Locking out some admins

林玫玫

I think the answer is no, but thought I would ask anyway... Is there a way to prevent some admins having access to one cube in a model?

I know I could put the cube in different model, however I want the sensitive cube to pass data (salaries aggregated to department level) back to the the non-sensitive cube. If they were in seperate models the only way I can see to pass data is via a data export/import which is not secure.

We have two system accountants that develop basic rules, therefore admins, that should not be able to see this information at leaf level.

315196952

This doesn't necessarily help with your question but...

if the 2 System Accountants are only developing "basic rules" is it not preferable to in fact defer that responsibility to someone else considering that the licence for a Developer is circa 拢10k as compared to 拢1500 for a standard read/write user (that is last time I checked anyway.)

香香公主的家

Hmm possibly but we got a pretty good deal on the licenses and it's a big system.

I want to restrict sensitive information to some users which is easy, but lock out all but one admin which I cant think how to do.

gaohua5201

How about adding said 2 users to a new group "AlmostAdmin" and removing them from "Admin"...

... whilst setting "AlmostAdmin" to have Admin access to all cubes (except the one in question.)

They would also need Admin access to all dims, process etc.

itoto

declanr wrote:How about adding said 2 users to a new group "AlmostAdmin" and removing them from "Admin"...

... whilst setting "AlmostAdmin" to have Admin access to all cubes (except the one in question.)

They would also need Admin access to all dims, process etc.

That would work for cubes, even dims but it won't work for processes and chores as the only options for non-admin users are Read or None.  If they don't write TI then perfectly acceptable.

0o小坏o0

AmbPin wrote: but lock out all but one admin which I cant think how to do.

is that not a really bad idea from a business continiuity perspective? what happens when said person is on holiday, off sick, run over by a bus....

wkinki

Lotsaram,
Cheers for the clarification.

AmbPin,
Of course that is just a way to solve the specific question but personally I would point to my earlier post as I tend to recommend that users have the minimum security access possible to do their jobs well. Although this must be combined with a minimum of 2 full Admin users for reasons as pointed out by Steve Vincent.


Does anyone know how the IBM licencing works in regards to giving a user partial Admin access?
I imagine in the case of having Admin access tot he majority of cubes a user would need a full on "developer" licence but at what point does that stop? For example what if a user is standard read/write with admin access to 1 dimension?

sjgogo

Simple answer - there isn't. TM1only has 2 types of license, to get access to various menus that are greyed out to a client you must have the admin license. There is no halfway house - you can limit an admin to just securityadmin or dataadmin (detailed in the help guide) but you still require the admin license in order to use them.

王山振

declanr wrote:How about adding said 2 users to a new group "AlmostAdmin" and removing them from "Admin"...

... whilst setting "AlmostAdmin" to have Admin access to all cubes (except the one in question.)

They would also need Admin access to all dims, process etc.

This almost works, but if they have security admin then they can give themselves access to the cube I want hidden from them.

yseen

If they are only writing rules for a specific few cubes, just give them Admin access to those cubes and give them write access to everything else.

If you need them to be able to change security for other users in addition to having admin access to data then I doubt you would have any option other than giving them full blown Admin access.