Understanding Administrative Groups and Authority

TM1® supports the separation of administrative duties and roles in TM1 by dividing administrative users into the following predefined administrator groups:

ADMIN group - Members of the ADMIN group have access to all areas of TM1 and represent super-users with all privileges.
DataAdmin group - Members in the DataAdmin group have ADMIN privileges to everything that is not related to security. This group can view, edit and save TM1 objects, such as cubes, dimensions, rules and processes, Members in this group can view security settings in read-only mode but are not allowed to modify security settings.
SecurityAdmin group -The SecurityAdmin group can only perform security operations in TM1 . This includes creating, editing and deleting TM1 users and groups. This group can manage the access rights of other users to TM1 objects, such as cubes, dimensions and rules, but this group can not view the data in those same TM1 objects.

The security assignments for these three administrator groups are hard-coded and can not be modified.

You can use these predefined administrator groups to control and separate TM1 administrative roles among different users to satisfy internal or external security requirements and rules.

Note: Replication and synchronization operations in TM1 should only be performed by members of the ADMIN group. Members of the DataAdmin and SecurityAdmin groups do not have all the required access privileges to perform these operations.

The following sections provide details about each administrative group.