[Mondrian] Question regarding programmatic roles

Yim, Andrew (Truven Health) andrew.yim at truvenhealth.com
Fri Nov 22 14:27:40 EST 2013


Here is how I'm granting access to a hierarchy:

this.grant(MondrianUtil.unwrapOLAP4jHierarchy(hierarchy), Access.CUSTOM, null, null, RollupPolicy.PARTIAL);

After this grant, I'm then granting access to specific members in this hierarchy with access FULL.

Is it ok to leave the TopLevel and BottomLevel parameters null?


Andrew Yim   |   Truven Health Analytics   |   O: 734.913.3174   |    M: 734.347.8669

From: Matt Campbell [mailto:mcampbell at pentaho.com]
Sent: Friday, November 22, 2013 1:24 PM
To: Mondrian developer mailing list
Cc: Yim, Andrew (Truven Health)
Subject: Re: [Mondrian] Question regarding programmatic roles


Hi Andy,
It's not clear to me from your snippet below, but are you setting the rollup policy?  Keep in mind that the default "Full" policy will not limit the total values shown when rolling up a restricted hierarchy.

On 11/22/2013 12:20 PM, Yim, Andrew (Truven Health) wrote:
Luc,

I implemented dynamic Mondrian roles and I seem to be getting mixed results.  I was hoping by creating a role with limited access, that the underlying query would return filtered data in the same way my query would run if I were to add to the WHERE clause.

Here is my role definition (I parse XML passed by the client with specific members to dimensions in which they have access to):

OlapConnection conn = ConnectionManager.getOlapConnection();
        SecureFilterRole role = new SecureFilterRole();
        role.grantCustomCubeAccess(conn, "Advantage");
        role.grantCustomDimensionAccess(conn, "Measures");
        role.grantCustomHierarchyAccess(conn, "Plan Group", "ALL");
        role.grantCustomHierarchyAccess(conn, "Age Group Medstat", "ALL");

        Document doc = DocumentHelper.parseText(secureFilterXml);
        Element root = doc.getRootElement();
        for(Iterator iterator = root.elementIterator(); iterator.hasNext();) {
            Element secureFilter = (Element) iterator.next();
            String dimension = secureFilter.element("name").getText();
            Iterator valueIterator = secureFilter.element("values").elementIterator();
            boolean hierarchyGranted = false;
            while(valueIterator.hasNext()) {
                Element value = (Element) valueIterator.next();
                String member = value.getText();
                // Order of grants is important and we must grant access to the hierarchy before the member
                // We need to check if the client has sent the all access value for this dimension
                if(member.toUpperCase().equals("ALL")) {
                    role.grantCustomHierarchyAccess(conn, dimension, member);
                    hierarchyGranted = true;
                } else if(!hierarchyGranted){
                    role.grantCustomHierarchyAccess(conn, dimension, "CUSTOM");
                    hierarchyGranted = true;
                }
                // now set the member access
                if(!member.toUpperCase().equals("ALL")) {
                    role.grantCustomMemberAccess(dimension, member);
                }

            }
        }
        conn.close();

        LockBox.Entry roleToken =
                getMondrianServer().getLockBox().register(role);
        setRoleMoniker(roleToken.getMoniker());

Queries like this are returning limited members based of the dynamic role applied to the connection:

        Cube cube = conn.getOlapSchema().getCubes().get("Cube");
        Query myQuery = new Query("DimValues", cube);
        QueryDimension qDim = myQuery.getDimension(dimName);

However, my query which uses an OlapPreparedStatement is returning the full data set.  Only if I were to append a WHERE clause would I see different results.

Any thoughts?



Andrew Yim   |   Truven Health Analytics   |   O: 734.913.3174   |    M: 734.347.8669

From: mondrian-bounces at pentaho.org<mailto:mondrian-bounces at pentaho.org> [mailto:mondrian-bounces at pentaho.org] On Behalf Of Luc Boudreau
Sent: Wednesday, November 20, 2013 10:25 AM
To: Mondrian developer mailing list
Subject: Re: [Mondrian] Question regarding programmatic roles


Andrew,

The Role API is mondrian specific, so it takes mondrian objects as parameters. To get access to the mondrian connection from an olap4j connection, you can do:

    java.sql.Connection.unwrap(RolapConnection.class)

The same applies to metadata objects. You can do:

    org.olap4j.metadata.Cube.unwrap(mondrian.olap.Cube.class)

Let me know if that's what you needed.

Luc

On Wed, Nov 20, 2013 at 9:32 AM, Yim, Andrew (Truven Health) <andrew.yim at truvenhealth.com<mailto:andrew.yim at truvenhealth.com>> wrote:
I'm in the process of implementing programmatic roles in our adhoc reporting tool.  We're currently running Mondrian stand alone against our OLAP schema and we would like to dynamically create roles for each user.

The problem I'm having right now is with the granting of access to specific objects in the schema (schema, cubes, dimensions, hierarchies, & members).  Is there a way to convert a olap4j metadata object (Schema, Cube, Dimension, etc) back to a legacy Mondrian olap object?

The reason I ask is the grant method on the RoleImpl class only accepts the legacy Mondrian.olap.* objects.  Should I use a legacy Mondrian.olap.connection to lookup the objects that I want to grant access to?

Thanks in advance for your help.


Andrew Yim
Software Engineer

Truven Health Analytics
O: 734.913.3174<tel:734.913.3174>
M: 734.347.8669<tel:734.347.8669>
andrew.yim at truvenhealth.com<mailto:andrew.yim at truvenhealth.com>
truvenhealth.com<http://truvenhealth.com>




_______________________________________________
Mondrian mailing list
Mondrian at pentaho.org<mailto:Mondrian at pentaho.org>
http://lists.pentaho.org/mailman/listinfo/mondrian


-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.pentaho.org/pipermail/mondrian/attachments/20131122/824479fb/attachment-0001.html 


More information about the Mondrian mailing list