[Mondrian] Security issue with roles when using user-session role mapper

Ricardo Fradinho ricardo.fradinho at webdetails.pt
Tue Nov 12 07:54:22 EST 2013


In that case, assuming you also have "Authenticated" in the roles list, you can add:

         <!-- by default nobody has access -->
         <Role name="Authenticated">
           <SchemaGrant access="none">
           </SchemaGrant>
         </Role>

You can find some details here:
http://forums.pentaho.com/showthread.php?95951-Access-Control-Mondrian-One-To-One-UserRoleMapper
http://wiki.bizcubed.com.au/xwiki/bin/view/Pentaho+Tutorial/Mondrian+Security+Example+Tried

On 12/11/2013 12:45 , Dejan Gambin wrote:
> Oh, I set defaultRole but it doesn't help. The default role is used only
> if the user's mondrian role is not set at all. In my case all of my users
> have a mondrian role set but it is not defined in all of the schemas. I
> can of course define all the roles in all the schemas but that doesn't
> make sense.
>
> On 12 Nov 2013, at 13:39, Ricardo Fradinho wrote:
>
>> Hi Dejan,
>> I guess you are looking to set a default role at the schema level:
>> <Schema name="my_schema" defaultRole="role_ABC">
>> [...]
>> 	<Role name="role_ABC">
>> 	  <SchemaGrant access="none">
>> 	  </SchemaGrant>
>> 	</Role>
>>
>> </Schema>
>> BR,
>> Ricardo Fradinho
>>
>> On 12/11/2013 12:30 , Dejan Gambin wrote:
>>> Hi,
>>>
>>> I am using the user-session role mapper to map a session attribute taken from a database table to a mondrian role. The problem is (using Saiku) - if the user's mondrian role is not defined in the schema, this user can see all the cubes in the schema, by default. I have made a test with the one2one role mapper and the behaviour is the opposite (and correct, I suppose) - the user can't see any cube in the schema if his role is not defined in this schema.
>>>
>>> I would just like to know if this is supposed to be so and whether I have to make some workarounds - I am thinking about defining the session variable as an array (now it is a string) and giving all the users an additional role, for example "none", and defining something like this in all of my schemas:
>>>
>>> 	<Role name="none">
>>> 	  <SchemaGrant access="none">
>>> 	  </SchemaGrant>
>>> 	</Role>
>>>
>>> I think this is much simpler than defining all the roles in all schemas :-)
>>>
>>> Btw, I am using mondrian from saiku 2.6, I think the version is 3.6
>>>
>>> Thanks very much for any useful information
>>>
>>> regards, dejan
>>>
>>>
>>> _______________________________________________
>>> Mondrian mailing list
>>> Mondrian at pentaho.org
>>> http://lists.pentaho.org/mailman/listinfo/mondrian

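An added example, not part of the thread and not Mondrian code: a Python check that scans schema XML for the gap Dejan describes, listing users whose session roles are all undefined in a schema, and schemas that lack the deny-all role from the workaround. The schema names, role names and user assignments are constructed, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample schemas (names are made up for this example).
SALES = """<Schema name="sales_schema">
  <Role name="sales"><SchemaGrant access="all"/></Role>
  <Role name="none">
    <SchemaGrant access="none">
    </SchemaGrant>
  </Role>
</Schema>"""
HR = """<Schema name="hr_schema">
  <Role name="hr"><SchemaGrant access="all"/></Role>
</Schema>"""
# Constructed session-role assignments, as the role mapper would receive them.
USERS = {"alice": ["sales", "none"], "bob": ["hr"]}

def schema_roles(schema_xml):
    """Return (schema name, {role name: True if the role is a bare deny-all})."""
    root = ET.fromstring(schema_xml)
    roles = {}
    for role in root.findall("Role"):
        grants = role.findall("SchemaGrant")
        # Deny-all as written in the thread: access="none" and no nested grants.
        roles[role.get("name")] = bool(grants) and all(
            g.get("access") == "none" and len(g) == 0 for g in grants)
    return root.get("name"), roles

def undefined_role_users(schemas, user_roles):
    """(schema, user) pairs where none of the user's roles exists in the schema."""
    findings = []
    for xml_text in schemas:
        name, roles = schema_roles(xml_text)
        for user, assigned in sorted(user_roles.items()):
            if not any(r in roles for r in assigned):
                findings.append((name, user))
    return findings

def schemas_missing_deny_role(schemas, deny_role="none"):
    """Schemas where the shared deny role is absent or is not a bare deny-all."""
    return [name for name, roles in map(schema_roles, schemas)
            if not roles.get(deny_role, False)]

if __name__ == "__main__":
    print(undefined_role_users([SALES, HR], USERS))
    print(schemas_missing_deny_role([SALES, HR]))
```

Each reported pair is a user who, per the behaviour reported in this thread for the user-session role mapper, would reach that schema with no matching role.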