[Mondrian] Row-level Security

Nizar Mabroukeh nmabroukeh at crosscommercemedia.com
Fri Jan 4 10:02:19 EST 2013


I looked at the proposal in MONDRIAN-1281. This is exactly what I am
looking for.
We want a way to declare a role with parameters like tenant-id and
employee-id that can be resolved and created dynamically at runtime.
Something like:

  <Role name="SalesPerson">
    <SchemaGrant access="none">
      <CubeGrant cube="LeadsCube" access="none">
        <HierarchyGrant hierarchy="Date" access="all">
        </HierarchyGrant>
        <HierarchyGrant hierarchy="Industry" access="custom">
          <MemberGrant member="[Industry].[{tenant-id}].[{employee-id}]" access="all">
          </MemberGrant>
        </HierarchyGrant>
      </CubeGrant>
    </SchemaGrant>
  </Role>

  <Role name="Organization">
    <SchemaGrant access="none">
      <CubeGrant cube="LeadsCube" access="none">
        <HierarchyGrant hierarchy="Date" access="all">
        </HierarchyGrant>
        <HierarchyGrant hierarchy="Industry" access="custom">
          <MemberGrant member="[Industry].[{tenant-id}]" access="all">
          </MemberGrant>
        </HierarchyGrant>
      </CubeGrant>
    </SchemaGrant>
  </Role>

So we can limit users' access to data as well as dimension levels.

It seems that the asXml() method would be perfect for this; it can house
all the code we need to resolve the parameters inside the XML blob and
create a role out of it on the fly.

Please tell me if I can be of any further help.


Regards,
Nizar Mabroukeh


On Wed, Jan 2, 2013 at 1:13 PM, Julian Hyde <jhyde at pentaho.com> wrote:

> Pushing security to the SQL level causes more problems than it solves. One
> of these problems is that you are working against Mondrian's cache rather
> than with it. (In member-based security, Mondrian first applies security
> constraints, then all requests share a cache. A DSP basically forces
> everyone to have their own cache -- even if 99% of their data is common.)
>
> I'll admit that implementing security using programmatic roles and/or
> dynamic schema processors is tricky. Best practices are evolving, and
> Pentaho server's role mapper can now handle more and more cases
> programmatically.
>
> Will Back, Gretchen Moran and I have been working on a proposal to allow
> each tenant/user to have their own role, but sharing a cache, and without
> writing a DynamicSchemaProcessor. It is written up as the following case:
> http://jira.pentaho.com/browse/MONDRIAN-1281. I'd appreciate feedback.
>
> Julian
>
>
> On Jan 2, 2013, at 8:08 AM, Nizar Mabroukeh <
> nmabroukeh at crosscommercemedia.com> wrote:
>
> Hi there everyone, happy new year 2013!
>
> Are there any success stories or showcases in which row-level security
> (RLS) is implemented with Mondrian?
>
> We are trying to use Mondrian in a multi-user and multi-tenant
> environment. Using only role or cell-level security does not really cut it
> for us, I see the need for RLS in Mondrian is getting more urgent. Any
> feedback on this?
>
> Thank you and regards,
> Nizar Mabroukeh
> http://www.cs.uwindsor.ca/~mabrouk
>
>
>
> _______________________________________________
> Mondrian mailing list
> Mondrian at pentaho.org
> http://lists.pentaho.org/mailman/listinfo/mondrian
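The runtime resolution that the post above describes, filling {tenant-id} and {employee-id} into the role XML before a role is created from it, as an added example in Python. It is not code from the thread or from Mondrian: the template below is constructed from the posted role, and the names render_role, member_grants, mdx_member_segment and RoleResolutionError are assumptions. The point it adds is that each parameter lands in two contexts at once, an MDX member name and an XML attribute, so the value is escaped for both (a ']' inside a bracketed MDX segment is doubled, then the XML special characters are entity-encoded) and rejected outright if it is empty or contains control characters; otherwise a tenant or employee value is able to change the shape of the grant rather than only its name.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed template, modelled on the parameterised <Role> from the post.
# {tenant-id} and {employee-id} are the parameters resolved at runtime.
ROLE_TEMPLATE = """<Role name="SalesPerson">
  <SchemaGrant access="none">
    <CubeGrant cube="LeadsCube" access="none">
      <HierarchyGrant hierarchy="Date" access="all"/>
      <HierarchyGrant hierarchy="Industry" access="custom">
        <MemberGrant member="[Industry].[{tenant-id}].[{employee-id}]" access="all"/>
      </HierarchyGrant>
    </CubeGrant>
  </SchemaGrant>
</Role>
"""

# Placeholder syntax assumed here: {name}, with name limited to [A-Za-z0-9_-].
PLACEHOLDER = re.compile(r"\{([A-Za-z0-9_-]+)\}")


class RoleResolutionError(ValueError):
    """Raised when a template cannot be resolved safely (hypothetical name)."""


def mdx_member_segment(value: str) -> str:
    """Escape a value so it stays inside one bracketed MDX name segment.

    MDX represents a literal ']' inside [...] by doubling it, so a value
    that contains ']' cannot close the segment early and start another one.
    Empty values and control characters are refused rather than escaped.
    """
    if not value or any(ord(c) < 0x20 for c in value):
        raise RoleResolutionError("parameter value is empty or contains control characters")
    return value.replace("]", "]]")


def render_role(template: str, params: dict) -> str:
    """Substitute every {name} placeholder in the role template.

    Escaping order matters: MDX escaping first, then XML attribute escaping,
    because the XML parser undoes the entity encoding before the MDX text is
    ever interpreted. A missing or unexpected parameter is an error, so a
    role is never created with a placeholder left unresolved.
    """
    needed = set(PLACEHOLDER.findall(template))
    missing = needed - params.keys()
    unknown = params.keys() - needed
    if missing or unknown:
        raise RoleResolutionError(
            f"missing={sorted(missing)} unknown={sorted(unknown)}")

    def substitute(match):
        raw = params[match.group(1)]
        # escape() handles & < >; the extra entity covers the attribute quote.
        return escape(mdx_member_segment(raw), {'"': "&quot;"})

    return PLACEHOLDER.sub(substitute, template)


def member_grants(role_xml: str) -> list:
    """Parse a rendered role and list its (member, access) pairs.

    Parsing the result back is the check worth doing before the role is
    handed to the engine: it proves the XML is still well-formed and shows
    exactly which member each grant names after unescaping.
    """
    root = ET.fromstring(role_xml)
    return [(g.get("member"), g.get("access")) for g in root.iter("MemberGrant")]


if __name__ == "__main__":
    # Constructed sample parameters for one sales person of tenant "acme".
    rendered = render_role(ROLE_TEMPLATE, {"tenant-id": "acme", "employee-id": "42"})
    print(rendered)
    print(member_grants(rendered))
```

The same render_role call also serves the second, tenant-wide role from the post: the template only needs a {tenant-id} placeholder, and the parameter check then refuses an employee-id that is supplied by mistake.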