Pentaho Analysis - Mondrian / MONDRIAN-694

Incorrect handling of child/parent relationship with hierarchy grants

    Details

    • Type: Bug
    • Status: Closed
    • Severity: Medium
    • Resolution: Fixed
    • Affects Version/s: 3.5.0 Suite Release
    • Component/s: None
    • Labels: None
    • Environment:
      Database mySQL
      Schema: Foodmart

      Description

      (1) Copy the FoodMart.xml, security_example_food_mart.analysisview.xaction and
      security_example_food_mart_expanded.analysisview.xaction files attached to a Pentaho BI server.
      (2) Modify the xactions to point to the correct schema and use role REG1.
      (3) Open the security_example_food_mart analysis view.

      The MDX Query Editor shows this:

      select NON EMPTY {[Measures].[Org Salary]} ON COLUMNS,
        NON EMPTY {([Department].[All Departments].[Store Information Systems], [Employees].[All Employees])} ON ROWS
      from [HR]

      And the output shows this:

      Department                 Employees      Org Salary
      Store Information Systems  All Employees  $97.20

      (4) Now open the security_example_food_mart_expanded analysis view. Click on the All Employees cell to condense the output to one line.

      The MDX Query Editor shows the same query as we saw before:

      select NON EMPTY {[Measures].[Org Salary]} ON COLUMNS,
        NON EMPTY {([Department].[All Departments].[Store Information Systems], [Employees].[All Employees])} ON ROWS
      from [HR]

      but the output has a different value for Org Salary:

      Department                 Employees      Org Salary
      Store Information Systems  All Employees  $874.80

      So the 'exact same MDX query' (according to the PUC) produces 'different results' for the 'exact same user'. This can't be right.

      Queries from customer:
      1) The Mondrian schema documentation is ambiguous on this question: If a role restricts access on one Dimension/Hierarchy to certain members, but does not have restrictions on any other dimensions and hierarchies, what does that role see from an MDX query that doesn't include the restricted dimension?

      2) If the role sees full aggregates in such an MDX query, then Mondrian's roles are not useful. Consider a company with two regions, A and B, each with a regional manager. The managers should be restricted to their own regions, but all that Manager A has to do to deduce B's data is look at MDX queries that don't use the dimension with regions.
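
The scenario in the customer's second query, modelled as an added example (not code from this issue or from Mondrian): a role restricted on one dimension runs an aggregate that omits that dimension. The fact rows, the role name and the `enforce_on_absent_dims` switch are constructed for illustration; `leaked_total` is the kind of regression check that flags totals covering rows outside a role's grants.

```python
from collections import defaultdict

# Constructed fact rows: (region, department, salary). Not data from the issue.
FACTS = [
    ("A", "Store Information Systems", 40),
    ("A", "Store Management", 25),
    ("B", "Store Information Systems", 57),
    ("B", "Store Management", 30),
]
DIMS = ("region", "department")

# Hypothetical role: restricted on one dimension, unrestricted elsewhere.
ROLE_GRANTS = {"manager_a": {"region": {"A"}}}


def aggregate(role, group_by, enforce_on_absent_dims):
    """Sum salary per `group_by` tuple as seen by `role`.

    enforce_on_absent_dims=False models the behaviour the customer asks
    about: a grant only filters when its dimension appears in the query.
    True applies every grant as an implicit filter on every query.
    """
    grants = ROLE_GRANTS.get(role, {})
    totals = defaultdict(int)
    for row in FACTS:
        rec = dict(zip(DIMS, row[:-1]))
        visible = all(
            rec[dim] in allowed
            for dim, allowed in grants.items()
            if enforce_on_absent_dims or dim in group_by
        )
        if visible:
            totals[tuple(rec[d] for d in group_by)] += row[-1]
    return dict(totals)


def leaked_total(role, group_by, enforce_on_absent_dims):
    """Amount shown to the role beyond what its grants cover.

    Non-zero means the aggregate includes rows outside the role's grants,
    so the ungranted share can be derived by subtraction.
    """
    shown = sum(aggregate(role, group_by, enforce_on_absent_dims).values())
    granted = sum(aggregate(role, group_by, True).values())
    return shown - granted
```

In this model, a query grouped only by department leaks exactly region B's total unless the grant is enforced on every query, which is why an access-control test suite should include queries that omit the restricted dimension.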

              People

              • Assignee: mlowery Mat Lowery (Inactive)
              • Reporter: myau Man Shing Yau
              • Votes: 3
              • Watchers: 3