<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.6000.16527" name=GENERATOR></HEAD>
<BODY>
<DIV dir=ltr align=left><SPAN class=601501422-15082007><FONT face=Verdana
color=#000080 size=2>
<DIV dir=ltr align=left><SPAN class=601501422-15082007><FONT face=Verdana
color=#000080 size=2>First of all, make sure that this really is a security
issue, not information hiding. Often people want to hide things to reduce
information overload, not because of any security concern. If this is the case,
the best solution is to tag dimensions and members as 'hidden', and make the UI
comply with those tags -- don't use access-control at all.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=601501422-15082007><FONT face=Verdana
color=#000080 size=2></FONT></SPAN> </DIV>It's alarming that you can use a
restricted dimension from within a calculated member, but I can see that it is
also powerful in some situations. It is analogous to the access control in
databases such as Oracle, where you can create a view on a table and give a user
access to that view even though they cannot see the table. It is an effective
way of giving fine-grained access control.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=601501422-15082007><FONT face=Verdana
color=#000080 size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=601501422-15082007><FONT face=Verdana
color=#000080 size=2><SPAN class=601501422-15082007><FONT face=Verdana
color=#000080 size=2><SPAN class=601501422-15082007><FONT face=Verdana
color=#000080 size=2>Access-control should apply to calculated members. If it
doesn't, please log a bug. It should be possible to explicitly grant access to
calculated members.</FONT></SPAN>
<DIV dir=ltr align=left><SPAN class=601501422-15082007><FONT face=Verdana
color=#000080 size=2></FONT></SPAN> </DIV></FONT></SPAN>It
should definitely be a bug if you can use a restricted dimension from
within a calc member defined in a query. That's a big security loophole. Can you
log a bug if that is the case?</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=601501422-15082007><FONT face=Verdana
color=#000080 size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=601501422-15082007><FONT face=Verdana
color=#000080 size=2>If you can use a restricted dimension within a calc member
defined as part of the cube (i.e. in the schema file) the security aspects are
much less worrying, because presumably the cube designers know what they are
doing. But sometimes you would want to apply access control (say to only sum the
visible children of a member) and sometimes you would want to ignore it (so you
could see dimensions which are invisible to the end user). So ideally you would
need to be able to specify whether a calc member in a cube is
access-controlled:</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=601501422-15082007><FONT face=Verdana
color=#000080 size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=601501422-15082007><FONT face=Verdana
color=#000080 size=2>&lt;Cube name="Sales"&gt;</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=601501422-15082007><FONT face=Verdana
color=#000080 size=2>&nbsp; ...</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=601501422-15082007><FONT face=Verdana
color=#000080 size=2>&nbsp; &lt;CalculatedMember name="Foo"
accessControlled="false"&gt;</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=601501422-15082007><FONT face=Verdana
color=#000080 size=2>&nbsp;&nbsp;&nbsp;
&lt;Formula&gt;Aggregate([Product].CurrentMember.Children)&lt;/Formula&gt;</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=601501422-15082007><FONT face=Verdana
color=#000080 size=2>&nbsp; &lt;/CalculatedMember&gt;</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=601501422-15082007><FONT face=Verdana
color=#000080 size=2>&nbsp; &lt;CalculatedMember name="Bar"
accessControlled="true"&gt;</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=601501422-15082007><FONT face=Verdana
color=#000080 size=2>&nbsp;&nbsp;&nbsp;
&lt;Formula&gt;Aggregate([Product].CurrentMember.Children)&lt;/Formula&gt;</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=601501422-15082007><FONT face=Verdana
color=#000080 size=2>&nbsp; &lt;/CalculatedMember&gt;</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=601501422-15082007><FONT face=Verdana
color=#000080 size=2>&lt;/Cube&gt;</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=601501422-15082007><FONT face=Verdana
color=#000080 size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=601501422-15082007><FONT face=Verdana
color=#000080 size=2>In the above, "Foo" and "Bar" would give different results
if you are running in a role which has restricted access to the Product
dimension.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=601501422-15082007><FONT face=Verdana
color=#000080 size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=601501422-15082007><FONT face=Verdana
color=#000080 size=2>Given these bugs and missing features, your strategy is the
right one to use today. If we fix the bugs, I will be sure to add the features
to make your use case work; you will have to change your app a bit, but not too
much. I'd appreciate it if you could log a bug for the missing/broken
functionality. Also create test cases to capture the current behavior you are
relying on (even if it is broken!) so we will be aware of the impact of any
future change.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=601501422-15082007><FONT face=Verdana
color=#000080 size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=601501422-15082007><FONT face=Verdana
color=#000080 size=2>Julian</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=601501422-15082007><FONT face=Verdana
color=#000080 size=2></FONT></SPAN> </DIV><FONT face=Verdana color=#000080
size=2></FONT><BR>
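<DIV dir=ltr align=left>An added example, not part of the original message or of Mondrian's own code: a schema-review check that lists calculated members whose formula reads a hierarchy a role is denied through HierarchyGrant access="none" while the member is not access-controlled. The accessControlled attribute is the one proposed in the message above and is not an existing Mondrian attribute; the schema, the role "Analyst", the member "Baz" and the function name are constructed, and a member without the attribute is assumed to bypass the role, as the quoted message describes for current behavior.</DIV>

```python
import re
import xml.etree.ElementTree as ET

# Constructed schema. accessControlled is the attribute proposed in the message
# above, not an existing Mondrian schema attribute.
SCHEMA = """
<Schema name="Demo">
  <Cube name="Sales">
    <CalculatedMember name="Foo" dimension="Measures" accessControlled="false">
      <Formula>Aggregate([Product].CurrentMember.Children)</Formula>
    </CalculatedMember>
    <CalculatedMember name="Bar" dimension="Measures" accessControlled="true">
      <Formula>Aggregate([Product].CurrentMember.Children)</Formula>
    </CalculatedMember>
    <CalculatedMember name="Baz" dimension="Measures" accessControlled="false">
      <Formula>Aggregate([Time].CurrentMember.Children)</Formula>
    </CalculatedMember>
  </Cube>
  <Role name="Analyst">
    <SchemaGrant access="all">
      <CubeGrant cube="Sales" access="all">
        <HierarchyGrant hierarchy="[Product]" access="none"/>
      </CubeGrant>
    </SchemaGrant>
  </Role>
</Schema>
"""

BRACKETED = re.compile(r"\[[^\]]+\]")  # bracketed names used in a formula

def bypassing_members(schema_xml):
    """List (role, cube, member, hierarchy) where a denied hierarchy is read unchecked."""
    root = ET.fromstring(schema_xml)
    members = {}  # cube name -> [(member name, access-controlled?, bracketed names)]
    for cube in root.iter("Cube"):
        for cm in cube.iter("CalculatedMember"):
            refs = set(BRACKETED.findall(cm.findtext("Formula", "")))
            controlled = cm.get("accessControlled") == "true"  # absent: assumed unchecked
            members.setdefault(cube.get("name"), []).append((cm.get("name"), controlled, refs))
    findings = []
    for role in root.iter("Role"):
        for grant in role.iter("CubeGrant"):
            denied = {g.get("hierarchy") for g in grant.iter("HierarchyGrant")
                      if g.get("access") == "none"}
            for name, controlled, refs in members.get(grant.get("cube"), []):
                if not controlled:
                    findings += [(role.get("name"), grant.get("cube"), name, h)
                                 for h in sorted(refs & denied)]
    return findings

print(bypassing_members(SCHEMA))
```

<DIV dir=ltr align=left>Each finding is a calculated member that a cube designer should confirm is meant to expose aggregates over a hierarchy the role cannot browse.</DIV>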
<BLOCKQUOTE
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000080 2px solid; MARGIN-RIGHT: 0px">
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> mondrian-bounces@pentaho.org
[mailto:mondrian-bounces@pentaho.org] <B>On Behalf Of </B>Matt
Campbell<BR><B>Sent:</B> Wednesday, August 15, 2007 1:52 PM<BR><B>To:</B>
Mondrian@pentaho.org<BR><B>Subject:</B> [Mondrian] Re: Role based security and
calculated members<BR></FONT><BR></DIV>
<DIV></DIV><SPAN class=gmail_quote></SPAN>Sorry-- I sent that last email
accidentally before completing it.<BR><BR>We have a need to hide dimensions
which are used only in the definitions of calculated measures. That is,
end users want to be able to use certain measures on reports, but not the
dimensions that are used to define those measures. To do this we were
thinking about using role based security and setting &lt;HierarchyGrant
access='none' ... &gt;. <BR><BR>Currently in Mondrian you can use a
calculated member which is defined with a dimension member, even if your role
doesn't have access to that dimension. That's actually good for us if we
use this approach, but seems like it could be considered a bug. I don't
want to use this approach if the behavior is changed to prevent access in this
case. <BR><BR>BTW-- it doesn't appear you can use a restricted dim in a calc
mem in Analysis Services 2K.<BR><BR></BLOCKQUOTE></BODY></HTML>