TM1 /Cognos Access Manager Authentication Questions

Post Reply
image2x
Posts: 125
Joined: Tue Jun 02, 2009 7:05 pm
OLAP Product: TM1, PAX, PAW, SPSS
Version: 2.0.916.10 on RHEL
Excel Version: 2016
Location: Minneapolis, MN

TM1 /Cognos Access Manager Authentication Questions

Post by image2x »

I've basically gotten TM1/CAM AD authentication (IntegratedSeecurityMode=4) working but I'd like to optimize and have the following questions:

1) Can the client name alias (as stored in }TM1_DefaultDisplayValue) be autopopulated with the user's full name (or some other cn)? When selecting users during the create user process, Cognos even shows "loginname (Full Name)" but it populates the alias with the non-descriptive login name. This means I have to manually enter the user's full name after each setup.

[edit: I think I figured the first one out. The AD objects that Cognos utilizes appear to be "name" and "userPrincipalName". Name can be a person's full name and the userPrincipalName should be the network name. The problem in my case the web-based AD mgmt software we're using was assigning the network name to name instead of assigning full name which is how AD handles it if you create a user manually on a domain controller.]

2) Can a user's AD group assignments be used to autoset assignment in tm1 security groups? For example, if user "tm1" is in two AD groups, "model1" and "model2", when the tm1 user is added to tm1, he'd be assigned to the two existing model1 and model2 groups. It seemed like this was possible ETLDAP (which we had to forgo inorder to permit single login with BI).

[edit: After much tinkering, it looks to me that you cannot in fact use AD Groups with mode 4 integration. They import just fine and you can click an assignment, but when the user logs in, they receive a "You do not belong to any group" message AND your security assignment checkbox disappears. I had to utilize groups created (and populated with AD users) in Cognos BI. Anyone know better???]

3) If I have all regular users in an AD group called "TM1 Prod Users", can I somehow point the create new user interface to that group and have it create accounts for all new users? When browsing groups/users in the user setup window, I can see groups but I can't "drill" to see just their user members. Also, I can't see to specify a user group query when using a "type" search.

Any other general tips on how to minimize the amount of TM1 setup work as new TM1 users are added to AD?

Thanks,
-- John
Top
Post Reply

Return to “IBM TM1, Planning Analytics, PAx and PAW”