IBM Support

Security Changes on MDX and Dynamic Subsets in Planning Analytics 2.0.9

General Page

This Technote was updated on 6/30/2020 and again on 7/17/2020 with important details regarding the intent to revert the change in behavior described by this Technote.

A change was made to security on MDX and dynamic subsets in the Planning Analytics 2.0.9 and 2.0.9.1 releases. This change may prevent some dynamic subsets and MDX based views from returning expected members to non-admin users.


Update (July 17th, 2020):
The behaviour change described in this Technote has been reverted in the Planning Analytics 2.0.9.2 release.  In the 2.0.9.2 release security will no longer be evaluated when processing an MDX statement.  The results of the MDX statement will only be filtered based on member security.  This is consistent with the behaviour in 2.0.8 and lower versions.   Planning Analytics customers are encouraged to update to the 2.0.9.2 release.
A future release of Planning Analytics may include a feature that allows for optional evaluation of security when processing MDX statements.  This planned feature would allow the TM1 database owner to determine if security should be evaluated during MDX processing.  The default behaviour from 2.0.8 and 2.0.9.2 will be maintained in any future release of Planning Analytics 2.0.9.
Update (June 30th, 2020):

The IBM Planning Analytics team will revert the change described in this Technote in an Interim Fix for Planning Analytics 2.0.9.1.  This Technote will be updated as additional details about the Interim Fix are available.  The current 2.0.9.1 release that is available on IBM Passport Advantage and IBM Fix Central will be updated when the Interim Fix is available. 
The change in behaviour described in this Technote applies only to the REST (ODATA) API as of the 2.0.9 release.  Planning Analytics Workspace, Planning Analytics for Excel, and Cognos Analytics reports using the Planning Analytics data source connection use the REST API to connect to TM1. 
The change in behaviour described in this Technote applies to both the REST API and the C-API only as of the 2.0.9.1 release.  TM1 Architect, TM1 Perspectives, TM1Web, and TM1 Applications use the C-API to connect to TM1.  These clients are not impacted in the 2.0.9 release (but are impacted in 2.0.9.1).
June 15th, 2020
Prior to the Planning Analytics 2.0.9 release the list of elements returned by subset MDX (dynamic subset) was only filtered based on element security.  If element security is present then non-admins user required READ or greater security on an element in order to see that element in the subset.  Security was only applied after the MDX statement was evaluated.
Planning Analytics 2.0.9 introduced a change that would cause to security to be applied during evaluation of MDX statements.  If a non-admin user does not have READ or greater access on a member referenced in an MDX statement that MDX statement will now return an empty set.  This may cause some non-admin users to see empty subsets and views.
This change in behaviour addresses a potential security concern, depending on model design.  Consider the case where a non-admin user knows the name of a consolidated member but does not have READ access for that member.  If this user has READ access to one or more children of the consolidation they could execute MDX that allows them confirm the consolidated element is the parent of the children.  The parent-child relationship between members may be considered sensitive information in a TM1 model.  
In the case where a dynamic subset is impacted by this change in behaviour the following options may be considered:
1 - When possible, modify the MDX in the dynamic subset so that it does not reference members that users do not have READ access on.
2 - Consider the use of static subsets.  The list of elements in a static subset are still filtered for non-admin users based on element security.
Note that it is possible to generate a static subset based on an MDX statement in a Turbo Integrator process using the SubsetMDXSet TurboIntegrator function.  This use case is covered in the following documentation: https://www.ibm.com/support/knowledgecenter/SSD29G_2.0.0/com.ibm.swg.ba.cognos.tm1_ref.2.0.0.doc/r_tm1_ref_tifun_subsetmdxset.html.  Because the MDX statement is evaluated in a TurboIntegrator process it will be evaluated without element security being applied.

[{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSD29G","label":"IBM Planning Analytics"},"ARM Category":[{"code":"a8m0z0000000ArQAAU","label":"Troubleshooting->TM1Web->Security"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Version(s)"}]

Document Information

Modified date:
17 July 2020

UID

ibm16226890