IntegratedSecurityMode = 2 Switching Between TM1 and LDAP authentication

[kj4]

I'm interested in knowing if there is a way to create a test / admin user when the login method for TM1 is LDAP authentication. It would be nice to have a test user when testing the security of other profile user groups.

When I originally read the following from the tm1s.cfg file:

# If IntegratedSecurityMode is set to 2. The clients will have the choice
# to connect provide a database username and password or use the single-login
# mechanism for authentication.

I assumed the client would have the choice to "switch" between LDAP and TM1 depending on the userID. Is it possible to switch other than changing PasswordSource=LDAP or PasswordSource=TM1 (which requires restarting TM1 services)? If not, is there another way to create a test user when IntegratedSecurityMode is set to 2?

Thanks!

[TrevorGoss]

I assumed the client would have the choice to "switch" between LDAP and TM1 depending on the userID. Is it possible to switch other than changing PasswordSource=LDAP or PasswordSource=TM1 (which requires restarting TM1 services)? If not, is there another way to create a test user when IntegratedSecurityMode is set to 2?

All the cfg parameters you have mentioned are static parameters, so a restarting of the service would nee to occur for the parameters to update. I do not think you can create a test user that has an individual IntegratedSecutiyMode, as that setting is in the cfg file.

Can you set up a new TM1 server, and create your testing scenario in that?

[David Usherwood]

FYI, in 10.3 (aka Planning Analytics - cloud only at present), IntegratedSecurityMode is now dynamic - http://www-01.ibm.com/support/docview.w ... wg27047055

[lotsaram]

"Mixed mode" between TM1 authentication and windows integrated login does NOT mean that the server supports a mix of users some of which exclusively use integrated authentication and some of which exclusively use native. RATHER is means that for a given user ("user" = element in }Clients dimension) it is possible to log in with either native TM1 security or integrated login provided that the client being used ("client" = user interface) has been built to support this switch in authentication method. The UniqueID property in the }ClientProperties cube determines whether the integrated login will succeed.

windowsintegratedsecurity.jpg (11.22 KiB) Viewed 4559 times

I am pretty sure that this is covered in the Operations Manual.

[kj4]

Thanks everyone for the responses. It appears that my interpretation of how IntegratedSecurityMode 2 works was misguided.