[Mondrian] Row-level Security

Julian Hyde jhyde at pentaho.com
Wed Jan 2 13:13:55 EST 2013


Pushing security to the SQL level causes more problems than it solves. One of these problems is that you are working against Mondrian's cache rather than with it. (In member-based security, Mondrian first applies security constraints, then all requests share a cache. A DSP basically forces everyone to have their own cache -- even if 99% of their data is common.)

I'll admit that implementing security using programmatic roles and/or dynamic schema processors is tricky. Best practices are evolving, and Pentaho server's role mapper can now handle more and more cases programmatically.

Will Back, Gretchen Moran and I have been working on a proposal to allow each tenant/user to have their own role, but sharing a cache, and without writing a DynamicSchemaProcessor. It is written up as the following case: http://jira.pentaho.com/browse/MONDRIAN-1281. I'd appreciate feedback.

Julian


On Jan 2, 2013, at 8:08 AM, Nizar Mabroukeh <nmabroukeh at crosscommercemedia.com> wrote:

Hi there everyone, happy new year 2013!

Are there any success stories or showcases in which row-level security (RLS) is implemented with Mondrian?

We are trying to use Mondrian in a multi-user and multi-tenant environment. Using only role or cell-level security does not really cut it for us; I see the need for RLS in Mondrian is getting more urgent. Any feedback on this?

Thank you and regards,
Nizar Mabroukeh
http://www.cs.uwindsor.ca/~mabrouk


