What are the TM1 Administration Admin Roles

In TM1 we have multiple administration capabilities that can be assigned for differentiating the roles different administrators have within a TM1 model. These include:

In this post we will explain what each of these roles are and what capabilities are given to users who are assigned those roles.

TM1 Admin Role

People who are included in the Admin group have “God” access to the TM1 model. They can see and edit all data, run any process, change any rule. Essentially, they are the super admins with all privileges and can do anything inside the model.

Security Admin Group

Users who are added to the Security Admin Group can do anything that involves assigning security, such as creating, editing and deleting users or groups. They can also manage access to TM1 objects, such as cubes, dimensions or rules, but they can’t view data in those objects. So, therefore, they can’t see the data in a cube they have not been given explicit access to. Essentially the users in this group can manage security for objects, but not see the data in those objects.

Data Admin Group

Those admins who are given Data Admin rights can do everything that is not concerned with security. They can view and edit TM1 objects like cubes, dimensions, rules and processes. They can view and edit all data in the model, as if they are full Admins except security, where they can see security settings, but cannot change them.

Note re Data Admin and other TM1 Groups

A Data Admin has rights to see all data. Therefore, if they are assigned membership of any other group (except the Security Admin role), those additional groups are redundant because the person can already see all data.

Note re Dual Group Membership – Data Admin and Security Admin Groups

As Data Admin and Security Admin are mutually exclusive TM1 administration roles, it is not intended that a person is assigned rights to both simultaneously. If this is desired, assign them a full Admin role. If, both Data Admin and Security Admin groups are assigned, only the Security Admin group is used.

Operations Admin Group

The limited administration group called Operations Admin can maintain the model, such as cancelling threads or disconnecting users. They also have access via the TM1 Rest API to execute a number of commands. They have no access to any TM1 data or metadata.

Assigning Different Admin Roles inside TM1

TM1 administration roles are assigned manually in TM1 security, rather than via any external namespace (like CAM or AD security).

License Requirements for Admin Roles

Each person assigned one of these roles requires a TM1 Modeller license.

Need Help with Your Planning Analytics Security?

If you need some help defining how your TM1 security model should work we’d be delighted to help you. Please get in touch with the form below.

  • This field is for validation purposes and should be left unchanged.

Leave a Reply

Your email address will not be published. Required fields are marked *

Log In