<div class=""><img class="" id=":192" tabindex="0" src="https://mail.google.com/mail/u/0/images/cleardot.gif" alt=""></div>I looked at the proposal in MONDRIAN-1281. This is exactly what I am looking for. <br>We
want a way to declare a role with parameters like tenant-id and
employee-id that can be resolved and created dynamically at runtime.
Something like:<br>
<br><pre>
<Role name="SalesPerson">
  <SchemaGrant access="none">
    <CubeGrant cube="LeadsCube" access="none">
      <HierarchyGrant hierarchy="Date" access="all">
      </HierarchyGrant>
      <HierarchyGrant hierarchy="Industry" access="custom">
        <MemberGrant member="[Industry].[{tenant-id}].[{employee-id}]" access="all">
        </MemberGrant>
      </HierarchyGrant>
    </CubeGrant>
  </SchemaGrant>
</Role>

<Role name="Organization">
  <SchemaGrant access="none">
    <CubeGrant cube="LeadsCube" access="none">
      <HierarchyGrant hierarchy="Date" access="all">
      </HierarchyGrant>
      <HierarchyGrant hierarchy="Industry" access="custom">
        <MemberGrant member="[Industry].[{tenant-id}]" access="all">
        </MemberGrant>
      </HierarchyGrant>
    </CubeGrant>
  </SchemaGrant>
</Role>
</pre><div id=":18n">So we can limit users' access to data as well as dimension levels.<br>
<br>It seems that the asXml() method would be perfect for this; it can house all the code we need to resolve the parameters inside the XML blob and create a role out of it on the fly.<br><br>Please tell me if I can be of any further help.<br>
<br><br>Regards,<br>Nizar Mabroukeh<br></div><div class="gmail_extra"><br clear="all"><div><div> </div></div>
<div class="gmail_quote">On Wed, Jan 2, 2013 at 1:13 PM, Julian Hyde <span dir="ltr"><<a href="mailto:jhyde@pentaho.com" target="_blank">jhyde@pentaho.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div style="word-wrap:break-word">Pushing security to the SQL level causes more problems than it solves. One of these problems is that you are working against Mondrian's cache rather than with it. (In member-based security, Mondrian first applies security constraints, then all requests share a cache. A DSP basically forces everyone to have their own cache -- even if 99% of their data is common.)<div>
<div><br></div><div>I'll admit that implementing security using programmatic roles and/or dynamic schema processors is tricky. Best practices are evolving, and Pentaho server's role mapper can now handle more and more cases programmatically.</div>
<div><br></div><div>Will Back, Gretchen Moran and I have been working on a proposal to allow each tenant/user to have their own role, but sharing a cache, and without writing a DynamicSchemaProcessor. It is written up as the following case: <a href="http://jira.pentaho.com/browse/MONDRIAN-1281" target="_blank">http://jira.pentaho.com/browse/MONDRIAN-1281</a>. I'd appreciate feedback.</div>
<div><br><div>
<div>Julian</div><br>
</div>
<br><div><div>On Jan 2, 2013, at 8:08 AM, Nizar Mabroukeh <<a href="mailto:nmabroukeh@crosscommercemedia.com" target="_blank">nmabroukeh@crosscommercemedia.com</a>> wrote:</div><br><blockquote type="cite">Hi there everyone, happy new year 2013!<br>
<br>Are there any success stories or showcases in which row-level security (RLS) is implemented with Mondrian?<br><br>We are trying to use Mondrian in a multi-user and multi-tenant environment. Using only role or cell-level security does not really cut it for us, I see the need for RLS in Mondrian is getting more urgent. Any feedback on this?<br>
<br>Thank you and regards,<br>Nizar Mabroukeh<br><a href="http://www.cs.uwindsor.ca/~mabrouk" target="_blank">http://www.cs.uwindsor.ca/~mabrouk</a><br clear="all"><div><div> </div><div> </div><br></div>
_______________________________________________<br>Mondrian mailing list<br><a href="mailto:Mondrian@pentaho.org" target="_blank">Mondrian@pentaho.org</a><br><a href="http://lists.pentaho.org/mailman/listinfo/mondrian" target="_blank">http://lists.pentaho.org/mailman/listinfo/mondrian</a><br>
</blockquote></div><br></div></div></div>
<br></blockquote></div><br></div>
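The thread above proposes role templates whose MemberGrant members carry placeholders such as {tenant-id} and {employee-id} that are filled in at runtime. The one thing a practitioner wants checked before adopting that idea is what happens when a parameter value contains MDX or XML metacharacters: a value like <code>bob].[alice</code> dropped straight into <code>[Industry].[{tenant-id}].[{employee-id}]</code> closes the bracket early and names a different member than the template intended, and a stray quote breaks the attribute the value lands in. The following is an added example, not code from Mondrian, the MONDRIAN-1281 proposal or the poster; the template, the placeholder syntax, the resolver and the segment-count check are all assumptions made here for illustration. It quotes each value for MDX (doubling "]") and for XML, refuses to resolve a template with a missing parameter so the role fails closed, and verifies that substitution did not change the number of bracketed segments in any grant.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape as xml_escape

# Constructed role template in the shape proposed in the post. Not Mondrian's
# own schema handling; placeholder names and checks are assumptions.
ROLE_TEMPLATE = """<Role name="SalesPerson">
  <SchemaGrant access="none">
    <CubeGrant cube="LeadsCube" access="none">
      <HierarchyGrant hierarchy="Date" access="all"/>
      <HierarchyGrant hierarchy="Industry" access="custom">
        <MemberGrant member="[Industry].[{tenant-id}].[{employee-id}]" access="all"/>
      </HierarchyGrant>
    </CubeGrant>
  </SchemaGrant>
</Role>
"""

# Placeholders look like {tenant-id}; anything else is left untouched.
PLACEHOLDER = re.compile(r"\{([a-z][a-z0-9-]*)\}")


def mdx_bracket_escape(value: str) -> str:
    """Quote a value for one MDX bracketed segment: ']' becomes ']]'.

    Without this, 'bob].[alice' would close the segment early and the grant
    would name [..].[bob].[alice] instead of a member called 'bob].[alice'.
    """
    return value.replace("]", "]]")


def mdx_segments(member: str) -> list:
    """Split a bracketed MDX member name into segments, honouring ']]'."""
    segments, i, n = [], 0, len(member)
    while i < n:
        if member[i] != "[":
            raise ValueError(f"expected '[' at offset {i} in {member!r}")
        i += 1
        buf = []
        while True:
            if i >= n:
                raise ValueError(f"unterminated segment in {member!r}")
            if member[i] == "]":
                if i + 1 < n and member[i + 1] == "]":
                    buf.append("]")      # escaped closing bracket
                    i += 2
                    continue
                i += 1                   # real end of segment
                break
            buf.append(member[i])
            i += 1
        segments.append("".join(buf))
        if i < n:
            if member[i] != ".":
                raise ValueError(f"expected '.' at offset {i} in {member!r}")
            i += 1
    return segments


def resolve_role(template: str, params: dict) -> str:
    """Substitute {name} placeholders; a missing parameter raises (fail closed)."""
    def sub(match):
        name = match.group(1)
        if name not in params:
            raise KeyError(f"missing role parameter: {name}")
        # Quote for MDX first, then for the XML attribute the value lands in.
        return xml_escape(mdx_bracket_escape(str(params[name])), {'"': "&quot;"})
    return PLACEHOLDER.sub(sub, template)


def member_grants(role_xml: str) -> list:
    """Parse a role and return (member, access) for every MemberGrant."""
    root = ET.fromstring(role_xml)   # ParseError if substitution broke the XML
    return [(g.get("member"), g.get("access")) for g in root.iter("MemberGrant")]


def resolved_members(template: str, params: dict) -> list:
    """Resolve the template and return each MemberGrant as its segment list.

    Also checks that no value changed the number of segments, so a crafted id
    cannot move the grant to a different hierarchy level.
    """
    before = [mdx_segments(m) for m, _ in member_grants(template)]
    after = [mdx_segments(m) for m, _ in member_grants(resolve_role(template, params))]
    for b, a in zip(before, after):
        if len(a) != len(b):
            raise ValueError(f"segment count changed by substitution: {a!r}")
    return after


if __name__ == "__main__":
    print(resolve_role(ROLE_TEMPLATE, {"tenant-id": "Acme", "employee-id": "bob].[alice"}))
    print(resolved_members(ROLE_TEMPLATE, {"tenant-id": "Acme", "employee-id": "bob].[alice"}))
```

Whatever mechanism ends up resolving the parameters (asXml() or otherwise), the same two properties are worth keeping: a template with an unresolved placeholder must not be loaded as a role, and a parameter value must never be able to alter the member path structure the template author wrote.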