Hi Everyone,
Does anyone know how to import users/groups using API? Because we make a TI to insert users/groups in PA. We should wait user first-login to sync to PAW. But we should set up the authority to plan/application and can not waiting user first-login. We need a PAW API to  import  users/groups. Anyone have solution?

------------------------------
Andy Hsu
------------------------------

#PlanningAnalyticswithWatson

As yet the Workspace API is for UI components only:

https://ibm.github.io/planninganalyticsapi/

There have been requests to gain access to the security model via an API and it has been tagged for future consideration (not on the current roadmap)

https://ibm-data-and-ai.ideas.ibm.com/ideas/PAOC-I-947

------------------------------
Edward Stuart
------------------------------

Original Message:
Sent: Sat October 08, 2022 01:42 AM
From: Andy Hsu
Subject: Import Users/Groups PAW API

Hi Everyone,
Does anyone know how to import users/groups using API? Because we make a TI to insert users/groups in PA. We should wait user first-login to sync to PAW. But we should set up the authority to plan/application and can not waiting user first-login. We need a PAW API to  import  users/groups. Anyone have solution?

------------------------------
Andy Hsu
------------------------------

#PlanningAnalyticswithWatson

In the past I've built a python bot using Selenium that would crawl into workspace, go to the users page and import a new csv file with the new users and groups, but that was with the old layout, it was kinda buggy but it would work most of the times. I haven't touched the html code from the new layout so I don't know how easy it is to set up again. ​

------------------------------
Luiz G Ribeiro
------------------------------

Original Message:
Sent: Sat October 08, 2022 01:42 AM
From: Andy Hsu
Subject: Import Users/Groups PAW API

Hi Everyone,
Does anyone know how to import users/groups using API? Because we make a TI to insert users/groups in PA. We should wait user first-login to sync to PAW. But we should set up the authority to plan/application and can not waiting user first-login. We need a PAW API to  import  users/groups. Anyone have solution?

------------------------------
Andy Hsu
------------------------------
#PlanningAnalyticswithWatson

I have created TI to build the CSV in the PAW format for User/Admins in 1 file and the respective Groups in 2nd file. 

So that works great but I have the same questions as the OP as I havent provided the Business Admin rights in PAW and would love an automated solution to import the Users/Groups using a file drop in a shared folder so the Business can continue to run the Action Button to generate the listings and dont have to logon to PAW as wel....

Shahhere
Original Message:
Sent: Sat October 08, 2022 01:42 AM
From: Andy Hsu
Subject: Import Users/Groups PAW API

Hi Everyone,
Does anyone know how to import users/groups using API? Because we make a TI to insert users/groups in PA. We should wait user first-login to sync to PAW. But we should set up the authority to plan/application and can not waiting user first-login. We need a PAW API to  import  users/groups. Anyone have solution?

------------------------------
Andy Hsu
------------------------------

#PlanningAnalyticswithWatson

me also searching for it.

------------------------------
Rafiq sons
------------------------------

Original Message:
Sent: Sat October 08, 2022 01:42 AM
From: Andy Hsu
Subject: Import Users/Groups PAW API

Hi Everyone,
Does anyone know how to import users/groups using API? Because we make a TI to insert users/groups in PA. We should wait user first-login to sync to PAW. But we should set up the authority to plan/application and can not waiting user first-login. We need a PAW API to  import  users/groups. Anyone have solution?

------------------------------
Andy Hsu
------------------------------

#PlanningAnalyticswithWatson

Hi Andy,
You can follow the instructions here : Upload users in bulk using a CSV file to invite them to Planning Analytics Workspace Local

Ibm		remove preview
Upload users in bulk using a CSV file to invite them to Planning Analytics Workspace Local To add multiple users to IBM Planning Analytics Workspace Local, you upload a list of users and then can you activate, deactivate, or delete them. View this on Ibm >

------------------------------
Charbel Abou-Khalil
------------------------------

Original Message:
Sent: Sat October 08, 2022 01:42 AM
From: Andy Hsu
Subject: Import Users/Groups PAW API

Hi Everyone,
Does anyone know how to import users/groups using API? Because we make a TI to insert users/groups in PA. We should wait user first-login to sync to PAW. But we should set up the authority to plan/application and can not waiting user first-login. We need a PAW API to  import  users/groups. Anyone have solution?

------------------------------
Andy Hsu
------------------------------

#PlanningAnalyticswithWatson

Hi Charbel,
To echo some of the other sentiments on this post, we are running into a similar problem where on the IBM Cloud, the subscription management is somewhat disjointed from managing user access to environments and databases.  We have several environments which we plan on provisioning to specific users based on divisional roles, however we are unable to automate any of this functionality as we cannot assign environment/tenant access until the user has accepted the invitation.

