Visual totals in mdx and role Security

Source: Internet
Author: User

From: http://blogs.microsoft.co.il/blogs/barbaro/archive/2008/02/06/visual-totals-in-mdx-and-role-security.aspx

Visual totals in mdx and role Security

Well I thought today we 'd go over visual totals in mdx and also see how they may have an impact on how you assign role based security in you SSAs project.

Visual totals in mdx are there to give you just what they describe-a sum on the children in a certain set. child members which are not in the specified set will be ignored during the calculation. for instance, if I have a set that consists of: USA, New York, Washington and California, when I look at the total for USA, I will only see it's sum being consisted of that which belongs to New York, Washington and California. all the other states, such as Texas, Florida, Louisiana etc will not go into the calculation being run for the total for USA.

The basic syntax for visual totals wocould be: visualtotals (set_expression)

In which case the "set_expression" wocould be the set you wowould like your calculations to run on.

I admit that though I had known of visual totals in mdx before I did not have a chance to use them until I added a new kind of role to my cube.

I had built a cube which shows all the matters regarding HR: The positions in the Organization, the workers that hold them, the budget for the different units, the salaries being paid and the amount of money written down for them in bookkeeping.

All of my users thus far cocould see all of the information. some of them may not have been granted to look at salaries, and so they cocould not look at salaries at all. this demanded only that I uncheck the boxes next to the measures of the workers salaries.

Now, I was asked to add a new sort of user. my new user was head of HR for the municipality's IT department and shoshould only see data regarding the IT department. in the scope of the IT department, my new user shocould be able to look at all the available data.

At first what I did was to assign a new role for that user and in his "Dimension Data" tab, I chose the radio button for "deselect all members" allowing the role to view in my organization only the relevant unit.

As my organization is a parent child dimension, this also struck a V sign next to the entire Organization and all the children of that unit.

If To be frank, I thought that was all I had to do. But I was wrong... I was looking at my cube through the Cube's "Browser" tab and using the "security context" of the new role I defined.

When I dragged the organizational structure dimension all was good-I cocould open it only to the unit I defined and when looking at the entire municipality, I cocould only see amounts for the various measures stemming just from the organizational unit I selected. but when I brought over the position (a dimension all of its own), I cocould see all of the positions in the municipality and to each It's ow N measure. Not good...

So I went back to the definitions of my role. in the "Dimension Data" tab I again selected the organizational unit dimension. I clicked the "advanced" tab and checked the box next to "enable visual totals ".

Though visual totals may slow down the performance of the cube, they are the only way I had left to ensure that my new role won't be able to look at anything which was not connected to the unit he's allowed to look. I deployed my new definitions and went back to the Cube "Browser" tab, again simulating my new user. this time when I dragged the position dimension I cocould only see the relevant positions and their measures. same went for all the other dimensions.

Just goes to show that marking a little check box can go a long way...

Posted: Feb 06 2008, by ella maschiach | with 7 comment (s)

Filed under: Analysis Services, MDX, SSAs, cube, security definitions, roles, security, parent child, visual totals

Commentsricardo said:

Hi,

Great article in SSAs.

I was trying to use the same idea but on my SSAs project, when I go to the role designer-> dimension data, in the Attribute Hierarchy dropdown, only the atributes are there. not the atribute hierachy defined in the dimension.

Problem: I'm unable to see multi-level hierarchies.

Any idea on how can I enable it to display the hierarchies there?

PS: it happens with all my dimesions. Regular, time, Accounts (parent dimension), etc

Thanks

# February 15,200 PM Ella maschiach said:

Hi Ricardo,

Well first of Al, I'm happy you found the post interesting.

Secondly, did you mean to say that what you see in your "data dimension" is only your attribute hierarchies and not your user hierarchies? The attribute hierarchies are the attributes in your dimension (in aw the Product Dimension has: product name, category, subcategory ), whereas the user hierarchies are the grouping \ ordering of those attributes (Category> subcategory> product name) as user hierarchies are only a certain grouping \ ordering on the existing attributes in the dimension, you wowould need to define your restrictions on the attributes themselves for them to apply on your user hierarchies. you have, in this case, to uncheck the relevant members in all the attributes that are available in the path of the user hierarchy that you want to hide.

If this hasn't answered your question, please feel free to contact me through the "Contact" at the top menu bar of this post.

All the best,

Ella

# February 17,200 am Ricardo said:

I will, thanks for your help.

Ricardo

# February 18,200 PM Stuart said:

Great article

I have an interesting addition to the above scenario that I have been unable to resolve. I have set up one role with security based on Dimension Data and another using security based on cell data. individually each of the roles does what I am expecting. however, I thought that if I added a user to both roles at the same time the most retrictive result wocould be returned. however, the opposite is tru E and the restriction of either role is refreshing tively lost. What do I do to make sure that the restrictions of both (or more) roles are applied to a user?

Thanks in advance

# February 18,200 PM Ella maschiach said:

Hi Stuart,

Gglad you enjoyed the post.

Well as far as I undestood it, if a user belongs to two roles and each role enables him to view members in different levels in the same dimension, the actual result will be that user will see the intersection of permissions between those two roles.

If on the other hand, a user belongs to two roles and each role enables him to view different dimensions, the actual result will be a union of the permissions granted in both roles.

I found a technet article that even refers to the second description under the paragraph of "multiple roles and permissions ".

In any case, what I wowould recommend to you is to create a new role in your cube which provided des the MDX script of both roles (assuming that the definitions don't clash) and add your user to that role and to that role only.

In general, as far as I know, it is recommended that each user will belong only to one role so as to avoid these sorts of complications.

Hope this helps.

All the best,

Ella

# February 19,200 PM Lia said:

I 've already using role in my SSAs, but why I can't see implement of the role in my tables Table ..

Thanks

# February 6, 2009 am Ella maschiach said:

Hi Lia,

I believe the third photo in this post shows you how to test your role when you browse the cube (either in SSMs or in the bids environment ). after you define the role and it works correctly, assign users (or user groups) to it from the Active Directory. if authentication is with Windows credentials, the user browsing your cube will automatically have the role assigned to him as you have defined in your cube.

Hope that helped,

Ella

# February 6, 2009 pm

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.