, we are using Mode 5 security.

I'll post the code as well as an FYI. Again, this was created by BedrockTm1 and was downloaded from their site. Thanks a lot for your help!!

Advanced tab: (three parameters: pGroups, pDelimeter, and pDebug)

Prolog tab:

Code: Select all

#****Begin: Generated Statements***
#****End: Generated Statements****

#####################################################################################
##~~Copyright bedrocktm1.org 2011 www.bedrocktm1.org/how-to-licence.php Ver 2.0.2~~##
#####################################################################################

# This process will create client groups

# Notes:
# - Multiple groups can be specified seperated by a delimiter
# - If group already exists then the process will not attempt to re-create it


### Constants ###

cProcess = 'Bedrock.Security.Group.Create';
cTimeStamp = TimSt( Now, '\Y\m\d\h\i\s' );
sRandomInt = NumberToString( INT( RAND( ) * 100000 ));
cDebugFile = GetProcessErrorFileDirectory | cProcess | '.' | cTimeStamp | '.' | sRandomInt ;


### Initialise Debug ###

If( pDebug >= 1 );

  # Set debug file name
  sDebugFile = cDebugFile | 'Prolog.debug';

  # Log start time
  AsciiOutput( sDebugFile, 'Process Started: ' | TimSt( Now, '\d-\m-\Y \h:\i:\s' ) );

  # Log parameters
  AsciiOutput( sDebugFile, 'Parameters: pGroups: ' | pGroups );
  AsciiOutput( sDebugFile, '            pDelimiter: ' | pDelimiter );

EndIf;


### Validate Parameters ###

nErrors = 0;

# If blank delimiter specified then convert to default
If( pDelimiter @= '' );
  pDelimiter = '&';
EndIf;

# If no groups have been specified then terminate process
If( Trim( pGroups ) @= '' );
  nErrors = 1;
  sMessage = 'No groups specified';
  If( pDebug >= 1 );
    AsciiOutput( sDebugFile, sMessage );
  EndIf;
  ItemReject( sMessage );
EndIf;


### Split pGroups into individual groups and add ###

sGroups = pGroups;
nDelimiterIndex = 1;

While( nDelimiterIndex <> 0 );
  nDelimiterIndex = Scan( pDelimiter, sGroups );
  If( nDelimiterIndex = 0 );
    sGroup = sGroups;
  Else;
    sGroup = Trim( SubSt( sGroups, 1, nDelimiterIndex - 1 ) );
    sGroups = Trim( Subst( sGroups, nDelimiterIndex + Long(pDelimiter), Long( sGroups ) ) );
  EndIf;
  # Don't attempt to add a blank group
  If( sGroup @<> '' );
    If( DimIx( '}Groups', sGroup ) = 0 );
      If( pDebug >= 1 );
        AsciiOutput( sDebugFile, 'Group: ' | sGroup | ' OK' );
      EndIf;
      If( pDebug <= 1 );
        AddGroup( sGroup );
      EndIf;
    Else;
      If( pDebug >= 1 );
        AsciiOutput( sDebugFile, 'Group: ' | sGroup | ' already exists' );
      EndIf;
    EndIf;
  EndIf;
End;

If( pDebug <= 1 );
  DimensionSortOrder( '}Groups', 'ByName', 'Ascending', 'ByName' , 'Ascending' );
EndIf;


### End Prolog ###

Epilog tab:

Code: Select all

#****Begin: Generated Statements***
#****End: Generated Statements****

#####################################################################################
##~~Copyright bedrocktm1.org 2011 www.bedrocktm1.org/how-to-licence.php Ver 2.0.2~~##
#####################################################################################


### Initialise Debug ###

If( pDebug >= 1 );

  # Set debug file name
  sDebugFile = cDebugFile | 'Epilog.debug';

  # Log errors
  If( nErrors <> 0 );
    AsciiOutput( sDebugFile, 'Errors Occurred' );
  EndIf;

  # Log finish time
  AsciiOutput( sDebugFile, 'Process Finished: ' | TimSt( Now, '\d-\m-\Y \h:\i:\s' ) );

EndIf;


### If errors occurred terminate process with a major error status ###

If( nErrors <> 0 );
  ProcessQuit;
EndIf;


### End Epilog ###

[lotsaram]

The AddGroup command in TI simply adds a group within the TM1 server. This is not validated against any external security provider the group is just for TM1. Any groups created in this way will not be visible in Cognos Security Administration as they are not CAM groups. However that said such groups can be utilised by TM1 Contributor applications, this is the whole reason there is a security mode 5 as well as mode 4.

If you have exceeded the session GroupsCreationLimit parameter (which is only 20 by default) then using AddGroup will fail with the effect that groups are added to the groups dimension but not to the security model. A server restart will correctly add new groups to the security model.

Otherwise if you were expecting this method to automate the addition of CAM groups then no luck, it doesn't.

[kugors]

The AddGroup command in TI simply adds a group within the TM1 server. This is not validated against any external security provider the group is just for TM1. Any groups created in this way will not be visible in Cognos Security Administration as they are not CAM groups.

Actually, when you provide CAM ID as group code and ad\user_name as alias, it's working just the same as if you import it to TM1 in proper way. Thing that I don't know is how to obtain list of CAM ID for multiply groups, or how it is created from AD.

[jimicron]

Thanks lotsaram, appreciate the info.

What I ended up doing is obtaining the CAMID's for all 870 security groups we have. This was a painful process as they aren't necessarily easy to obtain in a report (at least with the tools available to me). There is something called Cognos SDK or something like that, but no one here has worked with it. Also had a systems manager try various things but came up empty handed. So, with all that said, what I did is go to Cognos Connection and then click on Administer IBM Cognos Content, click on Security, my namespace name, and then drill down to the top security group. I then did a search on the group and when it found it, I went into Properties and then clicked on the link called 'View the search path, ID and URL' and that is where I found the CAMID.

I then created a spreadsheet that had the CAMID and then the associated security group name actually in two columns. Because then I created a process that would update the "Groups" dimension with the CAMID and then update the two alias' (Display Value and En).

This got all 870 into the security for my Tm1 server instance. From there, I was able to assign the various rights. Going forward, we don't add many security groups so I can just add via the server for the one off ones.

After the process runs, I then run the "refresh security" process.

By adding them this way, they did show up in my rights editor in PM for my Tm1 Application so it appears to be picking them up as a valid security group now that I've added as the appropriate CAMID. When I was adding them the other way with just the security group name, it was not picking them up in the rights editor in PM as they weren't valid.

But again, it appears to have worked. I am having to figure this out as I go and hope this is an okay way to do this. I'll attach some screenshots below so you can see the txt file (the screenshot is an excel file, but I saved it as txt) and then a couple of the tabs of the process and then the control object cube for Groups.

[jimicron]

Adding another screenshot with the Alias turned off in the Control cube, Groups. The other screenshot had it turned on.