Subscriptions
IBM Subscription Management can be used to see current usage by subscription.  This can be opened from the Planning Analytics Administration page and selecting IBM Subscriptions Management on the users and groups sub page

The Planning Analytics Administration page users and groups sub page can be used to assign a subscription to an invited user.

Subscriptions are used in Planning Analytics as a charging metric and to allow flexibility in usage vs the price paid. Subscriptions allow flexibility in deployment by not enforcing a particular capability or data access in Planning Analytics.  Clients must configure the system, so users capabilities do not exceed their entitlements.

There are three main subscriptions to date:

Each Subscription allows for greater capabilities and are assigned per user invited to Planning Analytics.

Descriptions defining the allowed capabilities of each subscription are found in the Service Description: IBM Terms

Confusingly, these subscriptions are defined in section 1.1.6 of the Service Description as “User Roles”

To change a users subscription please see: Change a user's subscription (cloud only) - IBM Documentation

Alternatively,  a user can be assigned a subscription by selecting the user in the Workspace Administration users section.

Please Note,  Only a Subscription Administrator (Account Administrator) can manage users and see subscriptions management.  For a new system,  the initial Subscription Administrator is set as the initial technical contact on the order.  Additional Subscription administrators can be defined in the subscriptions management tool: Manage user invitation capability (cloud only) - IBM Documentation

User Roles are used to restrict the capabilities of a user within Planning Analytics Workspace.

There are four user roles to date:

A complete list of roles and their capabilities within the workspace are defined here: User roles - IBM Documentation

Please note,  database security, such as the ability to edit data and database objects (if a user can see a dimension/cube etc), is controlled in the database itself.  This allows for differing data security by database model/databases. E.g. read only on a group reporting database while having read/write on a subsidiaries forecasting application.

Groups are used to simplify object security within Planning Analytics Workspace. For example, If a user can access a folder and/or the books within.

Permissions can be set on folders or subfolders which inherit permissions from above, as well as on an individual book and workbench.  Please see: Set permissions on the Shared folder and subfolders - IBM Documentation

User Roles
Roles are assigned to a user in the Users and Groups section of Workspace administration.  Search and Select a user to see current assignments.

Groups
Users can be assigned to groups in the Users and Groups section of Workspace administration.  Select a group and Manage to define members of the group.

Database Security
Groups and users

Object and data security

The Planning Analytics Database security applies to data and database objects

The TM1 Database within Planning Analytics has a robust security model covering objects, such as dimensions and cubes, and data such as view, read and/or write permissions on dimensional data and cells.  The security can even be applied down to a cell level however dimensional matrix security impacts performance less.

TM1 Database security uses defined users invited to Planning Analytics mapped to groups for security. There are two types of groups, workspace groups and database specific groups (that are native to the database). This separation when using database groups allows for an overall database group/admin to be separate from administration and operations of the workspace so sensitive data, such as employee salary, can be made inaccessible to the overall workspace administrators.

To watch a video on managing workspace users and groups see: Planning Analytics - Managing users and groups - YouTube

For more information on database security please see: Object security - IBM Documentation

Please note,  Each database in the Planning Analytics Workspace has its own security model to cater for differing requirements.

When initially adding a workspace group, the users and their membership are added.  As at the point of writing, membership is not synchronised so to refresh workspace groups and members used in the database security, Unassign all users by right clicking the group, Then re add the same workspace group using the button.

ONLY a modeler or administrator subscription can be assigned to the five database admin roles:

The two most misunderstood areas are:

As can be seen in prior slides,  database groups are separate and different to Planning Analytics Workspace groups.  Once this is understood the concept of applying security with groups is simple.  Database vs the GUI workspace.  Create native database groups for database object and data security and Workspace groups for frontend assets such as books.

IBM Planning Analytics has defined workspace roles associated with their corresponding subscription type.  Within a subscription type (such as Planning Analytics user) there is the flexibility to define a role as consumer or analyst depending on the business need.

Given the current subscriptions found in the Service Description what is the recommendation?

When adding users and selecting the role and subscription always adhere to Table 1 here: Administer users on cloud - IBM Documentation

Validate subscription usage per user by selecting the user in the users and groups area of the Workspace administration page.

How does IBM recommend you map and configure the Subscriptions and security?
Roles by Subscription

Subscription usage

Explorer subscription and data security

In addition to setting the correct user role for a users subscription it is important to also apply any restrictions on data capabilities.

To date,  the ONLY subscription that restricts data capabilities is the IBM Planning Analytics Explorer subscription.

The service description states that this role is a read only subscription.

IBM’s guidance is to apply an Explorer group to all databases and set permissions on that group to read only access for all data.

Once all Explorer users are added to this database group then the entitlement is adhered to. 

Please note, Explorer users should not belong to any other group that would give write access.

An Environment is a container for databases with its own Compute, RAM and Storage.  By default, Planning Analytics with Watson (standard) is supplied with one non-production and one production environment.

Clients can subscribe to additional environments for extra separation i.e., user acceptance testing or business units that require dedicated environments.  In addition,  environments can have add-ons for storage and RAM as well as upgrade to premium hardware with increased compute.

Where multiple environments are used (including on the standard production and non-production environments) the first Production environment is called the primary environment.  All other environments link to the Primary as the “golden source” of users.  Users are invited and managed from the primary environment.

Users can then be given access and rights managed in their secondary environments i.e., a developer is invited to the production environment(Primary) and given access to the development environment (Secondary).

IBMs recommendation is to invite all users to the production environment and secure appropriately for this environment.  These users can then be added to other environments.

For more information you may find the following blog useful:

Managing Users with Multiple Planning Analytics Workspace Tenants on Cloud (ibm.com)