[Mondrian] base cube role restriction, impact on virtual cube

Brandon Jackson usbrandon at gmail.com
Thu Jul 25 23:35:34 EDT 2013 

I agree with Julian.  I want to see restrictions on cubes, then a derivative cube be able to use the prior with full access.  The key is to be able to put restrictions on that derived cube or virtual cube as they are now.

I just wish it was easier to audit effective permissions etc of users against Mondrian cubes.  It's not impossibly hard, but not as easy as it could be.

Sent from my iPhone

On Jul 25, 2013, at 4:37 PM, Julian Hyde <jhyde at pentaho.com> wrote:

> I always liked the fact that in a DBMS one could control access to a table by creating a view and only giving access to the view. Queries that use the view would succeed, and queries that use the underlying table directly would fail.
> 
> I would like a similar model of access-control in Mondrian. So, in Mondrian 3 we should allow people to access a virtual cube even if they cannot access all of the underlying cubes.
> 
> In Mondrian 4 a similar situation cannot arise, but if we were to introduce something similar to Microsoft's "perspective cubes", I would use the same access-control model.
> 
> Julian
> 
> 
> On Jul 25, 2013, at 8:25 AM, Matt Campbell <mcampbell at pentaho.com> wrote:
> 
>> 
>> I'm looking at a defect right now involving a role with no access to two
>> base cubes, but unrestricted on the virtual cube in which the cubes
>> appear.  The role does not restrict access to the data in those two
>> cubes when accessed via the virtual cube.  This is arguably correct
>> behavior, in that the designer of the virtual cube may have specifically
>> thought about what should be accessible from the underlying base cubes
>> and intentionally left it accessible.  I'm curious to hear what others
>> think.
>> 
>> The actual error in the defect is a NPE when ValidMeasure() resolves the
>> base cube one of the measures is on.   getCubes() only returns the cubes
>> accessible to the role.  If the current virtual cube role behavior is
>> correct then I think we'll need to find some way of looking up the full
>> set of base cubes in the virtual cube, even if in a restricted role.
>> 
>> I haven't tried yet, but I'm betting this is a non-issue in 4.0 since
>> virtual cubes have gone away.
>> _______________________________________________
>> Mondrian mailing list
>> Mondrian at pentaho.org
>> http://lists.pentaho.org/mailman/listinfo/mondrian
> 
> _______________________________________________
> Mondrian mailing list
> Mondrian at pentaho.org
> http://lists.pentaho.org/mailman/listinfo/mondrian

More information about the Mondrian mailing list