Cognos BI – TM1 Security Integration
Background
One of our clients recently needed security integration between Cognos 10 and TM1 9.5.1. I did some research and quickly realized that it is not a very straightforward issue. I also came across this IBM technote called "IBM Cognos BI CAM Authentication Limitation with Cognos TM1 Data".
I worked with IBM Cognos support and did some of my own tests to confirm the most appropriate approach in order to overcome these limitations. We came up with 2 approaches, both of which also apply to TM1 9.5.2. Neither of these methods is perfect; however, to my knowledge these are the only available security integration approaches as of this moment. Approach 1 (see diagrams below) is more or less detailed in the IBM article. I believe that Approach 2 is easier to set up and maintain, and that's why I am focusing on that particular approach in this post.
You also need to decide for yourself whether it makes sense to wait or to invest effort in security integration and/or its automation at this point. It is likely that we will see some changes with regard to the BI/TM1 security integration in the next software release.
Glossary
- Application Groups: groups used to secure TM1 objects (cubes, dimensions, elements…)
- TM1 Admin Groups: Admin, Data Admin and Security Admin groups
- Cognos TM1 native groups: groups created in TM1
- Cognos TM1 CAM groups: groups created in the Cognos namespace and then imported into TM1
- Group Membership: joining users to groups
- Group Permissions: Read/Write/None access permissions on TM1 objects, assigned to application groups
- 3rd Party Authentication Provider: Active Directory or other LDAP-compliant authentication provider that contains users for Cognos authentication purposes. The provider is configured as a security namespace in Cognos Configuration.
- CAM: Cognos Access Manager
Overview Diagrams
Security Setup (Data Authentication)
- Import the CAM administrator user (e.g. cogadmin) into TM1 and grant this user TM1 Admin rights by joining the user to the native TM1 Admin group/s. The only native groups that we will leverage are the native Admin groups; they are not imported from the Cognos namespace.
- Switch TM1 Security Mode to 5.
Security Setup (Data Authorization)
- Decide on and create the source (CSV or ODBC) that defines the list of application groups, the application group memberships and the application group permissions.
- Create the TM1 Admin and Application groups in the Cognos namespace. Automate creation of Application groups using the Cognos SDK if required.
- Join users from the 3rd party Authentication Provider to the Cognos namespace groups in the Cognos namespace. Automate group membership using the SDK if required.
- Import users and application groups (CAMIDs) from the Cognos namespace into TM1. Automate using the Cognos SDK and TM1 API/TI if required. There is no need to bring in group memberships; TM1 will rely on the memberships defined in the Cognos namespace. Technically, there is also no need to import users, as they will be imported automatically upon login. However, users deleted in the Cognos namespace will not be automatically deleted from TM1, so if you are going to automate the deletion of users in TM1, you might as well manage the whole process of creation and deletion of users in TM1.
- Assign permissions to the imported CAM groups in TM1 using TI.
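The source file from the first step can be checked before any group or permission is pushed into TM1, and the same run can list users that remain in TM1 after being deleted from the Cognos namespace. The Python below is an added example, not code from the original post or from IBM; the CSV column layout, the sample rows and the function names are assumptions of this example, and the two user lists would in practice be read through the Cognos SDK and the TM1 API.

```python
import csv
import io

VALID_LEVELS = {"Read", "Write", "None"}  # permission levels named in the glossary

# Constructed sample source; the column layout is an assumption of this example.
SAMPLE_SOURCE = """kind,group,target,value
group,Finance Readers,,
group,Finance Planners,,
member,Finance Readers,alice,
member,Finance Planners,bob,
member,Sales Planners,carol,
perm,Finance Readers,cube:GL,Read
perm,Finance Planners,cube:GL,Write
perm,Finance Planners,cube:HR,Admin
"""

def load_source(text):
    """Parse the source and return (groups, members, perms, errors)."""
    groups, members, perms, errors = set(), {}, {}, []
    rows = list(csv.DictReader(io.StringIO(text)))
    # First pass: collect group definitions so row order does not matter.
    for row in rows:
        if row["kind"] == "group":
            groups.add(row["group"])
    for n, row in enumerate(rows, start=2):  # line 1 is the header
        kind, group = row["kind"], row["group"]
        if kind == "group":
            continue
        if group not in groups:
            errors.append(f"line {n}: undefined group {group!r}")
        elif kind == "member":
            members.setdefault(group, set()).add(row["target"])
        elif kind == "perm" and row["value"] in VALID_LEVELS:
            perms[(group, row["target"])] = row["value"]
        else:
            errors.append(f"line {n}: invalid {kind!r} row for {group!r}")
    return groups, members, perms, errors

def stale_tm1_users(tm1_users, cognos_users, protected=("cogadmin",)):
    """Users still present in TM1 but gone from the Cognos namespace."""
    return sorted(set(tm1_users) - set(cognos_users) - set(protected))

def unsecured_groups(groups, perms):
    """Groups that would be imported into TM1 without any permission."""
    return sorted(groups - {g for g, _ in perms})
```

Rows that fail validation are reported and left out of the returned memberships and permissions, so a typo in the source cannot grant access to an unintended group.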
Framework Manager Package Publish (signon setup)
- When creating a connection in Framework Manager, set the signon of the TM1 Datasource to be “No authentication”.
CAM group memberships are still passed to TM1, so if you’ve set up data security based on CAM group membership in TM1, this security will persist.
Integrated Signon
- Set up integrated security in Cognos BI as usual; no special steps are required.
- Set up integrated security in TM1 as usual; no special steps are required.
Users will not have to enter credentials when using Architect, TM1 Web, or Cognos BI. Authentication will happen automatically.