[Mondrian] Question regarding programmatic roles

Yim, Andrew (Truven Health) andrew.yim at truvenhealth.com
Fri Nov 22 12:20:28 EST 2013


I implemented dynamic Mondrian roles and I seem to be getting mixed results.  I was hoping by creating a role with limited access, that the underlying query would return filtered data in the same way my query would run if I were to add to the WHERE clause.

Here is my role definition (I parse XML passed by the client with specific members to dimensions in which they have access to):

OlapConnection conn = ConnectionManager.getOlapConnection();
        SecureFilterRole role = new SecureFilterRole();
        role.grantCustomCubeAccess(conn, "Advantage");
        role.grantCustomDimensionAccess(conn, "Measures");
        role.grantCustomHierarchyAccess(conn, "Plan Group", "ALL");
        role.grantCustomHierarchyAccess(conn, "Age Group Medstat", "ALL");

        Document doc = DocumentHelper.parseText(secureFilterXml);
        Element root = doc.getRootElement();
        for(Iterator iterator = root.elementIterator(); iterator.hasNext();) {
            Element secureFilter = (Element) iterator.next();
            String dimension = secureFilter.element("name").getText();
            Iterator valueIterator = secureFilter.element("values").elementIterator();
            boolean hierarchyGranted = false;
            while(valueIterator.hasNext()) {
                Element value = (Element) valueIterator.next();
                String member = value.getText();
                // Order of grants is important and we must grant access to the hierarchy before the member
                // We need to check if the client has sent the all access value for this dimension
                if(member.toUpperCase().equals("ALL")) {
                    role.grantCustomHierarchyAccess(conn, dimension, member);
                    hierarchyGranted = true;
                } else if(!hierarchyGranted){
                    role.grantCustomHierarchyAccess(conn, dimension, "CUSTOM");
                    hierarchyGranted = true;
                // now set the member access
                if(!member.toUpperCase().equals("ALL")) {
                    role.grantCustomMemberAccess(dimension, member);


        LockBox.Entry roleToken =

Queries like this are returning limited members based of the dynamic role applied to the connection:

        Cube cube = conn.getOlapSchema().getCubes().get("Cube");
        Query myQuery = new Query("DimValues", cube);
        QueryDimension qDim = myQuery.getDimension(dimName);

However, my query which uses an OlapPreparedStatement is returning the full data set.  Only if I were to append a WHERE clause would I see different results.

Any thoughts?

Andrew Yim   |   Truven Health Analytics   |   O: 734.913.3174   |    M: 734.347.8669

From: mondrian-bounces at pentaho.org [mailto:mondrian-bounces at pentaho.org] On Behalf Of Luc Boudreau
Sent: Wednesday, November 20, 2013 10:25 AM
To: Mondrian developer mailing list
Subject: Re: [Mondrian] Question regarding programmatic roles


The Role API is mondrian specific, so it takes mondrian objects as parameters. To get access to the mondrian connection from an olap4j connection, you can do:


The same applies to metadata objects. You can do:


Let me know if that's what you needed.


On Wed, Nov 20, 2013 at 9:32 AM, Yim, Andrew (Truven Health) <andrew.yim at truvenhealth.com<mailto:andrew.yim at truvenhealth.com>> wrote:
I’m in the process of implementing programmatic roles in our adhoc reporting tool.  We’re currently running Mondrian stand alone against our OLAP schema and we would like to dynamically create roles for each user.

The problem I’m having right now is with the granting of access to specific objects in the schema (schema, cubes, dimensions, hierarchies, & members).  Is there a way to convert a olap4j metadata object (Schema, Cube, Dimension, etc) back to a legacy Mondrian olap object?

The reason I ask is the grant method on the RoleImpl class only accepts the legacy Mondrian.olap.* objects.  Should I use a legacy Mondrian.olap.connection to lookup the objects that I want to grant access to?

Thanks in advance for your help.

Andrew Yim
Software Engineer

Truven Health Analytics
O: 734.913.3174<tel:734.913.3174>
M: 734.347.8669<tel:734.347.8669>
andrew.yim at truvenhealth.com<mailto:andrew.yim at truvenhealth.com>

Mondrian mailing list
Mondrian at pentaho.org<mailto:Mondrian at pentaho.org>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.pentaho.org/pipermail/mondrian/attachments/20131122/5c812884/attachment-0001.html 

More information about the Mondrian mailing list