Security for Planning Analytics Workspace (PAW) consists of three main parts: users, groups, and roles. These three objects are PAW-specific and only give access to PAW objects (books, views, dimension editors, etc.). Users must first be set up on the Planning Analytics (PA or TM1) side to be given access to a specific PA environment.

This article explains how to set up a user in PAW and assign appropriate groups and roles.

High-Level Overview of PAW security:

  1. Verify that security has been set up in PA/TM1 for all users
  2. Add Groups to PAW
  3. Assign Folder Security to Groups
  4. Add Users to PAW
  5. Assign Roles to Users

To administer PAW, go to Admin -> Administer.

From here you will administer the PAW security settings. These are different from the PA security settings, which are visible from the Control Objects in PAW (}ClientGroups, }CubeSecurity, etc.).

Add Group

PAW Groups are different from PA Security Groups. PAW Groups are useful in determining access to folders in the PAW environment.

There are two ways to add PAW Groups.

  1. “Upload Groups” button – this will upload a CSV file and is similar to how to upload users.
  2. Manually create groups one at a time in PAW.

To upload groups in a CSV:

  1. First click on “Export groups” to download a CSV of current groups.
  2. Edit the file. Be sure to keep the three-column format. In the first column, add any additional groups. In the second column, enter the user ids assigned to those groups. In the third column, add the directive (ADD or REMOVE).
  3. Save and upload the CSV file back into PAW by clicking on the “Upload Groups” button.
  4. View the results.

To create a group manually:

  1. Click the “Create” button.
  2. Fill in the name of the new group and the description as needed.
  3. Select the users that should be part of this group.
  4. View the results.

To edit group membership or other group details, select the group and click “Edit.”

Assign Folder Security

Folder security is used to secure books and views within PAW. Frequently PAW is set up with different folders for different purposes. For example, different departments may require different views or books and want to allow only people in their department to view or edit their folder.

To change a folder’s security, select the three dots in the upper right corner of the folder.

Open Permissions

The following levels of permissions can be assigned for Planning Analytics Workspace content (workbooks, views, and folders):

  • View only – The user can view content in the book but can’t edit it.
  • View & edit – The user can view content in the book and edit the book’s content.
  • Full control – The user has full administrative control over the book and can modify and delete it.

*Note that the ability to view and edit data in PAW requires PA/TM1 permissions.

By default, a new folder will inherit the permissions from its parent folder. You can optionally deselect this feature within the folder’s permissions window.

In this case we want to set Corporate to have Full Control (ability to edit, create, and delete). All other groups will be given no access.

Note that “Full Control” means that any user in the Corporate group can delete content regardless of the user’s PA permissions or PAW Role – be very careful when granting Full Control permission to users.

Although you can assign folder permissions to users and groups, it is best practice to assign permissions to groups alone. Use the ‘Users and groups’ drop-down to select only groups.

Adding User

Adding users to PAW is done most efficiently by uploading a CSV file with the appropriate information. These users will need the same usernames as those in your Planning Analytics environment. It is best practice to add all users at initial setup rather than having the users log in and default to Analyst roles.

** Note that if you have multiple PA environments, these users must be users in the PA environment that connects as the PAW host.

First you need to create a template for importing your PAW users. Select the ‘Export users’ button to generate a CSV file. This CSV file will output the current PAW users.

Update the CSV with the new users you would like to add – you can assign Roles at this time or later. If you leave the current users in the file, they will not be duplicated.

The Status column states if the user is Active, Inactive or Inactive_suspended. Suspended users cannot log in until they are activated. The Directive column states if users should be added or removed (ADD, REMOVE).

To upload the file, select ‘Upload users’ and drag and drop the CSV file into place.

Once loaded you can view the newly added users.

Assigning Roles

Roles control access in PAW alone; they do not determine what cubes, dimensions, or elements are visible to those users. Access to cubes, dimensions, or elements is determined by PA/TM1 security permissions. PAW security sits on top of PA/TM1 security, and a user in PAW will not be able to do anything more or less than what they can do in Architect (i.e. if a user has access to run a process in PA, they will still have access to do so in PAW).

Summary of Roles:

To assign a user a role, click on a specific user to bring up the user profile. Then select “Roles” and make a selection.

All users without an imported assigned role will default to Analyst.
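As an added example (not part of the original article and not IBM tooling), the Python script below reviews a users CSV before upload against the rules described above: the allowed Status and Directive values, usernames that must match PA, the default to Analyst when no role is imported, and Administrator assignments that should be deliberate. The column names, the one-role-per-row layout, the set of PA usernames and the approved-administrator list are assumptions; take the real header row from your own ‘Export users’ file.

```python
import csv
import io

# Hypothetical header names: use the header row of your own "Export users" file.
USER, ROLE, STATUS, DIRECTIVE = "user", "role", "status", "directive"
ROLES = {"Administrator", "Modeler", "Analyst", "Consumer"}
STATUSES = {"Active", "Inactive", "Inactive_suspended"}
DIRECTIVES = {"ADD", "REMOVE"}


def review_users_csv(text, pa_users, approved_admins):
    """Return (line_number, user, finding) tuples for rows to fix before upload."""
    findings = []
    for line_no, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        user, role, status, directive = (
            (row.get(col) or "").strip() for col in (USER, ROLE, STATUS, DIRECTIVE)
        )
        msgs = []
        if directive not in DIRECTIVES:
            msgs.append(f"directive {directive!r} is not ADD or REMOVE")
        elif directive == "ADD":  # REMOVE rows need no role or status review
            if user not in pa_users:  # exact match; PAW needs the PA username
                msgs.append("no matching PA/TM1 username")
            if status not in STATUSES:
                msgs.append(f"unknown status {status!r}")
            if not role:
                msgs.append("no role given, will default to Analyst")
            elif role not in ROLES:
                msgs.append(f"unknown role {role!r}")
            elif role == "Administrator" and user not in approved_admins:
                msgs.append("Administrator role not on the approved list")
        findings.extend((line_no, user, msg) for msg in msgs)
    return findings


# Constructed sample data, not taken from a real environment.
SAMPLE = """user,role,status,directive
alice,Administrator,Active,ADD
bob,Administrator,Active,ADD
carol,,Active,ADD
dave,Analyst,Suspended,ADD
erin,Consumer,Active,ADD
frank,Modeler,Active,DELETE
"""
PA_USERS = {"alice", "bob", "carol", "dave", "frank"}

if __name__ == "__main__":
    for finding in review_users_csv(SAMPLE, PA_USERS, approved_admins={"alice"}):
        print(*finding, sep=": ")
```
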

PAW Security Best Practices

Some tips to keep in mind when building out security in PAW.

  • Create native PA (TM1) security before building out PAW security
  • Add users, assign roles/groups and test their permissions before allowing them to log in
  • Create intentional folder structures that mimic the userbase structure
  • Assign end-users either Analyst or Consumer roles
  • Assign developers Modeler roles if they will be actively developing in PAW
  • Assign users Administrator roles if they will be allowed to actively develop in PAW, grant security permissions, conduct performance monitoring or add/edit users and groups in PAW
  • The first user to log in to PAW will automatically be assigned Admin rights – be intentional about who this is.
  • PAW groups should not necessarily mimic PA (TM1) groups. Think of PAW groups as reporting and data entry groups – who shares which reports or views?

Top PAW Security Questions

  1. What permissions are granted when I create new content (folders, views, books)? When new PAW content (folders, views, or books) is created, that content inherits the permissions of its parent folder by default. In order for this object to be visible to a user, that user must have at least “View only” permission on the folder that contains the object.
  2. What are the minimum permissions I need to grant a user so that they can create new content in a folder? Users must be granted “Edit” permission to create new content within a folder and be assigned, at minimum, an “Analyst” role.
  3. Users with Full Control permission on book/view/folders can modify the permissions of that content. Is there a way to override this? To override the current effective permissions of an object, the ‘Inherit permissions from folder’ checkbox must first be deselected.
  4. What users are able to run a process in PAW? Running a process is a TM1 Security permission, and not a PAW Security permission. Therefore, if the user is able to run a process in Architect, then they will be able to run the process in PAW, regardless of their PAW role.
  5. If a user logs into a dashboard, will they see only the data that they have permission to see? Yes, any user in PAW will only be able to see the data/cube/dimensions/elements/processes that they have been granted access to within their TM1 Security. To edit the access to cubes/dimensions/elements/processes, you must edit a user’s TM1 Security and not their PAW security. If the user does not have permission to see the data within a PAW object, then that object will throw an error, but the rest of the dashboard may still be visible. Keep this in mind when creating dashboards for your users.
  6. I have an “Analyst” user that can access a cube but cannot access the views underneath. Why? Make sure that these views are public and not private views. Then double check this user’s TM1 Security. Can the user see the data in the TM1 cube viewer? If not, grant the user proper access in TM1 Security. Ultimately, PAW Security user roles have no impact on this question, as it is driven solely by TM1 Security. A user could be assigned an Admin role in PAW, but without the TM1 Security permission to see the cube/data/dimension/process, etc., that user still would not be able to see the data in PAW.