What we have found is that within the cloud, prior to a user accepting the invitation you can upload a file and process it with a TI to add users to a database by generating a CAMID with the following form  --> CAMID("pans:u:<email address>") using the ADDCLIENT function, and subsequently adding them to any local TM1 Database groups.

We can automate that portion with a number of scripts and calls to AD groups to enable/configure the appropriate access to TM1 models, however what we cannot do is to provision the users into environments/subscriptions as we have no API or other reachable endpoint, requiring us to have a significant amount of effort to manage our users within our databases, where on prem we are doing this through AD Groups associated directly with CAM.

Happy to discuss in more detail to see if you have any other thoughts on how we can make this happen.

------------------------------
Roman Harasymiak
------------------------------

Original Message:
Sent: Mon October 10, 2022 01:08 PM
From: Charbel Abou-Khalil
Subject: Import Users/Groups PAW API

Hi Andy,
You can follow the instructions here : Upload users in bulk using a CSV file to invite them to Planning Analytics Workspace Local

Ibm		remove preview
Upload users in bulk using a CSV file to invite them to Planning Analytics Workspace Local To add multiple users to IBM Planning Analytics Workspace Local, you upload a list of users and then can you activate, deactivate, or delete them. View this on Ibm >

To upload your users.

Essentially any browser request is an API request , so in theory an http/rest client such as curl, postman, or your own custom built, can be used to submit the exact same request. The only thing you will require is authentication. Which is also another http form submit.

See here for more details on authentication : https://ibm.github.io/planninganalyticsapi/#logging-in

Hope this helps.

Charbel

------------------------------
Charbel Abou-Khalil

Original Message:
Sent: Sat October 08, 2022 01:42 AM
From: Andy Hsu
Subject: Import Users/Groups PAW API

Hi Everyone,
Does anyone know how to import users/groups using API? Because we make a TI to insert users/groups in PA. We should wait user first-login to sync to PAW. But we should set up the authority to plan/application and can not waiting user first-login. We need a PAW API to  import  users/groups. Anyone have solution?

------------------------------
Andy Hsu
------------------------------

#PlanningAnalyticswithWatson

1. We have multiple (3-4) IBM PA Local instances hosted in AWS.
2. I have another standalone "Login" instance where all the users from those other 3-4 instances are added and a chore on the Login instance that runs every minute to look for a CSV file in a folder to keep compiling new files.
3. The Login instance is used as the authentication instance for PAW. 
4. I have a PAW front end for the Business Admins to add new userIDs which also creates a CSV noted above to add the users to the Login IBM PA instance.
5. That same front end creates a CSV file in the PAW Administration format so that each time a new user is added it creates a User and a Group CSV that can be loaded into PAW Administration.

As noted in my earlier post I have all this working seamlessly and copying the 2 files User/Group to PAW shouldn't be too hard but is another step that is missing the automation and so someone has to manually do that step hence the need for an API type automation request.

If anyone has any questions about the 5 items I posted above feel free to reach out.

Shahhere
Original Message:
Sent: Thu October 13, 2022 05:19 PM
From: Roman Harasymiak
Subject: Import Users/Groups PAW API

Hi Charbel,
To echo some of the other sentiments on this post, we are running into a similar problem where on the IBM Cloud, the subscription management is somewhat disjointed from managing user access to environments and databases.  We have several environments which we plan on provisioning to specific users based on divisional roles, however we are unable to automate any of this functionality as we cannot assign environment/tenant access until the user has accepted the invitation.

What we have found is that within the cloud, prior to a user accepting the invitation you can upload a file and process it with a TI to add users to a database by generating a CAMID with the following form  --> CAMID("pans:u:<email address>") using the ADDCLIENT function, and subsequently adding them to any local TM1 Database groups.

We can automate that portion with a number of scripts and calls to AD groups to enable/configure the appropriate access to TM1 models, however what we cannot do is to provision the users into environments/subscriptions as we have no API or other reachable endpoint, requiring us to have a significant amount of effort to manage our users within our databases, where on prem we are doing this through AD Groups associated directly with CAM.

Happy to discuss in more detail to see if you have any other thoughts on how we can make this happen.

------------------------------
Roman Harasymiak

Original Message:
Sent: Mon October 10, 2022 01:08 PM
From: Charbel Abou-Khalil
Subject: Import Users/Groups PAW API

Hi Andy,
You can follow the instructions here : Upload users in bulk using a CSV file to invite them to Planning Analytics Workspace Local

Ibm		remove preview
Upload users in bulk using a CSV file to invite them to Planning Analytics Workspace Local To add multiple users to IBM Planning Analytics Workspace Local, you upload a list of users and then can you activate, deactivate, or delete them. View this on Ibm >

To upload your users.

Essentially any browser request is an API request , so in theory an http/rest client such as curl, postman, or your own custom built, can be used to submit the exact same request. The only thing you will require is authentication. Which is also another http form submit.

