11. Setting up Security in TM1
Introduction to Security in TM1
You can control access to TM1 objects by assigning specific levels of object security to a TM1 group. Each object type in TM1 (cubes, dimensions, processes, applications, chores, etc.) can be assigned its own level of security.
Basic security in TM1 can be defined in 3 steps:
1. Creating and managing clients
2. Assigning clients to groups
3. Defining security for groups
NOTE: Remember, you cannot apply security directly at user level. Users are added to groups, and security is then defined on the groups.
Creating and managing clients
Launch your TM1 app server (if you’re following this series you will already have set up the TM1Beginner app server). Log in to the server, right click on the server icon and go to Security > Clients/Groups …
The security editor will open.
Go to Clients > Add new Client and assign a name TestClient to the new client.
Similarly add a group TestGroup too.
Assigning clients to groups
In the grid, you’ll notice a check box where the TestClient row meets the TestGroup column. Click on it. Then notice that there’s a heading Password under security settings. In the TestClient row, you’ll see Undefined. Click on it, enter 1234 as your password and hit enter. It will ask you to confirm the password, so re-enter it and press OK. Undefined will now change to Defined.
Our TestClient has been created and has been added to TestGroup. We’ll now apply security to TestGroup.
Defining Security for Groups
NOTE: This section is specific to the TM1Beginner server that we’ve been using throughout this series. If you don’t have it, either set it up and create all the objects that we’ve created in this series (follow all the tutorials), or just read the concept from this section and apply it to your corresponding objects.
Go to Cubes in Architect, right click and go to Security Assignments …
Assign TestGroup Read access to the Products cube and Write access to the Products2 cube. For the remaining cubes, set the access to None and click OK.
Similarly, you could do the same thing for dimensions. If users must not access some dimensions, you could go to Dimensions and apply dimension level security to those dimensions. For now, we’ll skip this.
So our TestGroup (and hence all clients added to this group, e.g. TestClient) will only be able to see the Products cube and will be able to write to the Products2 cube. But what if we don’t want the group to write actuals data? This data will be loaded directly. So we need to restrict specifically the Actuals element of the Version dimension. We do this by applying element level security in TM1.
Go to Versions dimension in Architect. Right click and go Security > Element Security Assignments …
Click on Write against Actuals and then from bottom, select Read.
Click Save and OK.
Next we’ll assign security for Processes. TestGroup must not have access to any processes, because running processes is the work of an admin, not of users. We’ll restrict TestGroup’s access to None for processes.
Right click on Processes and select Security Assignments…
You’ll notice that the default access for TestGroup should already be None. If it’s not, change it to None and click OK.
In the same way, you can right click on any object type and assign security in TM1.
Verify the Assigned Security
Log off from your admin account and log in using:
Press F5 to refresh the Architect view.
In Architect, you’ll see that you only have access to the Products and Products2 cubes. You don’t have access to any processes. Double click on the Products2 cube. You will see that you have write access to the budget version. Now go to the Actuals version and verify that you have only read access on that version.
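The checks above can also be written down as a small model, shown here as an added example that is not part of the original tutorial and is not TM1 code. It assumes that across cube and element security the most restrictive right applies to a cell, that across a client's groups the highest right applies, and that a missing assignment means None; the Sales cube is a hypothetical stand-in for "remaining cubes".

```python
# Added example: models how the tutorial's assignments combine for one cell.
# Assumptions (not stated on the page): most restrictive right wins across
# cube and element security; highest right wins across a client's groups;
# a missing assignment is treated as NONE.
LEVELS = ["NONE", "READ", "WRITE"]

# Constructed data mirroring the assignments made for TestGroup.
CLIENT_GROUPS = {"TestClient": ["TestGroup"]}
CUBE_SECURITY = {("Products", "TestGroup"): "READ",
                 ("Products2", "TestGroup"): "WRITE"}
# Only dimensions that have element security defined are listed.
ELEMENT_SECURITY = {"Versions": {("Actuals", "TestGroup"): "READ",
                                 ("Budget", "TestGroup"): "WRITE"}}


def _rank(level):
    return LEVELS.index(level.upper())


def group_cell_access(group, cube, coords):
    """coords maps dimension name -> element name for the cell."""
    rights = [CUBE_SECURITY.get((cube, group), "NONE")]
    for dim, element in coords.items():
        if dim in ELEMENT_SECURITY:  # unsecured dimensions add no restriction
            rights.append(ELEMENT_SECURITY[dim].get((element, group), "NONE"))
    return min(rights, key=_rank)


def client_cell_access(client, cube, coords):
    rights = [group_cell_access(g, cube, coords)
              for g in CLIENT_GROUPS.get(client, [])]
    return max(rights, key=_rank, default="NONE")


def audit(client, expected):
    """Return every check where the modelled access differs from the intent."""
    findings = []
    for cube, coords, want in expected:
        got = client_cell_access(client, cube, coords)
        if got != want:
            findings.append((cube, coords, want, got))
    return findings


# The outcomes the verification step expects; "Sales" is hypothetical.
EXPECTED = [("Products2", {"Versions": "Budget"}, "WRITE"),
            ("Products2", {"Versions": "Actuals"}, "READ"),
            ("Products", {"Versions": "Budget"}, "READ"),
            ("Sales", {}, "NONE")]

if __name__ == "__main__":
    print(audit("TestClient", EXPECTED) or "assignments match the intent")
```

An empty result from audit means the assignments produce the access the tutorial intends; any tuple returned names a cell where the group has more or less access than planned.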
This concludes our tutorial on Security in TM1.
Apply security on Applications. Disable all applications for TestGroup and verify the changes. Then give read access to Products2 cube and verify the change.
p : TestClient