Strange behaviour on security

[s_celati]

Hi,
I have a strange behaviour when publishing Mondrian Schema with Workbench.

My scenario: I want my users to see only some of the published cubes based on their ACLs.

After a while I found that if I set permission on folders and publish (using the classical "joe" user) Mondrian schemas to those folders, when a users selects "New Analysis" from PUC he only gets the schemas that reside on the folders that his role can see.

The side effect, that came out without setting other then folder security, is that if I run this query in the hibernate DB, I see that now there's also an explicit permission set on the .xml file... And it now belongs only to "joe" and "Admin" (as a role).

SELECT F.fullpath, F.filename, A.recipient
FROM pro_files F, pro_acls_list A
WHERE F.file_id = A.acl_id
AND F.filename like '%xml%';

As far as a I can remember, I didn't change anything in the configuration files, I didn't set anything inside Workbench nor Administration Console etc..

Is there anyone that could explain me what happened?
I'm using version 3.0.0 stable.

Thanks
Ste

[campi]

Any news on this topic ?

[s_celati]

No news. We gave up and reinstalled from scratch.
Did you run in the same issue?

[campi]

No news. We gave up and reinstalled from scratch.
Did you run in the same issue?

I haven't try the 3.0.0 version but since the 3.5.2 version when I publish a cube everybody can access to the schema (before only user with Admin role and publisher can access to the published schema in version 2.0.0) and it's really annoying (I haven't yet search for a solution - I will pray that the 3.6 version resolve this issue).

[sramazzina]

Ciao Stefano

It appears it behaves the same as when you save a modified analysis or report. In that case it gives rights only to the user/role it is saving the new analisys/report. I suppose that the publishing process makes the same assumption giving rights only to the publisher (joe/Admin). I don't know if this is a bug or it is a desired behavior. I've never had this kind of problem because I prefer to code the file by myself but I suppose it could be. I'll try it on 3.6.0 GA.

For some particular cases I made some little extensions because as it the security wasn't so good for me. You can do the same. ;-)

Ciao
S.

[s_celati]

Ciao Sergio,
thank you for your reply.

If it's a desired behaviour it should give you the possibility to decide, while publishing, to which user or group you wish to give the access or it should at least inherit it from the folder you're publishing in.

I also logged a case on jira but they told me they couldn't reproduce the case, so it was closed...

The strange is that it seems that no one has ever faced this kind of issue, and once we reinstalled without using that approach everything worked as usual.

Stefano