Integrated login

Integrated login enables you to use Microsoft Integrated Windows Authentication (IWA) and control access to IBM® TM1® data based on Users and Groups defined in Microsoft Active Directory (AD).

Note: Integrated login is supported on Microsoft Windows only. You cannot use integrated login to access TM1 Server running on UNIX.

In integrated login mode (security mode 3), TM1 authentication compares the user's domain-qualified Microsoft Windows login name to the contents of the UniqueID element of the }ClientProperties cube.

If there is a match, the user is authenticated to TM1. If Active Directory groups have been imported into the TM1 Server, Active Directory group memberships are honored.

If no match is found, TM1 displays an error message stating that the client name does not exist. TM1 Server does not prompt for login information.

To populate the UniqueID elements and import groups from Microsoft Active Directory, you can use the ETLDAP utility, TurboIntegrator jobs, or manual steps. For more information, see Configure integrated login for the IBM TM1 Server.

Users who want to access TM1 data in a server that is configured for integrated login must authenticate to Microsoft Windows first and then use TM1 clients to access the TM1 Server.

Example

Suppose a user with the user name Robert, which is defined in the Windows domain emea.company.com, logs in to his Windows workstation. When Robert uses a TM1 client that uses integrated login, such as TM1 Architect, to access a TM1 Server configured for security mode 3, the TM1 client forwards Robert's Windows login information to the TM1 Server using Integrated Windows Authentication. The TM1 Server looks for a match to Robert@EMEA in the UniqueID elements of the }ClientProperties cube. If there is a match, Robert is authenticated by TM1 successfully.

Note: Only the name of the actual domain that the user is defined in can be used. Using the fully qualified domain name (for example, EMEA.COMPANY.COM) will fail.
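The following is an added example, not IBM code: a pre-flight check over UniqueID values exported from the }ClientProperties cube, flagging entries that cannot match a login in the user@DOMAIN form shown above. The (client, UniqueID) export shape, the function names and the sample rows are assumptions made for illustration.

```python
import re

# Form shown in the page's example: user@DOMAIN, where DOMAIN is the name of
# the domain itself (EMEA), not its fully qualified name (EMEA.COMPANY.COM).
_UNIQUE_ID = re.compile(r"^(?P<user>[^@\\]+)@(?P<domain>[^@\\\s]+)$")


def check_unique_id(value):
    """Return None if the value has the expected form, else a reason string."""
    value = value.strip()
    if not value:
        return "empty UniqueID: no Windows login can match this client"
    m = _UNIQUE_ID.match(value)
    if m is None:
        return "not in the user@DOMAIN form"
    if "." in m.group("domain"):
        return "fully qualified domain name: the match will fail"
    return None


def audit(rows):
    """rows: iterable of (tm1_client, unique_id) pairs (assumed export shape).

    Returns a list of (client, unique_id, reason) for every entry that
    would leave the user with the 'client name does not exist' error.
    """
    findings = []
    for client, unique_id in rows:
        reason = check_unique_id(unique_id)
        if reason is not None:
            findings.append((client, unique_id, reason))
    return findings


# Constructed sample rows, not taken from a real TM1 Server.
SAMPLE = [
    ("Robert", "Robert@EMEA"),
    ("Alice", "Alice@EMEA.COMPANY.COM"),
    ("Admin", ""),
    ("Carol", "Carol"),
]

if __name__ == "__main__":
    for client, unique_id, reason in audit(SAMPLE):
        print(f"{client}: {unique_id!r}: {reason}")
```

Because the server does not prompt for credentials in security mode 3, any client flagged here, including administrative ones, has no alternative way to log in until its UniqueID is corrected.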