使用 CustomData 的多维数据集级安全性 [英] Cube-level security using CustomData
问题描述
我是 SSAS 的新手,但被要求创建一个包含三个立方体的产品(现在称它们为A"、B"和C").另一个团队正在创建 Web 部件A"、B"和C".访问这些多维数据集,并且有角色A"、B"和C".决定哪些用户可以访问多维数据集.
I'm new to SSAS, but have been asked to create a product with three cubes (call them "A","B", and "C" for now). Another team is creating web parts "A","B", and "C" to access these cubes, and there are roles "A","B", and "C" which determine which users can access the cubes.
不能保证客户的 SSAS 服务器与 SharePoint 服务器在同一台机器上,因此我们遇到了用户登录 SharePoint 的问题,而 SP 没有模拟该用户.我们无法保证客户端会让我们安装 Kerberos 身份验证,或将 SharePoint 设置为受信任的站点,因此我们正在调查使用 CustomData 变量传入当前用户的 ID.
The customer's SSAS server is not guaranteed to be on the same box as the SharePoint server, and so we have had issues with a user logging on to SharePoint, and SP not impersonating that user. We can't guarantee that the client will let us install Kerberos authentication, or set up SharePoint as a trusted site, and so we are investigating using the CustomData variable to pass in the ID of the current user.
然而,这会导致实现多维数据集访问安全的问题.我是吗
However, this leads to the question of implementing cube access security. Do I
- 创建一个SharePoint"角色接受 CustomData 变量,然后(通过维度安全?)授予对多维数据集的访问权限(通过维度的所有成员?)
- 创建一个安全多维数据集",封装谁可以访问什么,并让 Web 部件确定它是否应该"访问.可以访问,
- 不是将安全性以用户/多维数据集形式存储在事实表中,而是将其存储在用户/维度表单的成员中(我不喜欢这样,因为传入的数据是用户/多维数据集形式,并且正在扩展将其输出给维度的成员会创建不必要的"行).
更多背景信息
目前安全性安排在事实表中
More background info
Currently the security is arranged in fact table that is
|用户密钥 |安全项目密钥 |
| UserKey | SecurityItemKey |
其中 Personkey 链接回用户表,SecurityItemKey 当前链接到多维数据集列表(我们有一个安全项目表可用,以便用户可以轻松列出他们的选项并检查他们想要什么).
where Personkey links back to a user table, and SecurityItemKey currently links to a list of cubes (we have a security item table available so that users can easily list their options and check what they want).
我目前正在尝试上面的选项 1.,但是当我沿着
I am currently trying option 1. above, but when I create MDX along the lines of
Exists(
{[Security Item].[Security Item Key].&[235]},
StrToSet("{([User].[User].[User].[" +
CustomData() + "])}"
),
'Fact Security'
)
对于维度安全性,我收到类似'{2}' 维度中的'{1}' 属性生成的维度安全性表达式无效"的错误.我在查询中使用了相同的 MDX,这很好.
for a dimension security, I get errors along the lines of "The '{1}' attribute in the '{2}' dimension has a generated dimension security expression that is not valid". I use the same MDX in a query, and it's just fine.
请注意,MDX 中未引用我添加的维度,我担心这是问题的一部分,但我找不到任何说是"的内容.或否".
Note that the dimension I add this to is not referenced in the MDX, and I worry that this is part of the issue, but I can't find anything yet saying "yes" or "no".
那么,我做错了什么,您建议采取哪些不同的做法?
So, what am I doing wrong, and what do you recommend doing differently?
推荐答案
跟进 - 以下是我们所做的:
Follow up - here's what we did:
我们没有强制维度数据安全保护整个多维数据集,而是创建了一个安全"多维数据集,由 SharePoint 进程查询,然后负责授予或拒绝访问权限.只有 SharePoint 用户有权访问此角色并有权访问所有多维数据集.
Rather than forcing a dimension data security to secure an entire cube, we made a "Security" cube which is queried by the SharePoint process, which is then responsible for granting or denying access. Only the SharePoint user has access to this role with access to all cubes.
普通用户仍然可以通过不同的角色单独访问每个多维数据集.
Normal users are still granted access to each cube individually through separate roles.
因此,安全问题是只有一个角色可以访问所有角色,但我们认为这是可以接受的,并且只需要相信角色的成员分配得当.
So, the security issue is that there is one role with access to all, but we felt that was acceptable, and just have to trust that the role's members are assigned appropriately.
这篇关于使用 CustomData 的多维数据集级安全性的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
