How to check login username and set a dynamic role in SSAS multidimensional - ssas

I have a dimension which contains our business warehouse IDs, and I also created users in Active Directory with the same names (1001, 1002, 1003, 1004, …), as you can see below.
DimWarehouse
ID
1001
1002
1003
1004
.
.
.
My question is: how is it possible for each "username" to access only its Warehouse ID?

There are two ways you can restrict user access to certain parts of the cube:
1. You define "static security": You define one role in the cube for each set of permissions (if I understand your requirements correctly, that would mean one role per user), and then you map the Active Directory users or user groups to those roles. If you have many users and many permission roles, that can get more or less unmanageable. However, sometimes it is good that you can also use AD user groups for this purpose, and that can reduce effort a lot. I implemented a solution like this where we needed to restrict user access based on their country, and only had around 50 countries, and AD user groups already existed for the countries.
2. You can use "dynamic security". This means you only use a single role and write an MDX expression that most likely makes use of the Username() MDX function, and which returns a valid MDX set which is either a set of allowed or a set of forbidden members. As your MDX statement could even call an AS stored procedure implemented in .NET, you are even more flexible, as this .NET stored procedure could e.g. contact your AD to check for further properties of the user.
In both cases, you would administer the settings in "dimension security" of the cube design in "SQL Server Data Tools - Business Intelligence" or in SQL Server Management Studio, and would need to design your cube accordingly to have the correct relations from the dimension that you restrict to your data.
A detailed (if a bit old) blog post describing an approach for setting security using dynamic security can be found at http://bharathonsqlserver.blogspot.com/2016/07/dynamic-security-in-ssas-in-detail.html.

The permissions are driven by roles.
You may need to create multiple roles and assign users to each of the roles.
Then for each role, you define which dimension attributes are accessible to that role.

Related

Why showing other roles even not assigned while creating User in HANA Database?

I am new to HANA Database. I am just trying to create a new user in HANA DB through the Eclipse systems editor. I have selected only the role below as part of user creation.
sap.hana.xs.lm.roles::Developer
But it is showing the roles below as a result of executing the query: select role_name from "PUBLIC"."EFFECTIVE_ROLES" where USER_NAME = 'TEST_USER';
ROLE_NAME
PUBLIC
sap.hana.xs.lm.roles::Developer
sap.hana.uis.db::SITE_USER
sap.hana.xs.lm.roles::Display
sap.hana.xs.lm.pe.roles::PE_Display
Why are other roles being added to the user even though they were not selected?
Roles in SAP HANA are collections of privileges and other roles.
This can lead to a situation where a role contains several other roles, each of which can contain other roles and privileges. That way you have a hierarchy of direct and indirect role and privilege assignments to a user account.
The system view you query is EFFECTIVE_PRIVILEGES. Its single most important function is to unroll all roles that have been assigned directly and indirectly (effectively going through the roles-privileges-hierarchy) and to return all those assignments.
This “unrolling” of hierarchical structures is not easy/efficient to do in plain SQL, so this system view provides this special feature as a built-in functionality.
The pre-defined role sap.hana.xs.lm.roles::Developer contains several other roles (as your query result shows).
To double-check, you can even review the role definition in the HANA XS repository by navigating to the sap.hana.xs.lm.roles package, as this role is delivered as a design-time artefact.
If you actually only want to see the direct assignments of roles/privileges to a user (or to roles), using system views GRANTED_ROLES or GRANTED_PRIVILEGES will get you that.
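The difference between direct and effective role assignments discussed in this thread, as an added example (not code from the original posts and not HANA's implementation). The role names come from the query result above; which role contains which is a constructed assumption, as are the dictionary and function names.

```python
from collections import deque

# Constructed role-to-role grants. The nesting shown here is an assumption;
# the thread only establishes that Developer brings in the other roles.
ROLE_GRANTS = {
    "sap.hana.xs.lm.roles::Developer": [
        "sap.hana.xs.lm.roles::Display",
        "sap.hana.uis.db::SITE_USER",
    ],
    "sap.hana.xs.lm.roles::Display": ["sap.hana.xs.lm.pe.roles::PE_Display"],
}

# Constructed direct grants for the user from the question.
USER_GRANTS = {"TEST_USER": ["PUBLIC", "sap.hana.xs.lm.roles::Developer"]}


def effective_roles(user, user_grants=USER_GRANTS, role_grants=ROLE_GRANTS):
    """Return {role: grant chain} for every role held directly or indirectly."""
    chains = {}
    queue = deque((role, [user, role]) for role in user_grants.get(user, []))
    while queue:
        role, chain = queue.popleft()
        if role in chains:
            # Already reached through a shorter chain; this also stops cycles.
            continue
        chains[role] = chain
        for child in role_grants.get(role, []):
            queue.append((child, chain + [child]))
    return chains


def indirect_roles(user, user_grants=USER_GRANTS, role_grants=ROLE_GRANTS):
    """Roles that are effective but were never granted to the user directly."""
    direct = set(user_grants.get(user, []))
    effective = effective_roles(user, user_grants, role_grants)
    return sorted(role for role in effective if role not in direct)


if __name__ == "__main__":
    # Print each effective role with the chain of grants that produced it.
    for role, chain in effective_roles("TEST_USER").items():
        print(f"{role:40} via {' -> '.join(chain)}")
```

The grant chain is what an access review needs: it shows which direct grant has to be revoked or replaced to remove an indirect role.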

How to handle permissions per role

I am working in a Yii project with 4 or 5 roles, where each role has access to similar forms and views but does not see all fields. Also, there are reports which are only for management-level roles.
In the past I have managed permissions based on per-field control to avoid repeating code, but this turns into a nightmare.
My question is, what is the best approach you have used to handle permissions? Per field or per view?
I was thinking of creating different views so that the admin can select which ones to assign to each role.
Any ideas you can bring will help me.
Use the RBAC module: http://www.yiiframework.com/doc-2.0/guide-security-authorization.html
Once you have defined your roles and permissions, you can use the functions provided by Yii2 to show/hide the fields you need or to direct the code's behavior.

Create user that has permission only to given database

I'm trying to create users in MarkLogic that have permissions to given databases. I read the Security Guide from the MarkLogic docs page and found that you can set permissions on given URIs, collections or functions.
Permissions on collections can help me with marking given collections from database as readable only for given set of users, but still other users can create and modify documents in different collections (or create documents without collections).
For e.g.
I have two databases:
Test
Test2
And two users:
UserTest
UserTest2
How can I set permissions so that UserTest will have read/update/insert/execute permissions on database Test and can't modify or read anything in database Test2?
Each database can be associated with a dedicated security database. The way you describe your use case ("UserTest will have permissions read/update/insert/execute on database Test and can't modify or read anything database Test2"), you might want to consider dedicated security databases for the Test and Test2 databases.
The other way would be to use different document permissions for roles for the two databases. You can set read/update/insert/execute permissions at document level for a given role at insert time, or change them with xdmp:document-add-permissions() (retains previous permissions) or xdmp:document-set-permissions() (overrides previous permissions) after insert. For instance, you could have a role Test-Reader for database Test and a role Test2-Reader for database Test2, and ensure that (1) your UserTest user has the Test-Reader role (but not the Test2-Reader role), and (2) that all documents inserted into the Test database pair the read capability with the Test-Reader role (but not the Test2-Reader role) etc. (Same for the other capabilities.)
If controlling this explicitly sounds like a lot of work, note that default document permissions can be declared to apply implicitly both at the user and at the role level.
Finally, if you set no permissions at all during document insert (and if no implicit/default permissions are defined at user or role level), only users with the admin role can read/update/insert/execute.
Here's the relevant section for document permissions from the Understanding and Using Security Guide: https://docs.marklogic.com/guide/security/permissions#id_85471
There are no user-level specifications for a database. But keep in mind, a database is not accessible on its own - it is accessible by way of an application(s) which is linked to a particular database. Unless you allow people to run eval and allow them to eval against another database, your application will keep people within the specified database. (Note: ML8 Advanced HTTP server changes this a bit because you can switch database on-the-fly per request - but the rules about being stuck to a single database still stand.)
The only other item I think is useful to you is the ability to define which URI prefixes a user can write to, but that does not negate the fact that the application level decided which DB is being accessed.

Pentaho CE - Parameter Authentication

I just wanna know if it's possible to have a parameter or variable in Pentaho CE 5.0.1 when users log in, so that each user will have his own report and cube as a function of that parameter.
Thank you,
If I understood you, you want to restrict data based on user name.
Example: User A can see the cube filtered to Products from A department.
I used these 3 pages to implement such settings.
Try here, here and here.
The best way to do it is by assigning roles to different types of users and enabling cube security. You may grant role A the right to view a cube/schema/dimension/member and deny it to another.
As for content itself (reports, dashboards), you manage that from within Pentaho User Console by adding permissions either to a role or to a user.

Can SQL Azure Reporting support a multi-tenancy model discretely/opaquely?

We are storing multiple tenants in one instance of SQL Azure. I have been doing some research, but I cannot determine if SQL Azure Reporting can support a multi-tenant model discretely.
For example, we want to run reports for a user based on their "tenancy", but we want their tenant ID to be completely opaque to them- not contained in a query string, or anything view-able by the user.
Has anyone encountered this problem before? What was your solution?
If you had the restriction that a User can only belong to a single tenant, you can hop from a User to the corresponding tenant without them having to know their tenant Id. So any of your Tenant related queries could automatically be filtered by the logged-in user.