Dynamic Security

Similar Messages

• Dynamic security in Cube having many to many relationship

  I have multiple dimensions (around 20) and 4 fact tables in my cube.  I am implementing dynamic security in my cube, so only logged in user will see his information.
   I have a person dimension, which stores user information.
  I have a shipper dimension , which stores shipper information.
  Person dimension is connected to Fact table  A and Shipper is also connected to Fact table A.
  Shipper Dimension is also connected to Fact Table B.
  Now in dimension usage tab i connected Person dimension to FACT table B measure group using many to many relation via Fact Table A measure group.
  I wrote below code block in Shipper dimension to implement security , under Dimension data tab -
  exists ({[Shipper].[SHR Number].members},  strtoset("[Person].[Person number].[" + username() +"]"), "Fact Table A")
  Its is working fine when  run it as mdx query, using select command. I can see all measures (both from fact A and fact B) based on my ID permisisons.
  But the issue is when I browse cube, I can see only Fact Table A measures and NOT FACT B measure.
  FACT B measures comes as NULL.
  I referred below link -
  http://bifuture.blogspot.com.au/2011/09/ssas-setup-dynamic-security-in-analysis.html
  PLEASE HELP

  I got the issue, it is related to dimension security. Its working fine

• Dynamic Security Tabular Model : No filters are applied

  Hi,  I am surprise because when I open my PowerPivot report on my Bi portal on Sharepoint 2013, no filter are applied, Dynamic Security not work,
  unless I do a refresh of my report. When I refresh my report, with an other windows account, all the filter determined in the tabular data model, at the level of Role.
  I use the User Authentification option at the level of my report PowerPivot.
  Can you help to understand this bug and help me to resolve it.
  Thanks for advance.

  Hi,
  I am not quite sure about your scenario. Are you using Power Pivot or SSAS Tabular?
  Power Pivot itself does not have any security features so I guess you are talking about SSAS Tabular right?
  Or are you moving data from SSAS Tabular into Power Pivot?
  In this case if you you refresh the workbook a Service Account will be used and of course the securtiy settings will be derived from the credentials of this service which may be allowed to see all data
  hth,
  gerhard
  Gerhard Brueckl
  blogging @ http://blog.gbrueckl.at
  working @ http://www.pmOne.com

• Problem Dynamic Security : No filter applied without Refresh

  Hi,  I am surprise because when I open my PowerPivot report on my Bi portal on Sharepoint 2013, no filter are applied, Dynamic Security not work, unless I do a refresh of my report. When I refresh my report, with an other windows account, all
  the filter determined in the tabular data model, at the level of Role.
  I use the User Authentification option at the level of my report PowerPivot.
  Can you help to understand this bug and help me to resolve it.
  Thanks for advance.

  Hi,
  I am not quite sure about your scenario. Are you using Power Pivot or SSAS Tabular?
  Power Pivot itself does not have any security features so I guess you are talking about SSAS Tabular right?
  Or are you moving data from SSAS Tabular into Power Pivot?
  In this case if you you refresh the workbook a Service Account will be used and of course the securtiy settings will be derived from the credentials of this service which may be allowed to see all data
  hth,
  gerhard
  Gerhard Brueckl
  blogging @ http://blog.gbrueckl.at
  working @ http://www.pmOne.com

• Dynamic Security username () problems

  Hi,
  I need some help with the following situation. I am trying to put into place asome sort of dynamic Security in my cube. With some help , I manage to get something working:
  select [Measures].[Sales Net Amount] on columns,
   NONEMPTY(
      [Dim Restaurants].[Restaurant].[Restaurant].members,
      ([Measures].[count],
      StrToMember("[Dim User].[User].&[2]")))
      on rows
   from [XYZ]
  my  problem is the minute I replace StrToMember("[Dim User].[User].&[2]"))) with
  StrToMember("[Dim User].[User].&["+ username() +"]"))) I get no result at all , look like this function is non existant but everey blog/post I looked they keep using this function. 
  Something is missing qand I do not see it , I am using SSAS 2012 and quite new to all of this

  The username function returns a string in the form of "domain\user" so I highly doubt that you will ever get a value of "2" coming back.
  If you run the following query you can see what this function returns in your environment 
  with member measures.UsrName as username()
  select { measures.[UsrName] } on 0 
  FROM [XYZ]
  You need to base your dynamic security on an attribute that has data in the same format that the username() function returns.
  http://darren.gosbell.com - please mark correct answers

• Dynamic Security - Power View Cabable of ?

