DOWNLOAD THE CODE:
Download the Code 96763.zip

As expected, the report shows data only for Stephen Jiang and the AdventureWorks employees who report to him. For example, Amy Alberts isn't shown on the report because she's at the same level as Stephen in the Employees hierarchy. You might be surprised to see that the report shows Stephen's managers (Brian Welcker and Ken Sanchez). This is because enabling a member in a parent-child hierarchy automatically grants access to the member's ancestors. Consider enabling Visual Total on the Advanced tab (Dimension Data tab in the Cube Browser) if you want the ancestors' totals to be contributed only by the allowed descendants.

As you can see, MDX expressions and the Username function give you a lot of flexibility to secure UDM data. Now let's discuss two more advanced scenarios for dynamic dimension security.

Importing Security Policies into a Factless Fact Table
Suppose that the AdventureWorks online transaction processing (OLTP) application has complex authorization rules that dictate which resellers an employee is authorized to see. Your task is to propagate the same rules to UDM. One option is to replicate the security infrastructure from the source application. However, doing so will result in duplication of the management effort necessary to maintain the security policies in two places. Instead, consider importing only the authorized members into a fact table that acts as a security filter. This would require importing a dataset that contains the authorized resellers per employee. The necessary steps to use this approach include implementing the fact table, implementing the measure group, implementing the database role, and testing the database role.

Implementing the fact table. A new fact table
(FactSecurityFilter) is required to store the authorized resellers for each employee, as Figure 2 shows. Its schema is simple. The table has two columns that store the identifiers (primary keys) of employees and authorized resellers. For example, if Stephen Jiang has a primary key of 272 in the source database and he is authorized to see resellers Associated Bikes (primary key 7) and Finer Mart (primary key 38), the fact table will have the following rows.

EmployeeKey ResellerKey
272 7
272 38

The FactSecurityFilter fact table doesn't have any numeric facts (hence the term "factless" fact table). Note also that FactSecurityFilter doesn't keep an historical record of the security policies (i.e., it doesn't join the DimDate table). The assumption is that the last security policy prevails. For example, if Stephen is authorized to see a reseller in the current period, he will be granted access to that reseller even though he might not have been authorized in the previous period.

The SQL script FactlessFactTable.sql lets you create and populate the FactSecurityFilter fact table. An extraction, transformation, and loading (ETL) task could refresh the FactSecurityFilter fact table on a regular basis (e.g., as part of the data import process).

Implementing the measure group. Next, you need to map the Fact-SecurityFilter table to a UDM measure group as you would any other fact table, by following these general steps:

  1. In BIDS, add the fact table to the data source view (DSV).
  2. Create a new Security Filter measure group that uses FactSecurityFilter as a source, as Figure 3 shows.
  3. A measure group must have at least one measure; therefore, leave the system-generated Security Filter Count measure. Don't set the Visible property of the measure to False in an attempt to hide the Security Filter measure group from the end user. If you do so, the MDX expression for the allowed set won't work (reported as a bug).
  4. Select the Dimension Usage tab in the Cube Designer to verify the dimension relationships to the Security Filter measure group.

At this point, the Cube Designer should have created two dimension relationships (Reseller and Employee) to the Security Filter measure group. (More detailed instructions for working with DSVs and measure groups in BIDS can be found in the SQL Server Books Online - BOL - SQL Server 2005 Analysis Services Tutorial, at http://msdn2.microsoft.com/en-us/library/ms170208.aspx.) Implementing the database role. With the Security Filter measure group in place, you're ready to set up a database role.

  1. Right-click the Roles folder in the Solution Explorer window in BIDS and select New Role.
  2. In the Solution Explorer window, rename the new role in place to Factless.
  3. In the Role Designer, switch to the Cubes tab and grant the Factless role read access to the Adventure Works cube.
  4. In the Dimension Data tab, select the Reseller cube dimension and the Reseller Name attribute.
  5. Enter the MDX expression for the allowed member set, as Figure 4 shows. This expression uses the Exists function to select the associated resellers for the interactive users over the Security Filter measure group. Note that you don't have to use the attribute hierarchies that map to the keys in the fact table. For example, I use the Login ID attribute hierarchy in the expression instead of Employee Name.

