Cognos Express Element Security limitations?
Posted: Fri Jun 15, 2012 11:44 am
Hi there,
Apologies if this is a know limitation or problem, I've been trying to search for a similar problem now for quite some time without any luck.
We've set up (well we've had someone set up for us), a number of cubes and dimensions within Cognos Express 9.5, for the most part they're working fine. One issue we identified after implementation was the security around the "staff" cube was insufficient. Given the sensitive nature of this cube (it contains salaries, bonuses and other information), we decided it needs to be locked down pretty tight.
After a little investigation we came to the conclusion the only way (we could see) to achieve our required level of lock-down was to set permissions at the element level. In the test environment this worked well, providing the granular level of security we need for this kind of detail.
However when moving to the production environment, along with the "real world" security model, we've found it doesn't work. Not the security itself, but the Web interface for accessing these views on this cube.
The problems is as follows, I've set element level security for a number of different groups. Essentially each element will only have 1 or 2 groups that have (write) access to it, everyone else is "none". As you can imagine, we then put users into the appropriate groups depending on who's details they need to see. However, when the users go to view these details the web interface doesn't bring up anything. It just sits there with it's spinning "working" indicator forever. If I log in to Architect using the same user account, I CAN browse this view fine. It shows the elements we are expecting just fine.
I've had a look through the tm1web.log, even increased the logging level to DEBUG. this is the only message that is given for this issue (I guess it's good we're getting something).
At this point I started getting suspicious it was something to do with security (getting a null value from the GetElementsNameArray method). So as a test I set all the elements in this dimension to give "READ" access to another group my test user was a member of. Upon doing this, it worked. The web interface opened just fine, now displaying the data I had write access to correctly, and, as expected, also showing all the other staff with read access. I un-did my changes and it reverted back to before. Still not loading in the web interface.
Now for the strange part. I then re-set all the security to "READ" for my second group. Again, working fine in the web interface. However I then went through one by one hiding each element this user shouldn't have access to. I got to 51 out of 368 elements before the problem appeared again. As soon as I set the 52nd element to "NONE", the web interface doesn't work. I've tired numerous different elements, all unremarkable, all with the same result.
Has anyone seen this happen before? And if so, how do I fix/work around it?
Thanks a lot,
Cameron
Apologies if this is a know limitation or problem, I've been trying to search for a similar problem now for quite some time without any luck.
We've set up (well we've had someone set up for us), a number of cubes and dimensions within Cognos Express 9.5, for the most part they're working fine. One issue we identified after implementation was the security around the "staff" cube was insufficient. Given the sensitive nature of this cube (it contains salaries, bonuses and other information), we decided it needs to be locked down pretty tight.
After a little investigation we came to the conclusion the only way (we could see) to achieve our required level of lock-down was to set permissions at the element level. In the test environment this worked well, providing the granular level of security we need for this kind of detail.
However when moving to the production environment, along with the "real world" security model, we've found it doesn't work. Not the security itself, but the Web interface for accessing these views on this cube.
The problems is as follows, I've set element level security for a number of different groups. Essentially each element will only have 1 or 2 groups that have (write) access to it, everyone else is "none". As you can imagine, we then put users into the appropriate groups depending on who's details they need to see. However, when the users go to view these details the web interface doesn't bring up anything. It just sits there with it's spinning "working" indicator forever. If I log in to Architect using the same user account, I CAN browse this view fine. It shows the elements we are expecting just fine.
I've had a look through the tm1web.log, even increased the logging level to DEBUG. this is the only message that is given for this issue (I guess it's good we're getting something).
Code: Select all
2012-06-15 15:56:01,796 [9] ERROR Applix.TM1.Web.Page.TM1WebError - Error in: http://servername/TM1Web/TM1WebMain.aspx?action=OpenObject&type=Cubeviewer&value=Staff$$p Staff Planning$$PUBLIC&aid={7ed86632-2672-4814-8dbd-db64d2e0eaa4}&nodeID=[Division].[79]&index=0
2012-06-15 15:56:01,796 [9] ERROR Applix.TM1.Web.Page.TM1WebError - Request Info - Browser: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 3.0.04506.648; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2; .NET4.0C; .NET4.0E; CognosRCP), User Host Name: 192.168.100.36, Method: GET, Encoding: System.Text.UTF8Encoding, Content Length: 0, Content Type:
2012-06-15 15:56:01,812 [9] ERROR Applix.TM1.Web.Page.TM1WebError - Action Type:
2012-06-15 15:56:01,812 [9] ERROR Applix.TM1.Web.Page.TM1WebError - Value:
2012-06-15 15:56:01,812 [9] ERROR Applix.TM1.Web.Page.TM1WebError - Error Details:
System.NullReferenceException: Object reference not set to an instance of an object.
at Applix.TM1.Web.WebControls.CubeViewer.TM1CubeView.GetElementsNameArray(TM1ViewPageData pageData, Int32 row, Int32 col)
at Applix.TM1.Web.WebControls.CubeViewer.TM1CubeView.CollectCellDrillList(TM1ViewPageData pageData, String[][]& cellDrillStrs)
at Applix.TM1.Web.WebControls.CubeViewer.TM1CubeView.GetViewArrayData()
at Applix.TM1.Web.WebControls.CubeViewer.TM1CubeView.LoadView()
at Applix.TM1.Web.WebControls.CubeViewer.TM1CubeView..ctor(TM1CubeViewerControl parent, String viewName, _TM1Server servObj)
at Applix.TM1.Web.WebControls.CubeViewer.TM1CubeViewerControl..ctor(String viewStr, _TM1Server serverObj, TM1WebApplication app, String appID, String nodeID, Int32 index)
at Applix.TM1.Web.WebControls.TM1WebApplication.OpenPlanningView(String viewStr, String appID, String nodeID, Int32 index)
at Applix.TM1.Web.Page.TM1WebMain.ExecuteActionFromUrl(TM1WebApplication app, ITM1WebDisplayObject obj)
at Applix.TM1.Web.Page.TM1WebMain.Page_Init(Object sender, EventArgs e)
at System.Web.UI.Control.OnInit(EventArgs e)
at System.Web.UI.Page.OnInit(EventArgs e)
at Applix.TM1.Web.Page.TM1WebMain.OnInit(EventArgs e)
at System.Web.UI.Control.InitRecursive(Control namingContainer)
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)Now for the strange part. I then re-set all the security to "READ" for my second group. Again, working fine in the web interface. However I then went through one by one hiding each element this user shouldn't have access to. I got to 51 out of 368 elements before the problem appeared again. As soon as I set the 52nd element to "NONE", the web interface doesn't work. I've tired numerous different elements, all unremarkable, all with the same result.
Has anyone seen this happen before? And if so, how do I fix/work around it?
Thanks a lot,
Cameron