  Hi there,
  i am currently trying to create some Dashboard Reports using Power View for all Employees.
  But i can't allow for any Users being able to see the Data of the other.
  Is Power View capable of Determining which user is logged on and give that to my Tabular Project, so it can filter the data through the Dynamic Security implemented in the Tabular Model?

  Yes, Power View will work with the tabular model dynamic security.  Power View does not do anything special, security is applied by the model.
  http://msdn.microsoft.com/en-us/library/jj127437.aspx
  Brad Syputa, Microsoft Reporting Services This posting is provided "AS IS" with no warranties.

• SSAS Dynamic security not working after upgrade

  Hi,
  I am able to apply the dynamic security on a 2008 R2 instance of SSAS, using the Users Dimension and a bridge table, and specifying the EXISTS(...) MDX expression in the Dimension data on the Role.  
  But when I copy the cube solution to a 2014 SSAS instance, the cube report ignores the security, and brings back all the data.  I also tried clearing the cache, but that didn't change anything.
  As far as I can tell, there are no differences in the data, and I did not change anything in the working cube solution either.  
  I'm out of ideas, and I have not found any clues on the internet yet.
  Any help would be appreciated.
  Edit: I forgot to clarify that I am using CustomData() and not Username().

  I think this setting can be used in conjunction with  Charlie
  Liao's suggestion. Thanks!

• Dynamic security using Security table in SSAS Tabular model

  Hi, 
  Platform : SSAS Tabular model (VS 2010)
  I need to apply Dynamic security using Security table(manually created) in Tabular model, Need to apply filter for 2 tables. I am able to
  create roles in Tabular model using USERNAME() and LOOKUP() function it worked fine. But the problem is when i am trying to give full access for a particular column and limit the access in other column, it is not working properly.
  Please find below table and guide me where i am falling short. In the Security table wherever you find ALL it means full access.
  Security table
  Login Name
  Dim_Country
  Dim_Customer
  DOMAIN\User1
  ALL
  2
  User1 should see all countries but Only 2,4 Customers
  DOMAIN\User1
  ALL
  4
  DOMAIN\User2
  2
  ALL
  User2 should see all customers but Only 2,3 countries
  DOMAIN\User2
  3
  ALL
  DOMAIN\User3
  ALL
  ALL
  User3 should see all Customers and Countries
  DOMAIN\User4
  1
  3
  User4 should see 1 Country and 3 Customer
  ALL - means NO restriction
  Numeric values indicate the Dimension IDs
  Do let me know if further explanations required.
  Thanks,
  Sundar

  Hi Sundar,
  According to your description, you want to implement dynamic security using Security table in SQL Server Analysis Services Tabular model, right?
  It is very common to have data security implementation in BI projects either at databases or Cubes and sometimes this security implementation and maintenance goes out of control due to the dynamic flow of business information. Here are some links which describe
  dynamic security implementation at SSAS tabular model using an external security table, please see:
  http://bipassion.wordpress.com/2012/10/01/ssas-tabular-dynamic-security/
  http://www.bidn.com/blogs/ChrisSchmidt/ssas/4332/dynamic-security-in-tabular
  Regards,
  Charlie Liao
  TechNet Community Support

• Dynamic Security in a denormalized Parent-Child dimension Table

  Hi guys, I need your priceless help again:
  I have a parent child relationship in a table with a fixed depth, let´s say Region-->Area-->Country
  I denormalized the table to have something like this
  Then, to implement dynamic security, I think in a bridge table with the userId
  and the CountryId, then with a measure group and a measure which count the combination of user/country I can proof the security using the non empty function.
  My question is how can I also set security for the levels above the leaf members, let´s say, I want to assign an user to the Area level or Region Level. I don't know exactly which key could I include in the bridge table.
  I may want to keep the id´s of the original table in the different levels.
  Any comment will be appreciated.
  Kind Regards,

  Hi Paul,
  According to your description, you want to apply dynamic security on parent-child hierarchy. Right?
  In Analysis Services, when a dimension contains a parent-child hierarchy, we can't set up security directly on the key attribute. Because it will not appear on the dropdown list of Dimension Data Security in Role editor.
  In this scenario, we need to filter on key attribute and not the parent-child hierarchy. Then use Linkmember() to find the equivalent members on the parent-child hierarchy. Please refer to the expression below based on a employee dimension with parent-child
  hierarchy.
  Generate(
   NonEmpty(
    [Employee].[Employee].[Employee].Members,
     [Measures].[Employee Count],
     StrToMember('[User].[User].[' + UserName() + ']')
               LinkMember(
                   [Employee].[Employee].CurrentMember,
                   [Employee].[Employees]
  Also I suggest an excellent book:
  Expert Cube Development with Microsoft SQL Server 2008 Analysis Services. It talks about this scenario in chap 9.
  Reference:
  SSAS
  Dynamic security - Bridge table (factless) between User dimension and Parent-Child (PC) dimension
  If you have any question, please feel free to ask.
  Best Regards,
  Simon Hou
  TechNet Community Support

