PasswordSource using both LDAP and TM1

[damientaylorcreata]

Hi Guys,

Just wanting to know if it is possible to use a mix of both LDAP and TM1 as my PasswordSource. The reason I ask is that I have recently got TM1 to authenticate via LDAP, however our administrator would like the ability to be able to login to TM1 as certain users to debug problems. She currently has a listing of each of the TM1 user accounts so that she can easily log in to check things. However obviously she will not have access to their LDAP passwords. Therefore is there a way to setup TM1 to allow both LDAP and TM1 usernames. For instance if LDAP fails, it can fall back to TM1.

Does anybody have any ideas?

Thank,
Damien

[damientaylorcreata]

Let me rephrase the question:

Basically what I am wanting to find out is whether or not it is possible to configure TM1 to use both a LDAP and TM1 authentication? For example if I login with AD credentials it will login me in via LDAP, however if LDAP fails it will fall back to TM1 authentication. I doubt it is possible, but I just need to know for sure. If this is not possible, I will need to abandon LDAP authentication and go back to TM1 authentication.

Thanks guys.
Damien

[LoadzaGrunt]

Basically what I am wanting to find out is whether or not it is possible to configure TM1 to use both a LDAP and TM1 authentication?

What do you mean by 'LDAP authentication' - I am thinking you perhaps mean 'Integrated login' ?

What is your current setup ?

[damientaylorcreata]

No its not integrated login. I have modified the tm1s.cfg file and changed the following properties:

PasswordSource=LDAP
LDAPUseServerAccount=T
LDAPPort=636
LDAPHost="xxxxxxxxxxxxxxx"
LDAPPortSecurityProtocol=none
LDAPWellKnownUserName="xxxxx"
LDAPWellKnownPassword="xxxx"
LDAPSearchBase="xxxx"
LDAPSearchField=sAMAccountName

I have left the integrated login as 1
IntegratedSecurityMode=1

And this works well for ldap authentication. I just need to figure out if it is possible to have both LDAP and TM1 authentication working at the same time, or alternatively specify that some accounts use LDAP authentication and others use TM1 authentication.

[LoadzaGrunt]

As a rule, anything in tm1s.cfg applies to the whole server - so I would say that the answer to your question is 'no' !

I guess this might be a problem for your admin account(s) ?

[damientaylorcreata]

The main reason for this requirement is that we have many users in TM1 that have different permission sets and therefore need to be maintained under different clients/user accounts.

For example: one particular user should be able to see the figures for all countries in relation to one particular gbu or account, but at the same time that user should be able to see all figures across all dimensions in relation to their one country.

e.g. User1 should be able to see all figures for Australia (all accounts, all gbu's, all offices, departments, accounts, etc), however they should also be able to see the figures for gbu 20 across all countries (limited to gbu 20).

I have tried acheiving this one single user with permissions alone, however if I create to groups for the one user and set the appropriate permission for each of these groups and then assign the two groups to the one user, it basically just adds the permission together and provides the user with all figures for all countries, which is not good.

So my only hope was to be able to maintain the two seperate users.

[LoadzaGrunt]

Ah, I see. What you want is cell security, not element security.

Then you should be able to write a rule in your GL cell security cube along the lines of what you just described. This might be preferable to mucking about with LDAP and multiple user accounts.

[damientaylorcreata]

yes, this is a good idea.. It seems like a good solution. I will give it ago.

Thanks for your help.

[damientaylorcreata]

I have tried to implement a simple rule in the cell security cube for the appropriate cube. I can see the READ value appearing in the appropriate place when I look in the cube view itself.. However it the sales sales office does not appear the users drop down menu.

For example group1 needs to see office 111 in the 'gma' cube for example:

If I create the following rule:
['GROUP1','Sales Office':'111'] = S:'READ';

I can see the value appearing the }CellSecurity_GMA.cub when I select group1 and office:111 = READ , but when I log in as a user belonging to this group, Sales Office 111 does not appear in my Sales Office drop down for the user. And If I set other offices to NONE, they remain in the drop menu. It seems that it has no effect what can be accessed or not. Do I have to clear all the other permissions from the cube, dimension and element security cubes for the cell security to take effect? It does seem right that I would have to do this and I am unable to find any documentation of cell level security. Any help on this would be appreciated.

Thanks.

[damientaylorcreata]

Ok.. I have figured out what I need to do.. I need to now enable all companies/countries with the Element level security so that they appearing in the drop down and then set the counties to NONE that I do not wish for them to view figures for.. So cell level security does not hide the element from their menu item.

So I think it should all be sorted now.