Planning Analytics

Planning Analytics

Get AI-infused integrated business planning

 View Only

  • 1.  Login now required for Drive Explorer in PAoC

    Posted Wed May 21, 2025 07:01 AM

    Hi,

    So with the overnight (20/05/25) upgrade to PAoC  a further log in step is required to access the Drive Explorer.

    Control user access to shared folders in Drive explorer

    I'm not really clear what the justification for this is? It is already tied down to only full admins of PAoC plus they need to given the capability.  As it stands now a log-in is required every time the drive explorer is opened, even in the same session, it does seem to be impractical.

    The document also mentions an ACL but doesn't really explain what this is or how to use it?

    It would be beneficial if there was some kind of advance notification of a change like this so that we can notify customers in advance and avoid support tickets being raised.  (Apologies if I have missed this)

    We do have a support ticket open with IBM where the ftp credentials supplied in the welcome pack are not working, so suggest all check their ftp credentials are working.

    How would enhancement request to turn off this functionality be regarded.

    Steve Rowe - InfoCat



    ------------------------------
    Steven Rowe
    ------------------------------


  • 2.  RE: Login now required for Drive Explorer in PAoC

    Posted Wed May 21, 2025 12:07 PM

    Hi Steve

    I agree with you, I've found this to be really annoying today.  The only users in our environment who can use the drive explorer are TM1 Admins.  It seems to be a degradation of functionality rather than an enhancement. 

    I also found it really annoying to have to log on to every tab you add.  I have 3-4 tabs of Drive explorer saved in each of my workbench books, so that I can easily navigate between file loading areas and log files.  

    This makes the Drive Explorer particularly unappealing to use and I doubt that I will use it again unless there is a way to turn this off. 

    Kind regards

    Helen



    ------------------------------
    Helen Ward
    ------------------------------

    Original Message


  • 3.  RE: Login now required for Drive Explorer in PAoC

    Posted Thu May 22, 2025 02:05 PM
    Same here.
     
    We were also more than surprised by this change yesterday. It's not the end of the world, but let's face it:
     
    Drive Explorer isn't the most convenient tool in the world as it is and this change certainly doesn't make it any better for the user.
     
    What's more, yesterday after the changeover, it was no longer possible for us to log in to Drive Explorer. It took several rounds of support to solve the problem. Apparently something had to be changed in our accounts because of the use of the ACL. This was annoying because we urgently needed FTP access at the time.
     
    It would really be better if we were better informed about such changes in advance in the future.
     
    Ralf 


    ------------------------------
    Ralf Schulze
    ------------------------------

    Original Message


  • 4.  RE: Login now required for Drive Explorer in PAoC

    Posted Thu May 22, 2025 02:50 AM
    Edited by Bernd Siebert Thu May 22, 2025 02:59 AM
    Q:
    "The document also mentions an ACL but doesn't really explain what this is or how to use it?"
     
     
    A:
    For more information on Access Control Lists (ACL) or Allow Lists see
     
     
    https://www.ibm.com/docs/en/planning-analytics/2.0.0?topic=cloud-controlling-access-services-shared-folders
    Controlling access to services and shared folders
     
    Controlling user access to shared folders
    Shared folders do not apply allow lists, but you can request that certain user permissions be applied to specific sub-folders in your shared folder.
     
    1. Open a service request and assign it to IBM Support.
    2. Create a text file and give it the name shared_folder_acls.txt.
    3. Create a table with up to five columns, which are separated by tabs. Each row represents a separate Access Control List (ACL).
     
    Here is an example:
     
    Path                 User                                  Permissions    Inherited    Type
    /                         fs_rp2team4_admin    rwd                    true              allow
    /prod/data/    fs_rp2team4_user1     r                          true              allow
     
    The first entry grants rwd (read, write, and delete) permissions for the /prod/data/ folder.
    The second entry grants r (read) permission for the root shared folder and the true inherit property indicates that sub-folders inherit the r permission. As a result, the user has r permission for the root shared folder and all sub-folders, including /prod/data/, because r permission on the root directory takes precedence.
     
    The column entries in the table represent the following properties:
    - The first column entry is the Path and uses forward slashes (/). A single forward slash (/) indicates the root of the shared folder.
    - The second column entry is the User name. It must start with "fs_", followed by the environment name, followed by a final part that you can define. The entry is limited to 20 characters.
      Tip: You should create a user with full permissions, such as "fs_rp2team4_admin" in the example.
    - The third column entry is the Permissions - r (read), w (write) and delete (d). If no permission is specified, then rwd is assumed.
    - The fourth column entry indicates whether the ACL should be Inherited (that is, child folders will inherit this ACL). The default is true. The options are "true" and "false".
    - The fifth column entry indicates the Type of permission, "allow" or "deny". The default is "allow".
     
    4. Attach the file shared_folder_acls.txt to the service request.
    5. Submit the service request.
     
    Note: Your IBM Planning Analytics environment will go offline while your requested changes are applied.



