Hi All,
Running SQL 2008
Our application connects to ssas using a service account. When a user logs in his login name is embedded in the connection string as CustomData . The login is the used in a CLR stored proc to connect to a legacy database and retrieve a list of members of that dimension that the user has access to. Something like strtoset(DynamicCubeSecurity.CheckSecurity(CUSTOMDATA(), "Line","[Scope].[Line]"))
This works fine.
We also have the measure groups partitioned along the same dimension.
If a user connects to the application and the app issues a query that explicitly specifies a list of dimension members, only the corresponding partitions are loaded which is what I expect.
But if a user with limited permissions connects to the application and issues a query without explicitly specifying a slicer, I would expect that only partitions that ha can see are loaded, but this doesn’t seem to be the case. It looks like the security is applied after the query is evaluated.
Is this the expected behaviour? Is there any workaround this?
Much appreciated