Operations Console - 403 Error
Posted: Thu Jul 09, 2015 2:05 pm
by Derezed
Hi there,
I have managed to lock myself out of the exceptionally annoying Operations Console.
Attempting to get it to function with CAM, I put in a group named "Admin" into the "Groups" section of security. I deleted it right away since the syntax was incorrect for this field, however it seems to have stored it *somewhere*. Now when I attempt to access the admin screen using "http://localhost:9510/pmhub/pm/admin" I get:
"Performance Management Hub Error
The Performance Management Hub responded with error: 403
The original resource request is: /pmhub/pm/admin
The Performance Management Hub are still running and may be able accept new resource requests. Consult your system administrator for more information on this error."
Well, I consulted myself and found that I still couldn't access the performance management hub.
Does anyone know if the settings configured via /pmhub/pm/admin are accessible and editable manually on the server? If they aren't, I will have to reinstall the whole thing which I really don't want to do.
I have downloaded TM1 Top as a backup anyway from developer works if I can't get this thing up and running with CAM.
Re: Operations Console - 403 Error
Posted: Fri Jul 10, 2015 9:06 am
by moby91
Like that?
http://www-01.ibm.com/support/docview.w ... wg21655430
Securing 10.2 Operation Console configuration page
Technote (troubleshooting)
Problem(Abstract)
By default the config page is not secured. This is as designed so that after the initial you can edit the security. Once it is secured, you cannot.
Cause
By Design
Resolving the problem
To secure this page enter the name of a TM1 User or group in the "AdminGroups" field of the com.ibm.ba.pm.resource.security.dictionary service configuration on pmhub Admin page (http://<your server>:9510/pmhub/pm/admin).
For IntegratedSecurityMode=1, you can set AdminGroups to ADMIN, to have users from the ADMIN group accessing /pmhub/pm/admin.
For IntegratedSecurityMode=5, Users and Groups known to the Cognos BI System can be added. The following syntax applies:
Cognos Groups: <empty>:<Cognos Group>
Example: :Everyone
Groups within additional namespaces: <Namespace ID>:<Group>
Example: AD:PMHUB
Users within additional namespaces: <Namespace ID>:<Username>
Example: AD:pm user
(Please note, that the user needs to be entered with his username, not the user ID.)
The next time you try and load the admin page you will see a http 403 exception unless you have previously authenticated via the PM HUB login page as these users.
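A syntax check for the AdminGroups formats listed in the technote above, as an added example that is not part of the original post or IBM's code. The function and type names are hypothetical, and it validates only the string format, not whether the user or group exists.

```python
# Added example: check an AdminGroups value before saving it on /pmhub/pm/admin.
# Format rules come from the technote quoted above; all names here are hypothetical.
from typing import NamedTuple, Optional


class Principal(NamedTuple):
    namespace: Optional[str]  # None = plain TM1 name (mode 1), "" = Cognos group
    name: str


def parse_admin_entry(value: str, integrated_security_mode: int) -> Principal:
    """Parse one AdminGroups entry; raise ValueError if the format is wrong."""
    entry = value.strip()
    if not entry:
        raise ValueError("empty entry: no user or group named")
    if integrated_security_mode == 1:
        # Mode 1: a TM1 user or group name such as ADMIN.
        return Principal(None, entry)
    if integrated_security_mode == 5:
        # Mode 5 (CAM): <Namespace ID>:<name>, or :<Cognos Group> with an empty prefix.
        if ":" not in entry:
            raise ValueError(
                f"{entry!r} has no namespace prefix; use ':<Cognos Group>' "
                "or '<Namespace ID>:<name>'"
            )
        namespace, name = (part.strip() for part in entry.split(":", 1))
        if not name:
            raise ValueError("nothing after the ':' separator")
        return Principal(namespace, name)
    raise ValueError("the technote only describes IntegratedSecurityMode 1 and 5")


if __name__ == "__main__":
    # Constructed sample values: the technote's examples plus a bare "Admin" under CAM.
    for mode, raw in [(1, "ADMIN"), (5, ":Everyone"), (5, "AD:PMHUB"),
                      (5, "AD:pm user"), (5, "Admin"), (5, "")]:
        try:
            print(mode, repr(raw), "->", parse_admin_entry(raw, mode))
        except ValueError as err:
            print(mode, repr(raw), "-> REJECTED:", err)
```

Before saving a value that passes, log in through the PM HUB login page as a member of that user or group, since the technote says the admin page returns 403 to everyone else once the field is set.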
Re: Operations Console - 403 Error
Posted: Mon Jul 13, 2015 4:03 pm
by Derezed
Yes, exactly like that. Thanks for finding the relevant tech note.
So by design we have a safe that only opens when the original named bank manager is still employed by the company. Once he leaves the bank and is replaced, the safe can never be opened again. Slick.
Looks like I will have to override this pointlessly over engineered and under thought security setup by...er...reinstalling Ops console. What a waste of time.
Re: Operations Console - 403 Error
Posted: Mon Jul 13, 2015 5:36 pm
by tomok
Derezed wrote: So by design we have a safe that only opens when the original named bank manager is still employed by the company. Once he leaves the bank and is replaced, the safe can never be opened again. Slick.
In all fairness to IBM you can secure it using either a USER or a GROUP. Anyone daft enough to secure something to a specific user deserves what they get. Now why IBM decided to allow it to be secured by anything other than a group is beyond me.
Re: Operations Console - 403 Error
Posted: Tue Jul 14, 2015 9:06 am
by Derezed
Indeed Tomok, but when it is secured by "blank" after deleting the incorrect input, some common sanity checks would be appropriate...
Group would be appropriate, but I think you're a little hard. If someone has access to the server the web server sits on, surely some basic method of overriding this should be available?
Re: Operations Console - 403 Error
Posted: Wed Jun 01, 2016 6:03 am
by Eugene
Derezed wrote: Indeed Tomok, but when it is secured by "blank" after deleting the incorrect input, some common sanity checks would be appropriate...
Group would be appropriate, but I think you're a little hard. If someone has access to the server the web server sits on, surely some basic method of overriding this should be available?
Derezed, I faced this problem yesterday and the only useful information I could find on the web is this post. So I want to ask you: did you solve this problem without reinstalling OC?
Re: Operations Console - 403 Error
Posted: Fri Jul 01, 2016 8:32 am
by yingchai
Dear all,
I also hit the same error. After I entered a value at AdminGroups, I am not able to access the pmhub admin page anymore.
I also tried to reinstall Ops Console, but that did not work either.
Is there any XML file where I can revert the settings?