Friday, February 24, 2012

AMO Security Scripting Problem

Hi!

I have a little program that creates roles for a catalog and cubes. The roles are created fine, and all the read permissions on the different cubes as well. Adding different users to the roles is also no problem.

Then when I look in BIDS (open Analysis Services database), everything looks exactly as it should. However, the different roles do not work for the users that are added through the script. But if I manually add a user to one of the created roles, it works for that user. Does anybody know what is going on?

The roles both have users and user groups in them.

You say "However, the different roles do not work for the users that are added through the script."

What script are you talking about? How do you generate the script? What doesn't work exactly?

Edward.
--
This posting is provided "AS IS" with no warranties, and confers no rights.

|||

If you 'script' a role, the script just contains the names of the role members, NOT the permissions. Those permissions are stored in the cubes and dimensions themselves. So be careful when changing permissions with scripts. It was not clear from your description if you just wanted to add users, or if you created new roles as well. In the latter case, this can be an explanation; in the former case, you must have bumped into another problem as well.

|||

Hi!

This is basically what I do.

// Create the role and add a member
Role role = _oDb.Roles.Add(_sRoleID);
role.Members.Add(new RoleMember(@"domain\user"));
role.Update();

// Grant the role read access on the cube
Cube cube = _oDb.Cubes.FindByName(sCube);
if (cube != null)
{
    CubePermission cubeperm = cube.CubePermissions.Add(_sRoleID);
    cubeperm.Read = ReadAccess.Allowed;
    cubeperm.ReadSourceData = ReadSourceDataAccess.Allowed;
    cubeperm.Update();
}


So it's not any advanced type of security, just read or not read a cube. If I then look at this role by opening it with BIDS (opening the cube online, not a project), it looks fine. All the users are there, and the read permissions and so on. But the users can't access the cubes. If I then delete a user from a created role and add it again by hand, they can access the cube. So the role works, but it is like it does not like the programmatically added user names, even though they are exactly the same as when I add them by hand. And I don't think it is all that different from this BOL entry:

http://msdn2.microsoft.com/en-us/library/ms345081.aspx

However, I just saw something in that entry that I missed. It was the DatabasePermission, which I don't do anything with. It might be that, I will check. But that has Role as input, so deleting and adding a user by hand on a role should not affect that, or BIDS does that under the covers or something?

|||

Full of shame, and have an appointment with the eye doctor.

It was the DatabasePermission that was missing. Thanks!
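
The fix identified in the thread, as an added example that is not code from the original posts: the role gets a DatabasePermission as well as the cube permission, and a second method lists roles that have no database-level read access. The server, database, cube, role and account names are placeholders; the calls are from the AMO Microsoft.AnalysisServices object model.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.AnalysisServices;

static class RoleSetup
{
    // Grants a role read access at both levels: the database and the cube.
    public static void GrantCubeRead(Database db, string roleName, string cubeName, string member)
    {
        Role role = db.Roles.FindByName(roleName) ?? db.Roles.Add(roleName);
        bool present = false;
        foreach (RoleMember m in role.Members)
            present |= string.Equals(m.Name, member, StringComparison.OrdinalIgnoreCase);
        if (!present) role.Members.Add(new RoleMember(member));
        role.Update();

        // The step missing from the code in the thread: a database permission for the role.
        DatabasePermission dbPerm = db.DatabasePermissions.FindByRole(role.ID) ?? db.DatabasePermissions.Add(role.ID);
        dbPerm.Read = ReadAccess.Allowed;
        dbPerm.Update();

        Cube cube = db.Cubes.FindByName(cubeName);
        if (cube == null) throw new ArgumentException("Cube not found: " + cubeName);
        CubePermission cubePerm = cube.CubePermissions.FindByRole(role.ID) ?? cube.CubePermissions.Add(role.ID);
        cubePerm.Read = ReadAccess.Allowed;
        cubePerm.Update();
    }

    // Lists roles that have neither database-level read nor administer permission.
    public static List<string> RolesWithoutDatabaseRead(Database db)
    {
        var missing = new List<string>();
        foreach (Role role in db.Roles)
        {
            DatabasePermission p = db.DatabasePermissions.FindByRole(role.ID);
            if (p == null || (!p.Administer && p.Read != ReadAccess.Allowed)) missing.Add(role.Name);
        }
        return missing;
    }

    static void Main()
    {
        var server = new Server();
        server.Connect("Data Source=localhost");              // placeholder server
        Database db = server.Databases.FindByName("SalesDW"); // placeholder database
        if (db == null) throw new InvalidOperationException("Database not found");
        GrantCubeRead(db, "CubeReaders", "Sales", @"DOMAIN\user"); // placeholder names
        foreach (string name in RolesWithoutDatabaseRead(db))
            Console.WriteLine("Role without database read: " + name);
        server.Disconnect();
    }
}
```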
