Monday morning arrives at its usual tedious pace; however, this start to the week is different from all others. You’ve been eagerly waiting for your IBM Planning Analytics Welcome Kit, and opening Outlook has never been more exciting. You found your golden ticket and are ready to start your journey with Planning Analytics, but you can’t help but notice there are quite a few differences to your on-premise version of TM1... so where do you get started?
Well, following on from Tridant’s Dashboard issue on Planning Analytics, here’s a deeper dive into some topics from lessons learned and some tips & tricks from the Tridant team.
Once you have one welcome kit per environment, you’ll have to dig out the other mail from IBM with the password before you can extract the zip files. What you’ll find is three pre-configured RDP files so you can connect to your PA instance. (For Mac users, Microsoft Remote Desktop Version 8.0.34 works best.) The remote desktop connection is now provided over HTTPS (port 443) so that ports do not need to be opened in your corporate firewall.
Your Dev and Prod environments have a couple of key differences to start with. Development uses TM1 native Security (and yes that means you don’t get to access the PA Canvas - at the time of reading this blog) – so get started by using the admin account provided and set up your security the normal TM1 way.
Production defaults to IBM ID; this is where you’ll need the administrator of the IBM Account to set you up as the System administrator. Follow the URL to get started with the Administration.
Enter the user’s details, and make sure you apply the appropriate role.
- By default, the administrator role is assigned to the first user in your organisation's Planning Analytics Workspace account. Administrators can assign roles to users, including the administrator role. Only the subscription administrator can add new users.
- Administrators can see all content in the workspace. At least one user in an organisation must have the administrator role. If the organisation has only one administrator, this user cannot be deleted or assigned to another role.
- Analysts can create, edit, and share books and views. They can create and share content, and edit content that is shared with them. In addition, they have all the rights of a consumer. Analysts can delete books and views if they have the right share permissions.
- Consumers can open books and views and other content that is shared with them.
- Consumers cannot create their own books and views, but they can share content that is shared with them with consumer rights only.
- Consumers cannot edit or delete books or views.
If you want to bulk load users, select that option.
You can always check that you are not breaching your entitlements by “Managing User Accounts”.
If you wish to utilise your own authentication provider, then there’s a bit of work to get through with Cloud Ops and your Network and Security teams. You’ll need to open a PMR to get the ball rolling. This gives you a week to roll your sleeves up in PA while they look after this for you.
The overall On-Boarding steps:
In order to be able to onboard the enterprise federation service associated with IBMid, you must have an IBM employee as a business sponsor that can confirm and own the IBM relationship with the customer/partner.
Additionally, you must have an organisational "identity provider" which its users can be directed to by the IBMid system to authenticate through, and which supports the following baseline technical requirements:
- The organisational Identity Provider must support SAML 2.0, and be able to support signed SAML assertions.
- While Identity Provider initiated flows are allowed and supported, Service Provider initiated flows are highly preferred for the most optimal user experience.
- The SAML "Nameid" returned by the organisation's identity provider must be set to the organisational user's valid email address.
- The following SAML attributes must be provided in the SAML assertion, with these exact attribute names: firstName, lastName, country and emailAddress.
- Any other attributes provided by the organisation in the SAML assertion will be sent through to the end IBMcloud service being used by the user, but will not be persisted in the IBMid system in any way.
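A pre-flight check of a captured test assertion against the baseline requirements listed above, before the PMR is raised. This is an added example, not code from IBM or from the original post; `check_assertion`, `build_sample` and all sample values are hypothetical and constructed, and the signature check is for presence only, not cryptographic validity.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REQUIRED_ATTRS = ("firstName", "lastName", "country", "emailAddress")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def check_assertion(xml_text):
    """Return a list of problems; an empty list means the baseline is met."""
    root = ET.fromstring(xml_text)  # intended for your own IdP's test output
    is_assertion = root.tag == "{%s}Assertion" % NS["saml"]
    assertion = root if is_assertion else root.find(".//saml:Assertion", NS)
    if assertion is None:
        return ["no saml:Assertion element found"]
    problems = []
    # Presence check only: the signature is not verified here.
    if assertion.find("ds:Signature", NS) is None:
        problems.append("assertion is not signed (no ds:Signature child)")
    name_id = assertion.findtext("saml:Subject/saml:NameID", "", NS).strip()
    if not EMAIL_RE.match(name_id):
        problems.append("NameID %r is not an email address" % name_id)
    attrs = {}
    for a in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        attrs[a.get("Name")] = a.findtext("saml:AttributeValue", "", NS).strip()
    for name in REQUIRED_ATTRS:
        if not attrs.get(name):
            close = [n for n in attrs if n and n.lower() == name.lower()]
            hint = " (found %r; names must match exactly)" % close[0] if close else ""
            problems.append("missing attribute %s%s" % (name, hint))
    return problems


def build_sample(name_id, attrs, signed=True):
    """Constructed assertion for testing; <ds:Signature/> is an empty stand-in."""
    rows = "".join(
        '<saml:Attribute Name="%s"><saml:AttributeValue>%s'
        "</saml:AttributeValue></saml:Attribute>" % kv for kv in attrs.items())
    return ('<saml:Assertion xmlns:saml="%s" xmlns:ds="%s">%s<saml:Subject>'
            "<saml:NameID>%s</saml:NameID></saml:Subject><saml:AttributeStatement>"
            "%s</saml:AttributeStatement></saml:Assertion>"
            % (NS["saml"], NS["ds"], "<ds:Signature/>" if signed else "", name_id, rows))


if __name__ == "__main__":
    sample = build_sample("jdoe", {"firstname": "Jane", "lastName": "Doe",
                                   "country": "AU", "emailAddress": "jane.doe@example.com"}, signed=False)
    print("\n".join(check_assertion(sample)) or "baseline met")
```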
Set up your security model leveraging the Cognos BI Administration portal and create custom groups for your integrated TM1 and BI environment. (See the URLs section in your Welcome Kit.) Then in Architect, add in the custom groups you’ve created.
Where’s my data directory? Well, you’ll need to map to the shared folder from your RDP jump box – grab the “Fileshare” credentials from your Welcome kit and map the network drive \\data\s.
So you can now see the root folders for your client installations and your data directory. Great, but how do you rename your TM1 instance? Cloud Ops will have to help you out here so set up a PMR using the link above.
There have been a few changes to the tm1s.cfg file parameters and there are some things that you just can’t change (e.g. port numbers) – clicking here will clear up any questions that you may have.
A good explanation for these clients can be found here.
Oh, and if you’ve just rolled out Office 2016, you’ll want to download Café 10.2.2 FP 6 from here instead of using the Café installations provided on your cloud instance.
Right, so you’re good to go now and there’s nothing quite like having a brand new environment to play with. If you're wanting to migrate your content to PA from an on-premise instance, you’ll probably want to have a think about a transitioning plan before you go bounding ahead. For further info, click here, but in a nutshell, you’ll need to consider:
- Existing Network Infrastructure
Ok, so the plan is in place, how do I move across my content? Well, you can copy and paste small files over RDP from your local machine, but this won’t cut it moving large data directories.
Check out your Welcome Kit for the FTPS details to the shared folder. For Mac users, Cyberduck is pretty good but if you’re not sure which client is best for you then there’s some light reading here.
Remember you need FTPS and port 21.
You’ll need to restart your TM1 instance using the Control Web Portal page to refresh your migrated objects.
Use the credentials for the control account found in your Welcome Guide.
The instance is now up and running and you’ll probably want to jump straight to the PA Canvas, roll up your sleeves and play with your new toys – go on then, jump ahead to Part 2 of this blog, but make sure you come back to this part. You’re going to need to read this to set up the secure gateway for integration with your on-premise data sources.
You’ve already read Page 31 on integration with IBM’s Secure Gateway here. However, if you would like to read an in-depth guide on how to set this up, then please send us an email at firstname.lastname@example.org.
Good-bye Framework Manager
You no longer need Framework Manager to publish a TM1 package. Here are a few quick steps to get you up and running.
1. Set up a new data source (TM1 instance) or edit the existing one.
2. Select Create Package (using Dynamic Query Mode).
3. Select the Cubes and define the Aliases.
4. Done – you’re now ready to write BI Reports from your TM1 Data.
Tip: Check your browser if you have missing buttons or functionality.
A couple of other things to consider:
- Your server’s time is set to Coordinated Universal Time (UTC) - be mindful when defining automation.
- You only get access to a Jump box – monitor your RAM consumption using the Ops Console – Memory Usage Chart
- How do I restrict access to Planning Analytics to a range of IP addresses? Set up a PMR and work with Cloud Ops to implement “whitelisting”.
- How do I hook in my existing Cognos BI Reports? You’ll need to set up the data source connection to TM1 (see the section Good-bye Framework Manager) and either copy the report .xml OR create another PMR so that IBM can drop your deployment package on the server for you to deploy.
For more information on IBM Planning Analytics, please feel free to contact me on the details below.