Interaction of Different Object Security Rights
If you apply different security rights to the objects that identify a cell of data, TM1 applies the most restrictive security right to the cell.
Scenario 1: User has Write access to elements but Read access to cube
Suppose that you assign a user Read
access to the SalesCube cube, and
Write
access to the elements in this cube.
In this scenario, the Read
access of the cube overrides the
Write
access of the elements, and the user can view cube data but cannot update the
cube data.
Scenario 2: User has Write access to cube but Read access to the elements of the Dimension that identifies all cells in the cube
The SalesPriorCube cube contains the following dimensions:
- Actvsbud
- Region
- Model
- Account1
- Month
Suppose that a user has Write
access to the SalesPriorCube cube,
Read
access to all of the elements in the Actvsbud dimension, and
Write
access to all of the elements in the other dimensions.
In this scenario, the elements in the Actvsbud dimension identify every cell in the cube, and therefore the user cannot update any cube data.
Scenario 3: Users are assigned access to specific dimensions in a cube
You can change the security rights for both cubes and dimensions. When groups have security rights for a cube, those rights apply to all dimensions in the cube, unless you further restrict access for specific dimensions or elements.
Suppose that you want several regional groups of users to read all data in the SalesPriorCube cube. You also want each group to update data in its own region. For example, you want salespeople in the North America group to update North America data. To implement this security scheme, you can make the following changes:
- Create groups that reflect sales regions.
- Add users to the appropriate groups.
- Grant each regional group
Write
access to the SalesPriorCube cube. - Grant the North America group
Read
access to those elements that do not reflect data for the North America region.
The TM1 sample data reflects this security scheme. Usr1 is in the North America group, which has
Write
access to the data associated with areas in the North America region, and
Read
access to the data associated with areas in other regions.