How to Change TM1 to use Cognos Security (CAM)
Configuring TM1 to use Cognos security allows you to use your corporate directory server (like Microsoft’s Active Directory) and move the addition of users and placement of users into groups into that company-wide directory server. When TM1 (or Planning Analytics) is first set up or you activate a sample model (like Planning Sample, Proven Techniques, GO New Stores, GO Scorecards, SData or 24Retail), they have standard TM1 security. If you are using TM1 in a corporate environment you will probably want to connect your TM1 models to your company’s Active Directory server.
This post walks you through the steps required to convert a TM1 model from using standard TM1 security to using Cognos CAM security, which is connected to the directory server. In technical parlance, to change from Integrated Security Mode 1 to Integrated Security Mode 5.
There are a couple of steps involved in making the change for TM1/Planning Analytics from native security to CAM security. They are:
- Modifying the configuration for the specific model
- Deploying and modifying BI Interop files
Steps to Change TM1 to use Cognos Security
These are Model Specific Changes for each TM1 Model
- With IntegratedSecurityMode still set to 1, open TM1 Architect with tm1 native security. This forces your user to be added to TM1 security.
- Close Architect.
- Open TM1s.cfg and modify the setting for:
- IntegratedSecurityMode to be 4.
- Restart the TM1 service for this model.
- Login to Architect now using the AD connection. This will add you to the Security, Clients/Groups in the model with no rights in TM1, but you will be added!
- Logout of the model.
- Change the security mode in tm1s.cfg back to 1 and restart the service for the model (this is so you can then log in and change your Active Directory ID as an Admin).
- Log back in using TM1 native security.
- Open Security, Clients/Groups for the model.
- Find your Active Directory ID and check the ADMIN box.
- Save Data for the model.
- Change the security mode in tm1s.cfg to 5 and restart the service for the model.
- You can now log in using your AD login and have full control.
Deploy BI Interop Files from the TM1 Server to the BI Server(s)
The last step involves making changes directly on the BI server itself. There are files that need to be copied from the TM1/Planning Analytics server to the BI server and then modified once in place. For Planning Analytics 2.x, all required files can be found at /tm1_64/bi_interop/ and for TM1 10.2.2, they are at tm1_64/webapps/tm1web/bi_files (for TM1Web) and /tm1_64/bi_interop/ (for pmpsvc and pmhub). Alternatively, you can just download them here (the files are identical for both PA 2.0.x and TM1 10.2.2).
- Unzip the bi_interop.zip file.
- Merge the contents of the templates folder (not the folder itself) with the templates folder on the BI application server.
- Modify the file “variables_TM1.xml” to refer to the TM1 server using a fully qualified domain name.
- Restart the BI server.
- Merge the contents of the webcontent folder (not the folder itself) with webcontent folder on each BI gateway (or web) server.
- If Cognos 11 is being used, also copy to the webcontent/bi folder. No restart is required.
- Modify the planning.html, pmhub.html, and tm1web.html files to match the TM1 server. Each has a var line that needs to be modified as follows:
- tm1web.html – var tm1webServices = [“http://tm1webserver.domain.local:9510”];
- planning.html – var planningServices = [“http://tm1webserver.domain.local:9510”];
- pmhub.html – var pmhubURLs = [“http://tm1webserver.domain.local:9510”];
- (Tip: modify the three files in the respective webcontent and TM1 folders and then copy the modified files to the BI and BI/TM1 folders).
- If there are multiple TM1 or Planning Analytics servers, or you are using a separate server for TM1Web or Planning Analytics Workspace, enter each one inside the square brackets, separating each entry with a comma. Each entry must be contained in inverted commas (rabbit ears).
- Importantly, the var line in the pmhub.html file is a “whitelist” of servers that can access the TM1 server. The entries in it must be identical to what is entered in a browser to access that service. Therefore, for the PAW server (which does not require a port to access it), enter the address as “http://PAWservername.domain.local”.