How to prevent users from logging in to TM1 by mistake

Product:

Planning Analytics 2.0.9.3
Microsoft Windows 2019 server

Issue:
In a TM1 solution that uses CAM security with Cognos Analytics, a user can log in to TM1WEB as long as they are validated by CA11, but they then see nothing in TM1 because they have no access in the TM1 product.

But the user leaves a mark (their name) in the }ClientSecurity cube. That may be registered in the ILMT software scan of TM1 license usage.
Can we prevent them from logging in?

Solution:

A Cognos Analytics user who runs reports on TM1 data should in most cases be covered by the CA11 license they have, and not need a license for TM1 access. In many license forms, TM1 access is included in the Cognos BI license.
If you set the tm1s.cfg parameter CreateNewCAMClients=F on a TM1 instance, then no one can log in unless they are already part of the security setup.

This means you have to manually add new users to TM1 security in TM1 Architect.

Please note: to be able to run a Cognos report with TM1 data, the user who runs the report must have read rights in the TM1 cube, and therefore in most cases be registered inside TM1 security. Only when the access to TM1 is done with a special TM1 account in the Cognos Data Source connection may this not be needed.

When CreateNewCAMClients=F and a logon is attempted with a valid set of CAM credentials, but a corresponding Planning Analytics client does not exist in the security cube, the Planning Analytics client is not created and the logon is rejected.
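To check which instances still create clients on first login, the following added example (not code from IBM or from the original post) audits tm1s.cfg contents for the two parameters named here. The instance names and file bodies are constructed, and treating a missing CreateNewCAMClients as T is an assumption about the default.

```python
import configparser

# Constructed tm1s.cfg bodies for three hypothetical instances (not real files).
SAMPLES = {
    "Finance": "[TM1S]\nServerName=Finance\nIntegratedSecurityMode=5\nCreateNewCAMClients=F\n",
    "Sales": "[TM1S]\nServerName=Sales\n# CAM security, parameter left unset\nIntegratedSecurityMode=5\n",
    "Sandbox": "[TM1S]\nServerName=Sandbox\nIntegratedSecurityMode=1\n",
}

def audit_cfg(text):
    """Classify one tm1s.cfg body: 'closed', 'open', 'not-cam',
    'no-tm1s-section' or 'unparseable'."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True)
    try:
        cp.read_string(text)
    except configparser.Error:
        return "unparseable"
    # Section and option names are matched case-insensitively.
    section = next((s for s in cp.sections() if s.upper() == "TM1S"), None)
    if section is None:
        return "no-tm1s-section"
    mode = (cp.get(section, "IntegratedSecurityMode", fallback="") or "").strip()
    if mode != "5":  # the page describes CAM security as mode 5
        return "not-cam"
    # Assumption: a missing parameter behaves as T (client created on first login).
    create = (cp.get(section, "CreateNewCAMClients", fallback="T") or "T")
    return "closed" if create.strip().upper() == "F" else "open"

def audit_all(cfgs):
    """Map instance name -> verdict for a dict of tm1s.cfg bodies."""
    return {name: audit_cfg(body) for name, body in cfgs.items()}

if __name__ == "__main__":
    for name, verdict in audit_all(SAMPLES).items():
        print(f"{name}: {verdict}")
```

An "open" verdict means any user validated by CAM gets a client entry on first login; "closed" means the logon is rejected unless the client already exists.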

Users who have left the company or do not need access to TM1 need to be manually removed from the }Clients dimension.

Users are not automatically removed from a TM1 database – even if the TM1 database is configured for Cognos authentication.  IBM Planning Analytics customers must manually remove users that are no longer licensed to use Planning Analytics and no longer should have access to the TM1 database.

Failing to remove inactive users from the TM1 database may result in over-counting the number of Authorized Users, which can lead to auditing issues.

In Cognos Analytics Configuration you can also require that users be part of a Cognos group to be allowed to log in:

  1. Open Cognos Configuration and under the ‘Security’ tab, click on ‘Authentication’.
  2. Against ‘Restrict access to members of the built-in namespace?’ set the value to ‘True’. This excludes all others from third party authentication sources who are not explicitly part of a Cognos namespace group or role as defined in Cognos Analytics 11.
  3. Save the configuration and restart the Cognos service.

Then the user cannot log in to CA11, and therefore also cannot log in to TM1 instances that use CAM security (IntegratedSecurityMode=5).

 

More information:

https://www.ibm.com/docs/en/planning-analytics/2.0.0?topic=pitfaecp-createnewcamclients

https://www.ibm.com/docs/en/planning-analytics/2.0.0?topic=cmpal-parameters-in-tm1scfg-fileplanning-analytics-engine-configuration-parameters

https://www.ibm.com/support/pages/how-do-you-restrict-users-based-their-license-roles-cognos-analytics-version-1107

https://www.softwareone.com/en/blog/all-articles/2020/10/21/how-does-the-licensing-of-ibm-cognos-analytics-work

https://pmsquare.com/analytics-blog/2021/6/4/setting-up-security-in-cognos

https://www.ibm.com/support/pages/node/6513214

https://www.ibm.com/docs/en/cognos-analytics/11.1.0?topic=roles-default-permissions-based-licenses

https://www-40.ibm.com/software/sla/sladb.nsf/lilookup/D82A3B8F5404959F00258760000B8233?OpenDocument

IBM® TM1® Server generates IBM Software License Metric Tag (SLMT) files. Versions of IBM License Metric Tool that support SLMT files can generate License Consumption Reports that provide information about license usage for your TM1 Server.

For complete details on installing and using IBM License Metric Tool, see IBM License Metric Tool on IBM Knowledge Center.

The initial generation of SLMT files is determined by the LicenseMetricTime tm1s.cfg parameter. When the generation of SLMT files is enabled with LicenseMetricTime, a new SLMT file is created every 24 hours.

The AUTHORIZED_USER metric

The AUTHORIZED_USER metric can have the following subtypes:

  • IBM Cognos Enterprise Planning TM1 Modeler – Any user that is a member of the Admin, DataAdmin, or SecurityAdmin user groups on the TM1 Server.
  • IBM Cognos Enterprise Planning TM1 Contributor – Any user that is not a Modeler, but is assigned to a group with write access to at least one cube on a TM1 Server. A group is defined to have write access for a cube if the group is assigned one of the following security permissions for the cube: Write, Lock, Reserve, or Admin.
  • IBM Cognos Enterprise Planning TM1 Explorer – Any user that is not a Modeler or a Contributor.

For each of these subtypes, the AUTHORIZED_USER metric records the number of users who have logged on to the TM1 Server during the period identified in the SLMT file.
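The subtype rules above, as an added example (not IBM's implementation and not from the original post) that classifies clients from their group membership and cube rights. The client names, groups and cube security entries are constructed sample data standing in for an export of the TM1 security cubes.

```python
from collections import Counter

MODELER_GROUPS = {"admin", "dataadmin", "securityadmin"}
WRITE_RIGHTS = {"write", "lock", "reserve", "admin"}

# Constructed sample: client -> groups, and (cube, group) -> permission.
CLIENT_GROUPS = {
    "alice": {"ADMIN"},
    "bob": {"Planners"},
    "carol": {"Report Readers"},
    "dave": set(),  # validated by CAM, client created at login, no TM1 rights
}
CUBE_SECURITY = {
    ("Sales", "Planners"): "WRITE",
    ("Sales", "Report Readers"): "READ",
    ("Budget", "Report Readers"): "NONE",
}

def norm(name):
    """TM1 object names ignore case and spaces."""
    return name.replace(" ", "").lower()

def subtype(groups, cube_security):
    """Return the AUTHORIZED_USER subtype for one client's set of groups."""
    member_of = {norm(g) for g in groups}
    if member_of & MODELER_GROUPS:
        return "Modeler"
    for (_cube, group), right in cube_security.items():
        if norm(group) in member_of and right.lower() in WRITE_RIGHTS:
            return "Contributor"
    # Everyone else, including a client with no rights at all.
    return "Explorer"

def count_subtypes(client_groups, cube_security):
    """Count clients per subtype, as the metric does for logged-on users."""
    return Counter(subtype(g, cube_security) for g in client_groups.values())

if __name__ == "__main__":
    for client, groups in CLIENT_GROUPS.items():
        print(client, subtype(groups, CUBE_SECURITY))
    print(dict(count_subtypes(CLIENT_GROUPS, CUBE_SECURITY)))
```

The "dave" case is the one this post is about: a client with no groups still falls into the Explorer subtype once it has logged on.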

Location of Software License Metric Tag files

On all operating systems, the SLMT files are created in the slmtag directory at the same level as the bin64 directory in the TM1 install location. For example, C:\Program Files\IBM\cognos\tm1_64\slmtag. All SLMT files use the .slmtag file extension.

I think the modern ILMT tool only reads the }ClientSecurity.cub file to find out the number of users in the TM1 installation.

https://www.ibm.com/docs/en/planning-analytics/2.0.0?topic=installation-monitoring-tm1-server-license-usage

https://community.ibm.com/community/user/businessanalytics/discussion/emailing-reports-to-recipients-and-cognos-license

https://www.linkedin.com/pulse/fact-myth-i-have-correct-ibm-cognos-licenses-bi-tm1-cole-j-d-/

  1. I want to use TM1 Data in a BI report but use TM1 security to pass through from BI. Do I need a TM1 license for the Cognos BI user? TM1 is just another data source to BI. If you want to use TM1 as a base for Cognos BI, you need to have the appropriate Cognos BI license. However, real issue is that to assign security on the TM1 data which is being passed to BI, you need to put the user in a TM1 group. For example, if you need to have cell level security, you need to set them up in TM1. If the user will not access TM1, and are only set up in TM1 to assign security, they will NOT need a TM1 user license. This is specified in the TM1 License which states that BI Analytics Users or Explorers don’t need additional authorized user entitlements to TM1. They do however, need the appropriate IBM Cognos Analytic Server license.

 

Cognos TM1 Licensing 13 Most Common Questions