Hitachi Vantara Pentaho Community Forums
Results 1 to 3 of 3

Thread: Dynamic role for Mondrian connection

  1. #1
    Join Date
    Feb 2008

    Default Dynamic role for Mondrian connection

    i'm tying to implement dynamic role rof mondrian, extending DelegatingRole and setting correponding instance to connection. My code is as follows:
    package mondrian.olap;
    import java.util.Arrays;
    import mondrian.olap.RoleImpl.DelegatingHierarchyAccess;
    import org.pentaho.platform.engine.core.system.PentahoSessionHolder;
    import org.pentaho.platform.engine.core.system.PentahoSystem;
    import org.pentaho.platform.util.logging.Logger;
    public class ConnectionRole extends DelegatingRole {
    	  public ConnectionRole(Role role) {
              Logger.error(PentahoSystem.class, "Created Dynamic Mondrian Role : "+Arrays.toString(getPlatformRolesFromSession()));
      public static class HierarchyAccessExample extends DelegatingHierarchyAccess{
            public HierarchyAccessExample(HierarchyAccess hierarchyAccess) {
                      Logger.error(PentahoSystem.class, "HierarchyAccessExample constructor");
      public Access getAccess(Schema schema) {
              Logger.error(PentahoSystem.class, "schemas override");
              return role.getAccess(schema);
      public Access getAccess(Cube cube) {
              Logger.error(PentahoSystem.class, "cubes override");
              return role.getAccess(cube);
      public Access getAccess(Dimension dimension) {
              Logger.error(PentahoSystem.class, "dimensions override");
              return role.getAccess(dimension);
      public Access getAccess(Hierarchy hierarchy) {
              Logger.error(PentahoSystem.class, "hierarchies override");
              return role.getAccess(hierarchy);
      public HierarchyAccess getAccessDetails(Hierarchy hierarchy) {
              Logger.error(PentahoSystem.class, "hierarchy access override");
              return new HierarchyAccessExample(role.getAccessDetails(hierarchy));
      public Access getAccess(Member member) {
              Logger.error(PentahoSystem.class, "members override: "+member.getLevel().getUniqueName());
              Access access = role.getAccess(member);
              return getAccess(member, access);
      // no one see's information that is in a department they do not have access too
      protected Access getAccess(Member member, Access access) {
        //final String storeNamelevel = "[Store].[Store Country].[Store State].[Store City].[Store Name]";
            final String departmentLevel = "[Department]";
            Logger.error(PentahoSystem.class, "members override: "+member.getLevel().getUniqueName());
        if (member.getLevel().getUniqueName().equals(departmentLevel)) {
          Object o = member.getPropertyValue("ldap_role");
          Boolean isAdmin = Arrays.binarySearch(getPlatformRolesFromSession(), "Admin") > 0 ? true : false;
          Boolean hasRole = Arrays.binarySearch(getPlatformRolesFromSession(), o) > 0;
          return (o != null && (hasRole || isAdmin)) ? access : Access.NONE;
        } else {
          return access;
      protected String[] getPlatformRolesFromSession() {
                // Get the Spring Security authentication object
                Authentication auth = SecurityHelper.getAuthentication(PentahoSessionHolder.getSession(), false);
                String[] rtn = null;
                // Get the authorities
                GrantedAuthority[] gAuths = auth.getAuthorities();
                if ((gAuths != null) && (gAuths.length > 0) ) {
                  // Copy role names out of the Authentication
                  rtn = new String[gAuths.length];
                  for (int i=0; i<gAuths.length; i++) {
                    rtn[i] = gAuths[i].getAuthority();
                  // Sort the returned list of roles
                return rtn;
    and in MDXConnection i have
         if (nativeConnection == null) {
                "MDXConnection.ERROR_0002_INVALID_CONNECTION", properties != null ? properties.toString() : "null")); //$NON-NLS-1$ //$NON-NLS-2$
        } catch (Throwable t) {
          if (logger != null) {
                "MDXConnection.ERROR_0002_INVALID_CONNECTION", properties != null ? properties.toString() : "null"), t); //$NON-NLS-1$ //$NON-NLS-2$
          } else {
            Logger.error(this.getClass().getName(), Messages.getErrorString(
                "MDXConnection.ERROR_0002_INVALID_CONNECTION", properties != null ? properties.toString() : "null"), t); //$NON-NLS-1$ //$NON-NLS-2$
        ConnectionRole crxRole = new ConnectionRole(nativeConnection.getRole());
    I tried to create new Analysis View and in debugger i found, that role method, controlling member access (getAccess(Member member, Access access)), is never called (but method controlling hierarchy access was called, so, role was set correctly).
    Why does this happen? As i understood, in such case member access controller has to be called for every member, in other case such construction is useless... could anybody please advice? I use 3.6.0 pentaho and 3.2.0 mondrian.

  2. #2



    can i get a sample implementation ?
    Atul Darne.

  3. #3
    Join Date
    Apr 2016


    For my case the problem was the initial role without any MemberGrant configuration.
    From Pentaho documentation:

    There are a couple of important considerations.

    • A member grant must exist. If there is no member grant on a hierarchy, Mondrian will not check to see if the user has access.
    • The member has to exist in the data. For example, the member could not be [Location].[State].[NoWhere] unless 'NoWhere' is a legitimate member. It is an option to have fake members in the dimension table with no facts and use that as the default.
    • If a dimension needs to be restricted, you must restrict it separately. Restricting a hierarchy does not restrict other hierarchies, so if there is not a measure or restricted member, Analyzer will show you all members of the dimension.

    Last edited by gascani; 06-21-2016 at 09:42 AM.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
Privacy Policy | Legal Notices | Safe Harbor Privacy Policy

Copyright © 2005 - 2019 Hitachi Vantara Corporation. All Rights Reserved.