[Mondrian] UnionRole and explicit / implicit rules

Julian Hyde jhyde at pentaho.com
Mon Nov 26 12:03:00 EST 2012


That's mostly right.

The philosophy is a bit different than you describe. It's irrelevant whether a role has explicit or implicit access to a particular object (cube, dimension, etc.) If role A can see X, and role B cannot, then the union role can see it. For example, even if A explicitly cannot see cube X (because of a <CubeGrant name='X' access='none'/>) and B implicitly can see cube X (because of a <SchemaGrant access='all'/>), the result is still that the A-union-B role can see cube X.

Julian


On Nov 26, 2012, at 3:47 AM, Paul Stoellberger <p.stoellberger at gmail.com> wrote:

> So I was just playing with roles and I configured my foodmart to use both roles "No HR Cube" and "California Manager" for my dummy user.
> 
> Now the result is rather interesting:
> 1) I don't see a HR cube, but all other (although california manager has only access to sales), so the union works as i expect it
> 2) the customer / store hierarchy in Sales are restricted (top / bottom level) => see http://jira.pentaho.com/browse/MONDRIAN-1168
> 3) i can see the city  "Los Angeles" in the results, althoug I was expecting not to see them.
> 
> If the level restriction (access none) worked, so should the member access.
> While there is now a Math.min() for levels, its a max() for members etc.
> 
> The "No HR Cube" doesn't set explicit access restriction on the customer / store hierarchy, so the one from california manager should overrule it.
> If both had access set explicitly on that hierarchy / member it should use max() of both, but not if only 1 sets it.
> 
> 
> Before I propose any changes to RoleUnionImpl I wanted to know if you agree with that?
> 
> -Paul
> 
> 
> 
> 
> 
> 
> _______________________________________________
> Mondrian mailing list
> Mondrian at pentaho.org
> http://lists.pentaho.org/mailman/listinfo/mondrian



More information about the Mondrian mailing list