TM1 Forum

Hi all, I noticed TM1 has a C++ api and was thinking of using visual studio to build a user administration application to manage accounts and access.

TM1 doesn't offer any user friendly tools out of the box so i'm curious how others handle user accounts. Does anyone use one and if not how do you manage accounts?

I currently administer a couple of servers and we use a VB powered spreadsheet to add/remove users and manage group access. Users either complete an excel form or go through a website (which i convert to txt file) and the admin spreadsheet reads and allocates access.

I know that the old built in security isn't that great but calling it un-user friendly is a bit harsh. It's not the most difficult thing to use. You could set something up using spreadsheets as you have for other things. I don't think that many people find the built in security panel that bad. I know most of the clients I've worked with haven't really complained about it.

jim wood wrote:I know that the old built in security isn't that great but calling it un-user friendly is a bit harsh. It's not the most difficult thing to use. You could set something up using spreadsheets as you have for other things. I don't think that many people find the built in security panel that bad.

{Raises hand} I do.

OK, maybe not bad, bad, horrendously bad in a TI Editorsaurus kind of way, and not "an abomination in the eyes of the gods and man" in a Performance Muddler kind of way, but it's not even on the same continent as "good".

Weaknesses:
- No option to store metadata about your metadata. Who requested the login? Why? What access do they require? What are their contact details? When did they last log in?
- Handling access on multiple servers is a beach. Go to each server. Individually. Assign the security groups. Individually. (Granted you can use spreadsheets and tools like Bulk Copy to help with this, but that hardly makes it a one stop shop.)
- No way to filter out the user list or sort it so that you can work on only a subset of clients. To do that you need to go out to the cubes again, and of course that means turning on system objects or alternatively having views to such cubes in your Applications, and...
- No option to "clone" an existing user (new name, new password, same group assignments, same private view/subset folders), much less clone them across multiple servers.
- No option to archive out their views and subsets folders when the account is deleted to "de-clutter" your data directory.

Fiddly, fiddly, fiddly.

What I did was to create an Access database (obviously this is quite a while back, as I turn up my nose in distaste at Access these days) into which I could enter the new user details, select another user if they're to be based on that, and bang, clone the suckers across any and all servers or a subset thereof courtesy of API code. When they're deleted, same thing. Reset the password, same thing.It also pumped the contact details out to Outlook mailing lists. That last part has been screwed by the fact that the powers that be have swapped us over to GMail and much as I justifiably b*tched about the Outlook object model, at least the sodding thing has one.

Weaknesses:
- It got the last active date from loading up the server log files. (It was the same database that I used to query my logs but of course every time I hit the 2 gig barrier on the Access back end database I had to start a new one);
- That information was built around the assumption that the transaction log would contain reliable records of people logging in, as it used to in ye olde versions but doesn't in the current ones;
- It was slow. Gods Access is slow. Until I created a .Net app to write my log files into SQL Server I had no idea how slow, just that it was SO slow;
- Being Access it wasn't really practical as a solution for multiple administrators.

That's why I've started to rebuild it as a VB.Net app with a SQL Server back end but it's only a "sometimes on the train" project since the Access database and its API code can still handle the nastier aspects of client management.

Alan Kirk wrote:{Raises hand} I do.

OK, maybe not bad, bad, horrendously bad in a TI Editorsaurus kind of way, and not "an abomination in the eyes of the gods and man" in a Performance Muddler kind of way, but it's not even on the same continent as "good".

I never said it was good, and I wasn't pointing out that you cant get any from it, I was simply saying that saying it is un-user friendly was bit harsh. The interface while a bit bricky isn't difficult to understand.

jim wood wrote:

Alan Kirk wrote:{Raises hand} I do.

OK, maybe not bad, bad, horrendously bad in a TI Editorsaurus kind of way, and not "an abomination in the eyes of the gods and man" in a Performance Muddler kind of way, but it's not even on the same continent as "good".

I never said it was good, and I wasn't pointing out that you cant get any from it, I was simply saying that saying it is un-user friendly was bit harsh. The interface while a bit bricky isn't difficult to understand.

I don't think that Gareth was arguing that it was difficult to understand, and I certainly wasn't... but there are other ways that things can be user-unfriendly. Specifically by them being more fiddly than necessary to work with it, or taking you longer to get to where you want to go than you would need to in a well designed tool.

In the case of the clients and groups panel, it's (for example) the fact that if you add a new client they automatically appear at the bottom of the grid. That does have the advantage that it's easier to find them to do their password assignment (if applicable) and group assignments. (Though in reality it was probably done that way to avoid the need to redraw the grid rather than with that advantage in mind.) However if the new user is being brought in to take over Betty Abrahams' role and will need the same group access, you need to scroll alllll the way up to the top of the list to see which groups she's in, make a note of them, scroll alllll the way back to the bottom and (if you have more than a handful of groups) scroll allll the way to the right to check each relevant box. You don't have the option of filtering to those two clients to be able to copy and paste the groups or, better still, selecting the new client and having a menu item that allows you to "Copy groups from client x". Yes, you can do that through the client groups cube, but then what should be a one step process becomes several steps (factoring in navigating to wherever the cube or your view of it is), and multiply this by N for the number of servers that you have. Then there's the issue of tracking information about the account in the ways that Gareth and I described; there's no integrated way of doing that so again you would need to do it externally when you reply on the built-in tools, and that's another step needed. So yes, the process is simple, no argument with you there... but no, I wouldn't call it user friendly.

Another example is the cube security assignment grid. It's a no-brainer, dead easy to understand, I would agree completely on that point. But it's slow and lumbering to load, and you can't filter either the cube list or the group list so there's a bunch of scrolling to do. Again, if you want to assign the same permissions to multiple cubes there is no copy and paste option. Do it through the security cube, some might suggest. Yes, you can do that BUT the grid automatically handles assigning the security to the dimensions as well, while entering directly to the cube security view doesn't so unless you want to handle that manually as well you have no choice but to either do it through the grid or write a TI to do it. That one's been on my "make a replacement for it" list for a while as well, but admittedly with very low priority since thankfully it's something that I don't have to do very often. Again really simple to use... but I still don't think I'd call it user friendly on that basis.

Your not wrong on any of your points and your arguments are sound. You have swayed my opinion some what. I guess for me it would make sense to build one but it would depend on the number of users you're looking at and how often you would see adding / removing users. If you've got a model with only 10 users I couldn't see the point.

I does ask the question why IBM haven't really looked at this? They introduced the admin console that helps you create services easily and manage the CFG settings. Surely building security setting in to this would have made a service admin one stop shop?

Thanks for the feedback guys, you both bring up some interesting points. I didn't mean that the default account management is useless but as Alan mentioned, if you are managing hundreds of users over multiple servers, it can get cumbersome. Our users ask for the rights they want (so it can be authorised) and automation means it doesn't need to be keyed twice as well as making my job quicker and easier not having to compare groups and clients.

Alan, other than being able to monitor when users log on, are there any advantages of using your DB to manage rights when you could store user details as client attributes. I would of thought you could clone and archive subsets/views using TI and bat files. Only asking as we use a spreadsheet that can handle our needs but just thinking of reasons for doing it differently.

I might put together a TI/bat file to archive user objects, thanks for the idea.

Alan Kirk wrote: "an abomination in the eyes of the gods and man" in a Performance Muddler kind of way

I personally cant wait for the 80's style grey buttons come back in style. It's hip to be square action buttons.

Stex