Interaction of Different Object Security Rights

If you apply different security rights to the objects that identify a cell of data, TM1 applies the most restrictive security right to the cell.

Scenario 1: User has Write access to elements but Read access to cube

Suppose that you assign a user Read access to the SalesCube cube, and Write access to the elements in this cube.

In this scenario, the Read access of the cube overrides the Write access of the elements, and the user can view cube data but cannot update the cube data.

Scenario 2: User has Write access to cube but Read access to the elements of the Dimension that identifies all cells in the cube

The SalesPriorCube cube contains the following dimensions:

  • Actvsbud
  • Region
  • Model
  • Account1
  • Month

Suppose that a user has Write access to the SalesPriorCube cube, Read access to all of the elements in the Actvsbud dimension, and Write access to all of the elements in the other dimensions.

In this scenario, the elements in the Actvsbud dimension identify every cell in the cube, and therefore the user cannot update any cube data.

Scenario 3: Users are assigned access to specific dimensions in a cube

You can change the security rights for both cubes and dimensions. When groups have security rights for a cube, those rights apply to all dimensions in the cube, unless you further restrict access for specific dimensions or elements.

Suppose that you want several regional groups of users to read all data in the SalesPriorCube cube. You also want each group to update data in its own region. For example, you want salespeople in the North America group to update North America data. To implement this security scheme, you can make the following changes:

  • Create groups that reflect sales regions.
  • Add users to the appropriate groups.
  • Grant each regional group Write access to the SalesPriorCube cube.
  • Grant the North America group Read access to those elements that do not reflect data for the North America region.

The TM1 sample data reflects this security scheme. Usr1 is in the North America group, which has Write access to the data associated with areas in the North America region, and Read access to the data associated with areas in other regions.