[Mondrian] Cross-dimension role based security

[Matt Campbell]

MONDRIAN-1257<http://jira.pentaho.com/browse/MONDRIAN-1257> describes a currently unsupported use case in which a restriction on one dimension impacts the members available in another dimension.  For example, if I define a role with access to only a single member of the [Market] dimension, I'd like to also restrict the [Customer] dimension down to just those members that have data within the permitted [Market] member.

I'm curious what people think about this.  I have a couple half- baked thoughts:


1)      Allow MDX sets within role definitions.  This could allow a filter definition to restrict Customers who have data within a Market.  SSAS allows member set restrictions like this.

2)      Enforce restrictions based on relationships within a dimension.  If Market and Customer were both attributes within a single dimension, and there was a defined relationship between the two attributes (e.g. each customer is in exactly one market), then Mondrian could implicitly restrict customer based on market.

The expectation in the ticket is that the customer restriction would just happen.  I'm not sure that's practical, though--automatically handling cross-dim restrictions seems like a huge overhead, since we'd need to effectively fire native non empty queries for each dimension.  We wouldn't know up front what relationships are relevant.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.pentaho.org/pipermail/mondrian/attachments/20130319/09708f11/attachment.html