In our AS2005 project we use two roles for two different group of users. First group included key account manager - each manager can see only his account sales. Second group - sales region managers - each sales region manager can see only sales in his region. We use custom clr callback method and everything works fine. Solution is based on dimension members and visual totals are enabled for both groups.
But now new requirement arrived: one manager is both key account AND sales region at the same time and therefore he should be able to see UNION of key account sales and region sales. Can this be accomplished somehow? I'm able to get the intersection, but never union. One solution is to turn visual totals off, but then other dimensions show all cube data, which is not acceptable.
Any help is appreciated.
Radim
I think you will need a third role for this person.
Basically I am guessing that your account security produces a set that looks something like:
Descendants([Account].[Account].[Account 1])
And that your Region security produces a set that looks something like:
Descendants([Region].[Region].[Region1])
This will result for an effective permission set of:
Descendants([Account].[Account].[Account 1]) * Descendants([Region].[Region].[Region1])
Which is effectively an intersection of the selected account with the selected region. Whereas, for the situation you describe, you would want an effective final set of:
{ {[Region].[Region].[All Region]} * Descendants([Account].[Account].[Account 1]) }
* { Descendants([Region].[Region].[Region1]) * { [Account].[Account].[All Account] } }
Which, instead of giving you a logical AND between the two sets (where members must be descendants of the Regions AND Account) will give you a logical OR (which will return members which are descendants of either the Account OR Region)
Hope this helps
|||Hi Darren!That's good description of desired solution. But how could I implement such set? Right now callback function simply returns allowed members to role, but this solution doesn't seem to be that straitforward. New role should restrict cell data, instead of dimension members?
Radim|||
Hi Radim,
Since these users (given their dual role) should be able to see all members of both Account and Region, I think that the solution would have to restrict at the cell, rather than dimension, level. However, I'm not aware of a "Visual Totals" option for Cell Security, which is one of your requirements. Visual Totals behavior could conceivably be simulated via the MDX script, if that's a viable option for you. But this would entail introducing security-related logic into the cube script.
sql
No comments:
Post a Comment