TM1 Forum

Hi all

I want write code TI get username and password of user login. I am using function sUser = AttrS('}Clients', TM1User(), '}TM1_DefaultDisplayValue');

I get username success but i don't get password of user login. How i do ???

Thank you

Hi ChauBSD,Why do you need user's passwords? Anyway }ClientProperties cube contains the user passwords. Thanks

ChauBSD wrote:I want write code TI get username and password of user login. I am using function sUser = AttrS('}Clients', TM1User(), '}TM1_DefaultDisplayValue');
I get username success but i don't get password of user login. How i do ???

BariAbdul wrote:Hi ChauBSD,Why do you need user's passwords?

I'd guess it's to pass through to something else that the TI is calling, but it'll be necessary to find another way to do that.

BariAbdul wrote: Anyway }ClientProperties cube contains the user passwords.

It doesn't contain the actual passwords; it contains an encryption of them. The encryption is effectively unusable except for the purpose of validating a password input. The NSA may be able to decrypt them, but we can't do it in TM1. It'd be a painfully insecure system if we could.

I'd guess it's to pass through to something else that the TI is calling, but it'll be necessary to find another way to do that.

Alan could you be kind enough to please elaborate on the alternative method.Thanks

BariAbdul wrote:

I'd guess it's to pass through to something else that the TI is calling, but it'll be necessary to find another way to do that.

Alan could you be kind enough to please elaborate on the alternative method.Thanks

It would depend on what they want to do with it. I'm disinclined to speculate because I really don't think that bouncing plain text passwords around between systems is a good idea to begin with. If you had absolutely no choice, one way would be to make the password a parameter to the process, though that would be inconvenient for the user.

But when I say "another way" it really does come back to what someone is working with. Maybe the intention was, say, to connect to a SQL Server database using a user name and password which correspond to their TM1 ones so that they could get only the data that they have access to. In such a case one preferred approach would be to use Windows authentication for the SQL server connection using the account that the server is running on and filter out the data by only using the user's name; an example could be to use views which are specific to the user (or better still the user's group). In this way there is no dependency on having the actual password.

We could sit around speculating for days about what the usage might be and therefore what alternatives might be available; if the original poster is not inclined to share the specifics there's probably not a lot of point. The only certainty is that for practical purposes the only way to suck the client's password out of TM1 is revert to the old version 6 build that allowed the admin to store the passwords in the relevant cube as plain text.

Thanks Alan.As usual you been very generous.Totally agree with you.

ChauBSD wrote:I want write code TI get username and password of user login. I am using function sUser = AttrS('}Clients', TM1User(), '}TM1_DefaultDisplayValue');

I get username success but i don't get password of user login. How i do ???

You don't need to access the user's password, you can just temporarily swap it for one of your own and then swap back the original when you're done. Frankly I can't think of any reason you'd want to do this and in the case that Alan proposed, his suggestion is much better.

First, you need to create a temporary password measure in }ClientProperties: Then you need to store the existing password in the new measure: Now you can set the password to anything you like: When you're done, reset the password from the temporary measure: Note you don't use AssignClientPassword in the last step because the password is already encrypted.

2 things: firstly this code has the liability that the replacement password is stored in the clear in the .pro file where people can read it if you haven't secured the data directory. Secondly, you should apply extreme caution using any code that stuffs around with peoples passwords. If any sensitive data gets out you may well be toast. Do so at your own risk.

rmackenzie wrote:

Code: Select all

sUser = 'UNSUSPECTING_PERSON';
sCurrentPassword = CellGetS ( '}ClientProperties', sUser, 'PASSWORD' );
CellPutS ( sCurrentPassword, '}ClientProperties', sUser, 'PASSWORD_TEMP' );

Won't this corrupt the password, because you are not encrypting it into the cube?

upali wrote:Won't this corrupt the password, because you are not encrypting it into the cube?

It's already encrypted - i.e. those lines of codes simply move an encrypted value from one intersection to another. I understand that the encrypted password is using ASCII including codes 128 and above, but nothing more fancy. If you set two users passwords to 'apple' then the encrypted text looks the same in }ClientProperties. After that, it's a value that can be read and written, as far as I know.
PS I should note that I did a quick test on 9.5.2 but on other versions you may experience different results.

Thanks Robin for sharing the knowlege and for your valuable time.

BariAbdul wrote:Thanks Robin for sharing the knowlege and for your valuable time.

No problem. I'm still keen to hear from the original poster regarding the reason for which he wants to obtain a users password.