[Mondrian] Row-level Security

Nizar Mabroukeh nmabroukeh at crosscommercemedia.com
Fri Jan 4 09:57:26 EST 2013


I looked at the proposal in MONDRIAN-1281. This is exactly what I am
looking for.
We want a way to declare a role with parameters like tenant-id and
employee-id that can be resolved and created dynamically at runtime.
Something like:

  <Role name="SalesPerson">
    <SchemaGrant access="none">
      <CubeGrant cube="LeadsCube" access="none">
        <HierarchyGrant hierarchy="Date" access="all">
        </HierarchyGrant>
        <HierarchyGrant hierarchy="Industry" access="custom">
          <MemberGrant member="[Industry].[{gid}].[{uid}]" access="all">
          </MemberGrant>
        </HierarchyGrant>
      </CubeGrant>
    </SchemaGrant>
  </Role>

The asXml() method would be perfect.




On Wed, Jan 2, 2013 at 1:13 PM, Julian Hyde <jhyde at pentaho.com> wrote:

> Pushing security to the SQL level causes more problems than it solves. One
> of these problems is that you are working against Mondrian's cache rather
> than with it. (In member-based security, Mondrian first applies security
> constraints, then all requests share a cache. A DSP basically forces
> everyone to have their own cache -- even if 99% of their data is common.)
>
> I'll admit that implementing security using programmatic roles and/or
> dynamic schema processors is tricky. Best practices are evolving, and
> Pentaho server's role mapper can now handle more and more cases
> programmatically.
>
> Will Back, Gretchen Moran and I have been working on a proposal to allow
> each tenant/user to have their own role, but sharing a cache, and without
> writing a DynamicSchemaProcessor. It is written up as the following case:
> http://jira.pentaho.com/browse/MONDRIAN-1281. I'd appreciate feedback.
>
> Julian
>
>
> On Jan 2, 2013, at 8:08 AM, Nizar Mabroukeh <
> nmabroukeh at crosscommercemedia.com> wrote:
>
> Hi there everyone, happy new year 2013!
>
> Are there any success stories or showcases in which row-level security
> (RLS) is implemented with Mondrian?
>
> We are trying to use Mondrian in a multi-user and multi-tenant
> environment. Using only role or cell-level security does not really cut it
> for us; I see the need for RLS in Mondrian is getting more urgent. Any
> feedback on this?
>
> Thank you and regards,
> Nizar Mabroukeh
> http://www.cs.uwindsor.ca/~mabrouk
>
>
>
> _______________________________________________
> Mondrian mailing list
> Mondrian at pentaho.org
> http://lists.pentaho.org/mailman/listinfo/mondrian
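
An added illustration, not part of the original thread or of Mondrian: one way to resolve the {gid} and {uid} placeholders of the role sketched in the message above so that a tenant or user id cannot break out of the bracketed member name or the XML attribute. The {name} syntax handling, the RoleTemplate class and the sample values are assumptions; the escaping is only correct for placeholders that sit inside a bracketed MDX name within an attribute value, as in the message's MemberGrant.

```java
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Hypothetical helper: expands {name} placeholders in a role template. */
public class RoleTemplate {
    private static final Pattern PLACEHOLDER = Pattern.compile("\\{(\\w+)\\}");

    // Constructed template, modelled on the MemberGrant in the message above.
    static final String TEMPLATE =
        "<MemberGrant member=\"[Industry].[{gid}].[{uid}]\" access=\"all\"/>";

    /** Inside an MDX bracketed name, a literal ']' is written as ']]'. */
    static String mdxEscape(String v) {
        return v.replace("]", "]]");
    }

    /** Escape the characters that are special inside an XML attribute value. */
    static String xmlAttrEscape(String v) {
        return v.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&apos;");
    }

    static String expand(String template, Map<String, String> params) {
        Matcher m = PLACEHOLDER.matcher(template);
        StringBuilder out = new StringBuilder();
        while (m.find()) {
            String value = params.get(m.group(1));
            if (value == null || value.isEmpty()) {
                // Fail closed: never emit a grant with an unresolved or empty key.
                throw new IllegalArgumentException("unresolved parameter: " + m.group(1));
            }
            // MDX escaping first, then XML escaping, matching the nesting
            // of the contexts (MDX name inside an XML attribute).
            String safe = xmlAttrEscape(mdxEscape(value));
            m.appendReplacement(out, Matcher.quoteReplacement(safe));
        }
        m.appendTail(out);
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample ids.
        System.out.println(expand(TEMPLATE, Map.of("gid", "42", "uid", "1007")));
        // A uid containing ']' and '"' stays inside one member name and one attribute.
        System.out.println(expand(TEMPLATE, Map.of("gid", "42", "uid", "x].[Other\" access=\"all")));
    }
}
```

Take gid and uid from the authenticated session rather than from anything the client sends with the query.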