TM1 Forum

I wondered what might be the best practice to deal with the admin user in place from first creation of a TM1 server.
I'd like to disable it (or at least take it out from ADMIN group) as I defined named users being admin now. But switch off the checkbox for the ADMIN group isn't allowed, as I observed...
But if I don't use it on the one hand, and don't want to waste the admin-license on the other hand, how would you all dealing with the ADMIN when going to production?

What IntegratedSecurityMode are you using? If you are using non-TM1, you can probably map Admin to a particular user. I do this with client where we have intergrated login to Windows AD. A rule in the client propoerties cube derives the uniqueID for admin as the relevant windows account. In most instances, there is only one modeller license too which makes this a necessity.

The Admin user is hard-coded into TM1. You cannot delete it nor disable it. AFAIK, it does not count as a user license since it is not a "person" in your installation unless, of course, you use it to log in to TM1 and do things. If you are using integrated login you can do some workarounds, like gtonkin posted, but if you are using Architect or Perspectives there is nothing to stop the user from unchecking integrated login and logging in as Admin. Best practice would be to set a VERY STRONG password for this ID and just let it be.

tomok wrote:Best practice would be to set a VERY STRONG password for this ID and just let it be.

Very strong, like apple.

Wim Gielis wrote:

tomok wrote:Best practice would be to set a VERY STRONG password for this ID and just let it be.

Very strong, like apple.

Yeah, that's why I always change it to "Banana" as soon as I do a new install. I mean, have you smelt one of those things after they've been sitting in the kitchen for 3 days of an Australian summer?

Strong? Freow, nobody can get near the thing without two metre-long barbecue tongs.

(In case any newbies take this seriously, no, I actually use a randomly generated 25+ character long alphanumeric string. But trust me, nobody would get past an over-ripe Australian summer-cooked banana either. They're more likely to die in the attempt.)

tomok wrote:...AFAIK, it does not count as a user license since it is not a "person" in your installation unless, of course, you use it to log in to TM1 and do things. ...

That's the main point for us, as I don't want somebody do something with admin, but instead only with one's named admin user. But in that scenario I don't want to have a 5-digit-EUR priced licence to become over-ripe just laying in the virtual cupboard, like the banana

Thanks a lot to all for your quick replies.

Admin licenses are not counted from the inside out, it's the opposite. IBM doesn't care how many entries you have in the }Clients dimension that have been designated as "Admin", it's how many humans you have in your organization that use an Admin designated ID to log in and perform Admin-like functions.