See here for more details on authentication : https://ibm.github.io/planninganalyticsapi/#logging-in

Hope this helps.

Charbel

------------------------------
Charbel Abou-Khalil

Original Message:
Sent: Sat October 08, 2022 01:42 AM
From: Andy Hsu
Subject: Import Users/Groups PAW API

Hi Everyone,
Does anyone know how to import users/groups using API? Because we make a TI to insert users/groups in PA. We should wait user first-login to sync to PAW. But we should set up the authority to plan/application and can not waiting user first-login. We need a PAW API to  import  users/groups. Anyone have solution?

------------------------------
Andy Hsu
------------------------------

#PlanningAnalyticswithWatson

That's a great approach @Shahhere, well done!

I also wanted to share my approach to manage TM1 users and groups​​ (and all TM1 object security as well)
I have a Google Sheets document containing 1 tab with users & groups for each TM1 environment.
That document is shared with some business users who can add\edit\delete users.
A little bit of formatting and you get a nice table with group dropdowns:


Using Google Sheets security (overall document access + and protected ranges) I can control permissions for business users.
Using Google Sheets file version, I can easily track all the changes.
When some changes are made, business users add a comment to sync security and I receive a notification from Google Sheets.
Once I sync the security I mark the comment as resolved and the user automatically gets a automated.
The process can create new user accounts and even security groups.
For some "power users" I can give permissions to run this "security synchronisation" from Google Sheets.
Nothing needs to be installed on TM1 servers or added to your TM1 models.
Access and manage all from your browser / Google Sheets

More details:
https://www.linkedin.com/feed/update/urn:li:activity:6975577306840875008
https://succeedium.com/teamone/doc/users

Using TeamOne you can document and manage TM1 object security as well:

• cube security
• dimension/hierarchy
• application security
• process security

https://succeedium.com/teamone/doc/functions.html#element-security

Using TeamOne Impersonate user feature, you can easily troubleshoot user access:
https://www.youtube.com/watch?v=bxk_ppmhGAc

NOW:
It is possible to export users from Google Sheets as a CSV file so it can be uploaded to PAW

SOON:
There is a new feature coming to TeamOne - background task automation with ability to create tasks which will be run "when you are not present" in Google Sheets. This feature will open up so many great opportunities for automation.

FUTURE:
Once the PAW security API is released, TeamOne will be able to sync users and groups in both TM1 and PAW

------------------------------
Vlad Didenko
Founder at Succeedium
TeamOne Google Sheets add-on for IBM Planning Analytics / TM1
https://succeedium.com/teamone/
------------------------------

Original Message:
Sent: Fri October 14, 2022 08:54 AM
From: Shahhere
Subject: Import Users/Groups PAW API

1. We have multiple (3-4) IBM PA Local instances hosted in AWS.
2. I have another standalone "Login" instance where all the users from those other 3-4 instances are added and a chore on the Login instance that runs every minute to look for a CSV file in a folder to keep compiling new files.
3. The Login instance is used as the authentication instance for PAW. 
4. I have a PAW front end for the Business Admins to add new userIDs which also creates a CSV noted above to add the users to the Login IBM PA instance.
5. That same front end creates a CSV file in the PAW Administration format so that each time a new user is added it creates a User and a Group CSV that can be loaded into PAW Administration.

As noted in my earlier post I have all this working seamlessly and copying the 2 files User/Group to PAW shouldn't be too hard but is another step that is missing the automation and so someone has to manually do that step hence the need for an API type automation request.

If anyone has any questions about the 5 items I posted above feel free to reach out.

Shahhere
Original Message:
Sent: Thu October 13, 2022 05:19 PM
From: Roman Harasymiak
Subject: Import Users/Groups PAW API

Hi Charbel,
To echo some of the other sentiments on this post, we are running into a similar problem where on the IBM Cloud, the subscription management is somewhat disjointed from managing user access to environments and databases.  We have several environments which we plan on provisioning to specific users based on divisional roles, however we are unable to automate any of this functionality as we cannot assign environment/tenant access until the user has accepted the invitation.

What we have found is that within the cloud, prior to a user accepting the invitation you can upload a file and process it with a TI to add users to a database by generating a CAMID with the following form  --> CAMID("pans:u:<email address>") using the ADDCLIENT function, and subsequently adding them to any local TM1 Database groups.

We can automate that portion with a number of scripts and calls to AD groups to enable/configure the appropriate access to TM1 models, however what we cannot do is to provision the users into environments/subscriptions as we have no API or other reachable endpoint, requiring us to have a significant amount of effort to manage our users within our databases, where on prem we are doing this through AD Groups associated directly with CAM.

Happy to discuss in more detail to see if you have any other thoughts on how we can make this happen.

