[Mondrian] Unable to secure virtual cube dimensions

Julian Hyde jhyde at pentaho.com
Thu Feb 24 18:12:13 EST 2011

> Andy Grohe wrote:
> I have been able to integrate Pentaho BIS roles with mondrian 
> roles for base cubes.  The security does not seem to apply to 
> virtual cubes.
> is this a design choice or defect?

If I were writing the specification, it would allow you to apply access
control to virtual cube dimensions just like regular cube dimensions.

The access you have to the underlying cube dimension would not automatically
propagate to the virtual cube dimension. (This is by analogy with relational
databases: you can create a view that exposes columns of a table is
otherwise hidden.)

Suppose you deny access to some members of the Time dimension in the Sales
cube. Now you create a virtual cube Warehouse and Sales on the Sales cube,
and you include the Time dimension. Then users of the Warehouse and Sales
cube will have full access to that cube's Time dimension, unless you create
specific access control for the virtual cube dimension.

I see there is one test for access control on virtual cubes --
AccessControlTest.testVirtualCube -- so apparently the basics work. We could
definitely use some more tests, however.

If mondrian doesn't behave as the above specification, please log a jira


More information about the Mondrian mailing list