Hi,
Could you help me a bit?
I'm trying to implement dynamic security in a cube. It looks working but sometimes shows wrong results.
After processing employee A may see result set of employee B. But it is not a rule, incorrect behaviour is about 10% of all test cases.
At the same time dedicated TestUser does not experiencing this issue if it belongs to any other role than others or has admin rights.
There are two SSAS servers - one is processing server, second is a query server. Afert cube is processed on Processing server database is synchronized with Query server. Both backup/restore and native database synchronization methods has the same results.
I've investigated that last session on query server before synchronization is finished belongs to employee B.
XMLA Clear Cache command does not solve the issue. There is only way to manage this - synchronize database again, maybe twice.
All employees are members of an only Role (except of dedicated test user, mentioned above). Cube has [Viewer] dimension. For each SSAS cube user this dimension has exactly one corresponding member.
Default member of an only non aggregatable hierarhy [Viewer].[Employee] is set to current authenticated user via custom .NET assembly. Default Member expression uses USERNAME() function to determine which member should be used as default. It looks like this:
App.MSAS.Extensions.GetViewerByLogin(USERNAME)
All secured measures related to [Viewer] dimension by cascaded m2m relation.
Each secured dimension has allowed set expression like this: NONEMPTY([Secured Dimension].[Granularity Attribute].MEMBERS, [Measures].[Securable Object Count]). Visual totals are applied.
[Securable Object Count] measure is related with [Viewer] by m2m and with [Secured Dimension] using regular relationship.
Is it cache related issue? Should SSAS share cached execution results between employees? Slice by [Viewer] is not specified obviously, but it specified as default member expression.
P.S. I has rewrite allowed member set specifying the [Viewer].[Employee] obviously:
NONEMPTY(
[Secured Dimension].[Granularity Attribute].MEMBERS,
([Measures].[Securable Object Count],App.MSAS.Extensions.GetViewerByLogin(USERNAME))
)
GetViewerByLogin procedure is a place to override default member for some employees (for test reasons, or to delegate rights to vice). It uses relational SQL database to handle this, and called multiple times. So fixing (I'm not sure if is it fixed now)
bug by this way leads to slower cube initialization. Performance is critical.
Thank you!