Application Security with rules TM1 9.5.1

chenbaolei

Hi guys,

the idea was to use Rules in }ApplicationSecurity-Cube to control visibility of Applications for users. The rules seem to work - the cube is filled with correct access priviliges for groups. But after "Security Refresh" users still can't see their applications (in any Clients - Perspectives and TM1 Web), also not after server has been restarted. If I go to Applications-> Security Assignments for all non-admin groups security is set to 'none'.

Rules in }CubeSecurity and }DimensionSecurity, which have very similar logic, work fine - the users can access only cubes/dimensions defined there.

Does anyone had this problem before?

Thanks a lot.

TM1 9.5.1 HF13, 64-bit Admin-Server

fuanxx

are they fed correctly?

香香公主的家

Hi,

For TM1 Web, we've had some issues (IIS) with what seem like caching.

After restarting TM1 *and* IIS all rights were OK.

Good luck.

wcb79

There are no feeders at all (as well es no skipcheck) -> this works fine for Cubes and Dimensions, but not for Applications.

sf656

I would also not really know what to feed, because rules are like:
[Group1, Application1] = s: read;
[Group2, Application2] = s: read;

shaochaowei

i assume you typed those rather than copy / paste and they really read;

['Group1', 'Application1'] = s: 'read';

Application security is the inverse of Cube / Dimension / Element security. Everyone gets access to everything unless you state otherwise. Might be an idea to paste a real version of the rules along with an example of what the application hierarchy looks like. The examples are fine but i'm guessing your real rule are not so simple and that might be where the problem lays. The order of the rules is especially critical...

a23742212

Yes, i typed it;)

I already noticed the fact, that new groups automaticaly see all applications, that's why the idea was to use rules to avoid this.
Original rules were more complicated, but now i have this ones:
['Group1', 'Central Cost Planning'] = S: 'read';
['Group2', 'Market Cost Planning'] =s:'read';
[] = s: 'none';

What i expect is, that after security refresh, my Group1 user will see node Applications and under it node Central Cost Planning (with no children). But this is not the case.

Application structure:

• Central Cost Planning
  
  
  
  • Data Entry
    
    
    
    • Data Entry -View 1
      
    • Data Entry-View 2
      
    
    
  • Assumptions
    
    
    
    • Data Entry -View
      
    
    
  • Reporting
    
    
    
    • Report - View 1
      
    • Report - View 2
      
    • Report - Excel 1
      
    
    
  
  
• Market Planning
  
  
  
  • Data Entry
    
    
    
    • Data Entry -View 1
      
    • Data Entry-View 2
      
    
    
  • Assumptions
    
    
    
    • Data Entry -View
      
    
    
  • Reporting
    
    
    
    • Report - View 1
      
    • Report - View 2
      
    • Report - Excel 1
      
    
    
  
  

Thanks

wquyhytuoy

I might also add that it depends on what is actually in the folder(s) as well. For example, if you have a view in one of the folders, it is not enough to just give rights to the applicaton, the user has to have rights to the cube and dimensions that the view uses too. Also, assigning rights to a folder does not assigng rights to all the objects under the folder, just the folder itself. You have to assign rights to each object as well. It should also be noted that if you have rights to a folder, but not to any of the objects underneath the folder, you won't be able to see the folder. You have to have rights to the folder and at least one of the objects unbderneath it.

245317177

Thanks for the remark, but this all has already been arranged - cubes/dimension security rules work fine. When user see the applications, they can also open all views and excels.
It is also clear to me, that i have to set rights for ALL application objects. I just started from the very beginning - if it doesn't work for the first level, even in }ApplicationSecurity this nodes are set to read - then i don't need to bother with the rest. As i told in the example above i expect my Group1-User to see Applications->Central Cost Planning, after Security Refresh i see only Applications.

cat-hao

Tati wrote:I just started from the very beginning - if it doesn't work for the first level, even in }ApplicationSecurity this nodes are set to read - then i don't need to bother with the rest. As i told in the example above i expect my Group1-User to see Applications->Central Cost Planning, after Security Refresh i see only Applications.

You can't just look at part of the tree to see if it's going to work because as I explained, you have to have rights to the actual objects themselves, not just the folders they are in, or it's not going to work.

This rule statement: [] = s: 'none'; sets all rights to NONE, meaning no one can see any object in the application tree, either application or folder. Now you have to add rights.

This rule statement: ['Group1', 'Central Cost Planning'] = S: 'read'; gives rights to the folder Central Cost Planning to Group1. It does not give rights to the folder Data Entry, and more importantly, it doesn't give Group1 the rights to the application object Data Entry - View 1. Since Group1 doesn't have rights to any application objects underneath Central Cost Planning they can't see Central Cost Planning. You need to add these rule statements:

['Group1', Central Cost Planning'Data Entry']=s:'read';
['Group1', 'Central Cost Planning'Data EntryData Entry - View 1']=s:'read';

After this, members of Group1 will be ablelto see the Applications folder, expand it and see Central Cost Planning, expand it and see Data Entry, expand it and see Data Entry - View 1.