• Windows Server 2008 DNS command syntax to set All zones to Dynamic Secure updates

  Hello,
  Am I trying to configure all of my 150 dns zones to  dynamic updates from "none" to "secure"
  What is the command I should run to update all my zones. I ran "dnscmd myservername /config ALLZones /AlowUpdate 1"  and I keep on receiving this error message
   "DNS_ERROR_ZONE_DOES_NOT_EXIST"
  What should be the exact command/argument I should run to propagate this on all my zones ?
  is "..allzones" or "allzones"  a valid argument ?
  Thanks
  Robert

  Hi Robert,
  Even add the two dots, I also get the same result.
  Here is the screenshot of my lab,
  As Kumar has mentioned, you need to write a script.
  I have tried to modify the script provided by Kumar. It works on my lab server.
  Here is the script,
  $a = get-dnsServerZone
  foreach ( $zone in $a)
  if ($zone.ZoneType -eq "Primary")
  if ($zone.IsDsIntegrated -eq "True")
  { set-dnsServerPrimaryZone -DynamicUpdate Secure -ZoneName $zone.zonename }
  Best Regards.
  Steven Lee
  TechNet Community Support

• Dynamic security group

  I need to create a security group that contains all the enabled users in AD.
  This group needs to be dynamic so that when a user is disabled it is automatically removed from it
  Thanks

  I need to create a security group that contains all the enabled users in AD.
  This group needs to be dynamic so that when a user is disabled it is automatically removed from it
  Thanks
  We do have the concept of dynamic objects in Active Directory but that is not what you are looking for. Dynamic objects in Active Directory have specific TTL and when their TTL expires they are directly deleted and they will not be considered in Garbage
  Collection.
  What you need I believe is a script which 'Removes the disabled users from the group' and run it for like every 15 minutes on your domain controller. I ill update this thread as soon as I get my hands on a PowerShell.
  Update: Run this as schedule task:
  Get-ADGroupMember GroupTest | %{Get-ADUser -Identity $_.distinguishedName -Properties Enabled,samaccountname | ?{$_.Enabled -eq $false} | ?{Remove-ADGroupMember -Identity GroupTest -Members $_.samaccountname -Confirm:$false}}
  Mahdi Tehrani   |  
    |  
  www.mahditehrani.ir
  Please click on Propose As Answer or
  to mark this post as
  and helpful for other people.
  This posting is provided AS-IS with no warranties, and confers no rights.

• Dynamic Security Audit Log filesize

  Hello,
  We have the following parameters set
  rsau/max_diskspace/local 20M
  rsau/max_diskspace/per_day 0
  rsau/max_diskspace/per_file 0
  If I look in the DynamicConfiguration tab, it shows
  Maximum File Size 100,000 MB
  This seems a little crazy. Does anyone have any idea how the Max File Size got to be displayed so large?
  Kind regards,
  Peter

  Refer to SAP Note : 909734 - SecAudit: Parameter rsau/max_diskspace/local too small
  As of kernel patch 2113 (4.6D) or 88 (6.40), the system requires a minimum size of 1 megabyte (1048576) for 4.6D, and a minimum size of 10 megabytes (10485760) for 6.40. As of kernel patch 134 (6.40), rsau/max_diskspace/local requires a minimum of 100 megabyte.

• Dynamic Dimension Security Error

  Hi Everyone,
  I created a dynamic security in SASS and I use the following MDX in the Allowed Member set:
  EXISTS([Sales Territory].[Sales Territory Group].Members,
  Strtoset("[Users].[User Name].&[" +Username+ "]"),  "User Dim Member Permissions").
  On trying to check the MDX Query I got the following error message:
  Check MDX script syntax failed because of the following error:
  An error occurred in the MDX script for the dimension attribute permission's allowed member set: The dimension '[Users]' was not found in the cube when the string, [Users].[User Name].&[TEST\Bi_svcSetup], was parsed.
  Please can someone assist me with this.
  Thanks
  me

  Hi Lilutchay,
  According to your description, you are trying to implement dynamic security without success, right?
  Based on my research, the issue can be caused by that you implement custom security on database dimension instead of cube dimension. So, in you scenario, please try the same thing on cube dimensions and check if this issue is persists or not.
  Reference.
  http://www.rdacorp.com/2009/01/advanced-dimension-data-security-with-sql-server-2008/
  Hope this helps.
  Regards,
  Charlie Liao
  TechNet Community Support

