Save time testing TM1 security with impersonation

Setting the TM1 security data is a critical part of any IBM Planning Analytics project. TM1 gives developers a lot of flexibility in terms of security. If your TM1 applications have hundreds of TM1 users, testing the security is time-consuming. This article explains how the TM1 impersonation feature can save time when testing TM1 users’ security access.

With TM1 version 11.1.0 or later, TM1 enables an administrator to create a session impersonating another user. After the session has been created, the administrator will access TM1 as this person will see it.

Impersonation is a very powerful feature for TM1 admins as it enables them to login to TM1 as any user with their own credentials.

• If a user needs some help with one of its private objects (views, subsets, applications…), the administrator could just login as the user, go to the private object and fix the issue

• It can help troubleshooting security access as the TM1 admin will be able to see exactly which cubes, dimensions or elements the user can see.

Let’s see now how to use the TM1 impersonate feature.

Arc for TM1 has a dedicated editor for the TM1 security, gathering all TM1 security operations into one location.

With Arc, the TM1 impersonate feature is available in just one click.

In the Arc Security Editor, all non-admin users can be identified with a ghost icon. An admin can click on it to impersonate the user and be able to see the application as the user sees it.

If a user needs help with its private objects, you could use the Arc Security Editor to impersonate the user and check the private objects by yourself without having to contact the user.

To try the TM1 impersonate feature in Arc, just download it from the link below (Arc is very easy to set up and comes with a three-month trial license).

If you need to check the security of hundreds or thousands of users, you might prefer to automate this task.

TM1py is a python package that wraps the TM1 REST API into a simple-to-use library. Since v1.6, TM1py supports the TM1 impersonate feature.

When creating a new TM1 connection, you just need to add the parameter impersonate:

With TM1py, you can leverage the impersonation feature to test every aspect of TM1 security in an automated way. For instance, you can write tests like

• Sales must only see cost centre from their regions.

• Users outside of HR department must not see cubes with HR data.

• No users must have write permission to closed periods.

• Users from HR department must have write permission to HR cubes.

How the script will work:

1. Login as admin and get a list of elements that the user should see (For example all descendants of a specific region).

2. Impersonate the user and retrieve all elements from the dimension (You should get only the elements from the specific region).

3. Compare both sets of elements.

The advantage of using TM1py’s impersonation feature over writing your own logic with a TM1 process is that through impersonation the script perceives the TM1 model exactly like the user would. The user’s security simply applies.

Once you have a working script, you can schedule the execution or run it when new users have been added to the system. That provides confidence and auditability for your security model – and lets you have a good sleep at night.

If you need help writing your own python scripts, feel free to contact us.

• Deep dive into the Arc Security Editor

• TM1 hidden features

• Getting started with TM1py