Tm1 10 - Cognos Everone group.

[spiderwallet]

Hi All,

I currently have my TM1 instances set up with IntegratedSecurityMode=5, BI Security and am finding the Cognos\Everyone group showing up in the Clients/Groups secutity section in each of the instances in Architect.

What does this mean? Anyone with Cognos portal access can login to the TM1 Portal, but cant see anything as they dont have the appropriate cube security.

Not sure why this group is added in the TM1 environment as this group hasnt been added manually, it seems to get added automatically. When deleted it re-appears.

The Cognos \ Everyone group in Cognos has the 'override the access permissions acquired from the parent entry' ticked, which I am hoping relates as to why this happens?

As I am not sure, Im hoping this has occurred with one of you??

Cheers,
SW!

[EvgenyT]

What are you experiencing is a normal behavior of of IntegratedSecurityMode 5, please have a look at this link below:

http://pic.dhe.ibm.com/infocenter/cbi/v ... n0437.html

Under this mode TM1 will use both TM1 and CAM Security Groups (users can belong to both). Deleting them will not help, as they will be reinstated every time upon security refresh ( as well as users assigned to them).

Consider using mode 1, 2 or 3 If you dont want to use CAM security

Thanks

Evgeny

[lotsaram]

Hi All,

I currently have my TM1 instances set up with IntegratedSecurityMode=5, BI Security and am finding the Cognos\Everyone group showing up in the Clients/Groups secutity section in each of the instances in Architect.

What does this mean? Anyone with Cognos portal access can login to the TM1 Portal, but cant see anything as they dont have the appropriate cube security.

Not sure why this group is added in the TM1 environment as this group hasnt been added manually, it seems to get added automatically. When deleted it re-appears.

The Cognos \ Everyone group in Cognos has the 'override the access permissions acquired from the parent entry' ticked, which I am hoping relates as to why this happens?

As I am not sure, Im hoping this has occurred with one of you??

Cheers,
SW!

This will happen not just with Cognos/Everyone but with any group defined in the Cognos Administration portal to which users belong (where the users have logged into TM1). That's the whole concept of CAM security, in that any user from CAM can log onto the TM1 server. Whether they can access anything depends of course on whether they are members of any groups with TM1 access rights. If you wanted to setup a minimum user access profile defining the base level of access for all users then the easiest way to do it is assign these rights to the Cognos/Everyone group.

There's no point deleting CAM groups as they will get recreated whenever users log in. With CAM authentication the user is created as a TM1 client on first login and any CAM groups that the user belongs to are created as well.

You still needs to define TM1 object and element security within TM1 though.

[MathiasBeckers]

Hi,

Just to add a follow-up question this because we're experiencing the same issue. I find it normal and desirable that users are added to the list in TM1 as soon as they try to access it. But on the BI groups we want to be able to add and control them manually. Because in BI I would think all users are linked to the Everyone group by default. But for us, we can't give access rights on this group within TM1 because not all users are allowed to access TM1. So we work with specific Cognos BI groups for TM1 security access.

But if a certain user logs in, and the everyone group comes along (with no access rights), then this more or less overrules all of the security setups we've done using other Cognos BI groups. So to come to my question: how can we avoid or cope with the fact that the everyone group is going to pop up automatically in TM1?

The nice thing about this setup is that you can control the link between users and groups within Active Directory or Cognos BI and that you can define access rights on the objects in TM1.