• Dimension security is not working if user have two roles in SSAS while connecting from Excel

  Hello Genius,
  I am facing the issue when user trying to connect the cube from excel if user have more than one role in ssas db.
  Role 1: Countryuser, I have implemented the dimension security with country
  dimension and  countrycode attribute.
  Role 2: CityUser,   I have implemented the dimension security with
  city dimension and  citycode attribute.
  If user is mapped to any one of above role dimension security is working perfectly according to the logic but mapped to both role, cube is exposing all the data in this case dimension security is not working.
  Please give me the solution to fix this issue or incase I am wrong kindly advice.
  Thanks
  Ganesh

  This is the expected behaviour as allowed sets in roles are unioned together.
  This is not a problem when your roles are restricting across a single attribute.
  eg.
  US_role = {[Geography].[Country].[USA]
  France_role = {[Geography].[Country].[France] }
  as someone in both roles ends up seeing {[Geography].[Country].[USA], [Geography].[Country].[France] }
  But when you have different attributes:
  NY_role = {[Geography].[City].[New York] }
  France_role = {[Geography].[Country].[France] }
  The first role is unrestricted on countries and the second is unrestriced on cities which is effectively:
  NY_role = {[Geography].[Country].AllMembers , [Geography].[City].[New York]  }
  France_role = {[Geography].[Country].[France], [Geography].[City].AllMembers }
  And when you union those two sets together you end up with:
  {[Geography].[Country].AllMembers , [Geography].[City].AllMembers }
  Which means that someone in both roles can see everything.
  So if you want to restrict someone to City = New York and Country = France you have to create a
  single role where both attributes are restricted. So if you have a lot of these combinations you will either have to create a lot of "combination" roles or look at dynamic security.
  The other thing that might work is make sure that you only give some users access to certain cities and others access to certain countries. It's the mixing of the two for a single person that causes the issues.
  http://darren.gosbell.com - please mark correct answers

• Urgent help needed in Cube Security implementation

  I have a need in implementing security in one of the dimensions(Performance Rating) and users under different roles should be able to browse the cube as below.
  The tables information is as below
  Dimension Table
  Description
  Dim_Employee
  Employee details-ID,Name,Gender,Age
  Dim_PerformanceRating
  Performance code,Descriptioin
  Dim_Role_User
  Role and users available under each role 
  Fact Table
  PerfID,EmplyeeiD,HeadCount as measure
  If the User under HR Role browses the cube he should be able to view the details as below:
  All Employee Details , counts but performance ratings to be restricted only for the employees under his (HR) role.
  Dim-Employee
  Dim-Employee
  Dim_Perfrating
  Dim_Role_user
  Measure
  Emp ID
  Name
  Perf Rating
  Employee Type
  Emp Count
  1
  A
  VP
  1
  2
  B
  Other
  1
  3
  C
  SM
  HR
  1
  4
  D
  VP
  1
  5
  E
  HR
  1
  6
  F
  HR
  1
  7
  G
  FE
  HR
  1
  8
  H
  CE
  HR
  1
  9
  I
  DNM
  HR
  1
  10
  J
  NR
  HR
  1
  If the VP  browses  the cube he should be able to view all the details as below
  All Employee Details, counts and all the performance ratings of all the employees under him
  Dim-Employee
  Dim-Employee
  Dim_Perfrating
  Dim_Role_user
  Measure
  Emp #
  Name
  Perf Rating
  Employee Type
  Emp Count
  1
  A
  SM
  VP
  1
  2
  B
  FE
  HR
  1
  3
  C
  SM
  Other
  1
  4
  D
  CE
  VP
  1
  5
  E
  SM
  HR
  1
  6
  F
  SM
  HR
  1
  7
  G
  FE
  Other
  1
  8
  H
  CE
  Other
  1
  9
  I
  DNM
  Other
  1
  10
  J
  NR
  Other
  1

  Hi,
  You need to Implement a dynamic security. Implement a factless fact table which includes information which user is allowed to see which nodes. Create a Measuregroup for this Table "FactSecurity"
  Create a UserDimension which includes Domain\Usernames.
  Map the User Dimension and the Perfrating Dimension to the FactSecurity Measuregroup
  In the Role implement the security like this:
  EXISTS([Dim_Perfrating].[PerformanceCode].[PerformanceCode].Members, STRTOMEMBER("[Users].[DOMAIN].["+UserName+"]"), "FactSecurity")
  If needed check Visual Totals.
  Kr Jü+rgen