[Mondrian] Implicit access right for calculated member formulas

Luc Boudreau lucboudreau at gmail.com
Thu Aug 12 14:57:40 EDT 2010


Hello everyone,

I'm working on a case about roles and access rights. I have the following
scenario.

A CalculatedMeasure in the schema has a formula which is based on the
members of a given level in a given hierarchy. There is one role defined.
The role is only allowed to view the All Member level, not it's children.
The role can also access the calculated member. So let's say:


   - Cube
      - Dimension
         - Hierarchy
            - All Member level
               - Foo level
            - Calculated Member
         *(references "Foo level")*
      - Role
         - Cube grant
         - Heriarchy grant on "All Member Level" only

When a query is executed with the defined role privileges, the calculated
member returns no data, because Mondrian uses the role's access rights to
resolve the members of the Foo level.

Is this the correct behavior, or should calculated members that are part of
the core schema (not the query inline ones) give the role an implicit access
right? I'm puzzled as to decide if this is a bug or not. It has some obvious
security implications. IMO, things are fine as they are, but I thought I'd
seek a second opinion.

Cheers!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.pentaho.org/pipermail/mondrian/attachments/20100812/6cf359a1/attachment.html 


More information about the Mondrian mailing list