TM1+CAM Security: see what any user would see
-
- Posts: 37
- Joined: Fri Nov 16, 2012 5:44 pm
- OLAP Product: TM1
- Version: 10.2.2 FP6
- Excel Version: 2016
- Location: Germany
TM1+CAM Security: see what any user would see
Dear TM1 experts,
let me first explain the situation: running TM1 10.2.2 with CAM Security (please no comments on the outdated version, this is not the topic here), with lots of CAM users mainly in CAM groups (and some TM1 internal groups, we are running SecurityMode=5).
Now whenever there is a support request that could be related to any security or missing group membership, it is an unacceptable amount of work to apply for a testing user exactly the same group memberships that the complaining user has. So first compare }ClientGroups for the complaining user and the testing user, then add/remove the testing user to/from all the CAM groups to arrive at equal group assignments. As you know CAM, this is tons of clicks for every single group.
This procedure is acceptable for a few tests here and there, but being under fire during the operation phase, or in need of a mass test for many users in a short time (before users enter the system on their own and run into potential errors), I wonder if there could be a better and more efficient approach to that.
My considerations so far:
- Having a recent copy of the production server running in a testing environment - could even be automated nightly
- Switch off CAM security and change to SecurityMode=1 for this copy
- Having a TI that copies CAM-Clients and CAM-Groups elements into certain "shadow" groups, which are internal TM1 clients or groups, following a certain naming convention (e.g. replacing "Cognos\groupname" by "_local_groupname").
- Having rules for all security cubes that replicate the original values in "Cognos\groupname" * "Cognos\clientname" cells into the corresponding shadow elements
- Log in as the local user (set a local password before), which should then result in the same security conditions as the original user in production
We could automate certain things more, e.g. import CAM-group memberships from the CAM repository (SQL database) to set the group memberships even without the user ever having logged in. This way, we could check from his perspective before granting system access.
We could have a TI process that copies group memberships from a reference user to a testing user, so setting the permissions for a testing user ad hoc could be a matter of a few clicks.
All in all, that could work and I did a small prototype, but I want to understand if any of you had similar considerations and maybe ended up with a different approach.
Thanks for sharing your thoughts!
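As an added example (not code from any post in this thread), the }ClientGroups / }CubeSecurity comparison described in the first post, worked offline in Python: given exported security cube cells (a constructed sample below), it lists the groups a test user is missing relative to the reference user and the cubes where their effective rights differ. The client, group and cube names are made-up placeholders, and the export format (client -> groups, (group, cube) -> right) is an assumption about how the cubes were dumped.

```python
from typing import Dict, Set, Tuple, List

# TM1 resolves a client's right on a cube as the highest right granted by any
# group the client belongs to; members of the ADMIN group see everything.
RIGHT_RANK = {"NONE": 0, "READ": 1, "WRITE": 2, "RESERVE": 3, "LOCK": 4, "ADMIN": 5}

# Constructed sample of }ClientGroups, exported as client -> set of groups.
# The CAM client name and group names are placeholders, not real identities.
CLIENT_GROUPS: Dict[str, Set[str]] = {
    'CAMID("Cognos:u:complaining")': {"Cognos\\Finance_Read", "Cognos\\Sales_Write"},
    "test_user": {"Cognos\\Finance_Read"},
    "tm1_admin": {"ADMIN"},
}

# Constructed sample of }CubeSecurity, exported as (group, cube) -> right.
# A blank cell grants nothing, which is why an unlisted pair maps to NONE.
CUBE_SECURITY: Dict[Tuple[str, str], str] = {
    ("Cognos\\Finance_Read", "PnL"): "READ",
    ("Cognos\\Sales_Write", "Sales"): "WRITE",
    ("Cognos\\Sales_Write", "PnL"): "",
}
CUBES = ["PnL", "Sales", "Budget"]

def effective_right(client: str, cube: str,
                    client_groups=CLIENT_GROUPS, cube_security=CUBE_SECURITY) -> str:
    """Highest cube right the client obtains through any of its groups."""
    groups = client_groups.get(client, set())
    if "ADMIN" in groups:
        return "ADMIN"
    best = "NONE"
    for group in groups:
        right = cube_security.get((group, cube), "") or "NONE"
        if RIGHT_RANK[right] > RIGHT_RANK[best]:
            best = right
    return best

def membership_delta(reference: str, tester: str,
                     client_groups=CLIENT_GROUPS) -> Tuple[List[str], List[str]]:
    """Groups to add to / remove from the tester to mirror the reference user."""
    ref = client_groups.get(reference, set())
    tst = client_groups.get(tester, set())
    return sorted(ref - tst), sorted(tst - ref)

def view_diff(reference: str, tester: str, cubes=CUBES) -> Dict[str, Tuple[str, str]]:
    """Cubes where the tester's effective right differs from the reference user's."""
    out = {}
    for cube in cubes:
        r, t = effective_right(reference, cube), effective_right(tester, cube)
        if r != t:
            out[cube] = (r, t)
    return out
```

Running view_diff over every cube for a list of reference/test pairs gives the "mass test" result without touching CAM group memberships at all.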
-
- MVP
- Posts: 2834
- Joined: Tue Feb 16, 2010 2:39 pm
- OLAP Product: TM1, Palo
- Version: Beginning of time thru 10.2
- Excel Version: 2003-2007-2010-2013
- Location: Atlanta, GA
- Contact:
Re: TM1+CAM Security: see what any user would see
foogy wrote (Wed Apr 22, 2020 1:12 pm):
    - Having a TI that copies CAM-Clients and CAM-Groups elements into certain "shadow" groups, which are internal TM1 clients or groups, following a certain naming convention (e.g. replacing "Cognos\groupname" by "_local_groupname").
    - Having rules for all security cubes that replicate the original values in "Cognos\groupname" * "Cognos\clientname" cells into the corresponding shadow elements
Why go to all this trouble with the "shadow" groups? If you set the security to "1" then you can log in as any user with their local password. You just have to use the real CAMID and not the alias, and you need to assign a local password (I assign a common local password to all users via a rule). All the existing group memberships and group privileges will remain intact. We are IBM Cloud customers, using CAM, and this is how I do it. I simply copy the entire data directory to a test server, which has security at "1", and then I log in as the user(s) in question to diagnose the problem.
-
- Posts: 37
- Joined: Fri Nov 16, 2012 5:44 pm
- OLAP Product: TM1
- Version: 10.2.2 FP6
- Excel Version: 2016
- Location: Germany
Re: TM1+CAM Security: see what any user would see
I think this is the part where I failed in my experiment, because I did not use the real CAMID (so the cryptic thing "CAMID(Cognos\...)") for login in security mode 1, but instead tried the username according to Active Directory. And here I thought that CAM objects cannot be used once you switch off CAM security.
I will give it a try as this will make things quite simple, thanks a lot for this hint.
Of course it would be cool to have a security mode that allows for CAM clients and internal clients at the same time, as IBM implemented it for the groups. In such a scenario, we would not even need a copy of the TM1 server and a change of security mode. However, I will give it a try!
Cheers!
Re: TM1+CAM Security: see what any user would see
Sorry, I just couldn't pass this by without saying that on PA you'd be able to use the 'impersonate user' param in the REST API and see exactly what that user would see
https://www.ibm.com/support/knowledgece ... _auth.html
IntegratedSecurity mode 1 is the way to go otherwise.
Cheers.
-
- Site Admin
- Posts: 1458
- Joined: Wed May 28, 2008 9:09 am
Re: TM1+CAM Security: see what any user would see
I recall building a routine which would place a user into the Admin group but did not require admin access to run. To test security I would mimic the group membership I was testing then take myself out of admin (manually) - then run the TI to restore admin. Very useful when working with CAM, especially on IBM cloud when there wasn't a readily available test user.
-
- Posts: 37
- Joined: Fri Nov 16, 2012 5:44 pm
- OLAP Product: TM1
- Version: 10.2.2 FP6
- Excel Version: 2016
- Location: Germany
Re: TM1+CAM Security: see what any user would see
ykud wrote (Thu Apr 23, 2020 5:37 am):
    Sorry, I just couldn't pass this by without saying that on PA you'd be able to use the 'impersonate user' param in the REST API and see exactly what that user would see
    https://www.ibm.com/support/knowledgece ... _auth.html
    IntegratedSecurity mode 1 is the way to go otherwise.
    Cheers.
Thanks Yuri, that hint made my day and I have another argument to force an upgrade project in our company. It's really a hard fight to get time and money for such things, unless the TM1 application crashes all the time.
Until then, I will give the SecurityMode=1 option and login with the cryptic CAM ID a chance.
Cheers.
-
- MVP
- Posts: 3185
- Joined: Mon Dec 29, 2008 6:26 pm
- OLAP Product: TM1, Jedox
- Version: PAL 2.0.9.18
- Excel Version: Microsoft 365
- Location: Brussels, Belgium
- Contact:
Re: TM1+CAM Security: see what any user would see
ykud wrote (Thu Apr 23, 2020 5:37 am):
    Sorry, I just couldn't pass this by without saying that on PA you'd be able to use the 'impersonate user' param in the REST API and see exactly what that user would see
    https://www.ibm.com/support/knowledgece ... _auth.html
    IntegratedSecurity mode 1 is the way to go otherwise.
    Cheers.
What client(s) would/could you then use, if you use the REST API, when it comes to testing security? Just trying to visualize it.
Best regards,
Wim Gielis
IBM Champion 2024
Excel Most Valuable Professional, 2011-2014
https://www.wimgielis.com ==> 121 TM1 articles and a lot of custom code
Newest blog article: Deleting elements quickly
Re: TM1+CAM Security: see what any user would see
Wim Gielis wrote (Thu Apr 23, 2020 1:03 pm):
    ykud wrote (Thu Apr 23, 2020 5:37 am):
        Sorry, I just couldn't pass this by without saying that on PA you'd be able to use the 'impersonate user' param in the REST API and see exactly what that user would see
        https://www.ibm.com/support/knowledgece ... _auth.html
        IntegratedSecurity mode 1 is the way to go otherwise.
        Cheers.
    What client(s) would/could you then use, if you use the REST API, when it comes to testing security? Just trying to visualize it.
I'd use REST API calls directly with Postman, but that's just me.
If there's anything I'd be running more than once, I'd do a few tm1py scripts to do 'export me what cubes/dimensions/elements this user will see, or run an MDX query as that user to check cell security' kind of things. Can do a sample tool for this if anyone is interested.
I'm not aware of any client supporting this directly (maybe Arc does, I don't know), which is a shame, but it's not that hard to 'write around' given that capability.
Cheers,
Y
Re: TM1+CAM Security: see what any user would see
Just FYI, IntegratedSecurityMode became a dynamic parameter in PA, so you can flip between 1 and 5 without restarting the service, a little known fact that I really like.
-
- MVP
- Posts: 3685
- Joined: Fri Mar 13, 2009 11:14 am
- OLAP Product: TableManager1
- Version: PA 2.0.x
- Excel Version: Office 365
- Location: Switzerland
Re: TM1+CAM Security: see what any user would see
Yep. You are not the only one. It's very useful for enforcing "lockout" periods for batch loads or server maintenance windows. https://cubewise.com/blog/easier-way-ma ... atch-runs/
Please place all requests for help in a public thread. I will not answer PMs requesting assistance.
-
- MVP
- Posts: 3185
- Joined: Mon Dec 29, 2008 6:26 pm
- OLAP Product: TM1, Jedox
- Version: PAL 2.0.9.18
- Excel Version: Microsoft 365
- Location: Brussels, Belgium
- Contact:
Re: TM1+CAM Security: see what any user would see
lotsaram wrote (Fri Apr 24, 2020 7:37 am):
    Yep. You are not the only one. It's very useful for enforcing "lockout" periods for batch loads or server maintenance windows. https://cubewise.com/blog/easier-way-ma ... atch-runs/
I would tend to look at the IsDisabled property of the }ClientProperties cube.
Best regards,
Wim Gielis
IBM Champion 2024
Excel Most Valuable Professional, 2011-2014
https://www.wimgielis.com ==> 121 TM1 articles and a lot of custom code
Newest blog article: Deleting elements quickly
-
- MVP
- Posts: 3185
- Joined: Mon Dec 29, 2008 6:26 pm
- OLAP Product: TM1, Jedox
- Version: PAL 2.0.9.18
- Excel Version: Microsoft 365
- Location: Brussels, Belgium
- Contact:
Re: TM1+CAM Security: see what any user would see
ykud wrote (Fri Apr 24, 2020 1:00 am):
    Wim Gielis wrote (Thu Apr 23, 2020 1:03 pm):
        ykud wrote (Thu Apr 23, 2020 5:37 am):
            Sorry, I just couldn't pass this by without saying that on PA you'd be able to use the 'impersonate user' param in the REST API and see exactly what that user would see
            https://www.ibm.com/support/knowledgece ... _auth.html
            IntegratedSecurity mode 1 is the way to go otherwise.
            Cheers.
        What client(s) would/could you then use, if you use the REST API, when it comes to testing security? Just trying to visualize it.
    I'd use REST API calls directly with Postman, but that's just me.
    If there's anything I'd be running more than once, I'd do a few tm1py scripts to do 'export me what cubes/dimensions/elements this user will see, or run an MDX query as that user to check cell security' kind of things. Can do a sample tool for this if anyone is interested.
    I'm not aware of any client supporting this directly (maybe Arc does, I don't know), which is a shame, but it's not that hard to 'write around' given that capability.
    Cheers,
    Y
Then I prefer a real client like Architect or PAW, rather than reinventing the wheel - however interesting and challenging that can be.
Best regards,
Wim Gielis
IBM Champion 2024
Excel Most Valuable Professional, 2011-2014
https://www.wimgielis.com ==> 121 TM1 articles and a lot of custom code
Newest blog article: Deleting elements quickly
-
- MVP
- Posts: 3685
- Joined: Fri Mar 13, 2009 11:14 am
- OLAP Product: TableManager1
- Version: PA 2.0.x
- Excel Version: Office 365
- Location: Switzerland
Re: TM1+CAM Security: see what any user would see
Wim Gielis wrote (Fri Apr 24, 2020 7:48 am):
    I would tend to look at the IsDisabled property of the }ClientProperties cube.
Yes, that too. Although this trick is even newer. I don't know when the IsDisabled property was actually introduced to v11, but it is as yet undocumented. Unless you have access to some super top secret stash of IBM documentation?
Please place all requests for help in a public thread. I will not answer PMs requesting assistance.
-
- MVP
- Posts: 3185
- Joined: Mon Dec 29, 2008 6:26 pm
- OLAP Product: TM1, Jedox
- Version: PAL 2.0.9.18
- Excel Version: Microsoft 365
- Location: Brussels, Belgium
- Contact:
Re: TM1+CAM Security: see what any user would see
I noticed the property but like you I don't recall the exact version it was introduced.
Best regards,
Wim Gielis
IBM Champion 2024
Excel Most Valuable Professional, 2011-2014
https://www.wimgielis.com ==> 121 TM1 articles and a lot of custom code
Newest blog article: Deleting elements quickly
-
- Site Admin
- Posts: 1458
- Joined: Wed May 28, 2008 9:09 am
Re: TM1+CAM Security: see what any user would see
lotsaram wrote (Fri Apr 24, 2020 8:55 am):
    Wim Gielis wrote (Fri Apr 24, 2020 7:48 am):
        I would tend to look at the IsDisabled property of the }ClientProperties cube.
    Yes, that too. Although this trick is even newer. I don't know when the IsDisabled property was actually introduced to v11, but it is as yet undocumented. Unless you have access to some super top secret stash of IBM documentation?
That'll be with the detailed writeup of the log4j commands, next to the Ark of the Covenant in Area 51.
Re: TM1+CAM Security: see what any user would see
Wim Gielis wrote (Fri Apr 24, 2020 7:49 am):
    Then I prefer a real client like Architect or PAW, rather than reinventing the wheel - however interesting and challenging that can be.
Sure, I'd prefer it as well, but there's none.
I'm not sure PAW will support it anytime soon (they haven't done this in the 3 years the capability was there, so it's obviously not a priority). And there are cases when 'copy server & switch security mode' is not a viable option (a large model, long startup times, a pressing issue, etc.), so a REST API check can be a good workaround.
Y
-
- MVP
- Posts: 3185
- Joined: Mon Dec 29, 2008 6:26 pm
- OLAP Product: TM1, Jedox
- Version: PAL 2.0.9.18
- Excel Version: Microsoft 365
- Location: Brussels, Belgium
- Contact:
Re: TM1+CAM Security: see what any user would see
ykud wrote (Sun Apr 26, 2020 11:29 pm):
    Sure, I'd prefer it as well, but there's none.
    I'm not sure PAW will support it anytime soon (they haven't done this in the 3 years the capability was there, so it's obviously not a priority). And there are cases when 'copy server & switch security mode' is not a viable option (a large model, long startup times, a pressing issue, etc.), so a REST API check can be a good workaround.
    Y
That's indeed a workaround, then, and necessary for the time being.
Best regards,
Wim Gielis
IBM Champion 2024
Excel Most Valuable Professional, 2011-2014
https://www.wimgielis.com ==> 121 TM1 articles and a lot of custom code
Newest blog article: Deleting elements quickly
-
- Regular Participant
- Posts: 159
- Joined: Fri Aug 12, 2016 10:02 am
- OLAP Product: tm1
- Version: 10.2.0 - 10.3.0
- Excel Version: 2010
Re: TM1+CAM Security: see what any user would see
We have a test domain account.
Architect, browser etc. in "run as different user" mode.
For Excel we create a little batch file to run as a different user.
Create a *.lnk file.
!!! Your security may think this is malware !!!
Code:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command "&{start-process \"$env:windir\system32\RunDll32.exe\" -ArgumentList 'shell32.dll,ShellExec_RunDLL \"EXCEL.EXE\" /X' -Credential (Get-Credential)}"