SecurityAdmin group

Members of the SecurityAdmin group can access the security-related features of Planning Analytics, but cannot view the data in non-security objects, such as cubes, dimensions, and rules.

The members in this group are allowed to create, edit, and delete Planning Analytics users and groups. Additionally, these users can manage the access permissions of other users to objects such as cubes and dimensions.

If integrated login is not being used, the security administrator is also able to reset user passwords.

As a member of the SecurityAdmin group, you can manage Planning Analytics security with the following tools in Server Explorer.

Clients/Groups window: Assign TM1® clients to TM1 groups.
Security Assignments windows: Control user access to TM1 objects such as cubes, dimensions, and processes.
Security control cubes: Manually apply security privileges for TM1 objects and user groups.

Restrictions on replication and synchronization

Members of the SecurityAdmin group do not have all the required access privileges to perform replication and synchronization operations in TM1 and should not attempt to perform these operations.

Restrictions for rules and processes

Members in the SecurityAdmin group cannot write or modify rules and processes. They cannot view rules, but they can view processes in read-only mode.

For more information about processes, see the TM1 for Developers documentation.

Combining SecurityAdmin membership with other groups

Membership in the SecurityAdmin group is not intended to be combined with membership in the DataAdmin group or any other user group. The SecurityAdmin is restricted from accessing non-security objects and these restrictions always apply regardless of what other groups the user belongs to. Additionally, Planning Analytics does not allow users to be added to any other user group after they have been assigned to the SecurityAdmin group.

These restrictions prevent the SecurityAdmin from adding him or herself to another group to gain access to data or operations that are not allowed for the SecurityAdmin.

Using the SecurityAdmin Group with the TM1 C API

The TM1 C API does not allow programmers to configure joint membership with the SecurityAdmin group. The ClientGroupAssign function rejects any attempt to place a user that is a member of the SecurityAdmin group into another group.

Restrictions on adding users to the ADMIN group

Members of the SecurityAdmin group are not allowed to add users to the ADMIN group. Only members in the full ADMIN group can add other users to the ADMIN group. This prevents the SecurityAdmin from creating a user account in the ADMIN group that they could then use with full administrative privileges.