Controlling access to services and shared folders

You can request that only specific computers have access to your web services. You can also control which people have access to shared folders and what their permissions are.

Controlling computer access to web services

Your Planning Analytics services are accessed through a single URL behind an IBM firewall. To enhance security, you should explicitly specify IP ranges of client computers that are allowed to access this URL endpoint. This process is called "allow-listing." Any attempt to connect to your service endpoint from an IP address that is not included in the allow list is blocked by the IBM firewall.

Note: As a best practice, include the IP addresses of all computers that require access to your web services in the allow list.

To ensure a high level of IBM support, the Monitoring tools and Operations team for IBM® Planning Analytics will still have access to your web services, even if you do not include their IP addresses in an allow list file.

  1. Open a service request and assign it to IBM Support.
  2. Create a text file and give it the name incoming_firewall_whitelist.txt. This is your allow list.
  3. In the text file, list the IP addresses that you want to have access to the web services. CIDR notation is supported to allow for IP ranges.
    Tip: Computers whose IP addresses are listed will have access to all web services, for example, FTPS, SFTP, RDP, and HTTPS.

    HTTPS is used by Planning Analytics Workspace, TM1® Web, and Planning Analytics for Microsoft Excel.

  4. Attach the file incoming_firewall_whitelist.txt to the service request.
  5. Submit the service request.
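Before attaching incoming_firewall_whitelist.txt, it is worth checking that every entry parses as a valid address or CIDR range and that no range is broader than intended. The following is an added example (not IBM code or part of this page) that validates a constructed allow list and tests whether a given client address would fall inside it; the comment syntax and the "too broad" threshold are assumptions for illustration.

```python
import ipaddress

# Constructed sample content for incoming_firewall_whitelist.txt (documentation addresses, not a real deployment)
SAMPLE_ALLOW_LIST = """\
# office egress
203.0.113.10
# VPN concentrator range
198.51.100.0/24
"""

MIN_PREFIX_V4 = 16  # IPv4 prefixes shorter than this are flagged as too broad (assumed threshold)


def parse_allow_list(text):
    """Parse allow-list text into ip_network objects.

    Returns (networks, problems). A bare address becomes a /32 (or /128 for IPv6).
    Blank lines and lines starting with '#' are skipped (comment support is an assumption).
    """
    networks, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            # strict=True rejects entries such as 198.51.100.1/24 whose host bits are set,
            # so an ambiguous range is reported instead of silently widened
            net = ipaddress.ip_network(line, strict=True)
        except ValueError as exc:
            problems.append((lineno, f"not an IP address or CIDR range: {line} ({exc})"))
            continue
        if net.version == 4 and net.prefixlen < MIN_PREFIX_V4:
            problems.append((lineno, f"range too broad for an allow list: {net}"))
        networks.append(net)
    return networks, problems


def is_allowed(networks, client_ip):
    """True if client_ip falls inside any listed network, i.e. the firewall would admit it."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in networks)
```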

Controlling user access to shared folders

You can request that certain user permissions be applied to specific sub-folders in your shared folder.

For more information, see Planning Analytics shared folder.

Note: Your IBM Planning Analytics environment will go offline while your requested changes are applied.
  1. Open a service request and assign it to IBM Support.
  2. Create a text file and give it the name shared_folder_acls.txt.
  3. Create a table with up to five columns, which are separated by tabs. Each row represents a separate Access Control List (ACL).

    Here is an example:

    Path           User                 Permissions   Inherited   Type
    /              fs_rp2team4_admin    rwd           true        allow
    /prod/data/    fs_rp2team4_user1    r             true        allow

    The column entries in the table represent the following properties:

    • The first column entry is the Path and uses forward slashes (/). A single forward slash (/) indicates the root of the shared folder.
    • The second column entry is the User name. It must start with "fs_", followed by the environment name, followed by a final part that you can define. The entry is limited to 20 characters.
      Tip: You should create a user with full permissions, such as "fs_rp2team4_admin" in the example.
    • The third column entry is the Permissions - r (read), w (write) and d (delete). If no permission is specified, then rwd is assumed.
    • The fourth column entry indicates whether the ACL should be Inherited (that is, child folders will inherit this ACL). The default is true. The options are "true" and "false".
    • The fifth column entry indicates the Type of permission, "allow" or "deny". The default is "allow".

    If the shared_folder_acls.txt file contains multiple entries for a single user, the last entry for any given folder takes precedence. For example, here are two entries for a single user, fs_rp2team4_user1.

    /prod/data/    fs_rp2team4_user1    rwd    true    allow
    /    fs_rp2team4_user1    r    true    allow

    The first entry grants rwd (read, write, and delete) permissions for the /prod/data/ folder. The second entry grants r (read) permission for the root shared folder and the true inherit property indicates that sub-folders inherit the r permission. As a result, the user has r permission for the root shared folder and all sub-folders, including /prod/data/, because r permission on the root directory takes precedence.

    If you want to specify varying levels of permission to multiple folders for an individual user and want to use the true Inherited property, you should specify the ACLs in order of most general Path to most specific. For example:

    /   fs_rp2team4_user1    r    true    allow
    /prod/data/   fs_rp2team4_user1    rw    true    allow
    /prod/data/sales/   fs_rp2team4_user1    rwd    true    allow
    
  4. Attach the file shared_folder_acls.txt to the service request.
  5. Submit the service request.
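The precedence and inheritance rules above are easy to get wrong when a file has many rows, so it helps to check a draft of shared_folder_acls.txt before attaching it. The following is an added example (not IBM code or part of this page) that parses a constructed tab-separated file, validates each column against the rules listed above, and resolves a user's effective permissions on a folder by walking rows in file order and letting the last applicable row win; how a "deny" row combines with earlier rows is not spelled out on this page, so the stripping behaviour below is an assumption.

```python
import re
from collections import namedtuple

ENV = "rp2team4"  # environment name taken from the page's example rows
Acl = namedtuple("Acl", "path user perms inherited allow")

# Constructed sample of shared_folder_acls.txt (tab-separated, header row included)
SAMPLE = "\n".join("\t".join(r) for r in [
    ("Path", "User", "Permissions", "Inherited", "Type"),
    ("/", "fs_rp2team4_user1", "r", "true", "allow"),
    ("/prod/data/", "fs_rp2team4_user1", "rw", "true", "allow"),
    ("/prod/data/sales/", "fs_rp2team4_user1", "rwd", "true", "allow"),
])

def parse_acls(text, env=ENV):
    """Parse rows into Acl tuples, filling in the page's defaults; returns (acls, problems)."""
    acls, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.startswith("Path\t"):
            continue  # blank line or header row
        cols = raw.split("\t")
        if len(cols) > 5:
            problems.append((lineno, "more than five columns"))
        path, user, perms, inh, typ = (cols + [""] * 5)[:5]
        perms, inh, typ = perms or "rwd", inh or "true", typ or "allow"  # page defaults
        if not path.startswith("/"):
            problems.append((lineno, "path must use forward slashes and start at /"))
        if not user.startswith(f"fs_{env}_") or len(user) > 20:
            problems.append((lineno, f"user must start with fs_{env}_ and be at most 20 characters"))
        if not re.fullmatch(r"[rwd]+", perms):
            problems.append((lineno, "permissions must combine only r, w and d"))
        if inh not in ("true", "false") or typ not in ("allow", "deny"):
            problems.append((lineno, "inherited must be true/false and type allow/deny"))
        acls.append(Acl(path if path.endswith("/") else path + "/", user, perms, inh == "true", typ == "allow"))
    return acls, problems

def effective_perms(acls, user, folder):
    """Walk rows in file order; the last row that applies to the folder wins.
    A row applies when its path equals the folder, or when it is inherited and the folder lies below it.
    A deny row is assumed to strip the permissions it names from the result."""
    folder, result = (folder if folder.endswith("/") else folder + "/"), ""
    for acl in acls:
        if acl.user != user:
            continue
        if folder == acl.path or (acl.inherited and folder.startswith(acl.path)):
            result = acl.perms if acl.allow else "".join(p for p in result if p not in acl.perms)
    return result
```

Running the two-row example from the text above (rwd on /prod/data/ followed by r on /) through effective_perms yields r for /prod/data/, matching the precedence described there.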

Controlling TM1 Server access to data in shared folders

IBM Planning Analytics allows, by default, any of your TM1 Servers to access any data files that are in your shared folder.

Note: In previous versions of IBM Planning Analytics, a TM1 Server could access only its own data directory and sub-folders. The data directory folder is located at the same level as the file tm1s.cfg.

If you want to keep the previous restrictions in place, so that one TM1 application cannot access the files of another TM1 application, send a PMR to the Cloud Operations team.