Pick list and element security

[mmckimson]

I'm a newbie to TM1 and am creating element level security for a list of customers that is rolled up by business unit, and of course this security will only allow a business unit to see it's customers. This customer list is also used as a pick list in another cube upon which a calculation is generated. Will the element level security applied to the customer list carry over to element formatted as a pick list using these customers? If not, is there a workaround?

Thanks in advance!
Mike

[standtrue]

If your picklist type is "dimension" or "subset" then yes, element level security will result in users only seeing the customers they have permissions to in the picklist.

[mmckimson]

If your picklist type is "dimension" or "subset" then yes, element level security will result in users only seeing the customers they have permissions to in the picklist.

This will be really cool if it's true as the customer list I'm working with has over 2500 customers, and the product list has about 4500.

[mmckimson]

If your picklist type is "dimension" or "subset" then yes, element level security will result in users only seeing the customers they have permissions to in the picklist.

Actually, this statement doesn't appear to be true. We have set up element level security on 2 separate dimensions (products and customers) by group. The element security works fine when the dimension is used as a regular dimension in a cube, but shows the entire dimension when it is used as a picklist in a different dimension.

Mike

[mmckimson]

If your picklist type is "dimension" or "subset" then yes, element level security will result in users only seeing the customers they have permissions to in the picklist.

Actually, this statement doesn't appear to be true. We have set up element level security on 2 separate dimensions (products and customers) by group. The element security works fine when the dimension is used as a regular dimension in a cube, but shows the entire dimension when it is used as a picklist in a different dimension.

Mike

I take my statement back. As standtrue stated, the picklist security is working perfectly when I am looking at the picklist in Architect logged in as a user to which the element level security applies. What I see as that user is exactly the combination of products and customers I should see. Where it doesn't work is in the web client (Insight - Connected).

In fact, what it does show in Insight is the secured items appear as they should (using their alias for the element), yet doesn't hide the element for all of the other dimension items that should not be visible and shows them in their normal form, something like this:

1001 Shoes Blue (alias that should be visible)
1002 (element which should be hidden for this group)
1010 Shirt Black (alias that should be visible)
Etc.

Does anyone have any suggestions as to how to get the dimension security to work in Insight - Connected (10.1) for this picklist in Insight? Any help would be appreciated.

Mike

[declanr]

Does anyone have any suggestions as to how to get the dimension security to work in Insight - Connected (10.1) for this picklist in Insight? Any help would be appreciated.

I could be wrong (and hope that I am) but you have to remember that Cognos Insight is a new addition to the TM1 portfolio; this means that it will undoubtedly be FULL of bugs that probably won't get fixed until a few patches down the line... the trick would be keeping a good record of these issues as you come across them and getting someone (possibly on here) to confirm that they experience the same issue/bug and then you can ring up the mighty IBM and beg them to fix it.

[mmckimson]

Does anyone have any suggestions as to how to get the dimension security to work in Insight - Connected (10.1) for this picklist in Insight? Any help would be appreciated.

I could be wrong (and hope that I am) but you have to remember that Cognos Insight is a new addition to the TM1 portfolio; this means that it will undoubtedly be FULL of bugs that probably won't get fixed until a few patches down the line... the trick would be keeping a good record of these issues as you come across them and getting someone (possibly on here) to confirm that they experience the same issue/bug and then you can ring up the mighty IBM and beg them to fix it.

I hope so too. As I've been working on the newest version, we've uncovered a couple of other things that don't work, namely:

The "Analyst" like links in Performance Modeler are quite buggy, particularly when attempting to match items from a pick list to a "real" dimension item in the target. In our case, this was able to be resolved by editing the system-generated link but it shouldn't been necessary.

Performance Modeler not really being able to use TM1 created groups for security correctly whe using the integrated security set to 5. In fact, we discovered that even if we imported groups from Cognos Connection, if we changed the alias in TM1 to make it more friendly for users, rights to the web applications could not be assigned in Cognos Connection. The only way we could do this was to leave the alias in the Cognos\User Group format.

The aforementioned security issue with Insight.

Mike

PS -Tthe element security on the dimensions used as pick lists works perfectly when TM1 Web is selected as the web client. That may have to be the solution for the moment.

[declanr]

The "Analyst" like links in Performance Modeler are quite buggy, particularly when attempting to match items from a pick list to a "real" dimension item in the target. In our case, this was able to be resolved by editing the system-generated link but it shouldn't been necessary.

It has been said once or twice before that I, on occasion, have a slightly pessimistic nature BUT in the case of performance model(l)er and its auto generated TI/Rules code; I honestly doubt that it will ever be "perfect". The power of TM1 is the simple fact that it is so flexible and in order to create an auto code generator that covers all of the aspects that we may want build into our TM1 models, the guys at IBM creating the auto scripts would need the ability to foresee everything that you, I and every other Tom, Dick and Harry may want to do... long rant short... we will always need to adjust any auto generated statements ourselves.

Performance Model(l)er ; although probably a somewhat reasonable introduction to TM1 development will without doubt end up creating a lot of terribly inefficient models - this however will keep anyone who knows their way around TIs and Rules in business for a very long time... see I have some optimism in me

[foogy]

Performance Modeler not really being able to use TM1 created groups for security correctly whe using the integrated security set to 5. In fact, we discovered that even if we imported groups from Cognos Connection, if we changed the alias in TM1 to make it more friendly for users, rights to the web applications could not be assigned in Cognos Connection. The only way we could do this was to leave the alias in the Cognos\User Group format.

Dear Mike,
did you ever find a solution to use TM1 created groups for the approval hierarchy in Performance Modeler when IntegratedSecurity is set to 5? This is exactly my requirement and the documentation on "IntegratedSecurity=5" clearly says that both CAM groups and TM1 groups can be used. However, this works perfectly in TM1 - except for Performance Modeler. Only the CAM objects show up in the application rights editor.

Thanks a lot.
Andreas