Chores run under what credentials?

Posted: Fri May 30, 2014 5:22 pm
by PavoGa
I was under the impression that Chores and the credentials they ran under were determined this way:

1) User with access to the chore runs the chore, the chore and its processes execute under the user's credentials.
2) If the chore is scheduled, it runs under the admin credentials when it executes.

Here is the situation: a chore was executed by a user. The user did not have access to some dimension elements in a cube used by the chore/processes. The processes in the chore ignored the user's lack of access and read data from elements the user did not have access granted. This was unexpected. I believe we have tested this before just running a process and it did not pick elements for which access was not granted, but seems to have worked if run from a chore.

Does this mean all chores will execute their processes under admin rights?

Appreciate any clarification that tells me where I went wrong in my understanding. Could not find the answer in the guides/manuals.

Re: Chores run under what credentials?

Posted: Fri May 30, 2014 5:52 pm
by tomok
First of all, chores are nothing more than a scheduling system, so the concept of security privileges for them is quite meaningless. TI processes are where everything happens, as far as TM1 models are concerned, and they always have complete and total access to all of TM1. Security around chores and processes only controls who is allowed to run them and who is allowed to change them.

Re: Chores run under what credentials?

Posted: Fri May 30, 2014 6:16 pm
by PavoGa
Thanks, Tomok. I posted here because I was not able to readily find any documentation and then lo and behold! I found it...

http://www-01.ibm.com/support/docview.w ... wg21459638

This was a surprise. In fact, I would have sworn I had actually tested the scenario of the interaction between processes and the underlying model security, but obviously something was not quite right.

Anyway, for all intents and purposes, a TI process executes with admin rights as long as the user has read access to the process. If the process is called by a chore, they do not even need access to the process and that is the behavior we have seen today.

Re: Chores run under what credentials?

Posted: Fri May 30, 2014 6:29 pm
by declanr
Actually... a process runs with DATA admin access, meaning it can't make changes to security unless it's run by an administrator OR you right click on the TI and select security access. It's been this way since about 9.4.

Re: Chores run under what credentials?

Posted: Fri May 30, 2014 6:32 pm
by jim wood
Another point to consider is that when handling outside objects (for example files found on network shares) it uses the account that starts the TM1 service, so if you are using the local system account you may run into share access issues.

Jim.

Re: Chores run under what credentials?

Posted: Fri May 30, 2014 6:42 pm
by PavoGa
Declan, thanks for the additional clarification.

Jim, have already run into that and it is a constant struggle to get the network folks to understand what we mean when we tell them what we need.

Re: Chores run under what credentials?

Posted: Fri May 30, 2014 7:19 pm
by jim wood
PavoGa wrote: Jim, have already run into that and it is a constant struggle to get the network folks to understand what we mean when we tell them what we need.

I hear that. In my last role before I left the UK the only way they could work around it was to create a network admin ID with a password that never expired. Once they created it I had to sign all kinds of agreements that I wouldn't pass the details on. It felt like I was joining MI5 or something like that. Passing it on would result in immediate termination!!!

Re: Chores run under what credentials?

Posted: Sun Jun 01, 2014 5:09 pm
by Wim Gielis
Good evening,

I also always thought that processes run with (Data) Admin rights. Until last year, where (in Cognos Express) we had difficulties with a non-trivial spreading process. The process (with several subprocesses) would not run correctly for non-admin users. There was a CellPutProportionalSpread to a sales cube. The process was to be executed by a number of RSMs (Regional Sales Managers). There was a Customer dimension:

Total Customer (consolidated) > Customer (level 0)

Security was organized by RSM, security was mainly set up with rules (at least on that dimension). Something along the lines of: Write rights on your "own" customers (for which RSM is responsible), Read rights on other customers. All cells for the CellPutProportionalSpread were open and no rules were involved in the slice of the cube where the process writes the spread data. CellPutProportionalSpread was done on the element Total Customer for the customer dimension.
Logging in with the Administrator, the process (and subprocesses) worked fine. With other users, the process would break.

Unfortunately, I don't have access anymore to the model and database. Nor do I recall all details, sorry. But it was definitely solved by checking the TM1USER(), its associated security group (the RSM name) and then determining the customers at level 0 linked to that RSM. And only do the CellPutProportionalSpread over those customers.

You can debate over the architecture of the cube, dimensions and elements, but whatever architecture was in place, we encountered issues with security.

Does it ring a bell for someone?

Re: Chores run under what credentials?

Posted: Sun Jun 01, 2014 8:31 pm
by declanr
Interesting one there Wim, I just did a quick test (in 10.2) and the process did fail on a CellPutProportionalSpread. But users can definitely get elevated access as can be tested by doing a cellputn in a cube the user can't see and that works fine.

I'm guessing that perhaps it is something in the background as to how proportional spreading works (e.g. first setting up a hold on the relevant cells) when run by a data admin this works fine but a standard user it doesn't try to acquire the hold; it's as if a TI process runs with a partial data admin access where it has data admin access to the cells explicitly specified but an act such as data spreading where in essence an implicit push to undefined cells is executed; the access isn't there.

Did you flag that one up with IBM? Would be interesting to hear what they said/would say considering this is still the documented TI security:
The admin who creates a TurboIntegrator process assigns the security privileges to the TurboIntegrator process.

A TurboIntegrator process can be created only by an administrator, who has the Admin privileges required to create a process. The administrator can assign rights to the process. The TurboIntegrator process has those rights regardless of the rights assigned to any user running the process.

Non-admin users need to have Read access to a TurboIntegrator processes in order to see the process in the interface and to execute the process. But the TurboIntegrator process itself retains the rights assigned by the administrator.

For example, consider a user and an administrator where:
• User U1 has only Read access to cube_1.
• The administrator creates a TurboIntegrator process that does a CellPutN into cube_1, which requires Write access to the cube.
• The administrator gives U1 Read access to the TurboIntegrator process.
• U1 can run this TurboIntegrator process and it will do the CellPutN even though the user only has Read access to cube_1. The same result is obtained if U1 has None access to cube_1.
• A user with only Read access to a TurboIntegrator process can only view and execute the process. The user can't edit the process to change the value being sent or the location where data is being put.
• The conditions described above are also true when a user executes a TurboIntegrator process from within a chore.

To prevent U1 from being able to access this TurboIntegrator process, the IBM® Cognos® TM1® administrator should not give U1 Read access to the TurboIntegrator process.
Incredibly unusual for the documentation to be wrong.....
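
An added example, not part of any post in this thread and not IBM's code: since the quoted documentation says a process writes with its own rights whatever the caller holds, a process can re-impose the caller's element security itself before writing, in the spirit of the TM1USER() check Wim describes. The cube Sales, the dimension Customer (assumed to have element security enabled, so that }ElementSecurity_Customer exists) and the parameters pCustomer, pMeasure and pValue are hypothetical.

```ti
# Prolog of a hypothetical process (added example, not from the thread).
# Parameters (hypothetical): pCustomer (string), pMeasure (string), pValue (numeric).
# Assumes element security is enabled on the Customer dimension.

sDim     = 'Customer';
sSecCube = '}ElementSecurity_' | sDim;
sUser    = TM1User();

# Refuse to run for a caller that is not a known client. The policy assumed
# here is that this process is only ever started interactively.
IF( DIMIX( '}Clients', sUser ) = 0 );
  ProcessError;
ENDIF;

# Refuse element names that do not exist in the dimension.
IF( DIMIX( sDim, pCustomer ) = 0 );
  ProcessError;
ENDIF;

# Walk every group the caller belongs to and look for write access to the
# target element. CellGetS also returns rule-derived security values.
nAllowed = 0;
nGroups  = DIMSIZ( '}Groups' );
i = 1;
WHILE( i <= nGroups & nAllowed = 0 );
  sGroup = DIMNM( '}Groups', i );
  IF( CellGetS( '}ClientGroups', sUser, sGroup ) @<> '' );
    IF( sGroup @= 'ADMIN' );
      nAllowed = 1;
    ENDIF;
    sRight = CellGetS( sSecCube, pCustomer, sGroup );
    # Only WRITE or ADMIN counts as permission here; widen or narrow
    # this test to match local policy.
    IF( sRight @= 'WRITE' % sRight @= 'ADMIN' );
      nAllowed = 1;
    ENDIF;
  ENDIF;
  i = i + 1;
END;

# Without this guard the CellPutN below would succeed for any caller with
# Read access to the process, as the quoted documentation describes.
IF( nAllowed = 0 );
  ProcessError;
ENDIF;

CellPutN( pValue, 'Sales', pCustomer, pMeasure );
```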

Re: Chores run under what credentials?

Posted: Mon Jun 02, 2014 3:17 pm
by Wim Gielis
Thank you for testing Declan. And confirming :-)
In fact, I did not report it to IBM as a bug. I just dropped my belief that processes run with Data Admin rights...
Given that you can reproduce the behavior in a simple TM1 model, maybe it's a better idea to use that reference material when submitting a bug. And sending along the URL of this topic?

Re: Chores run under what credentials?

Posted: Mon Jul 07, 2014 1:45 pm
by PavoGa
An update to this post.

I was pretty sure I'd tested the scenario for a user running the chore or process and it had hiccupped on access to particular cost center elements. So here is the scoop:

We are using TM1 Applications (or Contributor if you prefer). It was TM1 Applications that was causing the problem. If the user tried to execute a chore/process, an access error was received on locked elements or for ones they did not have access to. Fortunately, the process was configured through a parameter and control cube to allow the user to set a flag and the chore ran it under Admin credentials. It executed just fine and wrote data into the locked nodes as expected.