Security setup for Cognos BI Reports from TM1 Cube

[tm123]

Hi,

We have a model which is built in prior versions of TM1, now we upgraded to TM1 10.2, and we still use the IntegratedSecurityMode = 2. We have many users and groups in TM1, and each user has limited access ( depending on their role / and location ).
So we have }ELementSecurity and }CellSecurity set in TM1.

We want to start using Cognos BI for Reports

In Cognos BI, we have single sign on.

Can we still keep IntegratedSecurityMode = 2 in TM1, or do we have to go to IntegratedSecurityMode = 5 ??

The problem is that our TM1 Admin user, maintains users and they access in TM1, and we have also created attributes for users / groups and these attributes are being used in Rules / TI processes that populate Security cube

Thanks

[lotsaram]

See this post on a similar topic. http://www.tm1forum.com/viewtopic.php?f=3&t=11294

Yes you can achieve the same seamless authentication result for end users by using mode 5 but it does come with a few catches. The first is that all the user IDs will change so you need to migrate all the group memberships to the new user IDs.

The other major issue is managing groups. This can all be done within Cognos Administration either with AD groups or groups that are created in CAM. But it is VERY manual and tedious to administer group memberships in CAM, really not recommended for a complicated security model. The benefit of maintaining the group memberships in CAM is that on 1st authentication to TM1 all groups memberships will be there and therefore all role privileges. Otherwise as you don't know the user IDs in advance assigning group memberships is problematic and if you elect to continue to maintain groups and group memberships within TM1 then you have the issue of users logging in for the first time having no memberships and not seeing anything. There are 2 potential ways to solve this:-
- Use the Cognos SDK (extra license cost) to import users into TM1 in advance of the 1st user login
- maintain a shadow user dimension and on 1st login search for a match between display name and the shadow clients dim and transfer memberships

Or the already mentioned 2 manual ways to handle it
- users don't see anything on initial login and security is only assigned after first login
- maintain groups in CAM

[tm123]

Thanks for the reply,

So you're telling me that if we want to use Cognos BI to create reports using a TM1 Cube as data source, we have to go to "IntegratedSecurityMode = 5", right?
This is not ideal, since for so many reasons we want to keep at least groups in TM1, and probably we can build something to handle the User/Group membership.

Our securitity Groups in TM1 are aligned with DImension elements, either by Name, or by Attributes, for example, we have a Group called Toronto / Human Resources, with 2 attributes ( Region = TOR and Department = HR ). TOR is an element within our Location dimension and HR is an element in our Department dimension. So in our cubes, we have assigned access ( Cell Vele ACcess, to the cells falling under the intersection TOR / HR ).

If the groups are not created in TM1, how can we leverage the attributes we need for these kind of mappings?

Thanks

[lotsaram]

Thanks for the reply,

So you're telling me that if we want to use Cognos BI to create reports using a TM1 Cube as data source, we have to go to "IntegratedSecurityMode = 5", right?
This is not ideal, since for so many reasons we want to keep at least groups in TM1, and probably we can build something to handle the User/Group membership.

If you want security to data to function the same way in Cognos BI as in TM1 then yes certainly you need mode 5, but not necessarily. In Cognos BI security is defined at the granularity of the report. If you work on traditional basis in BI of securing on the basis of the report and assume everyone with access to the report can see all data in the report then there's another way as the FM package feeding the report can be set up with a fixed user credentials. If you have 2 separate groups of users between BI and TM1 then this could work. Obviously though you still have to maintain the groups for the Cognos BI report access in CAM.

[tm123]

so if we switch to IntegratedSecurityMode = 5, then we will have to rely on Cognos BI Groups, right? So we cannot automate the group creation in TM1. That sucks since we have an automated security maintenance process, our TM1 admin enters users and groups in an external access database and them we have a TI process that pulls that access database into TM1, and assign the access privileges to each cube / dimension / dimension element or cube cell.

I really want to stay on IntegratedSecurityMode = 2 or IntegratedSecurityMode = 3 ( this is what we have actually )

[tomok]

so if we switch to IntegratedSecurityMode = 5, then we will have to rely on Cognos BI Groups, right?

No. I did an implementation last year where the client had to use CAM security per their IT group but we didn't want to maintain the TM1 security there. So, we created one group in CAM (and let that group propagate to TM1) to hold everyone and had everyone automatically be in that group the first time they logged into CAM. Then we created all separate groups in TM1 and assigned the CAM IDs of users to those groups. The drawback is CAM can't manage those groups so every time a new user appears in TM1, through CAM, you have to do your assignments in TM1. You can do those manually, with a TI, or through rules, just like stand-alone TM1 security.

[tm123]

Thanks guys,

I have one more question. In our dimensions we have lots of subsets, some of them static, some of them dynamic ( by dynamic I don't mean MDX subsets, but MDX subsets converted to Static subsets and they get refreshed daily or on demand )

Is there any way to expose these subsets in BI? I created a package in Framework Manager and I opened that package in Report STudio but I don't see any subsets in there

Thanks

[lotsaram]

Is there any way to expose these subsets in BI? I created a package in Framework Manager and I opened that package in Report STudio but I don't see any subsets in there

No. Despite Cognos acquiring TM1 in 2008 Cognos BI remains unaware of the existence of subsets. For all the BI studios subsets simply do not exist.

What Cognos BI does understand is dimension structure so you have to use that.

When I'm designing a TM1 model to be used with report studio or active reports or whatever I get around this by creating a Rollup called "BI Reporting Subsets" which has children named Sub then then the subset name of whatever public subsets have been marked as relevant for BI reporting in that dimension. Each "subset" is then copied to the hierarchy as a flat list. TI runs overnight to keep all these hierarchies up to date and add any new ones.

This is then really helpful for automating reporting and making the report developer more productive as rather than by hand hunt and peck to list elements for a report all that is needed is to pick the "subset" rollup and element.children MDX takes care of generating the rows or columns.