企业绩效管理网

 找回密码
 立即注册

QQ登录

只需一步,快速开始

查看: 905|回复: 21

Application Security with rules TM1 9.5.1

[复制链接]

82

主题

414

帖子

607

积分

高级会员

Rank: 4

积分
607
QQ
发表于 2014-3-20 02:45:51 | 显示全部楼层 |阅读模式
Hi guys,

the idea was to use Rules in }ApplicationSecurity-Cube to control visibility of Applications for users. The rules seem to work - the cube is filled with correct access priviliges for groups. But after "Security Refresh" users still can't see their applications (in any Clients - Perspectives and TM1 Web), also not after server has been restarted. If I go to Applications-> Security Assignments for all non-admin groups security is set to 'none'.

Rules in }CubeSecurity and }DimensionSecurity, which have very similar logic, work fine - the users can access only cubes/dimensions defined there.

Does anyone had this problem before?

Thanks a lot.

TM1 9.5.1 HF13, 64-bit Admin-Server
回复

使用道具 举报

87

主题

373

帖子

564

积分

高级会员

Rank: 4

积分
564
QQ
发表于 2014-3-20 04:18:32 | 显示全部楼层
are they fed correctly?
回复 支持 反对

使用道具 举报

83

主题

396

帖子

573

积分

高级会员

Rank: 4

积分
573
QQ
发表于 2014-3-20 04:32:29 | 显示全部楼层
Hi,

For TM1 Web, we've had some issues (IIS) with what seem like caching.

After restarting TM1 *and* IIS all rights were OK.

Good luck.
回复 支持 反对

使用道具 举报

86

主题

396

帖子

584

积分

高级会员

Rank: 4

积分
584
QQ
发表于 2014-3-20 05:11:13 | 显示全部楼层
There are no feeders at all (as well es no skipcheck) -> this works fine for Cubes and Dimensions, but not for Applications.
回复 支持 反对

使用道具 举报

74

主题

428

帖子

599

积分

高级会员

Rank: 4

积分
599
QQ
发表于 2014-3-20 05:23:22 | 显示全部楼层
I would also not really know what to feed, because rules are like:
[Group1, Application1] = s: read;
[Group2, Application2] = s: read;
回复 支持 反对

使用道具 举报

75

主题

409

帖子

574

积分

高级会员

Rank: 4

积分
574
QQ
发表于 2014-3-20 05:30:00 | 显示全部楼层
i assume you typed those rather than copy / paste and they really read;

['Group1', 'Application1'] = s: 'read';

Application security is the inverse of Cube / Dimension / Element security. Everyone gets access to everything unless you state otherwise. Might be an idea to paste a real version of the rules along with an example of what the application hierarchy looks like. The examples are fine but i'm guessing your real rule are not so simple and that might be where the problem lays. The order of the rules is especially critical...
回复 支持 反对

使用道具 举报

83

主题

416

帖子

588

积分

高级会员

Rank: 4

积分
588
QQ
发表于 2014-3-20 05:41:56 | 显示全部楼层
Yes, i typed it;)

I already noticed the fact, that new groups automaticaly see all applications, that's why the idea was to use rules to avoid this.
Original rules were more complicated, but now i have this ones:
['Group1', 'Central Cost Planning'] = S: 'read';
['Group2', 'Market Cost Planning'] =s:'read';
[] = s: 'none';

What i expect is, that after security refresh, my Group1 user will see node Applications and under it node Central Cost Planning (with no children). But this is not the case.

Application structure:

  • Central Cost Planning

    • Data Entry

      • Data Entry -View 1
      • Data Entry-View 2

    • Assumptions

      • Data Entry -View

    • Reporting

      • Report - View 1
      • Report - View 2
      • Report - Excel 1


  • Market Planning

    • Data Entry

      • Data Entry -View 1
      • Data Entry-View 2

    • Assumptions

      • Data Entry -View

    • Reporting

      • Report - View 1
      • Report - View 2
      • Report - Excel 1



Thanks
回复 支持 反对

使用道具 举报

58

主题

371

帖子

514

积分

高级会员

Rank: 4

积分
514
发表于 2014-3-20 05:45:46 | 显示全部楼层
I might also add that it depends on what is actually in the folder(s) as well. For example, if you have a view in one of the folders, it is not enough to just give rights to the applicaton, the user has to have rights to the cube and dimensions that the view uses too. Also, assigning rights to a folder does not assigng rights to all the objects under the folder, just the folder itself. You have to assign rights to each object as well. It should also be noted that if you have rights to a folder, but not to any of the objects underneath the folder, you won't be able to see the folder. You have to have rights to the folder and at least one of the objects unbderneath it.
回复 支持 反对

使用道具 举报

64

主题

404

帖子

556

积分

高级会员

Rank: 4

积分
556
QQ
发表于 2014-3-20 05:47:11 | 显示全部楼层
Thanks for the remark, but this all has already been arranged - cubes/dimension security rules work fine. When user see the applications, they can also open all views and excels.
It is also clear to me, that i have to set rights for ALL application objects. I just started from the very beginning - if it doesn't work for the first level, even in }ApplicationSecurity this nodes are set to read - then i don't need to bother with the rest. As i told in the example above i expect my Group1-User to see Applications->Central Cost Planning, after Security Refresh i see only Applications.
回复 支持 反对

使用道具 举报

78

主题

397

帖子

582

积分

高级会员

Rank: 4

积分
582
QQ
发表于 2014-3-20 05:59:55 | 显示全部楼层
Tati wrote:I just started from the very beginning - if it doesn't work for the first level, even in }ApplicationSecurity this nodes are set to read - then i don't need to bother with the rest. As i told in the example above i expect my Group1-User to see Applications->Central Cost Planning, after Security Refresh i see only Applications.
You can't just look at part of the tree to see if it's going to work because as I explained, you have to have rights to the actual objects themselves, not just the folders they are in, or it's not going to work.

This rule statement: [] = s: 'none'; sets all rights to NONE, meaning no one can see any object in the application tree, either application or folder. Now you have to add rights.

This rule statement: ['Group1', 'Central Cost Planning'] = S: 'read'; gives rights to the folder Central Cost Planning to Group1. It does not give rights to the folder Data Entry, and more importantly, it doesn't give Group1 the rights to the application object Data Entry - View 1. Since Group1 doesn't have rights to any application objects underneath Central Cost Planning they can't see Central Cost Planning. You need to add these rule statements:

['Group1', Central Cost Planning'Data Entry']=s:'read';
['Group1', 'Central Cost Planning'Data EntryData Entry - View 1']=s:'read';

After this, members of Group1 will be ablelto see the Applications folder, expand it and see Central Cost Planning, expand it and see Data Entry, expand it and see Data Entry - View 1.
回复 支持 反对

使用道具 举报

您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

QQ|手机版|小黑屋|企业绩效管理网 ( 京ICP备14007298号   

GMT+8, 2018-10-22 21:46 , Processed in 0.208125 second(s), 12 queries , Memcache On.

Powered by Discuz! X3.1 Licensed

© 2001-2013 Comsenz Inc.

快速回复 返回顶部 返回列表