Chapter 6. Securing data

This chapter is recommended for

  Business analysts
  Data architects
  Enterprise architects
  Application developers

A key consideration in any organization is limiting access to sensitive data, and Adventure Works is no exception. They want to be able to restrict sensitive sales information to only the sales managers who need it. They also want to make sure that only HR has access to human resource information about employees.

There are a number of ways to limit data access, such as by user ID, roles, or a user’s attributes. Mondrian uses an approach called role-based access control (RBAC). In an RBAC approach, users are assigned roles, and data is restricted by the role assigned to the user. Using RBAC means you don’t need to manage permissions for each individual user.

This chapter will show you how to restrict access to specific data items, dimensions, and even the entire schema.

6.1. Use of roles

The first things to understand are what a role is and how it can be used by Mondrian to restrict access to data. After reading this section, you’ll understand what roles are, how they’re generally applied to restrict data, and how they’re provided via external settings. You’ll also see how to set the default role in the schema. Finally, we’ll touch on the concept of joint roles, which let you combine multiple roles together to create entirely new roles.

6.1.1. What’s a role?

6.2. Security grants

6.3. Summary