[Mondrian] XMLA Security

Julian Hyde julianhyde at speakeasy.net
Thu Apr 5 02:33:12 EDT 2007

Can you also contribute a unit test, against the foodmart schema? Code
without a unit test is like a really cool Xmas present with no batteries
included! See mondrian.test.AccessControlTest and
mondrian.test.SchemaTest for some examples.

I don't agree that members should be the total of only their visible
children. For example, if Fred has access to only [USA].[CA].[San
Francisco] and [USA].[CA].[Oakland], I think the total for [USA].[CA]
should include all cities in California.

I don't deny that there are cases where you would only want to see the
total of the accessible cities. But in my opinion it shouldn't be the
default behavior. I think there is some way to write a calculated member
for that - I would be open to extending the language to make that easier
to achieve. Anyone know what MSAS does here?


From: mondrian-bounces at pentaho.org [mailto:mondrian-bounces at pentaho.org]
On Behalf Of Pedro Casals
Sent: Wednesday, April 04, 2007 4:04 AM
To: Mondrian developer mailing list
Subject: Re: [Mondrian] XMLA Security

Thanks to your hint I realized that code changes were small. Since I
have no access to CVS, I post here the changed classes. All changes are
marked with this comment: //PCF : role

Besides, I attach a default callback implementation and the needed
modification in web.xml.

I also attach the security role definition, that covers most of the
- Grant only some measures
- Deny a whole dimension.
- Deny part of a hierarchy, both in levels and members

JPivot is not placing the role in the HTTP header. I will ask Andreas
which is his preferred approach, and my proposed solution.

Known bugs at this moment:
- Security role definition is order dependent, more than specified in
doc. For example: in my role definition, if the definition of
[Estructura Comercial] is placed before Dimension definition, the latter
is not taken into account!
- look at XMLA Security bug.xls attached file. If a member of a level of
a hierarchy is denied, the member is computed for the totals of the
ancestors (which is wrong), but is not computed on its own level (which is
----- Original message ----
From: Julian Hyde <julianhyde at speakeasy.net>
To: Mondrian developer mailing list <mondrian at pentaho.org>
Sent: Tuesday, April 3, 2007 18:53:55
Subject: RE: [Mondrian] XMLA Security


The problem with this security role is that when I try to retrieve all
the children from [Estructura Comercial].[Toda la Estructura].[01] I get
none, because the code navigates tries to solve the name one part at a
time, but we do not have access to [Estructura Comercial].[Toda la
Is it that the role definition is wrong or should I adjust the code
(which is really complicated!!!!) 

The code which looks up the member being granted should definitely do so
in a non-access-controlled context. By all means adjust the code (and be
sure to add a unit test for the bug). Maybe use the global schema

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.pentaho.org/pipermail/mondrian/attachments/20070404/4837efbb/attachment.html 
