TM1 Forum

Hi all, I am new here and new to TM1, our company is implementing TM1, I am a financial guy not a developer, so please excuse me if my question is stupid.

My question is related to security assignment. In the cube we have a dimension called "Entity", let's say we have 10 departments and 10 managers and 1 director, I want to assign each manager have access to one department and the director have access to all departments. From what I can see, TM1 manage entity security by user groups, is that mean I have to create 10 user groups, each group will include 1 mgr and the director?

Can I create user groups by roles in this case would be Mgr group and Director group, but how do I assign each department to specific user?

Thank you for your help

Welcome to the forum. Security in TM1 is indeed done via groups. What this means in your case is that you cannot assign rights to the Entity dimension to individual users, only groups. The easiest way to accomplish what you want is to create a group for each department then assign the individual user IDs to the groups (departments) they should have access to. Keep in mind though that if you have a breakout between READ and WRITE, meaning some people should have the ability to change numbers and others should only be able to see them then you may have to create even more groups to make that split.

Security is not that difficult in TM1, It's just not that user friendly. Most of the time you end up having to create way more user groups than you initially envision.

thanks for the prompt answer, it helps me understanding TM1 more.

But wow, we have about 100 departments...

A further question: if we have 20 employees in the department, of cause the dept mgr should have access to all employees, what can I do to achieve this without have to assigning each single employee to this mgr?

hereim wrote:But wow, we have about 100 departments...

I'm going to have to LOL at that one. I've had models with thousands of security groups before. Not that big of a deal but you have to spend time creating an infrastructure in TM1 to help manage it when the number of groups get that large.

hereim wrote:A further question: if we have 20 employees in the department, of cause the dept mgr should have access to all employees, what can I do to achieve this without have to assigning each single employee to this mgr?

Well, you didn't say anything about an Employee dimension, you specifically mentioned an Entity dimension. Are you saying the Entity dimension is really a rollup of all the employees? Not that it's wrong to do that, but why would you do that? What is the purpose of the cube that uses this dimension?

tomok wrote:

hereim wrote:But wow, we have about 100 departments...

I'm going to have to LOL at that one. I've had models with thousands of security groups before. Not that big of a deal but you have to spend time creating an infrastructure in TM1 to help manage it when the number of groups get that large.

hereim wrote:A further question: if we have 20 employees in the department, of cause the dept mgr should have access to all employees, what can I do to achieve this without have to assigning each single employee to this mgr?

Well, you didn't say anything about an Employee dimension, you specifically mentioned an Entity dimension. Are you saying the Entity dimension is really a rollup of all the employees? Not that it's wrong to do that, but why would you do that? What is the purpose of the cube that uses this dimension?

Please don't take this the wrong way but TM1 is not a tool for beginning developers. You really should get some professional help. Any fee they charge will way more than pay for itself in speedier implementation times, better models, etc. Trying to do this all yourself is going to prove quite difficult.

well we actually have 1 department cube and 1 employee cube, for budgeting, we have some inputs are at department level, some inputs are at employee level, we thought this way is more flexible and easier to manage.

in the employee cube, the dimension have the same entity structure but just added employee layer at the bottom. now I realized I have to set up/maintain security assignments in both cube/dimension.

so for employee cube, I do have to assign each employee to different department manager groups?

do you mind talk more about your infrastructure to manage a big numbers of groups? Thanks a lot.

So in your employee cube, you have merged the Department Dimension with Employee DImension into one singe dimension ( where Departments are Consolidated Nodes and EMployees are Leaf Nodes? ), or you have 2 separate dimensions in the cube?

If you have one single dimension, then in your Rules or TI processes that populate the }ElementSecurity_Employee cube, you can use ELISANC function to grant access to all EMployees that fall under a specific department.

For example, if you have one Group for each Department, and in }Groups dimension you have an attribute with Department Code, then the Rule Statement below will give WRITE access to all elements that fall under that specific Department in the Dimension Hierarchy


[] = S:
IF(ELISANC('Employee',ATTRS('}Groups', !}Groups, 'Department'),!Employee)=1,
'WRITE',
'NONE'
);

If you have 2 separate dimension, then you may not need to secure only Department dimension. I usually do not secure the EMployee dimension , because EMployees tend to move from one department to another, so I only secure Department

Thank you both tomok and ardi.