Enforced Password Changes
Posted: Tue Nov 11, 2008 11:44 pm
by Alan Kirk
I just got a request from the higher ups.
I notice in TM1 there is no requirement for Password change after a required period?
Is that possible to set up in TM1?
It is normal practice in the Network systems.
Hmmm.
How do I diplomatically respond "Hey, yeah, we've been asking for that for years now but Iboglix can't be stuffed to do it. But hey, they say that we could use LDAP. Err, no, now that you mention it, that WON'T work with our Web implementation on the VPN."?
That was of course a rhetorical question.
Sigh.
Maybe I could become a DBA. Anybody got a copy of SQL Server For Dummies that they can lend me?
Or I could go to truck driving school.
'Cos I'm suuuuure gettin' sick of all this.
Re: Enforced Password Changes
Posted: Wed Nov 12, 2008 9:24 am
by jim wood
Calm down Capt. You'll be complaining about undo spread next.
As for the issue. When TM1 is checked by internal audit it fails the security element check every year. The security is very poor. We can't do LDAP either. Our IT department don't support LDAP. Joy.
Re: Enforced Password Changes
Posted: Wed Nov 12, 2008 9:33 am
by John Hobson
You'll be complaining about undo spread next.
Oi!

Re: Enforced Password Changes
Posted: Wed Nov 12, 2008 9:34 am
by jim wood
Re: Enforced Password Changes
Posted: Wed Nov 12, 2008 9:52 am
by Alan Kirk
John Hobson wrote: You'll be complaining about undo spread next.
Oi!

I wouldn't worry about me getting in on your act. There are only 144 days until Daylight Savings ends.
I'm marking the calendar and sharpening my scythe even as we speak....

Re: Enforced Password Changes
Posted: Wed Nov 12, 2008 10:38 am
by Steve Vincent
Am I missing something here? }Client Properties - PasswordExpirationDays - forces the user to change password after x days
I have this enforced by a rule;
#Ensure admin account never expires
['PasswordExpirationDays', 'Admin'] = S: 'No Expiration.';

#if pwd is left blank, change "last time updated" to be a year in the past and force the account to
#be invalidated.
['PasswordLastTimeUpdated'] = S:
    IF ( DB('}ClientProperties',!}Clients,'Password') @= ' ' ,
        '20' | SUBST ( Date (NOW-365) ,1, 2 ) | SUBST ( Date (NOW) ,4, 2 ) | SUBST ( Date (NOW) ,7, 2 ) | '000000' ,
        STET);

#if pwd is "<secret default pwd>" set it to expire in 5 days so the user is nagged to alter it.
['PasswordExpirationDays'] = S:
    IF ( DB('}ClientGroups',!}Clients,'ADMIN') @= 'ADMIN' ,
        IF ( DB('}ClientProperties',!}Clients,'Password') @= '<encrypted version of default pwd>' ,
            '5' ,
            '90' ),
        IF ( DB('}ClientProperties',!}Clients,'Password') @= '<encrypted version of default pwd>' ,
            '5' ,
            '90' ));
OK so it's still basic and pees a lot of users off, but at least we pass audits

Most annoying feature is you can't get a reminder longer than 5 days, so if you don't log in very often (like a lot of our users) or happen to be on holiday / off sick when it expires, admin will have to reset it for you. I have submitted an enhancement request to Cognos to allow this to be configurable in the server, not got a possible date for inclusion yet tho.
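An added example, not part of the original post: a Python audit over an exported snapshot of the }ClientProperties values that the rule above manages, flagging the account states an auditor would ask about. The CSV layout, the sample rows and the treatment of a non-numeric PasswordExpirationDays as "never expires" are assumptions; the YYYYMMDDhhmmss timestamp form is the one the rule writes.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export of }ClientProperties (column layout is an assumption).
# Timestamps use the YYYYMMDDhhmmss form that the rule in the post writes.
DEFAULT_PWD = "<encrypted version of default pwd>"  # placeholder, as in the post
SAMPLE = """client,Password,PasswordExpirationDays,PasswordLastTimeUpdated
Admin,x9f3,No Expiration.,20080101000000
alice,k2j8,90,20081001000000
bob,<encrypted version of default pwd>,5,20081110000000
carol,,90,20071112000000
dave,p0q1,90,20080701000000
erin,z7y6,,20080901000000
"""

def audit(export_text, now):
    """Return {client: [findings]} for accounts an auditor would question."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        issues = []
        pwd = row["Password"].strip()
        days = row["PasswordExpirationDays"].strip()
        if pwd == "":
            issues.append("blank password")
        elif pwd == DEFAULT_PWD:
            issues.append("default password still set")
        if not days.isdigit():
            # Assumption: a non-numeric or empty value means the password never expires.
            if row["client"].lower() != "admin":
                issues.append("no expiry configured")
        else:
            changed = datetime.strptime(row["PasswordLastTimeUpdated"], "%Y%m%d%H%M%S")
            expires = changed + timedelta(days=int(days))
            left = (expires - now).days
            if left < 0:
                issues.append(f"expired {-left} days ago")
            elif left <= 5:  # the 5-day reminder window mentioned in the post
                issues.append(f"expires in {left} days")
        if issues:
            findings[row["client"]] = issues
    return findings

if __name__ == "__main__":
    for client, issues in audit(SAMPLE, datetime(2008, 11, 12)).items():
        print(f"{client}: {', '.join(issues)}")
```

Accounts that are already expired are the ones an administrator has to reset by hand, so running the check ahead of the expiry date gives more notice than the 5-day reminder.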
Re: Enforced Password Changes
Posted: Wed Nov 12, 2008 11:42 am
by Adam Buckle
I use integrated login (not to be confused with LDAP) in association with Active Directory. This allows password expiry, reset, protocols etc to be set and determined by parameters in AD. Works great, passes Audit etc. Best thing about it is it allows me to palm off such mundane tasks to system admin. Once I go live with 9.4 I will then only have to give them the cut down security admin for user groups in tm1 and not worry if they are going to break anything, not that they have yet!
Incidentally, I don't know of anyone who has successfully implemented LDAP with TM1? Is there anyone?
Re: Enforced Password Changes
Posted: Wed Nov 12, 2008 12:56 pm
by David Usherwood
We are just about to, for a very large UK insurance group. In their case they had a project to sort out authentication to sort out around a hundred Finance apps and TM1 was one of the five which could meet their requirements.
We _won't_ be using ETLDAP (since it never seems to work). I googled around and found dsquery and dsget. Think these will do the trick.
As a side issue, I found that it is not possible to delete the Admin user. Is this news to my esteemed colleagues? It was to me.
I'll update when the project has been implemented.
Re: Enforced Password Changes
Posted: Wed Nov 12, 2008 1:40 pm
by Steve Vincent
I knew that, but thru the cunning use of rules you can still make it completely unusable

Re: Enforced Password Changes
Posted: Thu Nov 13, 2008 3:28 am
by Alan Kirk
Steve Vincent wrote: Am I missing something here? }Client Properties - PasswordExpirationDays - forces the user to change password after x days
I have this enforced by a rule;
I haven't tested this, but it looks very clever. Still doesn't quite do the job that "real" password expiry methods do, but it's a workaround of sorts....
Re: Enforced Password Changes
Posted: Thu Nov 13, 2008 3:46 am
by Alan Kirk
David Usherwood wrote:
As a side issue, I found that it is not possible to delete the Admin user. Is this news to my esteemed colleagues?
Nope. I think that's documented somewhere, or it was at one point. I seem to recall reading it once many moons (and planetary orbits) ago, but I can't recall where.
It's not unprecedented, though; try deleting the Admin account in a secured Access database and you won't get far either.
I suspect that in TM1's case it's a safeguard against accidentally deleting the last Admin group account, though in practice it'd be pretty easy to put one back in by taking down the server and copying over a new }ClientGroups cube before restarting the server.
David Usherwood wrote:
I'll update when the project has been implemented.
I look forward to reading...