[Mondrian] Row-level Security

Nizar Mabroukeh nmabroukeh at crosscommercemedia.com
Wed Jan 2 12:38:42 EST 2013


Thank you Luc and Pedro.

Isn't it better to simply push RLS to the SQL level, bypassing the role level?

I am thinking of the following scenario:

1- Each row in the fact table and most dimension tables in the data
warehouse is already secured by a user key.
2- Mondrian needs to use this user key in its outgoing SQL statements such
that only data that this user is allowed to see gets pulled out of the DB,
so:
  2a- Mondrian will need to get the user key from the authentication system (or
Pentaho session).
  2b- push it down to its SQL layer to be used in SQL queries against the
DB.

I think that the Mondrian cache should also be made aware of this, maybe by
tagging data in the cache as being owned by a certain user key.

Conceptually, this is what RLS is about, and the described scenario is a
more direct implementation of it. This implementation also avoids all the
hassle and overhead of programmatic roles or dynamic schema processors.

Regards,
Nizar


On Wed, Jan 2, 2013 at 11:39 AM, Luc Boudreau <lucboudreau at gmail.com> wrote:

>
> This should help you get started. (
> http://infocenter.pentaho.com/help/topic/analysis_guide/concept_role_restriction_measures.html)
>
> Note that in multi-tenant situations, we recommend using programmatic
> roles instead. (
> http://devdonkey.blogspot.ca/2012/09/programmatic-roles-in-mondrian.html )
>
> Good luck
>
> Luc
>
>
> On Wed, Jan 2, 2013 at 11:15 AM, Pedro Alves <pmgalves at gmail.com> wrote:
>
>>
>> Roles == RLS....
>>
>>
>>
>> On Wed 02 Jan 2013 04:08:49 PM WET, Nizar Mabroukeh wrote:
>> > Hi there everyone, happy new year 2013!
>> >
>> > Are there any success stories or showcases in which row-level security
>> > (RLS) is implemented with Mondrian?
>> >
>> > We are trying to use Mondrian in a multi-user and multi-tenant
>> > environment. Using only role or cell-level security does not really
>> > cut it for us, I see the need for RLS in Mondrian is getting more
>> > urgent. Any feedback on this?
>> >
>> > Thank you and regards,
>> > Nizar Mabroukeh
>> > http://www.cs.uwindsor.ca/~mabrouk
>> >
>> >
>> >
>> > _______________________________________________
>> > Mondrian mailing list
>> > Mondrian at pentaho.org
>> > http://lists.pentaho.org/mailman/listinfo/mondrian
>>
>
>
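
The scenario Nizar describes in points 1 to 2b, together with the cache tagging he suggests, as an added example that is not part of the original thread and does not use Mondrian's API. The table name `sales_fact`, the class `RowSecuredAggregator` and the session dictionary are assumptions made for illustration, and the rows are constructed sample data.

```python
import sqlite3

# Constructed sample data: every fact row carries the user_key that owns it.
ROWS = [("u1", "EMEA", 100.0), ("u1", "APAC", 50.0), ("u2", "EMEA", 999.0)]

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sales_fact "
               "(user_key TEXT NOT NULL, region TEXT, amount REAL)")
    db.executemany("INSERT INTO sales_fact VALUES (?, ?, ?)", ROWS)
    return db

class RowSecuredAggregator:
    """Hypothetical query layer: every statement carries the user_key
    predicate, and cached results are tagged with the same key."""

    def __init__(self, db):
        self.db = db
        self.cache = {}     # (user_key, region) -> total
        self.sql_calls = 0  # statements actually sent to the database

    def total(self, session, region):
        # 2a: the key comes from the authenticated session, not the request.
        user_key = session.get("user_key")
        if not user_key:
            raise PermissionError("no user key in session; query refused")
        # Cache entries are owned by a user key, so one user's aggregate
        # can never be served to another user asking the same question.
        cache_key = (user_key, region)
        if cache_key in self.cache:
            return self.cache[cache_key]
        # 2b: the key is pushed into the SQL as a bound parameter.
        row = self.db.execute(
            "SELECT COALESCE(SUM(amount), 0) FROM sales_fact "
            "WHERE user_key = ? AND region = ?",
            (user_key, region),
        ).fetchone()
        self.sql_calls += 1
        self.cache[cache_key] = row[0]
        return row[0]

def demo():
    agg = RowSecuredAggregator(open_db())
    u1, u2 = {"user_key": "u1"}, {"user_key": "u2"}
    # Same question from two users, then a repeat that is served from cache.
    return (agg.total(u1, "EMEA"), agg.total(u2, "EMEA"),
            agg.total(u1, "EMEA"), agg.sql_calls)

if __name__ == "__main__":
    print(demo())
```

If the cache were keyed by region alone, the second user's call would return the first user's total without reaching the database, which is the cross-user leak the cache tagging is meant to prevent.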