Hello,

I have a question about implementing a UDF for dynamic dimension
authorization on an AS cube. Mosha's OLAP pages have been a great
resource so far, leading me to the UDF method, which mentions being
used in an ASP.NET forms authentication scenario.

However, the code examples given show the UDF being passed the current
Windows username, which would be a generic account when the connections
come from an ASP.NET application. How can AS know the identity of the
forms authenticated user to pass to the UDF?

I understand that a list of roles can be passed on the connection
string to the cube. I do not think this will be useful to me, as
authorization will be per-user. E.g., store managers only see their
store, regional managers only see their region. A "store manager" role
without an associated store attached will not be useful.

The security fact table is perfect for holding this information; I just
need to know how to get the forms authenticated username to the cube on
the UDF call. It must be possible, if Mosha and Dave Wickert say it's
so.

Thanks,
Tom McLeod

Looking more closely at all materials I have found, no one ever said
per-user dynamic dimension authorization was possible without Windows
accounts backing them. However, this is what I'm looking for.

Does anyone know of any solution, home-brewed or 3rd party, where this
is done? Could the username be passed in on the list of roles and
picked out somehow? 3rd party spec sheets seem to skimp on security
features from the ones I have tried to research (such as ReportPortal),
making it difficult to know their capabilities.

Thanks,
Tom McLeod

Read the security administration section in the AS Operations Guide.
http://www.microsoft.com/technet/pro.../anservog.mspx
Ultimately *everything* in AS has to come down to some NT account.
What kind of access do you require? Just general access to the cube; or
controlled access using dimension security down to specific members?
--
Dave Wickert [MSFT]
dwickert (AT) online (DOT) microsoft.com
Program Manager
BI SystemsTeam
SQL BI Product Unit (Analysis Services)
--
This posting is provided "AS IS" with no warranties, and confers no rights.

"Tom McLeod" <tmcleod3 (AT) gmail (DOT) com> wrote

Controlled access using dimension security at the member level is
required. In Foodmart terms, my scenario is "store and district
managers accessing the Sales cube."

There will only be internet-facing access to the cube, and having
individual NT accounts for each store will not be possible (user
administration must also be web-based).

The DW is a 20 GB SQL Server DB. The reporting needs are ad-hoc, so
MSAS seems best suited for the OLAP need; I just wanted to handle
dimension security dynamically if possible, since there are several
hundred stores.

My current take is to skip the dynamic aspect, and create a MSAS role
for each store and district, assigning Everyone (or the generic
connecting account) to all of them, and specifying which role to use in
the connection string, per user. I've been able to test this, and will
probably implement it this way barring any further insights or
cautionary suggestions here.

Thanks,
Tom McLeod