[Mondrian] Security issue with roles when using user-session role mapper

Dejan Gambin dejan.gambin at coin.hr
Tue Nov 12 07:30:56 EST 2013


I am using the user-session role mapper to map a session attribute taken from a database table to a Mondrian role. The problem is (using Saiku) that if the user's Mondrian role is not defined in the schema, this user can see all the cubes in the schema by default. I have made a test with the one2one role mapper and the behaviour is the opposite (and correct, I suppose): the user can't see any cube in the schema if his role is not defined in this schema.

I would just like to know if this is supposed to be so and whether I have to make some workarounds. I am thinking about defining the session variable as an array (now it is a string), giving all the users an additional role, for example "none", and defining something like this in all of my schemas:

	<Role name="none">
	  <SchemaGrant access="none"/>
	</Role>

I think this is much simpler than defining all the roles in all schemas :-)

Btw, I am using Mondrian from Saiku 2.6; I think the version is 3.6.

Thanks very much for any useful information.

regards, dejan
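
Added example, not part of the original post and not Mondrian or Saiku code: a small audit that compares users' session role values against the `<Role>` elements a schema defines, flagging users whose roles do not resolve at all (the case the post reports as exposing every cube) and checking that the proposed deny-all role is present. The schema, user names, role values and the function names `schema_roles` and `audit` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample schema: only "sales" and the deny-all role are defined.
SCHEMA_XML = """<Schema name="Demo">
  <Role name="sales"><SchemaGrant access="all"/></Role>
  <Role name="none"><SchemaGrant access="none"/></Role>
</Schema>"""

# Constructed user -> session role values, as read from the database table.
SESSION_ROLES = {
    "alice": ["sales", "none"],
    "bob": ["finance", "none"],
    "carol": ["finance"],
}

def schema_roles(schema_xml):
    """Map each Role name in the schema to its SchemaGrant access values."""
    root = ET.fromstring(schema_xml)
    return {
        role.get("name"): [g.get("access") for g in role.findall("SchemaGrant")]
        for role in root.findall("Role")
    }

def audit(schema_xml, session_roles, deny_role="none"):
    """Classify each user by which of their session roles the schema defines."""
    defined = schema_roles(schema_xml)
    # The workaround only helps if the deny role exists with access="none".
    deny_ok = defined.get(deny_role) == ["none"]
    report = {}
    for user, roles in session_roles.items():
        matched = [r for r in roles if r in defined]
        if not matched:
            # No session role resolves in this schema: the case reported in the post.
            report[user] = "UNMAPPED"
        elif matched == [deny_role] and deny_ok:
            report[user] = "DENIED"
        else:
            report[user] = "MAPPED"
    return deny_ok, report

if __name__ == "__main__":
    print(audit(SCHEMA_XML, SESSION_ROLES))
```

Run against each schema file before deployment, an `UNMAPPED` result identifies the accounts that depend on the role mapper's default behaviour rather than on an explicit grant.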

