Page 1 of 1
Assigning Read access to particular combination in cube
Posted: Thu Apr 12, 2012 3:45 pm
by guru1988fortm1
Hi All,
I am learning TM1 and exploring the security of it
I am using TM1 9.5.2 with Cognos 10.1.1 BI for its security
I have an 15 Cubes in my system in which scenario and year dimensions are present in all the cubes
Here my user wants me to provide read access for 2012(year) Plan(Scenario) for a particular group of users
i am able to provide read access for an element of an dimension
But i dont know how to provide read access for an combination of elements from two different elements
So if anyone who has come across this kind of requirement can help me please
Thanks
Regards
Guru
Re: Assigning Read access to particular combination in cube
Posted: Thu Apr 12, 2012 4:00 pm
by qml
Right click on the cube -> Security -> Create Cell Security Cube. This will create a new control cube in which you can assign rights on a per cell basis, so for any combination of dimension elements. It is even possible to manage security via rules attached to this cube. You can read more on the subject in the product documentation and by searching this forum for "cell security".
That being said, I would try to avoid this solution like the plague. It has a significant negative impact on performance. Also, be aware that cell security overrides any element security, so your existing element security settings will stop working for this cube and you will have to recreate them via cell security.
PS: Interesting nick (and humble, too).
Re: Assigning Read access to particular combination in cube
Posted: Thu Apr 12, 2012 8:57 pm
by Martin Ryan
qml wrote: It has a significant negative impact on performance.
I keep hearing people say that, but have never experienced it myself. I tend to use the security cubes with rules though and I think this actually helps. I set up a master "sysSecurity" cube containing the dimensions that I actually want to apply security on, e.g. Year and Scenario in this example, and control the values in this cube. I then pull the values through to the cell security cube without feeders, but with skipcheck on. The security is still applied and there is no noticeable lag in performance.
Example rule in the cell security cube
Code: Select all
[] = S:
if(DB('sysSecurity',!Scenario,!FinYear,!Product,!Period,'Value')<>0,
'READ', 'NONE');
Re: Assigning Read access to particular combination in cube
Posted: Thu Apr 12, 2012 10:10 pm
by lotsaram
Martin Ryan wrote:qml wrote: It has a significant negative impact on performance.
I keep hearing people say that, but have never experienced it myself. I tend to use the security cubes with rules though and I think this actually helps. I set up a master "sysSecurity" cube containing the dimensions that I actually want to apply security on, e.g. Year and Scenario in this example, and control the values in this cube. I then pull the values through to the cell security cube without feeders, but with skipcheck on. The security is still applied and there is no noticeable lag in performance.
I have to say I agree. Object security and element security are set on startup and security refresh and there can definitely be some overhead for a large or complex model. But I am pretty sure that cell level security is "on demand" that is it is only evaluated when the user makes a read or write request. Sure there must be an additional overhead for the server to compute access rights to cells as it returns a view but in my experience this doesn't seem to be really noticeable. (I take this an an inference from the fact that when a cell security rule is changed no security refresh is needed for it to take effect, unlike element security.)
I have never, and can't imagine ever, implementing cell security with anything other than rules BTW. As the security applies to individual cells it is a direct lookup and there is no concept of consolidation. So even though cell security cubes may be multi-dimensional there is no need or use for feeders (or skipcheck) in these cubes.
I used to be in the avoid cell security camp and I still certainly believe that
most of the time where cell security is implemented it isn't really necessary and good design with element security alone would normally be sufficient. But at least since 9.4 I don't see any evidence of performance impairment using it (and probably before that too.)
Re: Assigning Read access to particular combination in cube
Posted: Thu Apr 12, 2012 11:22 pm
by Martin Ryan
lotsaram wrote:I used to be in the avoid cell security camp and I still certainly believe that most of the time where cell security is implemented it isn't really necessary and good design with element security alone would normally be sufficient.
