FAP and security

Users and authorization groups in IBM® Cognos® Controller are published to TM1®, and the authorization groups get prefixes to avoid naming conflicts.

The following security modes are available for IBM Cognos Controller and FAP in TM1:

Basic security mode

For TM1 9.4.1 and TM1 9.5.x, IBM Cognos Controller users and authorization groups are published and can be leveraged if CAM authentication is not used to access the IBM Cognos Controller Financial Analytics Publisher cube (for example from the TM1 Excel plug-in, but not from BI).

Note: IBM Cognos Controller users and authorization groups present in IBM Cognos Controller are deleted in TM1 during the initial publish operation.

CAM security mode

For TM1 9.4.1, all CAM users in IBM Cognos Controller are published, but they are published without the integrated security from IBM Cognos Controller that is present in the TM1 cube.

For TM1 9.5 and later, security is integrated between IBM Cognos Controller and TM1. Users and authorization groups in IBM Cognos Controller are published to TM1. Then for all CAM users present in TM1, the CAM user ID is connected to the IBM Cognos Controller user ID and gets the appropriate authorization groups (provided the CAM information has been maintained in IBM Cognos Controller).

Attempted use of TM1 security mode settings that are not supported by IBM Cognos Controller results in the termination of the initial publish process and the data mart being set to Error. The following TM1 API security modes are not supported:

  • Distributed

    Implies that the TM1 server is a distributed server that accepts connections without specifying any credentials.

  • Mixed

    Implies that the TM1 server accepts user authenticating either using Basic authentication or Windows Integrated Authentication.

  • WIA

    Implies that the TM1 server accepts connections that can authenticate based on Windows Integrated Authentication.