
Rick Stevenson

Security Changes on MDX Subsets in Planning Analytics 2.0.9

IBM TECHNOTE:

IBM will revert the change in behavior that is described in this tech bulletin; the reverted behavior is expected to be released by the end of July.  For more information, please reference IBM’s tech note at Security Changes MDX and Dynamic Subsets Planning Analytics.
 
This Technote was updated on 6/30/2020 with important details regarding the intent to revert the change in behavior described by this Technote. A change was made to security on MDX and dynamic subsets in the Planning Analytics 2.0.9 and 2.0.9.1 releases. This change may prevent some dynamic subsets and MDX-based views from returning expected members to non-admin users.
 
Update (July 17th, 2020):

 

The behavior change described in this Technote has been reverted in the Planning Analytics 2.0.9.2 release.  In the 2.0.9.2 release security will no longer be evaluated when processing an MDX statement.  The results of the MDX statement will only be filtered based on member security.  This is consistent with the behavior in 2.0.8 and lower versions.   Planning Analytics customers are encouraged to update to the 2.0.9.2 release.

A future release of Planning Analytics may include a feature that allows for optional evaluation of security when processing MDX statements.  This planned feature would allow the TM1 database owner to determine if security should be evaluated during MDX processing.  The default behavior from 2.0.8 and 2.0.9.2 will be maintained in any future release of Planning Analytics 2.0.9.
 
Update (June 30th, 2020):
The IBM Planning Analytics team will revert the change described in this Technote in an Interim Fix for Planning Analytics 2.0.9.1.  This Technote will be updated as additional details about the Interim Fix are available.  The current 2.0.9.1 release that is available on IBM Passport Advantage and IBM Fix Central will be updated when the Interim Fix is available. 
 
The version of the 2.0.9.1 release on Passport Advantage and IBM Fix Central with the change in MDX security behavior is 2.0.91.41 (for example, tm1_winx64h_2.0.91.41_ml.tar.gz).  This Technote will be updated to include the version number of the 2.0.9.1 release where the MDX security behavior has been reverted.
 
The change in behavior described in this Technote applies only to the REST (ODATA) API as of the 2.0.9 release.  Planning Analytics Workspace, Planning Analytics for Excel, and Cognos Analytics reports using the Planning Analytics data source connection use the REST API to connect to TM1.
 
As of the 2.0.9.1 release, the change in behavior described in this Technote applies to both the REST API and the C-API.  TM1 Architect, TM1 Perspectives, TM1Web, and TM1 Applications use the C-API to connect to TM1.  These clients are not impacted in the 2.0.9 release (but are impacted in 2.0.9.1).
 
June 15th, 2020

Prior to the Planning Analytics 2.0.9 release, the list of elements returned by subset MDX (dynamic subset) was filtered based on element security.  If element security was present, a non-admin user had to have READ or greater security on an element in order to see that element in the subset.  Security was only applied after the MDX statement was evaluated.

An MDX expression may also reference specific member names. Consider MDX functions such as DESCENDANTS, where a specific member is named as the parameter value.

Planning Analytics 2.0.9 introduces a change where security is evaluated during the evaluation of the MDX statement.  If a user does not have READ or greater access on a member referenced by an MDX function, the MDX function will return an empty set.  The impact to users in some cases may be an empty subset.

This is an intentional change in behavior that addressed a potential security concern.  Consider the case where a non-admin user knows the name of a consolidated member but does not have READ access for that member.  If this user has READ access to one or more children of the consolidation, they could execute MDX that allows them to confirm the consolidated element is the parent of the children.  The parent-child relationship between these members may be considered sensitive information in the TM1 model.

In the case where a dynamic subset is impacted by this change in behavior the following options may be considered:

1 – When possible change the MDX in the dynamic subset so that it does not reference members that users do not have READ access on.

2 – Consider the use of static subsets.  The list of elements in a static subset is still filtered for non-admin users based on element security.
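
The two evaluation orders described above can be modeled to find which dynamic subsets change for a given non-admin user. The following is an added example, not IBM's or TM1's code: the hierarchy, user, subset names and the simplified DESCENDANTS stand-in are all constructed assumptions.

```python
# Constructed sample hierarchy: consolidation -> children (not from the Technote).
CHILDREN = {
    "Total Company": ["Europe", "Americas"],
    "Europe": ["UK", "Germany"],
    "Americas": ["US", "Canada"],
}

def descendants(member):
    """Simplified stand-in for DESCENDANTS(member): the member, then everything below it."""
    out = [member]
    for child in CHILDREN.get(member, []):
        out.extend(descendants(child))
    return out

def filter_after(member, readable):
    """2.0.8 and 2.0.9.2 behavior: evaluate the MDX, then filter by element security."""
    return [m for m in descendants(member) if m in readable]

def check_during(member, readable):
    """2.0.9 / 2.0.9.1 behavior: no READ on the referenced member gives an empty set."""
    if member not in readable:
        return []
    return [m for m in descendants(member) if m in readable]

def audit(subsets, readable):
    """For each dynamic subset (name -> member named in its MDX), compare both behaviors."""
    report = {}
    for name, member in subsets.items():
        old = filter_after(member, readable)
        new = check_during(member, readable)
        report[name] = {
            "filter_after": old,
            "check_during": new,
            "affected": old != new,  # subset content differs between releases
        }
    return report

# Constructed non-admin user: READ on three leaves, no READ on the consolidation "Europe".
USER_READ = {"UK", "Germany", "US"}
# Constructed dynamic subsets, keyed by subset name.
SUBSETS = {"Europe detail": "Europe", "UK only": "UK"}

if __name__ == "__main__":
    for name, row in audit(SUBSETS, USER_READ).items():
        print(name, row)
```

For "Europe detail", filtering after evaluation still returns UK and Germany, which is what lets the user confirm their parent; checking during evaluation returns an empty subset, which is the impact option 1 addresses.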

If you have any additional questions or need assistance, please contact ForQuest Solutions at [email protected]