Yes, I completely agree. I avoid it where possible too, simply because it's a little more complex to maintain and a bit more difficult to trouble shoot. However there is always the case of Current Year/Actual = write but Current Year/Budget = read and Next Year/Budget = write (etc) which comes up very frequently in financial models, so avoiding it entirely is rarely possible.
lotsaram wrote:I have never, and can't imagine ever, implementing cell security with anything other than rules BTW
Good point. I kept thinking I was an exception due to the comments about performance degradation, but other than using TI I suppose there isn't any other (practical) way of using a cell level security cube.
Re: Assigning Read access to particular combination in cube
Posted: Mon Apr 16, 2012 3:02 am
by Martin Ryan
Martin Ryan wrote:qml wrote: It has a significant negative impact on performance.
I keep hearing people say that, but have never experienced it myself.
I take it all back. I was rather foolishly forgetting that an admin's life is much easier than end users'. I've just discovered the rule I am using is adding about 50% overhead time to a large send my system does (30,000 cells, I've tried to change user's habits, but they just won't have it). Sending as an admin takes about 20 seconds when sending locally. As a normal user it takes about 30 seconds. Across Citrix it's substantially more.
Martin
Re: Assigning Read access to particular combination in cube
Posted: Mon Apr 16, 2012 6:59 pm
by guru1988fortm1
Martin Ryan wrote:Martin Ryan wrote:qml wrote: It has a significant negative impact on performance.
I keep hearing people say that, but have never experienced it myself.
I take it all back. I was rather foolishly forgetting that an admin's life is much easier than end users'. I've just discovered the rule I am using is adding about 50% overhead time to a large send my system does (30,000 cells, I've tried to change user's habits, but they just won't have it). Sending as an admin takes about 20 seconds when sending locally. As a normal user it takes about 30 seconds. Across Citrix it's substantially more.
Martin
Thanks all for the replies
i created an cell security cube for all the 8 cubes for which some of my users should have read access only for 2012 budget
and i assigned read access to that combination
it is working fine
, but i cant conclude myself that whether it will have negative impacts
some said that it will take over the element security, if that is the case will it take the element security of year dimension(only for 2012) and scenario dimension(only for budget) for that cube alone
Or does it affect the element security of all dimensions in that cube
And what other negative impacts would be there?
Or is there any other possible ways for this, Please let me know your comments
Thanks all
Guru
Re: Assigning Read access to particular combination in cube
Posted: Mon Apr 16, 2012 7:51 pm
by lotsaram
guru1988fortm1 wrote:... some said that it will take over the element security, if that is the case will it take the element security of year dimension(only for 2012) and scenario dimension(only for budget) for that cube alone
Or does it affect the element security of all dimensions in that cube
And what other negative impacts would be there?
Actually cell security is a funny beast as unlike element or cube security a blank does not mean "NONE". Rather if no cell security is set then the group's access reverts back to what is defined by the cube and element security. Where cell security is defined then yes it will take precedence over element security but if left blank then the lower levels of security take over.
Apart from the performance overhead already mentioned (which I think if you don't intend to DBS tens of thousands of cells is pretty minor) I don't think there are any other negative impacts except for additional maintenance - but if the cells security is rule based then the maintenance should not be an issue.
Re: Assigning Read access to particular combination in cube
Posted: Tue Apr 17, 2012 12:06 am
by Martin Ryan
lotsaram wrote:Apart from the performance overhead already mentioned (which I think if you don't intend to DBS tens of thousands of cells is pretty minor)
Nah, even opening the cube takes 10 seconds vs instantaneous. My security rules might not be ideal, but my concept is as I outlined earlier and no-one's pulled me up on it, so I think there really is just a big bad hit when you implement cell security.
Re: Assigning Read access to particular combination in cube
Posted: Tue Apr 17, 2012 7:28 am
by qml
Martin Ryan wrote:I think there really is just a big bad hit when you implement cell security.
This.
I'm not saying cell security shouldn't be used, but like with anything you need to realise the pros and cons and make an educated decision. From my experience having a cell security cube, especially one with rules, slows down all operations on the main cube by between one and two orders of magnitude. In many cases this is still acceptable, in some it simply isn't.