[Mondrian] Implicit access right for calculated member formulas

Julian Hyde jhyde at pentaho.com
Thu Aug 12 18:04:18 EDT 2010 

I agree that it might be useful if a calc member could see more than the
current role. It could then act as a 'gatekeeper', and be used for
fine-grained access control. (In most relational database, views work this
way.)
 
However, that's not the way it is currently intended to work. Making it work
differently would take a bit of effort.
 
And, in some cases people would want to keep the current behavior. Most, in
fact, because the new behavior would blow a hole in access control and make
the system vulnerable if calc members were implemented carelessly. So we
would need a member property to control whether the calc member runs in the
access control context of the current user or of the cube owner (i.e.
system).
 
If anyone would like this behavior, they should log a feature request.
 
Julian


  _____  

From: mondrian-bounces at pentaho.org [mailto:mondrian-bounces at pentaho.org] On
Behalf Of Luc Boudreau
Sent: Thursday, August 12, 2010 11:58 AM
To: Mondrian developer mailing list
Subject: [Mondrian] Implicit access right for calculated member formulas


Hello everyone,

I'm working on a case about roles and access rights. I have the following
scenario. 

A CalculatedMeasure in the schema has a formula which is based on the
members of a given level in a given hierarchy. There is one role defined.
The role is only allowed to view the All Member level, not it's children.
The role can also access the calculated member. So let's say:



*	Cube 


*	Dimension 


*	Hierarchy 


*	All Member level 


*	Foo level

*	Calculated Member
   (references "Foo level")


*	Role 


*	Cube grant


*	Heriarchy grant on "All Member Level" only

When a query is executed with the defined role privileges, the calculated
member returns no data, because Mondrian uses the role's access rights to
resolve the members of the Foo level. 

Is this the correct behavior, or should calculated members that are part of
the core schema (not the query inline ones) give the role an implicit access
right? I'm puzzled as to decide if this is a bug or not. It has some obvious
security implications. IMO, things are fine as they are, but I thought I'd
seek a second opinion.

Cheers!


-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.pentaho.org/pipermail/mondrian/attachments/20100812/b30ad196/attachment.html

More information about the Mondrian mailing list