Planning Analytics


Connect to Active Directory

  • 1.  Connect to Active Directory

    Posted Wed March 04, 2020 03:28 PM

    Good Afternoon,

    In our PA Local environment we currently use IntegratedSecurityMode 5 and have the integration with our CA environment. Has anyone ever tried connecting PA directly to their Active Directory? Any help on this would be greatly appreciated.

    Andrew Hornyak


  • 2.  RE: Connect to Active Directory

    Posted Thu March 05, 2020 06:06 AM
    Hi Andrew,

    Mode 5 is only for CAM security. Planning Analytics is able to communicate with any LDAP source with mode 3.

    You can review all parameters here:
    https://www.ibm.com/support/knowledgecenter/SSD29G_2.0.0/com.ibm.swg.ba.cognos.tm1_inst.2.0.0.doc/c_tm1_inst_securityandauthenticationoverview.html

    Review the LDAP Authentication from above link.

    Kind Regards,

    ------------------------------
    Robert Vautour
    Advocate, IBM Planning Analytics and Cognos
    ------------------------------



  • 3.  RE: Connect to Active Directory

    Posted Thu March 05, 2020 07:05 AM
    I strongly recommend using CAM authentication and have Cognos connect use AD for authentication.

    Benefits of using CAM with AD
    1 - Group memberships in TM1 are updated automatically to reflect membership changes in AD groups
    2 - Common AD and Cognos groups can be reused in multiple TM1 databases
    3 - Much simpler SSO (there is no SSO for TM1 Applications Web in mode 3).  Setting up mode 3 for TM1Web is fairly complex (although the config for Workspace is easy).  
    4 - You can create and manage groups in Cognos that can be used in multiple TM1 models.  The benefit of Cognos groups is that you don't need to wait on AD admin to modify groups.

    ------------------------------
    Stuart King
    IBM Planning Analytics Offering Manager
    ------------------------------



  • 4.  RE: Connect to Active Directory

    Posted Thu March 05, 2020 04:23 PM

    Hi Andrew

    It is my understanding that while you can potentially still run the PA Server in Mode 2 or 3 which is Windows Authentication, in practice to use any of the new tools, i.e. PAW or PAX, you need to use Mode 1 or 5, i.e. TM1 Authentication or CAM Authentication.

    TM1 Authentication doesn't offer strong enough security for us.

    Therefore our only option is to use CAM Authentication, which we don't like, because of its various limitations, but there is no real choice. I can't see IBM changing this as CAM Authentication is at the heart of Cognos Analytics, which they generally want to sell alongside Planning Analytics.

    Regards

    Paul

    Paul Simon

    Success Cubed Ltd

    Tel: +44 7941 506 197

    www.successcubed.co.uk

    Skype Name: paulsimongb

    Skype Tel: +44 20 3287 4616






  • 5.  RE: Connect to Active Directory

    Posted Fri March 06, 2020 07:09 AM
    Just one small clarification...we provide Cognos Analytics with Planning Analytics as a supporting program.  No need to pay for Cognos Analytics if you are just using it for CAM authentication or even reports based on the Planning Analytics data source.  Recommended CAM authentication has nothing to do with selling Cognos to our Planning customers.

    I suspect that OIDC support will be the path forward for IBM Planning Analytics authentication, even for authentication between Cognos and Planning.

    ------------------------------
    Stuart King
    IBM Planning Analytics Offering Manager
    ------------------------------



  • 6.  RE: Connect to Active Directory

    Posted Fri March 06, 2020 12:00 PM
    Hi Stuart

    I agree that OIDC would be a good future direction. We use this in other applications. I would much rather that user names were based on something intelligible but unique such as their corporate email address rather than a CAMID derived from their Active Directory ID which contains characters that don't play well with TI or Excel. 

    However, at present, OIDC is not yet available, so to answer the original posters question, CAM is probably the only option at present.

    Just to clarify, as I understand it, the key difference between Planning Analytics Workspace and Cognos Analytics is that Planning Analytics can allow both entry and reporting of data but only to/from a Planning Analytics data source, whereas Cognos Analytics is only designed to report data but it can do this from a range of data sources including SQL, Planning Analytics, etc. Given this I hope you will forgive me for pointing out that using CAM at present makes it easier for IBM to sell both products to its customers.

    Regards

    Paul Simon

    ------------------------------
    Paul Simon
    ------------------------------



  • 7.  RE: Connect to Active Directory

    Posted Fri March 06, 2020 12:21 PM
    Paul - You're forgiven!  :)  Of course we want our Planning customers to look at Cognos.  We don't want CAM authentication in PA to be the reason why our Planning customers look at Cognos.  

    Longer term, we want closer integration of Planning and Cognos Analytics.  We are currently working on aligning the experience of the Cognos dashboard and PAW book.  The idea is that we will take the best of both components and build a single dashboard that works in both Cognos and Planning.   I think that data writeback to TM1 in a Cognos dashboard is not out of the question, nor is using non-TM1 data sources in the PAW book.  


    ------------------------------
    Stuart King
    IBM Planning Analytics Offering Manager
    ------------------------------



  • 8.  RE: Connect to Active Directory

    Posted Fri March 06, 2020 01:29 PM

    Stuart,

    If I am understanding this correctly, even if we were to get rid of our Cognos Analytics environment we can still use an instance of Cognos in order to use CAM authentication to our PA environment? I really like the idea of the two having a seamless integration in the future.

    Thank You,

    Andrew
  • 9.  RE: Connect to Active Directory

    Posted Sun March 08, 2020 05:10 PM

    Hi Paul

    I hate to "well actually" you, but technically OIDC is there... but only through CAM.  So right back where we started.

    Native OIDC would be great as that is the direction a lot of our customers are going.



    ------------------------------
    Nick McCoy
    ------------------------------



  • 10.  RE: Connect to Active Directory

    Posted Mon March 09, 2020 07:46 PM
    Hi Nick

    I have used OKTA and I have used CAM. There is no comparison in terms of ease of use regardless of whether or not both support OIDC.

    CAM returns a CAMID, which unnecessarily looks like a function call. The CAMID unnecessarily includes double quotes, which if you output it to a CSV file doesn't work too well as the double quote is used to delineate string fields in a CSV file. Outputting and reading from CSV files is very common with TM1/PA. Consequently, before you can output you have to remove the double quotes and you have to re-introduce them again when you read in from the CSV file, otherwise it won't be recognised as a CAMID. Either that or you have to ensure that you output the Display Value. However, TI functions like ElementSecurityPut only work on the raw CAMID.

    The Client/User created using the CAMID is unrecognisable to a user. 

    The oddly named }TM1_DefaultDisplayValue that is the alias for the CAMID to turn it into a recognisable name generally takes the format domain\user. If you attempt to output that in a file name, then again it doesn't work as \ is the folder separator on Windows, and I know that IBM would like us all to use Linux but the reality is that most of us use Windows for better or worse. We therefore have a process in our Startup chore to remove the domain\, which we don't need since as I am sure is generally the case, all our users are in the same domain. Our users don't want to see domain\ in front of their name. I can't remember which way round it is now but one of the changes when moving from 10.1 to PA was that the slash changed to a backslash or vice-versa.

    Another thing that changed when we moved to PA, was that we got a hidden double login issue when users sign in to TM1 Web. We raised a support ticket for this 2 years ago but have never got a fix. IBM regarded it as a feature rather than an upgrade bug. Instead we were asked to write something ourselves in Javascript using the outdated dojo library. This has never got to the top of our priority list. It does mean that all users wait an extra 10-20 seconds when first logging in to TM1 Web.

    The other major issue with CAM is that the Client element is not created until the user actually signs in. You can work around that with complex links via SQL to AD but it is not an easy workaround. That means that you cannot set up things in advance for the user, for example storing their default cost centre in a cube, creating a default subset for them etc. There are no hooks in TM1/PA that allow you to trigger a TI Process when a user first logs in that could mitigate this.

    So I don't care whether CAM conforms to OIDC or any other standard. IBM could have made better choices in terms of the format of the CAMID and the decision to only create the user when they first login.

    In terms of licensing we have never been able to get a straight answer from IBM as to whether they look at the number of users defined in the }Client dimension or the number of users in the AD Domain. With our current licensing this is no longer an issue, but it was for a long time.

    By comparison, OKTA returns an email address which is recognisable and much easier to handle.

    I already have to cover everything from inter-company eliminations to asynchronous javascript as well as transactional SQL, PA, and PowerBI, so forgive me if I am not too well up on security standards. I just want something that is easier to use than a CAMID, that also works with things that are not Cognos.

    Regards

    Paul Simon

    ------------------------------
    Paul Simon
    ------------------------------



  • 11.  RE: Connect to Active Directory

    Posted Tue March 10, 2020 01:07 AM
    +1 to all of this

    In addition to all of these issues, users and their AD group associations are only updated upon authentication. So when a user's group membership changes it is not updated in TM1 and there is no way to force it to update. This makes reflecting the results of other automated permission processes very difficult.

    For example, a user is granted temporary access to cover for a co-worker. The user is added to a group in AD (via a company wide permissions portal) that grants write permissions to the plan.  The user is then removed from that group when the work is done. If that user's session remains open/active, the group membership change is not reflected. AD says they are no longer a member of the write group, but PA does not reflect that update until another authentication event. A bit of a security flaw maybe?

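The CAMID handling described in post 10 (the CAMID("...") wrapper with its embedded double quotes, and the domain\user display alias) and the stale-membership problem in post 11 (TM1 only re-reads a user's AD groups at authentication) can be checked with a reconciliation script. The one below is an added example, not code from the thread or from IBM: it assumes a TM1-side CSV export of }ClientGroups rows (client CAMID, display alias, group) and a current AD group export, both constructed here with made-up names, and it reports sensitive groups that TM1 still grants after AD has revoked them, as well as grants AD has made that TM1 will not pick up until the next login. A CSV writer that doubles embedded quotes (RFC 4180) round-trips the raw CAMID unchanged, which is what the sample export relies on.

```python
"""Reconcile the group membership TM1 cached at a user's last login against current AD.

Everything here is illustrative: the CSV export layout, the "AD" CAMID namespace, the
DNs, the account names and the group names are constructed for this example.
"""
import csv
import io
import re

# Constructed TM1-side export, one row per (client, display alias, group), in the shape a
# TurboIntegrator process writing }ClientGroups out to a CSV might produce. The client is
# the raw CAMID; its embedded double quotes are doubled (RFC 4180), so the csv module
# reads them back intact instead of splitting the field.
TM1_CLIENT_GROUPS_CSV = '''\
"CAMID(""AD:u:cn=jsmith,ou=users,dc=example,dc=com"")","EXAMPLE\\jsmith","PA_Plan_Read"
"CAMID(""AD:u:cn=jsmith,ou=users,dc=example,dc=com"")","EXAMPLE\\jsmith","PA_Plan_Write"
"CAMID(""AD:u:cn=alee,ou=users,dc=example,dc=com"")","EXAMPLE\\alee","PA_Plan_Read"
"CAMID(""AD:u:cn=alee,ou=users,dc=example,dc=com"")","EXAMPLE\\alee","PA_Plan_Write"
"CAMID(""AD:u:cn=bkhan,ou=users,dc=example,dc=com"")","EXAMPLE\\bkhan","PA_Plan_Read"
'''

# Constructed current AD state (what a directory export shows right now): group ->
# sAMAccountNames. alee's temporary PA_Plan_Write membership has already been removed,
# and bkhan has just been added to it but has not logged in to TM1 since.
AD_GROUPS = {
    "PA_Plan_Write": {"jsmith", "bkhan"},
    "PA_Plan_Read": {"jsmith", "alee", "bkhan"},
}

# Groups whose stale membership is worth acting on (write access to the plan).
SENSITIVE_GROUPS = {"PA_Plan_Write"}

CAMID_RE = re.compile(r'^CAMID\("(?P<inner>[^"]*)"\)$')


def parse_camid(client: str) -> str:
    """Return the identifier inside CAMID("..."); raise if the value is not a CAMID."""
    match = CAMID_RE.match(client)
    if match is None:
        raise ValueError(f"not a CAMID: {client!r}")
    return match.group("inner")


def strip_domain(display_value: str) -> str:
    """Reduce the DOMAIN\\user display alias to the bare account name."""
    return display_value.rsplit("\\", 1)[-1]


def load_tm1_client_groups(csv_text: str) -> dict:
    """Parse the TM1 export into {account_name: {groups TM1 currently grants}}."""
    tm1 = {}
    for row in csv.reader(io.StringIO(csv_text)):
        if not row:
            continue
        camid, display_value, group = row
        parse_camid(camid)  # fails loudly if bad quoting mangled the export
        tm1.setdefault(strip_domain(display_value), set()).add(group)
    return tm1


def ad_groups_by_user(ad_groups: dict) -> dict:
    """Invert {group: members} into {member: groups}."""
    by_user = {}
    for group, members in ad_groups.items():
        for user in members:
            by_user.setdefault(user, set()).add(group)
    return by_user


def stale_grants(tm1: dict, ad_groups: dict, sensitive: set) -> dict:
    """Sensitive groups TM1 still grants although AD has removed the user from them."""
    ad = ad_groups_by_user(ad_groups)
    stale = {}
    for user, groups in tm1.items():
        extra = (groups - ad.get(user, set())) & sensitive
        if extra:
            stale[user] = extra
    return stale


def pending_grants(tm1: dict, ad_groups: dict, sensitive: set) -> dict:
    """Sensitive groups AD grants that TM1 will not reflect until the user logs in again."""
    pending = {}
    for user, groups in ad_groups_by_user(ad_groups).items():
        missing = (groups - tm1.get(user, set())) & sensitive
        if missing:
            pending[user] = missing
    return pending


if __name__ == "__main__":
    tm1 = load_tm1_client_groups(TM1_CLIENT_GROUPS_CSV)
    for user, groups in sorted(stale_grants(tm1, AD_GROUPS, SENSITIVE_GROUPS).items()):
        # TM1 only re-reads groups at authentication, so the remedy is to end that
        # user's session (or wait for the next login), not to change AD again.
        print(f"STALE   {user}: TM1 still grants {sorted(groups)}")
    for user, groups in sorted(pending_grants(tm1, AD_GROUPS, SENSITIVE_GROUPS).items()):
        print(f"PENDING {user}: AD grants {sorted(groups)}, not yet in TM1")
```

Run it on real exports by replacing the two constructed inputs; the STALE list is the one to act on, since those users keep write access for as long as their current session lives.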




  • 12.  RE: Connect to Active Directory

    Posted Tue March 10, 2020 04:46 PM
    Hi Ryan

    Thanks for covering that additional issue with CAM

    Just to clarify on the double login issue, this occurs when we use the TM1 Web URL API. There is a hidden login with every call which incurs a delay of 7-20 seconds each time. This delay did not occur in 10.1. As we went straight from 10.1 to PA, I cannot say if it existed in 10.2, but I suspect that it was introduced with the change from Dot Net to the Java based version of TM1 Web.

    There are only two workarounds for this.

    The first is to include the Adminhost, Server Name and User Name with every call. However, as we typically use the Excel HYPERLINK function to make the calls and this is limited to 255 characters, by the time that you have included all that as well as the URL path, there is no room left for parameters, to specify e.g. the cube view that you want to display. 

    The second is to write something in JavaScript using DoJo in an iFrame, which we have never had the time to do. In any event it is our understanding that support for iFrames is being phased out.

    As we only use CAM I cannot say whether this is a CAM issue rather than a general TM1 Web issue.

    Regards

    Paul Simon

    ------------------------------
    Paul Simon
    ------------------------------