List of TM1 Objects that UX Users Require Access to

Hi,

Is there a complete list of TM1 objects (cubes / dimensions / processes) that UX users need access to? I have the “C3 PUser” and “C3 User” groups, but no access rights populated for them. I assume there will be different read / write access for the different groups.

Thanks.

Hi @R.B
The objects for the UX deployment should ship with a copy of the needed security settings on board. You can find this in the cube }APQ Security Manage Object Access.


The minimum access requirements are stored against the group “APQ User” (or this group name could be changed by modifying the name in the }APQ Settings cube). All users who will use the UX must be members of this group.
To change the security it is stored against the APQ User attribute in the respective APQ dimension (i.e. }APQ Cubes, }APQ Dimensions, }APQ Processes).

To set the security, the easiest way is to run the process }APQ.Security.Objects.LoadAccessRights.
However, WARNING: this process assumes you are managing ALL object security in the }APQ Security Manage Object Access cube and not just for the }APQ objects. If this is a new model or PoC I would strongly advise to do this as it will make life easier. If it is an established model then you can copy the access rights into whatever has already been set up to manage security.

If your security management cube and attributes cubes don’t have the settings stored then it’s possible they have been inadvertently cleared. If so the Excel file below should list what access is needed.
APQUXSecurity.xlsx (15.5 KB)

Also FYI, as we are using the REST API, which implicitly does cube data queries for everything, it is a must that all users have access to:

  • any }ElementAttributes cube for which they have dimension read access
  • drill string cubes in addition to drill processes

@cw-ch-scott,

Thanks for that I’ll take a proper look tomorrow.

One thing I did notice is that the APQ User group has write access to a couple of cubes. What will happen if users don’t have write access? We have mostly read-only licenses here so the users don’t have write access to any cubes (set in the }ClientProperties cube).

The only cubes which have write access are }APQ Picklist General & }APQ Picklist Dimension.

I don’t think }APQ Picklist General is an issue as this cube is just provided for the use case of using DBR cells in place of SUBNM. This is mainly applicable for TM1Web applications. For UX deployments where we have the settings service I think this would be very rarely used.

The }APQ Picklist Dimension cube on the other hand is built into the application. You see a slice of this cube when clicking on your user name in the top right of the application. The idea of this is that users can override the global defaults when the settings service is initialized on login. As this is saved in the cube it persists over sessions. This might be especially important for dimensions that have element security applied. If the users are read only then they won’t be able to select default elements for filter selections which are different from the globally set defaults. I don’t think this wouldn’t cause an error but the dialog would present as read only to the user. If you still needed to have this feature (or user level filter default values) then this would need to become a central admin task to set the values.

@cw-ch-scott I’ve given the users access to the objects in the spreadsheet with the exception of the following that don’t exist in the model.

}ElementAttributes_}Cubes
}ElementAttributes_}Dimensions
}Annotation_ApplicationID
}AnnotationAppContextFacets
}AnnotationMeasures
}ApplicationParameters

However, the “View Definition” option doesn’t appear for them. The users are in PUser group. Is it caused by the missing dimensions or is there something else?

The assumption is that all users must be members of the APQ User group, then APQ PUser grants some additional privileges (i.e. being able to create and modify UX views). So membership of just the APQ PUser group is insufficient to do anything, … but I’m only stating this for clarity and I assume that you didn’t do this.

For trouble-shooting

  1. Check that element security has been set for APQ User & APQ PUser groups for }APQ C3 Canvas View dimension
  2. For one of the affected users check their access in architect to }ElementAttributes_}APQ C3 Canvas View and }APQ C3 Canvas View. Write access is needed to both cubes.

I’ll follow up and check if there is anything else needed, but I don’t think so …

Hi @R.B
I think I misread your question. I thought you were talking about these icons to launch the view definition dialog (which we always show even when the user doesn’t have access to the view management app).
But on re-reading I am now pretty sure you are talking about this drop-down menu?

This is kind of a throwback to the earliest days of the UX as the admin apps displayed in this list come from the }APQ C3 Canvas App dimension and not the views dimension.
So for this option to display for the APQ PUser members this group should

  • have READ access to }APQ C3 Canvas App dimension
  • in element security have READ access to the element apq-c3-adm-view
  • apq-c3-adm-view element should have “active” attribute set to value of 1

Pretty sure that should do it!

Note that all other “admin apps” have been decommissioned and don’t do anything. So users should have NONE element security access to the following:
apq-c3-adm-imp-gl
apq-c3-adm-imp-dim
apq-c3-adm-recon
apq-c3-adm-dim-attr
apq-c3-adm-dim-sub
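
The rules given in this thread (read access to each `}ElementAttributes` cube for every readable dimension, the three conditions for the "View Definition" entry, and NONE on the decommissioned admin apps) can be checked against an export of the security assignments. The following is an added example, not part of the original posts or of the APQ/UX code; the snapshot layout, the function names and the `Account` dimension are hypothetical, and the sample data is constructed.

```python
RANK = {"NONE": 0, "READ": 1, "WRITE": 2, "RESERVE": 3, "LOCK": 4, "ADMIN": 5}
APP_DIM = "}APQ C3 Canvas App"
VIEW_APP = "apq-c3-adm-view"
DECOMMISSIONED = ["apq-c3-adm-imp-gl", "apq-c3-adm-imp-dim", "apq-c3-adm-recon",
                  "apq-c3-adm-dim-attr", "apq-c3-adm-dim-sub"]

def has(level, needed):
    """True if an assigned level (blank or missing counts as NONE) meets `needed`."""
    return RANK.get(level or "NONE", 0) >= RANK[needed]

def audit_group(group, snap):
    """Return findings for one group; an empty list means no issue was found."""
    findings = []
    dims = snap["dimension_security"].get(group, {})
    cubes = snap["cube_security"].get(group, {})
    elems = snap["element_security"].get(group, {}).get(APP_DIM, {})
    # REST API rule: READ on a dimension needs READ on its attribute cube.
    for dim, level in dims.items():
        attr_cube = "}ElementAttributes_" + dim
        exists = attr_cube in snap["existing_cubes"]  # skip cubes absent from the model
        if has(level, "READ") and exists and not has(cubes.get(attr_cube), "READ"):
            findings.append(f"{group}: no READ on {attr_cube}")
    # Decommissioned admin apps should carry NONE element security.
    for app in DECOMMISSIONED:
        if has(elems.get(app), "READ"):
            findings.append(f"{group}: {app} should be NONE")
    return findings

def view_definition_visible(group, snap):
    """The three conditions listed in the thread for the View Definition entry."""
    dims = snap["dimension_security"].get(group, {})
    elems = snap["element_security"].get(group, {}).get(APP_DIM, {})
    return (has(dims.get(APP_DIM), "READ")
            and has(elems.get(VIEW_APP), "READ")
            and snap["active_attr"].get(VIEW_APP) == 1)

# Constructed sample, shaped like an export of the security control cubes.
SNAPSHOT = {
    "existing_cubes": {"}ElementAttributes_" + APP_DIM, "}ElementAttributes_Account"},
    "dimension_security": {"APQ PUser": {APP_DIM: "READ", "Account": "READ"}},
    "cube_security": {"APQ PUser": {"}ElementAttributes_" + APP_DIM: "READ"}},
    "element_security": {"APQ PUser": {APP_DIM: {VIEW_APP: "READ", "apq-c3-adm-recon": "READ"}}},
    "active_attr": {VIEW_APP: 1},
}

if __name__ == "__main__":
    print(audit_group("APQ PUser", SNAPSHOT), view_definition_visible("APQ PUser", SNAPSHOT))
```
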