PPS Role Issue

  • Question

  • I have two roles in my AS Db. Role1 defines a security over a dimension named "Segment" and another role "Role2" defines security on Region.
    For some people Role1 security should apply and for some Role2 security should apply. Both have distinct set of users i.e. no common person.
    In the PPS datasource, in the role field I type in Role1,Role2 but it results in no security.
    If I apply only one role i.e. Role1 or Role2 it works perfectly.

    I have implemented the factless fact approach with two factless facts, one for segment (which has columns userid and segmentid) and the other factless fact for region (having columns userid and regionid), with CustomData.

    Tuesday, April 13, 2010 4:45 AM

Answers

  • Ok...so after so many days I have finally found the answer to this question. First, for these role-related things, one should always use the Profiler, which I didn't use earlier.

    Actually, the app pool account for PPS Web service in my case was set to an account which had admin rights on the server.

    Hence, whenever I left the Roles section blank, it used to take in all roles, i.e. *, role1, role2.

    * here indicates the fact that it is an admin and thus has access to all records.

    It thus fooled me into believing that one must fill up the Roles section of the PPS datasource. Actually one need not. SSAS automatically determines the role by determining which role the app pool user belongs to (please note that the per user connection setting is false, which is the default, since everything was on one box and I used the CustomData method).

    I thus created an app pool account which didn't have admin rights on the server and added that to say role2.

    I kept the datasource Role "blank", and found that SSAS automatically determined that it should use Role2 (since the new app pool account was not an admin and thus didn't have access to other roles).

    I have thus been able to use both roles (without the union issue) by keeping the Roles section in PPS datasource blank and making the app pool account a non admin account.

    Please note that I had everything in one box so there was no need to configure Kerberos.

    Hope this helps others.

    Monday, May 31, 2010 11:09 AM

All replies

  • If you are using CustomData and have enabled Bpm.UseAsCustomData in the web.config, you probably want to look at consolidating the Roles in SSAS to a single PPSCustomData Role.  Take a look at Nick Barclay's blog posting here - PPS Data Connection Security with CustomData.  You will need to define the custom MDX in the security which then references the CUSTOMDATA() function, and Nick provides an example of the code that is needed.

    If this does not work for you then you most likely want to look at using the PerUser security where you will be passing the context of the logged in user.  In a single server environment you currently do not need to use Kerberos.  If you are in a multi-server environment though you would need to (and also in PPS 2010).

     


    Dan English's BI Blog
    Tuesday, April 13, 2010 7:39 PM
  • Hi Dan,

    I had implemented the custom data security only. My problem was, I had two roles, Role1 and Role2, and even though I had given Role1,Role2 in the PPS datasource it wasn't applying it correctly.

    Actually I found out that it was doing a UNION of securities in Role1 and Role2 automatically. 

    Since Role1 had security defined on Segment dimension and no security defined on Region dimension

    AND

    Role2 had security defined on Region but no security on Segment.

     

    So doing a UNION results in full access with no restriction on both the region dimension and the segment dimension.

    So what I did was consolidate it as a single role like you said above.

    I am just wondering if defining multiple roles always does this UNION and if there is a way to overcome this behaviour.

    Wednesday, April 14, 2010 12:32 PM
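
The union described in this reply, together with the blank Roles field behaviour from the accepted answer, as a simplified Python model. This is an added example, not code from the thread or from SSAS; the member names "Retail" and "EMEA" are constructed, the function names are hypothetical, and an administrator connecting with a blank Roles field is modelled as the "*" role.

```python
# Simplified model of additive SSAS dimension security (not SSAS code).
# None means "no restriction defined on this dimension in this role".
ROLES = {
    "Role1": {"Segment": {"Retail"}, "Region": None},  # constructed members
    "Role2": {"Segment": None, "Region": {"EMEA"}},
}
DIMENSIONS = ("Segment", "Region")


def active_roles(requested, member_of, is_admin):
    """Roles in force for a connection.

    requested: names typed in the data source's Roles field (empty = blank).
    member_of: roles the connecting (app pool) account belongs to.
    An administrator with a blank field is modelled as "*" (unrestricted).
    """
    if requested:
        # Modelled assumption: an admin may name any role, as in the thread;
        # other accounts only get roles they are members of.
        return [r for r in requested if is_admin or r in member_of]
    return ["*"] if is_admin else sorted(member_of)


def effective_access(roles):
    """Union the allowed sets per dimension; None = unrestricted."""
    result = {}
    for dim in DIMENSIONS:
        allowed = set()
        for name in roles:
            members = None if name == "*" else ROLES[name][dim]
            if members is None:  # one unrestricted role lifts the limit
                allowed = None
                break
            allowed |= members
        result[dim] = allowed
    return result


def unrestricted_dimensions(roles):
    """Audit helper: dimensions left wide open by this role combination."""
    return [d for d, a in effective_access(roles).items() if a is None]
```

Running `unrestricted_dimensions` over every role combination an account can end up with shows which pairs cancel each other's restrictions before a data source is published.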