}ApplicationSecurity Cube
Posted: Tue Oct 11, 2011 9:48 am
by appleglaze28
I've tried loading the security of the Application Security by using TI and getting the security setting from the types of attributes I've created for }ApplicationEntries based on the condition I've created in the TI process.
However, I've noticed that the security that I loaded doesn't seem to apply correctly. When I click on any folder in the Application...the list doesn't match the content of the }ApplicationSecurity.
I've double-checked my TI and I've restricted certain folders from certain user groups but when I run the TI...it doesn't comply with the element attribute I've set in the dimension }ApplicationEntries. I need my security to be on a per person basis so this is the fastest way to make sure that everything in TM1 is maintained accurately when a new user is added based on the attributes of the element in the }Clients dimension.
Hope you can clarify it with me 'cause I've been running the process over and over and can't figure out why it won't work. Even when I empty out the }ApplicationSecurity cube the folders are still visible by the users. Only when I click none on all the main folders in the Application Security Assignment does the Application not have that icon to drill down any folder to the user.
Re: }ApplicationSecurity Cube
Posted: Tue Oct 11, 2011 12:29 pm
by tomok
appleglaze28 wrote: I need my security to be on a per person basis so this is the fastest way to make sure that everything in TM1 is maintained accurately when a new user is added based on the attributes of the element in the }Clients dimension.
Security in TM1 is by group, not by user. The only way to have it by user is to create a separate group for each user, make that user the only member of the group, and do your security assignments to the group.
appleglaze28 wrote: Even when I empty out the }ApplicationSecurity cube the folders are still visible by the users. Only when I click none on all the main folders in the Application Security Assignment does the Application not have that icon to drill down any folder to the user.
The only way to keep users from seeing the application objects is to put a NONE in the cell for that object. Unlike the other security, the Application Security does not default to NONE if the cell is blank. I don't know if this is by design but this is the behavior I have seen so I always fully populate the cube with either WRITE, READ, or NONE, depending on the desired security to make sure it works. Don't leave any blank.
Re: }ApplicationSecurity Cube
Posted: Tue Oct 11, 2011 12:43 pm
by Tatiana
@appleglaze28: Just to make sure -> after all the changes you made in the }ApplicationSecurity cube, did you do SecurityRefresh?
@tomok - I also have a question about Application Security - I use 9.5.2 HF8, and after I added ExcelWebPublishedEnabled to the .cfg, Application Security doesn't seem to work at all -> it doesn't matter what I enter into the }ApplicationSecurity cube, it doesn't matter what I choose in the TM1 interface for Application Security -> all rights are set to read in the TM1 interface when I open it after saving changes, in the }ApplicationSecurity cube some other values are shown, and after Security Refresh users still don't have access to Applications. Do you have an idea what can be going on?
Another TM1 model running on the same server without the ExcelWebPublishedEnabled parameter seems to work fine.
Thanks
Re: }ApplicationSecurity Cube
Posted: Tue Oct 11, 2011 12:47 pm
by Michel Zijlema
tomok wrote: so I always fully populate the cube with either WRITE, READ, or NONE
Please note that Application Security only accepts NONE, READ or ADMIN as security setting. I've been working at a site where someone populated the }ApplicationSecurity cube with WRITE security rights, which corrupted the security cube - after this it was impossible to edit the security through the Application Security interface and in the end we had to delete/recreate the }ApplicationSecurity cube to get everything working again.
Michel
Re: }ApplicationSecurity Cube
Posted: Tue Oct 11, 2011 1:14 pm
by lotsaram
Michel Zijlema wrote: Please note that Application Security only accepts NONE, READ or ADMIN as security setting.
Also worth noting that the }ApplicationSecurity cube is fundamentally different from other security cubes in 2 ways.
- Application security has the concept of "inheritance". If a group is given access to a folder then they will have the same level of access to all files and sub-folders. This default can be overwritten by applying different security to sub-folders and objects but this is different from element security in all other dimensions which is "point specific" (this different behaviour makes perfect sense in the context of folder security though)
- NONE security access is given by a string value of "NONE". In all other security cubes NONE access is a blank string in the security cube
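An offline audit of the three rules from the replies above (only NONE, READ or ADMIN are accepted; a blank cell is not NONE; folder access is inherited), as an added example that is not part of the original thread. The CSV export layout, the backslash-separated entry paths and the sample rows are assumptions constructed for illustration.

```python
import csv, io

VALID = {"NONE", "READ", "ADMIN"}  # values the thread says the cube accepts

# Constructed sample export: entry path, group, cell value (not real data).
SAMPLE = """entry,group,value
Finance,Planners,READ
Finance\\Budget,Planners,
Finance\\Budget\\Salaries.xls,Planners,NONE
Finance,Viewers,WRITE
HR,Planners,
HR\\Payroll,Planners,
"""

def load(text):
    """Return {(entry, group): value} with values trimmed and upper-cased."""
    return {(r["entry"], r["group"]): r["value"].strip().upper()
            for r in csv.DictReader(io.StringIO(text))}

def invalid_cells(cells):
    """Cells holding anything other than blank/NONE/READ/ADMIN (e.g. WRITE)."""
    return sorted(k for k, v in cells.items() if v and v not in VALID)

def effective(cells, entry, group):
    """Walk from the entry up through its parent folders and return the first
    explicit valid value; None means nothing is set anywhere on the path."""
    parts = entry.split("\\")
    while parts:
        v = cells.get(("\\".join(parts), group), "")
        if v in VALID:
            return v
        parts.pop()
    return None

def unprotected(cells):
    """Blank cells with no inherited value: per the thread these are NOT
    treated as NONE, so they need an explicit "NONE" to hide the entry."""
    return sorted(k for k, v in cells.items()
                  if not v and effective(cells, *k) is None)

if __name__ == "__main__":
    cells = load(SAMPLE)
    print("invalid values:", invalid_cells(cells))
    print("blank, nothing inherited:", unprotected(cells))
    print("Finance\\Budget / Planners:",
          effective(cells, "Finance\\Budget", "Planners"))
```

Running this against an export before loading the cube with TI catches a stray WRITE and any entry left blank at every level of its folder path.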
Re: }ApplicationSecurity Cube
Posted: Wed Oct 12, 2011 1:22 am
by appleglaze28
Thanks a bunch fellas for the help....I guess when you're too stressed out you kinda forget the logic of it all. Thanks again a lot
Re: }ApplicationSecurity Cube
Posted: Tue Aug 28, 2012 5:21 pm
by ErinL
Bingo - we set security to "write" and now the }ApplicationSecurity cube does not appear to work (everyone is blocked out of the Applications). How do I delete the }ApplicationSecurity cube?
Re: }ApplicationSecurity Cube
Posted: Tue Aug 28, 2012 5:25 pm
by tomok
ErinL wrote: Bingo - we set security to "write" and now the }ApplicationSecurity cube does not appear to work (everyone is blocked out of the Applications). How do I delete the }ApplicationSecurity cube?
Take down the TM1 server service, delete the file }ApplicationSecurity.cub from the data directory, and then restart.
Re: }ApplicationSecurity Cube
Posted: Tue Aug 28, 2012 5:31 pm
by qml
Just delete the }ApplicationSecurity.cub file from the Data directory and restart the service. Then when you go to set up application security via the GUI it will create the cube afresh.
Re: }ApplicationSecurity Cube
Posted: Tue Aug 28, 2012 5:36 pm
by ErinL
I hoped it was that easy, but wanted to be sure - thanks! Also, is the }ApplicationSecurity.Default.blb the Default view of that cube? Should I delete both at the same time?
Re: }ApplicationSecurity Cube
Posted: Tue Aug 28, 2012 6:03 pm
by tomok
qml wrote: Just delete the }ApplicationSecurity.cub file from the Data directory and restart the service. Then when you go to set up application security via the GUI it will create the cube afresh.
This will not always work. You need to take down the service first. This is because if you have any pending data changes in memory, when you take the service down TM1 will save those changes to a .cu$ file and then rename it to .cub and you will still be left with the cube, even though you deleted it earlier. Taking the service down first will flush those changes to disk and then you can delete it.