Application Security with rules TM1 9.5.1

[Tati]

Hi guys,

the idea was to use Rules in }ApplicationSecurity-Cube to control visibility of Applications for users. The rules seem to work - the cube is filled with correct access priviliges for groups. But after "Security Refresh" users still can't see their applications (in any Clients - Perspectives and TM1 Web), also not after server has been restarted. If I go to Applications-> Security Assignments for all non-admin groups security is set to 'none'.

Rules in }CubeSecurity and }DimensionSecurity, which have very similar logic, work fine - the users can access only cubes/dimensions defined there.

Does anyone had this problem before?

Thanks a lot.

TM1 9.5.1 HF13, 64-bit Admin-Server

[Steve Vincent]

are they fed correctly?

[csjean]

Hi,

For TM1 Web, we've had some issues (IIS) with what seem like caching.

After restarting TM1 *and* IIS all rights were OK.

Good luck.

[Tati]

There are no feeders at all (as well es no skipcheck) -> this works fine for Cubes and Dimensions, but not for Applications.

[Tati]

I would also not really know what to feed, because rules are like:
[Group1, Application1] = s: read;
[Group2, Application2] = s: read;

[Steve Vincent]

i assume you typed those rather than copy / paste and they really read;

['Group1', 'Application1'] = s: 'read';

Application security is the inverse of Cube / Dimension / Element security. Everyone gets access to everything unless you state otherwise. Might be an idea to paste a real version of the rules along with an example of what the application hierarchy looks like. The examples are fine but i'm guessing your real rule are not so simple and that might be where the problem lays. The order of the rules is especially critical...

[Tati]

Yes, i typed it;)

I already noticed the fact, that new groups automaticaly see all applications, that's why the idea was to use rules to avoid this.
Original rules were more complicated, but now i have this ones:
['Group1', 'Central Cost Planning'] = S: 'read';
['Group2', 'Market Cost Planning'] =s:'read';
[] = s: 'none';

What i expect is, that after security refresh, my Group1 user will see node Applications and under it node Central Cost Planning (with no children). But this is not the case.

Application structure:

• Central Cost Planning
  • Data Entry
    • Data Entry -View 1
    • Data Entry-View 2
  • Assumptions
    • Data Entry -View
  • Reporting
    • Report - View 1
    • Report - View 2
    • Report - Excel 1
• Market Planning
  • Data Entry
    • Data Entry -View 1
    • Data Entry-View 2
  • Assumptions
    • Data Entry -View
  • Reporting
    • Report - View 1
    • Report - View 2
    • Report - Excel 1

Thanks

[tomok]

I might also add that it depends on what is actually in the folder(s) as well. For example, if you have a view in one of the folders, it is not enough to just give rights to the applicaton, the user has to have rights to the cube and dimensions that the view uses too. Also, assigning rights to a folder does not assigng rights to all the objects under the folder, just the folder itself. You have to assign rights to each object as well. It should also be noted that if you have rights to a folder, but not to any of the objects underneath the folder, you won't be able to see the folder. You have to have rights to the folder and at least one of the objects unbderneath it.

[Tati]

Thanks for the remark, but this all has already been arranged - cubes/dimension security rules work fine. When user see the applications, they can also open all views and excels.
It is also clear to me, that i have to set rights for ALL application objects. I just started from the very beginning - if it doesn't work for the first level, even in }ApplicationSecurity this nodes are set to read - then i don't need to bother with the rest. As i told in the example above i expect my Group1-User to see Applications->Central Cost Planning, after Security Refresh i see only Applications.

[tomok]

I just started from the very beginning - if it doesn't work for the first level, even in }ApplicationSecurity this nodes are set to read - then i don't need to bother with the rest. As i told in the example above i expect my Group1-User to see Applications->Central Cost Planning, after Security Refresh i see only Applications.

You can't just look at part of the tree to see if it's going to work because as I explained, you have to have rights to the actual objects themselves, not just the folders they are in, or it's not going to work.

This rule statement: [] = s: 'none'; sets all rights to NONE, meaning no one can see any object in the application tree, either application or folder. Now you have to add rights.

This rule statement: ['Group1', 'Central Cost Planning'] = S: 'read'; gives rights to the folder Central Cost Planning to Group1. It does not give rights to the folder Data Entry, and more importantly, it doesn't give Group1 the rights to the application object Data Entry - View 1. Since Group1 doesn't have rights to any application objects underneath Central Cost Planning they can't see Central Cost Planning. You need to add these rule statements:

['Group1', Central Cost Planning\'Data Entry']=s:'read';
['Group1', 'Central Cost Planning\'Data Entry\Data Entry - View 1']=s:'read';

After this, members of Group1 will be ablelto see the Applications folder, expand it and see Central Cost Planning, expand it and see Data Entry, expand it and see Data Entry - View 1.

[Tati]

Thanks for your replay.

Do I put
[]=s: 'none';
in the very beginning of the rule???? And then set the rights?

And once again - i realize that i have to assign rights to each level. I also know, that user can't see views, if user don't have at least read rights to the corresponding cubes and to open this views user have to have right for all dimension.

And once again - even if i assin rights to EVERY application-element manually in the rules and the rights are shown correctly in the cube, after Security Refresh the user from the Group1 still doesn't see ANY applications.

[tomok]

Do I put
[]=s: 'none';
in the very beginning of the rule???? And then set the rights?

Do you realize that the rule above effectively sets all rights to NONE in the entire Application folder? By using this approach you have to assign all rights through rules, not by manually assigning right through the security interface. That's because the rule that makes everything NONE will trump everything else, EXCEPT another rule. And, the order is important because when rules collide with each other, like yours do, then the first one listed takes priority over those listed later. In your case it is appropriate to list the above rule last because that sets all rights to NONE by default. Now, you go in with rules that set the specific rights to the folders/objects and make sure to list them BEFORE the rule above.