Testing the database role. To quickly test the new role, replace the Username function with a member. For instance, use the following expression to test the database role for Stephen Jiang:

Exists([Reseller].[Reseller Name].
MEMBERS,
StrToMember("[Employee].[Login
ID].&[adventure-works\stephen0]"),
"Security Filter")

Follow these steps to test the Factless role:

1. Deploy the project.

2. Right-click the Adventure Works cube and select Browse.

3. Click the Change User toolbar button in the Cube Browser and select the Factless role.

4. Create a report that has Reseller Name on rows and Reseller Sales-Sales Amount measure on data.

Figure 5 shows the report results for Stephen Jiang. The report shows only 45 resellers (out of 702 total), because Stephen Jiang is associated with these resellers only in FactSecurityFilter. In SSMS, you can use the following MDX query to verify the expression against the Dimension Security database:

select [Measures].[Reseller Sales-
Sales Amount] on 0,
Exists([Reseller].[Reseller
Name].[Reseller Name].MEMBERS,
[Employee].[Employee Name].&[272],
"Security Filter") on 1
from [Adventure Works]

Continued on page 3

Prev. page     1 [2] 3     next page



You must log on before posting a comment.

If you don't have a username & password, please register now.

Reader Comments

Hi,

i've tried to use the factless fact table as a security method. I made a factless fact table that holds the keys for 2 dimensions, Invoice Office and User. This factless tables filters the Users that are authorized to view data according to the offices that they are allowd to see.

Figure 4 show the MDX expression that is used to accomplish this filter strategy. When i insert my MDX expression (almost the same as the one in the example) the syntax is correct but i get an error using the OLAP cube telling me that the EXIST function does not exist while trying to use the security role. This is expression i am using:

Exist([Invoice Office].[Invoice Office Name].MEMBERS, StrToMember("[User].[User_Name]. & [' + Username + ']"), 'SDM Fact User Office Sec')

I am new to MDX and just can't figure out what i am doing wrong. Can anybody help me?

kgutlich- April 02, 2008

Article Rating 4 out of 5

It looks like a simple typo. Try Exists instead of Exist.

carleb21- April 09, 2008

Article Rating 5 out of 5

Hello, I try to implement your solution on my side, but when I add the condition for a Dimension in role, I have the following error message when I check the Formula (sorry for the translation, but it's in french) : Error in the MDX script. The Function [Extensibility].[GetSecurityFilter] does not exist. (Extensibility.GetSecurityFilter(Username), I keep the same name for the tests) or The Dimension [D_User] is not find in the cube when the string [D_User].[Nom_Utilisateur].[Username] has been analyse. (for the formula : Exists([D Organisation].[Code Interne].MEMBERS, STRTOSET("[D_User].[Nom_Utilisateur].["+Username+"]"), "Fact User Org"))

I don't understand why this error ? Is it come from the SQLS Version I have ? Can anybody help me?

Thanks in advance

MagicRaph- June 02, 2008

Article Rating 5 out of 5

We tested the factless table option described in this _very_ interesting article. The only thing we changed was using a parent-child dimension in the EXISTS clause. Basically we are using a p-c dimension describing our organization to allow one user to see only what refers to his hierarchical position (e.g. one department manager would be allowed to browse every level below his position) Problem is : when applied to a p-c dimension, EXISTS returns not only the levels explicitly mentions, but also every level _above_ And thus every user is allowed to see every hierarchical position on the org tree. Is there any way to implement this factless table security model with p-c dims ? By the way, does the model also works on non p-c hierarchies with more than one level ? Thanks for any clue. Eric

ledoux- July 02, 2008

Article Rating 5 out of 5

ledoux,

I belive this is the standard p-c behavior. Otherwise, you won't be able to get to the children if the parents are disallowed. Try securing another attribute in the p-c dimension instead of the Parent attribute to see if you can get the desired behaviour.

Does it work with user-defined hierarchies? Yes, it would because the cube space is defined by attribute hierarchies. So, if I secure the Product attribute, users will be able to see only the secured products when slicing by Category->Subcategory->Product. HTH

tlachev@hotmail.com- July 07, 2008

Article Rating 5 out of 5

 
 

ADS BY GOOGLE