TM1 Security to restrict users from Compensation cub ...

670648633

Question regarding TM1 Security to restrict users from accessing Compensation cube or Salary data
---------------------------------------------------------------------------------------------------------------------
TM1 Ver 9.5.2 (64-bit) running on Windows Server 2008 R2

In my model I have Finance and Compension cubes
I have implemented Element level security on scenario and department dimensions and it all works great.
Basically I have one group per department and the users are assigned to the group(dept) they own.
(I am using rules to accomplish this). The users have WRITE Access to both cubes so they can enter budget data.

The client would like to add a couple of new users who would have READ access to ALL Departments but only in FINANCE cube and NOT in Compensation cube. Alternatively, it would be ok if these users see the Compensation cube but be able to see the "Salary" element.

I have tried several different approaches including rules in the CubeSecurity cube, but to no avail. I would appreciate any ideas that you may have to accomplish this. thank-you in advance.

小蚂蚱

Surely for their group if you give that group only read access to the finance cube that should do it as the salary bit is an alternative. If this isn't the case I may have misunderstood you and you may need to expand a little further.

BTW What's a TM1Guru doing, asking for help from us mere mortals???  

jinanday

TM1Guru wrote:The client would like to add a couple of new users who would have READ access to ALL Departments but only in FINANCE cube and NOT in Compensation cube.  Alternatively, it would be ok if these users see the Compensation cube but be able to see the "Salary" element.

It's pretty simple. Create a group for these new users, give that group READ to all elements in the Departments dimension, and NONE to the Compensation cube (in CubeSecurity). BTW, you did say NEW users. If these users aren't NEW, meaning they are already TM1 users with other rights, then this may not work because TM1 security rights are cumulative. You get the combination of all the rights you have from all the groups you are in. But you already knew that, right, being a guru and all.  

公孑

Hi,
I really appreciate the suggestions. It is working now. Just an FYI - Here is what I have done.

a) Created a group called "NoComp"
b) Assigned the new user to "NoComp" group ONLY

c) Provide "NoComp" Group READ Access to all departments (See rule below)
Rules in the Element Security Cube of Department dimension
------------------------------------------------------------------------
['Admin'] = S: STET;
['TOTAL'] = S: 'READ';
['NoComp'] = S: 'READ';
[] = S: IF (!Department @= !}Groups, 'WRITE', 'NONE');

https://picasaweb.google.com/115664559711295198173/March282013#5860426302323701298


d) For the Compensation cube, provide no rights to "NoComp" group (see rule below)
Rules in Cube Security
------------------------------------------------------------------------
['Admin'] = S: STET;
['Compensation','NoComp'] = S: 'NONE';
[] = S: 'WRITE';