TM1 Forum

Hi there,
in my model, special users have ADMIN-rights to cubes, because they need to be able to save public views.
It works wonderful.
the disadvantage: these users are also able to access and change the cube-rule.
is it possible, to disable the right to change the rule?

Thanks in Advange!

Mark

Considering the cost of administrator license, this sounds expensive!

"SecurityAdmin" group is what you need: they can save public views and cannot change rules/processes

Good Idea, Thanks!

I'll have a look at it, as additionally, the users need to change Cube-Data, too, but I think, I con do this bei additional groups with "Write" lincence to the needed cubes.

Could you get them to save the view as private and give them access to a TI to PublishView?

Sorry, does not work,

someone who is Security-Admin can spend himself ADMIN-rights to cubes, so he can change rules again, can't he?

gtonkin wrote: ↑Fri Jan 15, 2021 3:38 pm Could you get them to save the view as private and give them access to a TI to PublishView?

IMO, this is the answer. We do this for a select group of users that we don't want to make admins but they are responsible for creating reports and views for others in their departments. Works fine.

If you are seeing that someone who is security admin is able to elevate themselves to admin then something is wrong.

My understanding of what security admin is for is to allow the administration of users and security groups to a central IT function without them being able to see the data and or make changes to the application.

We don't really use the feature but if security admin allows you to save a view (and therefore see data) or elevate your own rights then it's not behaving itself or at least its function has changed alot.

But as others have said, it's fairly simple to write a TI to do this and then give a standard user the ability to publish their provate views.

Mark2007 wrote: ↑Fri Jan 15, 2021 3:39 pm someone who is Security-Admin can spend himself ADMIN-rights to cubes, so he can change rules again, can't he?

Just for info: no, they cannot. Only Admin can grant ADMIN access.
I agree with gtonkin, a TI with "PublishView" is the best idea

tomok wrote: ↑Fri Jan 15, 2021 6:21 pm

gtonkin wrote: ↑Fri Jan 15, 2021 3:38 pm Could you get them to save the view as private and give them access to a TI to PublishView?

IMO, this is the answer. We do this for a select group of users that we don't want to make admins but they are responsible for creating reports and views for others in their departments. Works fine.

Thanks to all for the discussion! I'll do it via the process. Thanks!

Regards
Mark

Elessar wrote: ↑Fri Jan 15, 2021 2:48 pm Considering the cost of administrator license, this sounds expensive!

IBM and its partners have been quite aggressive to push their "advanced" license model where all users can be admins and no PVU-limits.