Tag Archives: security

Birst security filtering

birst

Quite a while since the last blog post but here we go again! As I’ve been involved with Birst lately it’s time to blog some under-the-hood stuff about Birst respectively.

I want to share the experience that is mentioned there and there around the Birst community articles. It’s about securing dimension attributes and how they affect the related fact measures depending on how the data sources are configured.

In my example I have the following fact, dimension and “access stable” data sets:

birst_fact

birst_dimension

birst_accesstable

I want to secure the fact data depending on which business unit (BU) the user belongs to. As we can see the test user should be able to see only the HR fact data.

By using the basic security filtering feature via birst it can be accomplished:

birst_security_ds

birst_sales_nodimension_full

Then when using Visualizer under the test users’ account we can see that the filtering works OK. Or does it?

Depends on what you consider as the correct output. By default, Birst is applying the security filter ONLY when the corresponding dimension is used in the visualization:

birst_sales_by_bu

As we can see if we only choose the sales measure and no dimension attributes it shows the total amount of sales and doesn’t apply the security filter behind the dimension attribute (as it’s not being explicitly used).

At some times we may want to filter the underlying fact measure data “automatically” without explicitly adding the dimension attribute to the visualization. IMO I find this problematic as then you violate the “one set of numbers”-rule as every user could see different total amount depending on how their data is filtered via security filters.

Anyhow, if this is acknowledged and there’s no problem with the output the way to do it in Birst is to check the filtered attribute field as a Measure (not so “logical” I think but it works :)). Then we’ll end up having filtered total amount without using the dimension attribute:

birst_sales_nodimension

Advertisements

TM1: Application Maintenance utility and CAM security. The INVALID_IDENTITY challenge.

In the newest TM1 versions it’s possible to refresh the TM1 Applications user permissions and do some other maintenance work via command line. The bad thing is that is still has some issues when working with CAM security (which happens to be the case almost in 100% of the production environments). One may encounter some INVALID_IDENTITY – related error messages like this:

com.ibm.cognos.fpmsvc.exception.FPMSVCException: INVALID_IDENTITY
exitCode=700

IBM’s official answer says that one must use SDK and develop some custom code to get a grip on a cookie value that is set by the IBM Cognos BI portal. Luckily fellow TM1 gurus found also an alternative way of fetching the cookie “cam_passport” value but unfortunately the value could keep changing multiple times a day. Now if you have automated the maintenance utility it may keep going for a while but when the cookie value expires the utility stops working. And that’s bad.

So we need a way to automatically fetch the “cam_passport” cookie value when executing the application maintenance utility (app_maintenance.bat). Once again PowerShell comes to rescue! Here’s what you should do inside a PowerShell script:


$url = "https:///ibmcognos/cgi-bin/cognosisapi.dll?b_action=xts.run&m=portal/cc.xts&gohome="
$cookiejar = New-Object System.Net.CookieContainer
$webrequest = [System.Net.HTTPWebRequest]::Create($url);
$webrequest.CookieContainer = $cookiejar
$credut = New-Object System.Net.NetworkCredential;
$credut.UserName = "username";
$credut.Password = "password";
$credut.Domain = "domain.com"
$webrequest.Credentials = $credut
$response = $webrequest.GetResponse()
$cookies = $cookiejar.GetCookies($url)

$cookies["cam_passport"].Value | Out-File "d:\temp\cam_passport.txt"

Basically what it does is make a http request to the IBM Cognos portal using the credentials provided (these must be the credentials of a TM1 admin user that has priviledges to run the app_maintenance.bat). On the last line it writes the “cam_passport” cookie value into a temporary file.

Save the script into a file for eg. “Update_CAM_passport.ps1” and run it via cmd command line by:

powershell.exe -Noninteractive -Noprofile -Command 
"D:\TM1\scripts\Update_CAM_passport.ps1"

Now, to make sure that the cam_passport is valid through all times you can schedule the command above to Windows Scheduler and put it running say every 30 minutes.

The final step is to call the app_maintenance.bat by giving it the recently fetched cam_passport value as parameter and we can achieve it as follows (a batch file contents):

@Echo on 
timeout 2
set /p p_cam_password=<d:\temp\cam_passport.txt
"D:\Program Files\ibm\cognos\tm1_64\webapps/pmpsvc/WEB-INF/tools/app_maintenance.bat" 
-op refreshrights  -serviceurl https://tm1hostname.com:9514 
-credentials CAM:%p_cam_password% -app <application_id>

Where the application_id is the unique id of your application.

Se on siinä! As we would say in finnish. That’s about it. Now you can sleep safely knowing that your automated application maintenance utility keeps running even if the cam_passport value changes.