Thread: Roles and dependent dimensions

  1. #1

    Roles and dependent dimensions

    Hi,

    we are struggling with the visibility of dependent dimension members and looking for a solution.
    Maybe someone is able to help.
    Assume two dimensions, one containing some regions the other articles. Articles are only available
    in special regions. With roles and grants I am able to restrict access to some regions for a
    special user group - but they still can see the articles available in the other regions.
    What I would like to have is a grant construction which allows us to restrict the visibility
    of the articles.
    Any ideas ?

    Regards,
    Peter

  2. #2
    Join Date
    Jan 2013
    Posts
    475

    Unfortunately there aren't great choices. You could explicitly add the allowed articles to the role, but I understand that's not ideal when there is a relationship between two dimensions like you describe.

    There's been conversations about allowing MDX sets in role definitions. This could allow defining a filter function on a dimension like Articles based on non-empty members intersected with specific regions. I'm not sure when that feature will be available, though.

  3. #3
    Join Date
    Aug 2013
    Posts
    9

    Hello,

    I have a similar problem.

    If I take your example, in my case I see data for the other activities.

    And you, do you see data (values of measures) for the other activities?

    regards,

    Carole

  4. #4
    Join Date
    Jan 2013
    Posts
    475

    Hi Carole,
    Can you restate your question?

  5. #5
    Join Date
    Aug 2013
    Posts
    9

    Quote Originally Posted by mcampbell View Post
    Hi Carole, Can you restate your question?
    Hello, sorry, I do not speak English very well. I am going to try to explain my problem.
    My goal is to restrict access to data based on roles in my schema XML with Schema Workbench.
    Example schema XML:

    <Role name="D_TEST">
      <SchemaGrant access="all">
        <CubeGrant cube="Suivi" access="all">
          <HierarchyGrant hierarchy="TEST" access="custom">
            <MemberGrant member="[TEST].[toto].[11111]" access="all">
            </MemberGrant>
          </HierarchyGrant>
        </CubeGrant>
      </SchemaGrant>
    </Role>

    When the user with the role "D_TEST" connects to Saiku Analytics,
    the user sees this when selecting the hierarchy/dimension "Test":
    Toto/11111 : Measures =20
    -> Limited data access : OK

    With other dimension :
    Toto/11111/ January 2012 : Measures = 10
    Toto/11111/ January 2013 : Measures = 10
    If I remove the dimension "Test":
    January 2012 : 30
    February 2012 : 50
    March 2012 : 60
    January 2013 : 40

    -> Limited data access : KO

    Do you understand my problem ? Carole
    Last edited by classalle; 08-13-2013 at 05:52 AM.

  6. #6
    Join Date
    Jan 2013
    Posts
    475

    Hi Carole,
    Yes, I think I understand your problem. You're basically looking for a restriction on one dimension to restrict the access to another (probably related) dimension. A HierarchyGrant on one dimension will not impact what's available in another hierarchy, however.

    Your best option may be to include the other hierarchy restrictions explicitly in the role.

  7. #7
    Join Date
    Aug 2013
    Posts
    9

    Hello,

    Thank you for your request.

    This solution works for 1 member grant.

    But when :
    <Role name="D_TEST">
      <SchemaGrant access="all">
        <CubeGrant cube="Suivi" access="all">
          <HierarchyGrant hierarchy="TEST" access="custom">
            <MemberGrant member="[TEST].[toto].[11111]" access="all">
            </MemberGrant>
            <MemberGrant member="[TEST].[toto].[22222]" access="all">
            </MemberGrant>
          </HierarchyGrant>
        </CubeGrant>
      </SchemaGrant>
    </Role>

    I want my user to see only [11111] and [22222]. Is it possible?

  8. #8
    Join Date
    Jan 2013
    Posts
    475

    Yes, you can add multiple member grants in order to allow only access to [11111] and [22222].

    Is this not what you're seeing?

    Here's the doc if you haven't already looked through it: http://mondrian.pentaho.com/document...Defining_roles

  9. #9
    Join Date
    Aug 2013
    Posts
    9

    I do it, but it does not work correctly.

    User sees only [11111] and [22222] only if I select my hierarchy TEST in my tables (in Saiku Analytics).
    If the user doesn't select TEST => sees all [toto].
    How do I make the filter apply all the time?

    Thank you for your help

  10. #10
    Join Date
    Jan 2013
    Posts
    475

    Just so I'm clear, you've got a [TEST] hierarchy with members [11111] and [22222], and a [Toto] hierarchy with members [11111] and [22222], is that right?

    If so, nothing about the role restriction on the [Test] hierarchy will impact what's accessible in the [Toto] hierarchy. Mondrian doesn't know that there's a relationship between the two. Your role definition will need to include *both* hierarchies.
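
The point of the last reply, that a HierarchyGrant on one hierarchy leaves every other hierarchy of the cube open, can be checked mechanically. The following is an added example, not part of the thread or of Mondrian: a Python audit that lists, per role and cube, the hierarchies that have no HierarchyGrant. The Toto and Time dimensions, the [Toto] member and both role names are constructed, and it assumes one unnamed hierarchy per dimension with names compared case-insensitively.

```python
import xml.etree.ElementTree as ET

# Constructed schema: cube "Suivi" and the [TEST] grant come from the thread;
# the Toto/Time dimensions, the [Toto] member and role names are assumptions.
SCHEMA = """
<Schema name="demo">
  <Cube name="Suivi">
    <Dimension name="TEST"/><Dimension name="Toto"/><Dimension name="Time"/>
  </Cube>
  <Role name="ONE_HIERARCHY">
    <SchemaGrant access="all"><CubeGrant cube="Suivi" access="all">
      <HierarchyGrant hierarchy="[TEST]" access="custom">
        <MemberGrant member="[TEST].[toto].[11111]" access="all"/>
      </HierarchyGrant>
    </CubeGrant></SchemaGrant>
  </Role>
  <Role name="BOTH_HIERARCHIES">
    <SchemaGrant access="all"><CubeGrant cube="Suivi" access="all">
      <HierarchyGrant hierarchy="[TEST]" access="custom">
        <MemberGrant member="[TEST].[toto].[11111]" access="all"/>
      </HierarchyGrant>
      <HierarchyGrant hierarchy="[Toto]" access="custom">
        <MemberGrant member="[Toto].[11111]" access="all"/>
      </HierarchyGrant>
    </CubeGrant></SchemaGrant>
  </Role>
</Schema>
"""

def norm(name):
    # Assumption: "[TEST]" and "test" refer to the same hierarchy.
    return name.strip().strip("[]").lower()

def ungranted_hierarchies(schema_xml):
    """Return {role: {cube: [hierarchies with no HierarchyGrant]}}."""
    root = ET.fromstring(schema_xml)
    cubes = {c.get("name"): [d.get("name") for d in c
                             if d.tag in ("Dimension", "DimensionUsage")]
             for c in root.iter("Cube")}
    report = {}
    for role in root.iter("Role"):
        for grant in role.iter("CubeGrant"):
            if grant.get("access") == "none":
                continue  # cube is not reachable at all for this role
            granted = {norm(h.get("hierarchy")) for h in grant.iter("HierarchyGrant")}
            cube = grant.get("cube")
            report.setdefault(role.get("name"), {})[cube] = sorted(
                d for d in cubes.get(cube, []) if norm(d) not in granted)
    return report

print(ungranted_hierarchies(SCHEMA))
```

Time is reported for both roles because neither restricts it; Toto is reported only for the role that grants on [TEST] alone, which is the gap described in the thread.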
