[Mondrian] Security issue with roles when using user-session role mapper

Dejan Gambin dejan.gambin at coin.hr
Tue Nov 12 08:11:13 EST 2013


Yes but my users are not getting mondrian role Authenticated because I am not using one2one role mapper. They currently get only one role I defined in my database table :-(

So, the alternative is to use one2one role mapper, but I thought it was worth mentioning the problem when using session based role mapper

thx very much

regards, dejan

On 12. stu. 2013., at 13:54, Ricardo Fradinho wrote:

> In that case, assuming you have also the "Authenticated" in the roles list, you can add:
> 
>         <!-- by default nobody has access -->
>         <Role name="Authenticated">
>           <SchemaGrant access="none">
>           </SchemaGrant>
>         </Role>
> 
> You can find some details here:
> http://forums.pentaho.com/showthread.php?95951-Access-Control-Mondrian-One-To-One-UserRoleMapper
> http://wiki.bizcubed.com.au/xwiki/bin/view/Pentaho+Tutorial/Mondrian+Security+Example+Tried
> 
> On 12/11/2013 12:45 , Dejan Gambin wrote:
>> Oh, I set defaultRole but it doesn't help. Default role is used only if user mondrian role is not set at all. In my case all of my users have mondrian role set but it is not defined in all of the schemas. I can of course define all the roles in all the schemas but that doesn't make sense
>> 
>> On 12. stu. 2013., at 13:39, Ricardo Fradinho wrote:
>> 
>>> Hi dejan,
>>> I guess you are looking to set a default role at the schema level:
>>> <Schema name="my_schema" defaultRole="role_ABC">
>>> [...]
>>> 	<Role name="role_ABC">
>>> 	  <SchemaGrant access="none">
>>> 	  </SchemaGrant>
>>> 	</Role>
>>> 
>>> </Schema>
>>> BR,
>>> Ricardo Fradinho
>>> 
>>> On 12/11/2013 12:30 , Dejan Gambin wrote:
>>>> Hi,
>>>> 
>>>> I am using user-session role mapper to map session attribute taken from database table to mondrian role. The problem is (using Saiku) - if user mondrian role is not defined in schema, this user can see all the cubes in the schema, by default. I have made a test with one2one role mapper and the behaviour is the opposite (and correct I suppose) - the user can't see any cube in schema if his role is not defined in this schema.
>>>> 
>>>> I would just like to know if this is supposed to be so and do I have to make some workarounds - I am thinking about defining the session variable as an array (now it is a string) and give all the users additional role, for example "none" and define something like this in all of my schemas:
>>>> 
>>>> 	<Role name="none">
>>>> 	  <SchemaGrant access="none">
>>>> 	  </SchemaGrant>
>>>> 	</Role>
>>>> 
>>>> I think this is much simpler than defining all the roles in all schemas :-)
>>>> 
>>>> Btw, I am using mondrian from saiku 2.6, I think the version is 3.6
>>>> 
>>>> Thanks very much on any useful information
>>>> 
>>>> regards, dejan
>>>> 
>>>> 
>>>> _______________________________________________
>>>> Mondrian mailing list
>>>> Mondrian at pentaho.org
>>>> http://lists.pentaho.org/mailman/listinfo/mondrian
>>> 
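An added example, not part of the original thread and not Mondrian or Saiku code: a Python audit that lists, per schema, which roles the session mapper can emit but the schema does not define (the condition under which the thread reports all cubes becoming visible), and whether the proposed fallback role is a true deny-all. The schema snippets, the role names and the fallback role name are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample schemas (hypothetical names, not taken from the thread).
SCHEMAS = {
    "sales.xml": """<Schema name="sales">
  <Cube name="Sales"/>
  <Role name="sales_analyst"><SchemaGrant access="all"/></Role>
  <Role name="none"><SchemaGrant access="none"></SchemaGrant></Role>
</Schema>""",
    "hr.xml": """<Schema name="hr">
  <Cube name="Salaries"/>
  <Role name="hr_manager"><SchemaGrant access="all"/></Role>
  <Role name="none">
    <SchemaGrant access="none"><CubeGrant cube="Salaries" access="all"/></SchemaGrant>
  </Role>
</Schema>""",
}

def is_deny_all(role):
    """True when every SchemaGrant of the role is access="none" with no nested grants."""
    grants = role.findall("SchemaGrant")
    return bool(grants) and all(
        g.get("access") == "none" and len(g) == 0 for g in grants
    )

def audit_schema(xml_text, mapped_roles, fallback_role):
    """Compare the roles the mapper can emit with the roles one schema defines."""
    root = ET.fromstring(xml_text)
    roles = {r.get("name"): r for r in root.findall("Role")}
    fallback = roles.get(fallback_role)
    return {
        "schema": root.get("name"),
        "cubes": [c.get("name") for c in root.findall("Cube")],
        # Roles a user may arrive with that this schema knows nothing about.
        "undefined_roles": sorted(set(mapped_roles) - set(roles)),
        "fallback_is_deny_all": fallback is not None and is_deny_all(fallback),
    }

def audit_all(schemas, mapped_roles, fallback_role="none"):
    """Audit every schema; keys are the (assumed) schema file names."""
    return {name: audit_schema(x, mapped_roles, fallback_role)
            for name, x in schemas.items()}

if __name__ == "__main__":
    # mapped_roles stands in for the distinct values of the database role column.
    for name, r in audit_all(SCHEMAS, ["sales_analyst", "hr_manager"]).items():
        print(name, r)
```

Any schema that reports a non-empty `undefined_roles` list is one to test by hand with a user holding only that role.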
