前言:之前有一篇专门描述Saiku如何利用schema中的角色控制来达到行级权限控制操作。
https://blog.csdn.net/Joe192/article/details/100043346
在这篇主要更深入的描述Mondrian中是如何利用schema中的角色结合saiku来实现行级权限操作。
首先得了解schema行级权限,角色涉及的标签属性
Role--》角色标签
SchemaGrant--》schema授权标签 SchemaGrant access: all, none, and all_dimensions
CubeGrant--》cube授权标签 cube grant access: all or none
HierarchyGrant--》Hierarchy授权标签 access: all, none, and custom
MemberGrant--》Member授权标签 access: all and none.
DimensionGrant--》Dimension标签授权 access: all or none
<Schema metamodelVersion='4.0' name='t_tests' quoteSql='false'>
<PhysicalSchema>
<Table name='t_tests'/>
</PhysicalSchema>
<Cube caption='t_tests' name='t_tests'>
<Dimensions>
<Dimension caption='t_tests' key='id' name='t_tests' table='t_tests'>
<Attributes>
<Attribute caption='area' datatype='String' hasHierarchy='true' keyColumn='area' name='area' table='t_tests' visible='true'/>
<Attribute caption='country' datatype='String' hasHierarchy='true' keyColumn='country' name='country' table='t_tests' visible='true'/>
<Attribute caption='province' datatype='String' hasHierarchy='true' keyColumn='province' name='province' table='t_tests' visible='true'/>
<Attribute caption='city' datatype='String' hasHierarchy='true' keyColumn='city' name='city' table='t_tests' visible='true'/>
<Attribute caption='street' datatype='String' hasHierarchy='true' keyColumn='street' name='street' table='t_tests' visible='true'/>
<Attribute caption='name' datatype='String' hasHierarchy='true' keyColumn='name' name='name' table='t_tests' visible='true'/>
<Attribute caption='id' datatype='String' hasHierarchy='true' keyColumn='id' name='id' table='t_tests' visible='false'/>
</Attributes>
<!--<Hierarchies>
<Hierarchy name='ts' allMemberName='All t_test'>
<Level attribute='country'/>
<Level attribute='province'/>
<Level attribute='city'/>
<Level attribute='street'/>
</Hierarchy>
</Hierarchies>-->
</Dimension>
</Dimensions>
<MeasureGroups>
<MeasureGroup name='t_tests' table='t_tests'>
<DimensionLinks>
<FactLink dimension='t_tests'/>
</DimensionLinks>
<Measures>
<Measure aggregator='sum' caption='age' column='age' datatype='Numeric' formatString='#,###.000' name='age' table='t_tests'/>
</Measures>
</MeasureGroup>
</MeasureGroups>
</Cube>
<Role name='ROLE_SA'>
<SchemaGrant access='none'>
<CubeGrant cube='t_tests' access='all'>
<!--<HierarchyGrant hierarchy='[ts]' access='custom' topLevel='[ts].[country]' bottomLevel="[ts].[city]">
<MemberGrant member='[t_tests].[ts].[中国].[陕西省]' access='all'/>
<MemberGrant member='[ts].[country].[中国].[陕西省].[西安市]' access='all'/>
<MemberGrant member='[ts].[country].[中国].[广东省].[广州市]' access='all'/>
<MemberGrant member='[ts].[country].[美国].[加州].[加州市]' access='all'/>
</HierarchyGrant>-->
<!--<DimensionGrant dimension="[t_tests].[country].[中国]" access="all"/>-->
<!--<HierarchyGrant hierarchy='[Measures]' access='custom'>
<MemberGrant member='[Measures].[age]' access='none'/>
</HierarchyGrant>-->
<HierarchyGrant hierarchy='[t_tests].[city]' access='custom'>
<MemberGrant member='[t_tests].[city].[西安市]' access='all'/>
<MemberGrant member='[t_tests].[city].[广州市]' access='all'/>
</HierarchyGrant>
</CubeGrant>
</SchemaGrant>
</Role>
</Schema>
A、通过行级权限控制维度值
<HierarchyGrant hierarchy='[ts]' access='custom' topLevel='[ts].[country]' bottomLevel="[ts].[city]">
这行代码,hierarchy='[ts]'指层级name='ts'的,access='custom'自定义,topLevel='[ts].[country]' bottomLevel="[ts].[city]"
范围访问的维度。
使用层级授权必须创建层级才能达到行级权限控制,否则不起作用。
B、如果不想使用层级却想达到和层级一样控制维度咋办了,只要通过两步设置就能搞定。
第一步:Attribute的hasHierarchy属性必须为true
第二步:直接使用维表的name,t_tests.city,city为Attribute的name属性,范围属性topLeve和bottomLevel就不起作用了
<HierarchyGrant hierarchy='[t_tests].[city]' access='custom'>
<MemberGrant member='[t_tests].[city].[西安市]' access='all'/>
<MemberGrant member='[t_tests].[city].[广州市]' access='all'/>
</HierarchyGrant>
C、通过行级权限控制度量,如何实现
<HierarchyGrant hierarchy='[Measures]' access='custom'>
<MemberGrant member='[Measures].[age]' access='none'/>
</HierarchyGrant>
这块直接就不显该度量。
D、如果控制整个维度的行级权限,直接使用DimensionGrant
<DimensionGrant dimension="[t_tests]" access="all"/>
其中dimension="[t_tests]",t_tests就是维表的name属性。