[Tati]

Then this is exactly what i do!

I have to set all Applications to none, because the requirement is, that the users see only applications relevant to them. So i have 4 groups, which are supposed to set visibility of applications, all other groups (especially new ones) have rights set to 'none'. When i do it manually in cube - everything is fine. When i empty cube and then assign all the same rights with rules - then it doesn't work!
I try to understand, if this is my mistake. As very similar procedure works for Cubes and Dimension Security - i am confused!

[paulsimon]

Tati

I have the same requirement and I am having the same problems, and yes, I do know which order to put the rules in.

I haven't looked closely, but your first attempt seemed right. You set the two Reads first then the None. You certainly don't want the None at the top. Obviously you need to give READ on the lower level sub-folders, but I believe that you know that. I can show you how to cascade the access rights down to all lower levels if you want.

However, having done all of that, it still does not work, even after a server restart.

Whatever I do with the rules, I either end up with no one having access, or everyone having access to all folders, or a seemingly random lack of access to some sub-folders but access to others, which does not match the pattern of the results of the rules in the }ApplicationSecurity cube at all. I have also found that it is not even consistent. Different users will have different sub-folders missing

If I look at the dialog box for setting Application Security, I always find that it says READ in every combination regardless of the Rules. By comparison if I use a Rule to set security in another Control Cube like }ClientGroups, then I find that this is reflected in the Dialog after a security refresh.

I therefore believe that there are bugs in application security. I am using version 9.5.1. When I get the time I will report this to IBM.

For the moment it is a minor annoyance. We just have to tell people to ignore the folders that are not relevant to them. The underlying security on the TM1 objects prevents them from doing anything that they shouldn't do.

Regards

Paul Simon

[Michel Zijlema]

Just a longshot here... What are the contents of the security cube if there are no rules applied. Is the cube empty or does this hold values? I have seen a similar issue on TM1 9.1.4 where I found someone populated all cells of the security cube with 'WRITE', which is a non-valid entry for application security.
Another thing is applying 'NONE' as a setting - shouldn't you use '' instead, as 'NONE' is a default when security has been applied?

Michel

[mattgoff]

Do I put
[]=s: 'none';
in the very beginning of the rule???? And then set the rights?

No, rules are applied to cells in the order they appear in the rule file and subsequent rules do not over-ride already defined rules. If you put this rule first, all cells will be set to NONE regardless of subsequent rules.

Is there a reason you can't just post the complete rule file you have? I think we're introducing complexity by dealing in hypotheticals.

Matt

[MSidat]

Hi Guys,

We had a similar issues with having rule fired dimension/elements security. Had to tweak the config setting for "PrivilegeGenerationOptimization" for it to work.

Basically setting this to "F" will ensure it treats the relevant security cube as if the sparse consolidation routine is switched off for that cube i.e. will try and read every datapoint (Which is what we had to do), setting it True is like putting skipcheck on.

Setting it to True will increase server load time and security refresh times.

[paulsimon]

Hi

I have a Group which has NONE access at }Applications and all Application Folders below that in the }ApplicationSecurity Cube. Despite that, when I logon with a user who is a member of that Group and no other Groups, the user can see all Application Folders.

Whether I use NONE or blank it makes no difference. Whether I leave the setting alongside }Applications blank and have NONE on all folders below, also makes no difference.

There are no Rules in the }ApplicationSecurity Cube.

I have run a Security Refresh and even restarted the Server but it makes no difference.

If I right click on Applications and select Security Assignments, the setting shows as None which mirrors the value in the }ApplicationSecurity cube.

We are using 9.5.1. Am I missing something obvious or is this a bug?

Regards

Paul

[lotsaram]

Hi Guys,

We had a similar issues with having rule fired dimension/elements security. Had to tweak the config setting for "PrivilegeGenerationOptimization" for it to work.

Basically setting this to "F" will ensure it treats the relevant security cube as if the sparse consolidation routine is switched off for that cube i.e. will try and read every datapoint (Which is what we had to do), setting it True is like putting skipcheck on.

Setting it to True will increase server load time and security refresh times.

No. Setting PrivilegeGenerationOptimization=T will decrease server load time and security refresh time (assuming the security rules are correctly fed.) .. Your description was correct up until the last line.

Note that the default setting of PrivilegeGenerationOptimization is False. Therefore to set this setting to false you can just comment out the paramater or delete it entirely from the configuration file. You would only usually include this parameter unless you explicitly wanted to turn this feature on.

[mattgoff]

I have a Group which has NONE access at }Applications and all Application Folders below that in the }ApplicationSecurity Cube. Despite that, when I logon with a user who is a member of that Group and no other Groups, the user can see all Application Folders.

Whether I use NONE or blank it makes no difference. Whether I leave the setting alongside }Applications blank and have NONE on all folders below, also makes no difference.

There are no Rules in the }ApplicationSecurity Cube.

I have run a Security Refresh and even restarted the Server but it makes no difference.

If I right click on Applications and select Security Assignments, the setting shows as None which mirrors the value in the }ApplicationSecurity cube.

We are using 9.5.1. Am I missing something obvious or is this a bug?

Everything you've said sounds right. We are running 9.5.1 x64 and have no problems limiting access to applications folders. I have only set permissions (for Applications) by the Right-Click->Security Assignments, so it's possible this is a bug related to directly manipulating the }ApplicationSecurity cube-- it's been known to happen. When you say there are no rules, do you mean that your RUX file is empty or that there isn't one? I have 9.5.2 running on my dev box, so unfortunately I can't experiment for you.

Matt