TI Security

[MSidat]

TM1 Guru's,

I have been trying to get a series of TI's to be execute only for normal users in my TM1 Model. In the Process Security window everythings greyed out except Read and None. So for the Ti's in question i have set it to Read for the relevant group and this enables them to not only run but also gives them the option to view and edit the process (they can enter edit mode but obviously the security does not allow them to save it). I have then ticked the Security Access option for the TI's, this stops the Edit option becoming available but the View option is still there.

I may be wrong, but am sure view was not avaiable by default for non admin users in 9.0.2 we have upgraded to 9.5.2 now.

Is there a way of making TI purely execution only?

Thanks in advance.

[dan.kelleher]

One option would be to nest a TI within another TI using the ExecuteProcess() function. You could then restrict access to the nested TI process, and allow access to the parent process.

[MSidat]

Dan, thanks for the suggestion.

I think it would be the way to go if the processes did not have varying numbers of input parameters inorder for it to functions, which would ultimately mean having one extra TI for each TI and in my case it would mean an extra 50+ TI's just to lock down the TI Code.

**###Thinking Aloud**###
I suppose I could have a 2d Cube consisting of Clients/Processes where the parameters are stored first through excel using a DBSS before the TI is called and the Master TI would always have one parameter i.e. the name of the TI to be executed, the Master TI could then look up the value in the cube against the client name using the TM1User method and "Split" the string to obtain the parameters. The Master TI could then go through a series of IF Statements to execute the TI where the IF Statement matches the number of parameters required.

This could potentially have an extra benefit of logging what parameters are passed to these TI's as an Audit Tool or even when comes to debugging any TI errors.
**###Thinking Aloud**###

Anyone have any thoughts on this idea, it does seems a little OTT just to lock down the TI Code, surely an execution only security mode for TI's must exist

[lotsaram]

Anyone have any thoughts on this idea, it does seems a little OTT just to lock down the TI Code, surely an execution only security mode for TI's must exist

Well READ access to a TI for any non-admin user would seem to fit the bill for "execution only security mode". Or are you meaning that you want users to be able to execute a process with a set of predefined parameter values with no ability to edit parameters? Setting up a chore for the processes with param values defined would seem to fit the bill and give users read access to the chore but not the process, but you would still need a chore for each process you wanted to implement this for.

Although your idea of a string cube to hold process names and a concatenated string of parameter names and values may seem over the top I think it would be workable and might dovetail nicely with the Bedrock code TI code library. If you are looking for stock code that splits strings based on delimiter characters Bedrock is an excellent place to start.

[MSidat]

Lotsaram,

The READ Access seem to gives users access to not only execute but also to right click the TI and click on view whereby they can see all the tabs in the TI Editor. Granted they cant change or save anything but we still feel it is a security risk for them to see the data source and the logic employed in some of the Ti's.

I dont have access to 9.0.2 at the moment But I am pretty sure READ access did not give the users the ability to right click and VIEW a ti, and it only allowed the "Run" option to be selected and change the parameters if applicable.

Once an opportunity allows, I will try to create the Ti Boiler plate for my idea.

[lotsaram]

I wasn't aware of READ access to a TI giving non-admin users anything other than access to the "Run" option on the right click menu. If they can see the variables and code tabs then that would be a bug IMHO.

[qml]

If they can see the variables and code tabs then that would be a bug IMHO.

It has been like that for a while now, definitely in all 9.5.x versions, and probably way before that (9.4.x?). It's really hard to tell with these guys if it's meant as a new, undocumented functionality, or if it's actually a bug.

Edit: I have a feeling this changed with the introduction of DataAdmin and SecurityAdmin groups. Can anyone confirm that?