The interaction rights and access control in TM1 Applications

The TM1 Application Server enforces various business rules that determine whether or not a user is permitted to view or edit data. These rules take into account the Rights set on the Application; whether or not a given user has Ownership of the node or Application; and whether or not a node has been Submitted.

There are three basic "layers" of control that are used by the TM1 Application Server for restricting the data or cubes that a specific user can access: TM1 Security, Data Reservation, and the TM1 Application Server Overlay.

TM1 Security: The most fundamental layer.

Data Reservation: Controls who can write to a particular range of cells, but applies only to specific users (not Groups) and is used to enforce the Ownership concept. See Using Data Reservations for details on using Data Reservations.

Security Overlay: This layer also controls who can write to a particular range of cells. Security Overlay, however, applies to all users in the TM1 server, not just the users with rights to the TM1 Application. The Security Overlay is used to enforce the Submission concept to lock data.
Remember: Data Reservation or Security Overlay can never grant more permissive rights than TM1 security permits: they can only further constrain a user’s access.

The following table describes some right enforcement scenarios.

Table 1. Techniques used to enforce TM1 Application Server workflow logic

Concept: Rights
TM1 Server: Element and/or Cell Security
Explanation: When the administrator sets Rights for an Approval or Responsibility Application along the Approval Hierarchy and Control Dimension, these Rights are translated into either Element or Cell Security. Whether Element or Cell Security is used is determined by the Application's configuration.

Concept: Ownership
TM1 Server: Data Reservation
Explanation: When a cube is used in an Approval or Responsibility application, the REQUIREDSHARED mode of Data Reservation is applied to the cube. This mode of Data Reservation requires that a user must hold a Data Reservation before they can write to the cube. The TM1 Application Server grants a Data Reservation to a user who takes Ownership of an Approval Hierarchy node or set of nodes. A Data Reservation is specific to a particular User, not a Group. Only one user can have Ownership of a leaf node at any time. The Data Reservation granted by the TM1 Application Server is scoped to the relevant Approval Hierarchy nodes. If a Control Dimension is used, the Data Reservation is scoped to the writeable Control Dimension slices for the Application.

Remember: The Data Reservation method is set by the TM1 Application Server with an entry in the }CubeProperties control cube that applies to the whole cube. Because the Data Reservation mode applies to the entire cube, even if a TM1 Application is scoped to only one slice of a cube with the Control Dimension, a Data Reservation is required in order to write to any region of the cube.

For Central applications, the ALLOWED mode of Data Reservation is used. This mode permits you to optionally take Ownership if you want to have exclusive write access to all the cells in the scope of the Application. Users in a Central application are able to write by default without taking Ownership, subject to normal TM1 security.

Concept: Submit
TM1 Server: Security Overlay
Explanation: The action of Submitting a node applies only to Approval applications. When a node is submitted, the slice of data that is identified by the Approval Hierarchy node and Control Dimension, if used, is locked, preventing any further data entry. This locking is done with a Security Overlay cube.
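The following is an added illustrative model of how the three layers in Table 1 combine for a write attempt; it is not TM1 or IBM code, and the cube names, groups, users and node names are constructed. It evaluates TM1 Security, then the Data Reservation mode (REQUIREDSHARED for Approval/Responsibility, ALLOWED for Central), then the Security Overlay, and checks the invariant that the lower layers never grant more than TM1 security permits.

```python
from dataclasses import dataclass, field

@dataclass
class Cube:
    """Constructed model of one cube and the three layers that govern writes."""
    name: str
    group_write: dict                # TM1 Security: {group: set of writable nodes}
    dr_mode: str                     # }CubeProperties Data Reservation mode
    reservations: dict = field(default_factory=dict)  # Ownership: {node: user}
    overlay_locked: set = field(default_factory=set)  # Submit: nodes locked by overlay

def tm1_security_allows(cube, groups, node):
    """Layer 1: Element/Cell Security derived from the Application's Rights."""
    return any(node in cube.group_write.get(g, set()) for g in groups)

def can_write(cube, user, groups, node):
    """Evaluate the three layers in order; return (allowed, reason)."""
    if not tm1_security_allows(cube, groups, node):
        return False, "TM1 Security: none of the user's groups has WRITE on this node"
    owner = cube.reservations.get(node)   # a reservation belongs to a user, never a group
    if cube.dr_mode == "REQUIREDSHARED":  # Approval / Responsibility applications
        if owner != user:
            return False, "Data Reservation: REQUIREDSHARED mode and user does not own the node"
    elif cube.dr_mode == "ALLOWED":       # Central applications
        if owner is not None and owner != user:
            return False, "Data Reservation: another user holds exclusive Ownership"
    else:
        raise ValueError(f"unknown Data Reservation mode {cube.dr_mode!r}")
    if node in cube.overlay_locked:       # applies to every user on the server
        return False, "Security Overlay: node has been Submitted and is locked"
    return True, "write permitted"

def never_more_permissive(cube, user, groups, node):
    """Invariant from the text: lower layers can only constrain, never grant."""
    allowed, _ = can_write(cube, user, groups, node)
    return (not allowed) or tm1_security_allows(cube, groups, node)

# Constructed sample data (not taken from any real TM1 server)
APPROVAL = Cube("Plan", {"Planners": {"Europe", "Asia"}, "Readers": set()},
                "REQUIREDSHARED", reservations={"Europe": "alice"},
                overlay_locked={"Asia"})
CENTRAL = Cube("Assumptions", {"Planners": {"Rates"}}, "ALLOWED")

if __name__ == "__main__":
    for user, groups, node in [("alice", {"Planners"}, "Europe"),
                               ("bob", {"Planners"}, "Europe"),
                               ("carol", {"Readers"}, "Europe"),
                               ("alice", {"Planners"}, "Asia")]:
        print(user, node, can_write(APPROVAL, user, groups, node))
```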

Image of the Cube Properties cube settings