IntegratedSecurityMode
Here I would like to explain some moments of managing security with IntegratedSecurityMode=5.
When you configure Cognos TM1 to use IntegratedSecurityMode = 5, in Security -> Clients/Groups you can import clients and groups from Cognos BI security.
The only way to add TM1 native security group is to use TI process function: AddGroup(GroupName);
You can add clients to native TM1 security groups, but if you try to add it to Cognos BI group, the changes will be lost during the next synchronization.
The synchronization happens when the user logins to TM1. So if you just manually added a user (Client) and Cognos BI group, you see no check mark in Clients/Groups. But it will appear on the first user’s login. You don’t even need to add the users manually in TM1. Just add the users in Cognos BI and it will import all the users to TM1 and sets the mapping for each Cognos BI group (to keep the things small TM1 will sync all with the imported Cognos BI groups only).
If a user belong to some group in BI, they will be able to login to TM1Web, but will see nothing there if they are not added to TM1 group.
If you rename a group in Cognos BI, TM1 will not pick up that change and you will need to delete the old & import a new group and re-assign the security.
How to add the first user on a freshly installed TM1 server configured with CAM security.
When you install TM1 server you have just admin user there which is a native TM1 user, so you cannot use it with IntegratedSecurityMode=5.
You need to add your first power user from Cognos BI directory and assign it to ADMIN native TM1 security group.
To do this follow the next steps:
1. Set IntegratedSecurityMode=5, ServerCAMURI and ClientCAMURI in Tm1s.cfg and start TM1 server
2. Login with Cognos BI user.
3. Stop TM1 server, change IntegratedSecurityMode=1, start TM1 server
4. Login as admin (the default password is either blank or “apple”)
5. Right-click your server and go to Security > Client/Groups
6. You will see the BI user you tried to login with before. Add that user to ADMIN group
7. Set IntegratedSecurityMode=5 and restart TM1 server
8. Try logging in with BI user again and check it has admin rights.
Cognos/TM1 
Can you disable proxy and try again?
Can you try your script locally on TM1 server machine?
LikeLike
Ok . I can try your option.
Environment set up as
Client Machine — Proxy Machine —- Remote Server Machine 1 (Tm1 installed using port 8000)
—- Remote Server Machine 2 (Tm1 installed using port 8000)
Tm1 Rest api and Tm1 weburl api request from client to Remote Server Machine 1 is working as expected.
Tm1 web url api is working fine but Tm1 Rest api calls are not working with REmote Server Machine 2.
I checked in the wireshark, which shows the network traffic, but I can see only the Tm1 web url request. Tm1 REST api call trace was not there. It may be the port problem??
What could be the problem? Any guess?
LikeLike
Hi,
Is there any search option available in Tm1 REST api? I would like to search the elements in Dimension as search string “G0*” with respect to alias.
LikeLike
Hi Vald I found some below,
http://host:8001/api/v1/Dimensions('DimName‘)/Hierarchies(‘DimName’)?$expand=Elements($select=Name, Attributes,Type;$filter = contains(Name, ’00’))
This gives the matching elements on ‘Elements Name’. But I have to search on attributes[L01]. Any idea how to do that??
LikeLike
I never needed that using tm1 REST api, but in MDX you can filter by attribute, see an example here: http://didenko.ca/blog/tm1-mdx-filter-by-substring/
LikeLike
It was helpful and filterbyAttribute working as expected in mdx, but the same is not working using TM! rest api.
I have another quick question:
Is there a way to collapse and expand a particular element in dimension using mdx statement.
I have used
TM1DRILLDOWNMEMBER( {[dimname].[element]}, ALL ),
TM1SUBSETALL( [dimname] ), ALL
but it doesnt work as i expect.
I would like to pass the element to drill down the particular element in dimension and save to subset or dimension itself.
Example;
A1 Consolidated
A2 Consolidated
A3 Consolidated
When i passs A2 drilldown, then the result should be
A1
A2
-….. A21
…. A22
……A23
A3
LikeLike
To expand only one level:
{ [dimname].[A1 Consolidated], [dimname].[A2 Consolidated].children, [dimname].[A3 Consolidated]}
To expand all the levels use {TM1DRILLDOWNMEMBER( {[dimname].[A2 Consolidated]}, ALL, RECURSIVE )}
LikeLike
k..Thanks for your reply. I am clear with TM1DRILLDOWNMEMBER() function, but for the first example which you have specified, its something like I have to specify all the root elements available in dimension???
LikeLike
If you want to expand all the elements just use {TM1SUBSETALL( [dimname] )}
If you want to select all root elements and expand just one level, you can use
{TM1DRILLDOWNMEMBER( {Filter({TM1SubsetAll([dimName])},[dimName].CurrentMember.Parent.Name=””)} , ALL )}
LikeLike
Hello,
I would like to implement securitymode=3. But struggling with SPN registration.
>setspn -U -F -S HTTP/host.domain.com domain\user
host.domain.com – Tm1 server FQDN
but it says..
Error 0x2098 / 8344 -> The access rights are not sufficient for this process.
I have admin rights.
Run the cmd as adminstrator.
Do I need to run the cmd in the machine where Active Directory is installed?
Dont have idea how to proceed further.
LikeLike