    ------------------------------
    Bernd Siebert
    ------------------------------

    Original Message


  • 5.  RE: Login now required for Drive Explorer in PAoC

    Posted Fri May 30, 2025 09:14 AM

    Hi Bernd,
    Is your explanation correct? It seems you have the first and second entry reversed in the explanation.
    Also does the _user1 part of the User need to match an IBM ID or a Group Name in PA?
    Also does the User need to have a password associated with it? How does that bit work?

    Thanks for trying to help.

    --------------------------------
    Shaun
    -------------------------------

    Here is an example:
     
    Path                 User                                  Permissions    Inherited    Type
    /                         fs_rp2team4_admin            rwd                    true          allow
    /prod/data/         fs_rp2team4_user1            r                         true           allow
     
    The first entry grants rwd (read, write, and delete) permissions for the /prod/data/ folder.
    The second entry grants r (read) permission for the root shared folder and the true inherit property indicates that sub-folders inherit the r permission. As a result, the user has r permission for the root shared folder and all sub-folders, including /prod/data/, because r permission on the root directory takes precedence.


    ------------------------------
    Shaun Richardson
    ------------------------------

    Original Message


  • 6.  RE: Login now required for Drive Explorer in PAoC

    Posted Thu May 22, 2025 02:59 AM
    Q:
    "I'm not really clear what the justification for this is?"

    A:
    This question was asked in the Planning Analytics Ask Me Anything (AMA) May 2025 webinar which took place Wednesday 2025-05-21 11:00 AM EDT. This webinar has been recorded.
     
     
    Minutes 37:08 - 38:43
     
    Q:
    So the next question came from Walter.
    Is the change to the Drive Explorer permanent with it needing file share credentials for the environment you were logged into, not just the remote environment. 
    It wasn't that way yesterday before the PAW 2.0.104 upgrade. 
     
    A:
    So we did deploy 104 yesterday last night, so you would have seen it this morning, and one of the changes in the Drive Explorer if you're on cloud customer is Allow lists. 
    That was something many of our clients when the Drive Explorer appeared. They really wanted that capability. 
    When we included the Allow list, that immediately creates a situation where everyone has to provide credentials.
    So if you have any Allow list capability, everybody needs to provide theirs. 
    So there is no intention right now to go back in time because we're solving a problem many of our clients were very concerned about. 
    So there's no plan to go back, leaving the Drive Explorer wide open that once you get in, you can see everything seemed a little too pervasive if you will. 
    So that was really the approach. 
    If you have feedback on the changes in the Drive Explorer, please let us know either through the community and email. 
    I think I think everyone has heard this before.
    Please let us know, but that is the approach. 
    I will say it would have been nice if we've been able to get this information everybody a couple of days earlier just so aware of things coming.
    Due to various and assorted reasons we did not publish it a few days ahead normally when we We call it the EN, the early notification. 
    We also provide the upcoming changes in the product. 
    Unfortunately, that did not happen with that release, so it's one of the things that we're adjusting to some changes in process here at IBM. 
    I'll apologize for that, something we'll try to improve. 
    So hopefully, Walter, I provided the information on why that happened and what happened.


    ------------------------------
    Bernd Siebert
    ------------------------------

    Original Message


  • 7.  RE: Login now required for Drive Explorer in PAoC

    Posted Thu May 22, 2025 09:44 AM

    The change makes sense as it closes a major security hole in drive explorer. The initial implementation assumes that all modelers have full access to the local S drive and only get challenged when accessing a remote directory.

    In many cases this is true, but not all. It is especially important for customers that have multiple File Share accounts and ACLs for those FS accounts. In some cases, not every modeler has all encompassing access to the file store and may only have a very specific are that they can access. 

    That said, the logins on the local and remote are definitely annoying for those that do a lot of work in Drive Explorer. In the Rich Tier days, you could map the drives and not have to worry about the credentials for quite a while, so this is certainly a nuisance in comparison. 

    I opened an RFE to investigate if the IBM ID can somehow be tied to one or more fileshare accounts or somehow incorporated into the ACLs and thus alleviating the need to be challenged for credentials in Drive Explorer.  

    https://ibm-data-and-ai.ideas.ibm.com/ideas/PAOC-I-1757



    ------------------------------
    Matthew Berson
    ------------------------------

    Original Message


  • 8.  RE: Login now required for Drive Explorer in PAoC

    Posted Thu May 22, 2025 10:01 AM

    I think that this has been implemented the wrong way round. 

    It should have been designed so that those who want to apply extra security could have the option, rather than apply these restrictions to everyone.  



    ------------------------------
    Helen Ward
    ------------------------------

    Original Message


  • 9.  RE: Login now required for Drive Explorer in PAoC

    Posted Thu May 22, 2025 10:09 AM

    I've asked the same thing several times with the IBM team on implementing access via IBMID vs FS accounts 

    Waiting for this to be added to the roadmap as well. 



    ------------------------------
    Roman Harasymiak
    ------------------------------

    Original Message


Related Content