Skip to Main Content
Jedox Ideas

Let us know how we can make Jedox even better!

Status Future Consideration
Workspace Jedox Platform
Categories Other
Created by Guest
Created on Jul 2, 2019

Independent rights on database level

Abstract: User rights on OLAP objects in a database should not be influenced by user groups that are disabled for this database.

Case: As you probably know one can limit user rights to certain databases via cube System/#_GROUP_DATABASE_DATA. A user with a restricted group is then only able to access data from this particular database. Additionally one can combine this database permission with e.g. dimension restrictions (via #_GROUP_DIMENSION_DATA_*) so that the user can only see specific elements e.g. reports by making use also of #_CONFIGURATION option HideElements set to "Y".
The problem: Let's further assume that you have two databases A and B and most users are restricted to either database A or B by dedicated groups. For users which can access A and B, the HideElements option is not working properly anymore. The user can now see ALL elements in the dimensions on both databases. The group which is restricted to database A overrides restrictions in database B and the group restricted to database B overrides restrictions in database A. The data on the other hand is luckily locked and data restrictions seem to work as expected by now. Conclusion: If a group is set to "N" for a database it should be completely ignored (as if not existent) for all OLAP objects contained in this database. The current behavior makes it very difficult to maintain rights for users with a lot of groups/databases. The same counts for roles like editor/viewer.