TM1 Forum

Hi Guys,

I have a problem.

I have a TM1 server that is IntegratedSecurityLogin=5. I have two admin accounts for the moment. These two user accounts (A and B) are Active Directory accounts.
My problem is when I assign the account B to any (one or all) of non-admin groups, when I try to login using this account B, an error prompts saying 'Client Does Not exist on the server'.

So I logged in using the admin account A. And there I see that the assignment I made for the account B is already gone. Like no marks at all, no traces.

Why does this happen guys?

Prior to this, I wasn't able to see the manually-added groups I created in the Select Group in Performance Modeler when I tried to manage the Rights for my application. (See image)

I noticed that the principal element name convention in TM1 }Groups dimension is CAMID(":<Group Name>"), and a attibute value format for }TM1_DefaultDisplayValue of Cognos\<Group Name>.

I followed the existing formats and was able to see the groups in the selection pane. I did the formatting in TI.

Are these two issues connected?

Please help.


I really appreciate it.


BUnch

Hi mate,

Just wondering if you have fixed this issue already, I am going through the same issue now with CX10.2, I have made sure I add users and tag them to respective groups in Cognos BI before adding and assigning a user to a group in TM1, still no luck.

Cheers,
Venu.

You can't assign users to groups in TM1 if you're using IntegratedSecurityLogin = 5.
The User to Group mapping should be done in Cognos BI or whatever namespace you use (i.e. third party LDAP )
After user connects to TM1, the TM1 }ClientGroups cube will be updated automatically for that specific user.

ardi wrote:You can't assign users to groups in TM1 if you're using IntegratedSecurityLogin = 5.

That is not a correct statement. In security mode 5 it is possible to mix CAM and native TM1 groups. You might not be able to make assignments via the Server Explorer security grid GUI (which is rather useless anyway), but all the other options like TI security functions or writing directly to }ClientGroups are still available and work fine.

I agree with QML (of course).
I do recall, and would welcome input, that with CX 9.5 at least, if you entered membership of Cognos groups via Architect (either via the proper dialogue, or into the cube) that it would be overwritten from the half a$$ed version of CAM which came with that product. I haven't revisited this with 10.2.2 but will try to find the time to do that.
With PA (=10.3), since the shared partner instance at least does not allow access to CAM, I did establish that I could add a 'normal' group via TI and put users into that group, and the membership persisted - PA would have been royally stuffed if that hadn't been possible.

qml wrote:

ardi wrote:You can't assign users to groups in TM1 if you're using IntegratedSecurityLogin = 5.

That is not a correct statement. In security mode 5 it is possible to mix CAM and native TM1 groups. You might not be able to make assignments via the Server Explorer security grid GUI (which is rather useless anyway), but all the other options like TI security functions or writing directly to }ClientGroups are still available and work fine.

Well, what I meant is, you cannot Assign LDAP Users to LDAP Groups in TM1. Actually TM1 will not stop you from doing that, and you assign a non-TM1 user to a LDAP group, the }ClientGroups cube gets populated properly, and that gives you the perception that everything is fine. But next time the user logs in, that kind of membership will be gone