I have a requirement that I'm not sure If I should use perspective or roles or a combination of both.
Basically there is a table on my tabular cube that certain users cannot see so I created two perspectives, one with that table and one that hides the table. That is great but nothing stops users from selecting the perspective that has access to the table I want to hide.
So I created a role and on the "dax filter", I added "=FALSE()" (according to this post https://msdn.microsoft.com/en-us/library/hh213165.aspx?f=255&MSPPError=-2147217396), which prevents values from being displayed but the problem is that the table is available to be selected.
What's the best way to solve this requirement?
Thanks
Unfortunately, there is no way to hide table name for a specific user in SSAS Tabular.
As you know perspective is not a security solution and The best way is prevent displaying value by creating Roles as u did.
Regards,
Arman
Related
I am creating a PowerBI report with all data coming from a SQL Server. My global audience are from different area names (US, Western Europe, China...). I also included an Area Filter in the report.
However, what is the best way to restrict user's view based on their area? For example, viewer from US can only see US sales/revenue but cannot see China sales/revenue?
So far, I created different versions of the report (already filtered for Area Name) and give access to each different group of users. But is there any other way to have just one report but give user access to their only area?
But is there any other way to have just one report but give user access to their only area?
One way to do that is to use Power BI's Row-level security (RLS) and then use USERNAME() to filter the data based on the current user. For more detailed explanation, see Using Username() in DAX with Row-Level Security.
I am working in a Yii project with 4 or 5 roles. Where each role has access to similar forms and views but do not see all fields. Also there are reports which are only for management level roles.
In the past I have managed permissions based on per field control to avoid repeating code, but this get into a nightmare.
My question is, what is the best approach you have used to handle permissions? per field or per view?
I was thinking in create different views and the admin can select which ones to assign to each role.
Any ideas you can bring will help me.
Use RBAC module http://www.yiiframework.com/doc-2.0/guide-security-authorization.html
Once you have defined you role and permission you can use the function provided by Yii2 for show /hide the field you need or for lead the code behavior
I have the following situation. User1 is authorized to see
UK (London and Northampton) .
DimBrach is a parent-child hierarchy. When User1 wants to access the report I want him to see only the leafs (London and Northampton) and the first parent and not the entire hierarchy.
How can I reach this in a Pivot Table or in SSAS (MDX) ?
You can do this very simply like this, in the SSAS project in Visual Studio:
Create a Role for the user
In the Role designer's Dimension Data tab, deselect/select dimension members as needed
You can check this is working by processing the cube, browsing it through VS and using the "Change User" button. (No need to enter the user's password).
ADDITION:
To make role security less hard-coded you can use MDX statements in the Advanced tab of the Role Dimension Data tab, and populate a fact table controlling access. You're already doing this, judging by your past question.
As far as I know Excel pivot-tables are far less flexible than raw MDX in showing particular levels of a hierarchy. The end user can view their pivot-table, right-click on a field and select the Show/Hide fields option, so they can control what they see. But as far as I know there's no way for the developer to prevent them from seeing a particular level at all.
I want to set grant/revoke and create roles in oracle apex. However I do not want to do this for users but for data in a table e.g based on the Id in the table I want to revoke their permissions to update any data. Is this possible and what is the best way to do this.
You can't do this for a specific row in your table. You can only issue the GRANT/REVOKE for a table as a whole.
http://docs.oracle.com/javadb/10.8.3.0/ref/rrefsqljgrant.html
You would have to deal with updates to a specific data in your table at the application (PL/SQL) level.
A couple of options:
You could either use Oracle Label Security.
You can create a view on top of the table, which would have a query based on the current user's EMPLOYEE_ID.
A few notes, having done things like this in the past on PostgreSQL.
It is possible to create views on top of data for this sort of thing.
Row level security is what you usually want to do. See http://www.dba-oracle.com/concepts/restricting_access.htm for a tutorial.
The first approach has all the issues with the second approach and then some. The reason is that you have to write a policy engine into your view. In the second approach you get a policy engine you can just apply policies to.
A few notes from experience:
You really want to avoid looking up permission data from other rows in a table if you are ever going to review things many rows at a time.
Think through the performance implications of permission checking carefully before you implement it.
This sort of thing is usually a performance headache that takes some time to resolve. Be prepared for a long period of optimizations as use cases you had not thought of become important.
I've got a nice SSAS tabular model with users processing away. Certain users need access to certain information, such as confidential info (e.g., SS numbers), that should not be visible to everyone. How should I handle this?
This indicates that there is no way to use roles to remove columns, only rows. Is my only option to make a copy of the model and maintain both? This can't be such an edge case...
I guess I can jury-rig something with a scm fork and code-generation, but I'd rather not go down that road.
Alternatively, is there any way to hide the columns (per user/role), so that at least they don't show up in client tools?
One method that requires very little additional development is to use the method described in the following blog post. http://blog.westmonroepartners.com/a-workaround-for-column-security-in-the-sql-server-analysis-services-bism-tabular-model/
The blog contains a link to an SSIS package which will replicate an existing cube, with the exception of the sensitive data columns. The users who cannot view the sensitive data columns can be given access to the second cube that does not contain sensitive data columns.
One way to achieve this is to create Perspectives. You can create different perspectives for different group of users. And end users can connect to their specific model.