TM1 Forum

Hi,

I have a requirement to hide payroll information in an opex model from the administrator of TM1. We are now using 9.5.

I have tried using security rules against the }ElementSecurity_Employee cube without success. I set up the following rules:

['XX_DUMMY','ADMIN']=S: 'READ';
['XX_DUMMY','DATAADMIN']=S: 'READ';
['XX_DUMMY','SECURITYADMIN']=S: 'READ';

['ADMIN']=S: 'NONE';
['DATAADMIN']=S: 'NONE';
['SECURITYADMIN']=S: 'NONE';

with the intention that the admin users could have access to the Dummy element and no others. I have refreshed the security and restarted the service.

Also, with the knowledge that the admin users can remove the rules in place, do you have any suggestions on how to monitor that the security is not manipulated?

Thanks,

Bryan

Admin is Admin.

The access levels of the default admin groups cannot be overwritten by manual entry (either direct values or rules). This is one of the things we have to live with in the TM1 security model.

If it is imperative that the admin not be able to see payroll data then the best way to do this is to have payroll residing on a separate TM1 server instance where admin rights are more restricted. Of course this can have implications depending on your licensing model.

Thanks. That's what I thought.

I saw an earlier thread that suggested through the use of rules you could make the Admin user unusable, so I thought I'd have a quick play with some rules.