Here I would like to explain some moments of managing security with IntegratedSecurityMode=5.
When you configure Cognos TM1 to use IntegratedSecurityMode = 5, in Security -> Clients/Groups you can import clients and groups from Cognos BI security.
The only way to add TM1 native security group is to use TI process function: AddGroup(GroupName);
You can add clients to native TM1 security groups, but if you try to add it to Cognos BI group, the changes will be lost during the next synchronization.
The synchronization happens when the user logins to TM1. So if you just manually added a user (Client) and Cognos BI group, you see no check mark in Clients/Groups. But it will appear on the first user’s login. You don’t even need to add the users manually in TM1. Just add the users in Cognos BI and it will import all the users to TM1 and sets the mapping for each Cognos BI group (to keep the things small TM1 will sync all with the imported Cognos BI groups only).
If a user belong to some group in BI, they will be able to login to TM1Web, but will see nothing there if they are not added to TM1 group.
If you rename a group in Cognos BI, TM1 will not pick up that change and you will need to delete the old & import a new group and re-assign the security.
How to add the first user on a freshly installed TM1 server configured with CAM security.
When you install TM1 server you have just admin user there which is a native TM1 user, so you cannot use it with IntegratedSecurityMode=5.
You need to add your first power user from Cognos BI directory and assign it to ADMIN native TM1 security group.
To do this follow the next steps:
1. Set IntegratedSecurityMode=5, ServerCAMURI and ClientCAMURI in Tm1s.cfg and start TM1 server
2. Login with Cognos BI user.
3. Stop TM1 server, change IntegratedSecurityMode=1, start TM1 server
4. Login as admin (the default password is either blank or “apple”)
5. Right-click your server and go to Security > Client/Groups
6. You will see the BI user you tried to login with before. Add that user to ADMIN group
7. Set IntegratedSecurityMode=5 and restart TM1 server
8. Try logging in with BI user again and check it has admin rights.