[Mondrian] Security issue with roles when using user-session role mapper

Ricardo Fradinho ricardo.fradinho at webdetails.pt
Tue Nov 12 07:39:38 EST 2013


Hi Dejan,

I guess you are looking to set a default role at the schema level:

<Schema name="my_schema" defaultRole="role_ABC">

[...]
	<Role name="role_ABC">
	  <SchemaGrant access="none">
	  </SchemaGrant>
	</Role>

</Schema>

BR,

Ricardo Fradinho


On 12/11/2013 12:30 , Dejan Gambin wrote:
> Hi,
>
> I am using the user-session role mapper to map a session attribute taken from a database table to a Mondrian role. The problem is (using Saiku): if the user's Mondrian role is not defined in the schema, this user can see all the cubes in the schema by default. I have made a test with the one2one role mapper and the behaviour is the opposite (and correct, I suppose): the user can't see any cube in the schema if his role is not defined in this schema.
>
> I would just like to know if this is supposed to be so and whether I have to make some workarounds. I am thinking about defining the session variable as an array (now it is a string) and giving all the users an additional role, for example "none", and defining something like this in all of my schemas:
>
> 	<Role name="none">
> 	  <SchemaGrant access="none">
> 	  </SchemaGrant>
> 	</Role>
>
> I think this is much simpler than defining all the roles in all schemas :-)
>
> Btw, I am using Mondrian from Saiku 2.6; I think the version is 3.6.
>
> Thanks very much for any useful information
>
> regards, dejan
>
>
> _______________________________________________
> Mondrian mailing list
> Mondrian at pentaho.org
> http://lists.pentaho.org/mailman/listinfo/mondrian
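
An added example, not part of the original thread and not Mondrian project code: a small audit that checks whether a schema sets a defaultRole as suggested in the reply above and whether that role really denies access, so users with an unmapped role fail closed. The function name and the four sample schemas are constructed, and it assumes `<Role>` elements are direct children of `<Schema>` as in the reply.

```python
import xml.etree.ElementTree as ET

def audit_schema(xml_text):
    """Return findings for one schema; an empty list means it fails closed."""
    root = ET.fromstring(xml_text)
    name = root.get("name", "<unnamed>")
    default_role = root.get("defaultRole")
    if not default_role:
        return [f"{name}: <Schema> has no defaultRole"]
    # Assumption: <Role> elements are direct children of <Schema>, as in the reply.
    roles = {r.get("name"): r for r in root.findall("Role")}
    role = roles.get(default_role)
    if role is None:
        return [f"{name}: defaultRole '{default_role}' is not defined"]
    grants = role.findall("SchemaGrant")
    if not grants:
        return [f"{name}: role '{default_role}' has no <SchemaGrant>"]
    findings = []
    for grant in grants:
        # The SchemaGrant itself and every nested grant must deny access.
        for elem in grant.iter():
            access = elem.get("access")
            if access != "none" and (elem is grant or access is not None):
                findings.append(
                    f"{name}: <{elem.tag}> in '{default_role}' grants '{access}'")
    return findings

# Constructed sample schemas (not taken from a real deployment).
CLOSED = """<Schema name="my_schema" defaultRole="role_ABC">
  <Role name="role_ABC"><SchemaGrant access="none"/></Role>
</Schema>"""
OPEN = """<Schema name="sales">
  <Role name="analyst"><SchemaGrant access="all"/></Role>
</Schema>"""
DANGLING = """<Schema name="hr" defaultRole="none">
  <Role name="manager"><SchemaGrant access="all"/></Role>
</Schema>"""
LEAKY = """<Schema name="finance" defaultRole="none">
  <Role name="none">
    <SchemaGrant access="none"><CubeGrant cube="Ledger" access="all"/></SchemaGrant>
  </Role>
</Schema>"""

if __name__ == "__main__":
    for sample in (CLOSED, OPEN, DANGLING, LEAKY):
        print(audit_schema(sample) or "ok: unmapped users get no access")
```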
