Planning Analytics Security
You can create and implement a security scheme in TM1\Planning Analytics to secure objects and data in your server by defining security groups and clients (users), assigning access permissions to those groups and then assigning users to one or more of the groups. A good security schema will typically consider controlling access at the Element-level – which controls access to cells in a cube that are identified by elements. An example might be preventing a group of users from updating a particular group of general ledger accounts.
Control Cubes
Planning Analytics uses control cubes to manage security (as well as other functionality, including performance monitoring) and automatically generates the control cubes it needs. To see the control cubes within a TM1/PA database you can toggle the display in Server Explorer by clicking View then Display Control Objects. If you are using Planning Analytics Workspace (or PAW), and appropriate permissions have been granted to you, all control objects (including security control cubes) are listed under a separate folder and can be expanded within the Databases pane.
Element Security
Security control cubes apply security privileges for TM1/Planning Analytics objects to user groups on the Planning Analytics database. Element Security cubes apply security privileges based upon elements. You can manually create an element security cube using Architect (if you have administrator privileges) by right-clicking on a dimension for which you want to define element-level security and then select Security, Create Cell Security Cube. TM1 will then automatically create a security control cube using the naming format }ElementSecurity_ CubeName where CubeName is the name of the dimension that you selected.
Although there is a programming method to create a Cell Security cube (CellSecurityCubeCreate creates a security cube from an existing cube), there currently is not an equivalent method to create element security cubes. You can, however, use the ElementSecurityPut() function, and if the }ElementSecurity_ cube does not already exist, Planning Analytics will create it.
Don’t Want Security on a Dimension?
Regardless of how you chose to create an Element Security cube within your Planning Analytics database, suppose you inadvertently create an element security cube on a dimension that should not have it? Or you “inherit” a model that includes element level security on a dimension that no longer requires security at that level?
The following simple steps can be used to remove and reset security on a specific dimension:
- Identify the dimension that you wish to remove implemented element security. In other words, if element security has been implemented on a dimension, you should find an element security control cube for that dimension.
- Remove the }ElementSecurity cube and refresh security. This will reset security for all the elements within the dimension to WRITE for all security groups.
Note: Be careful when making any changes (security or otherwise); we would advise you “prototype” any maintenance in a development environment first and then promote or repeat th validated changes to your controlled or production environment to avoid incorrect results or even loss of data.
An Example
In the below illustration, we see that element security has been implemented on the Model dimension as the }ElementSecurity_Model control cube shows:
If you right-click on the cube and try to delete the cube, you will notice that the Delete Cube… option is grayed-out and disabled (regardless of your access privileges):
To properly remove the control cube, you can use the CubeDestory function. This is a TurboIntegrator function, so it is valid only in a TurboIntegrator process, so you’ll need to create a new process (the below image is using Planning Analytics Workspace):
Once you have a new process, you can add the function’s to the Prolog section of the process in the following fashion (note: when I am working with security, I always add a SecurityRefresh as the last step in my script):
Finally, save the process and run it. Once it is complete, check that indeed the }ElementSecurity_ CubeName control cube has been removed. If you feel that you need some assistance performing these steps, please reach out to QueBIT and we will be glad to asset with this or any there Planning Analytics security need.