------------------------------
Roman Harasymiak

Original Message:
Sent: Mon October 10, 2022 01:08 PM
From: Charbel Abou-Khalil
Subject: Import Users/Groups PAW API

Hi Andy,
You can follow the instructions here : Upload users in bulk using a CSV file to invite them to Planning Analytics Workspace Local

Ibm		remove preview
Upload users in bulk using a CSV file to invite them to Planning Analytics Workspace Local To add multiple users to IBM Planning Analytics Workspace Local, you upload a list of users and then can you activate, deactivate, or delete them. View this on Ibm >

To upload your users.

Essentially any browser request is an API request , so in theory an http/rest client such as curl, postman, or your own custom built, can be used to submit the exact same request. The only thing you will require is authentication. Which is also another http form submit.

See here for more details on authentication : https://ibm.github.io/planninganalyticsapi/#logging-in

Hope this helps.

Charbel

------------------------------
Charbel Abou-Khalil

Original Message:
Sent: Sat October 08, 2022 01:42 AM
From: Andy Hsu
Subject: Import Users/Groups PAW API

Hi Everyone,
Does anyone know how to import users/groups using API? Because we make a TI to insert users/groups in PA. We should wait user first-login to sync to PAW. But we should set up the authority to plan/application and can not waiting user first-login. We need a PAW API to  import  users/groups. Anyone have solution?

------------------------------
Andy Hsu
------------------------------
#PlanningAnalyticswithWatson

Hi Roman,
The case described appears to be a cloud v local as per the OP. Cloud introduces Subscription & Subscriber management for billing , licenses and compliance purposes.

As long as your users have been through the invitation process the rest of user management is unchanged. Your main primary Csv allows you to manage all your users envs access from your primary env.

Users that no longer require access to the system, their subscriptions will need to be revoked. The subscription removal will clean up the users in primary and all other envs where they have access.

The request to perform the remove is an API rest call. The only challenge you will have is getting a valid session. If you are able to follow the login handshake there is no reason why you can not replicate the same using api. Worst case scenario , you can manually login and fire off your api calls. I would start there.

Note that currently and even though a revoked user is not cleaned from tm1 server, that user will no longer have access to the system as soon as they are revoked from the subscription. 

Hope this helps.

Charbel

------------------------------
Charbel Abou-Khalil
------------------------------

Original Message:
Sent: Thu October 13, 2022 05:19 PM
From: Roman Harasymiak
Subject: Import Users/Groups PAW API

Hi Charbel,
To echo some of the other sentiments on this post, we are running into a similar problem where on the IBM Cloud, the subscription management is somewhat disjointed from managing user access to environments and databases.  We have several environments which we plan on provisioning to specific users based on divisional roles, however we are unable to automate any of this functionality as we cannot assign environment/tenant access until the user has accepted the invitation.

What we have found is that within the cloud, prior to a user accepting the invitation you can upload a file and process it with a TI to add users to a database by generating a CAMID with the following form  --> CAMID("pans:u:<email address>") using the ADDCLIENT function, and subsequently adding them to any local TM1 Database groups.

We can automate that portion with a number of scripts and calls to AD groups to enable/configure the appropriate access to TM1 models, however what we cannot do is to provision the users into environments/subscriptions as we have no API or other reachable endpoint, requiring us to have a significant amount of effort to manage our users within our databases, where on prem we are doing this through AD Groups associated directly with CAM.

Happy to discuss in more detail to see if you have any other thoughts on how we can make this happen.

------------------------------
Roman Harasymiak

Original Message:
Sent: Mon October 10, 2022 01:08 PM
From: Charbel Abou-Khalil
Subject: Import Users/Groups PAW API

Hi Andy,
You can follow the instructions here : Upload users in bulk using a CSV file to invite them to Planning Analytics Workspace Local

Ibm		remove preview
Upload users in bulk using a CSV file to invite them to Planning Analytics Workspace Local To add multiple users to IBM Planning Analytics Workspace Local, you upload a list of users and then can you activate, deactivate, or delete them. View this on Ibm >

To upload your users.

Essentially any browser request is an API request , so in theory an http/rest client such as curl, postman, or your own custom built, can be used to submit the exact same request. The only thing you will require is authentication. Which is also another http form submit.

See here for more details on authentication : https://ibm.github.io/planninganalyticsapi/#logging-in

Hope this helps.

Charbel

------------------------------
Charbel Abou-Khalil

Original Message:
Sent: Sat October 08, 2022 01:42 AM
From: Andy Hsu
Subject: Import Users/Groups PAW API

Hi Everyone,
Does anyone know how to import users/groups using API? Because we make a TI to insert users/groups in PA. We should wait user first-login to sync to PAW. But we should set up the authority to plan/application and can not waiting user first-login. We need a PAW API to  import  users/groups. Anyone have solution?

------------------------------
Andy Hsu
------------------------------

#PlanningAnalyticswithWatson