
Domain-Administrator for TM1?

Posted: Fri Aug 11, 2023 8:05 am
by ceddie
Hello,

could there be any reason for the TM1 AD-user to have Domain-Administrator rights? The documentation says that to use the Integrated Login you need an AD-user with sufficient rights like specific file system permissions on the server and directory listing permissions for checking the users.[0] Is there any other use case where you would need an AD-user with more privileges?

Thanks in advance,
Cedric

[0] https://www.ibm.com/docs/en/planning-an ... __title__5

Re: Domain-Administrator for TM1?

Posted: Fri Aug 11, 2023 12:19 pm
by lotsaram
The main issue is access to network resources. The account running the TM1 service doesn't need to be domain admin, but the account needs to have sufficient rights to do what it needs to do, e.g. read from and write to network shared folders which are located on another machine on the network, use the command line to create/delete directories and files, use the command line to launch another executable, connect to an ODBC database on the network with WIA to run a query to load data.

(The above are just some examples of common tasks the TM1 service account would need to perform; it isn't an exhaustive list.)

Re: Domain-Administrator for TM1?

Posted: Mon May 13, 2024 7:36 am
by konstantin-spb
TM1 service account rights and privileges:
* Local Administrator Group
* Act as part of the operating system
* Adjust memory quotas for a process
* Bypass traverse checking
* Log on as a service
* Replace a process level token
* Have read and write privileges on the Windows Registry item (read level access at a minimum)
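
One way to check the user rights named in the list above against what a service account actually holds, as an added example that is not part of the thread: it parses the `[Privilege Rights]` section of a `secedit /export /cfg rights.inf /areas USER_RIGHTS` export and reports rights granted directly to the account. The file name `rights.inf`, the SID, the sample export text and the mapping of display names to `Se*` constants are assumptions supplied here; rights inherited through groups and Local Administrators membership are not evaluated.

```python
# Added example: audit a service account's user rights against the list in the post.
# The account SID and the export text below are constructed sample values.

# Display names from the post mapped to the Windows user-right constants.
LISTED_RIGHTS = {
    "SeTcbPrivilege": "Act as part of the operating system",
    "SeIncreaseQuotaPrivilege": "Adjust memory quotas for a process",
    "SeChangeNotifyPrivilege": "Bypass traverse checking",
    "SeServiceLogonRight": "Log on as a service",
    "SeAssignPrimaryTokenPrivilege": "Replace a process level token",
}

def parse_privilege_rights(inf_text):
    """Return {right: set(principals)} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        # secedit prefixes SIDs with '*'; account names appear without it.
        principals = {p.strip().lstrip("*").lower() for p in value.split(",") if p.strip()}
        rights[name.strip()] = principals
    return rights

def audit_account(inf_text, principal):
    """Compare rights granted directly to `principal` with LISTED_RIGHTS."""
    principal = principal.lstrip("*").lower()
    held = {r for r, who in parse_privilege_rights(inf_text).items() if principal in who}
    return {"not_granted_directly": sorted(set(LISTED_RIGHTS) - held),
            "unlisted": sorted(held - set(LISTED_RIGHTS))}

# Constructed sample export; SAMPLE_SID stands in for the TM1 service account.
SAMPLE_SID = "S-1-5-21-1111-2222-3333-1105"
SAMPLE_INF = """[Unicode]
Unicode=yes
[Privilege Rights]
SeTcbPrivilege = *S-1-5-21-1111-2222-3333-1105
SeIncreaseQuotaPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-21-1111-2222-3333-1105
SeChangeNotifyPrivilege = *S-1-1-0,*S-1-5-32-544
SeServiceLogonRight = *S-1-5-80-0,*S-1-5-21-1111-2222-3333-1105
SeDebugPrivilege = *S-1-5-32-544,*S-1-5-21-1111-2222-3333-1105
[Version]
signature="$CHICAGO$"
"""

if __name__ == "__main__":
    print(audit_account(SAMPLE_INF, SAMPLE_SID))
```

In the sample, `SeChangeNotifyPrivilege` shows up under `not_granted_directly` because it is assigned to Everyone (`S-1-1-0`) rather than to the account itself, and `SeDebugPrivilege` shows up under `unlisted` as a right to review.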