Chris Webb's BI Blog

Analysis Services, MDX, PowerPivot, DAX and anything BI-related

Dynamic Security white paper

with 5 comments

From Richard Tkachuk’s site, a new paper on setting up simple dynamic security in AS2005:
…although it doesn’t mention any of the more complex ways of implementing dynamic security, such as calling a sproc to return the allowed member set or persisting the permissions inside a measure group. Incidentally there was an interesting thread on the MSDN Forum recently that had some interesting comparisons between how these two approaches performed:
To be honest I’ve gone off the idea of dynamic security because of the performance implications – it stops you making full use of caching. It would be interesting to see a comparison of query performance in complex security scenarios between dynamic security and creating individual roles.

Written by Chris Webb

March 14, 2007 at 10:53 pm

Posted in Analysis Services

5 Responses

Subscribe to comments with RSS.

  1. > I\’ve gone off the idea of dynamic security because of the performance implications – it stops you making full use of caching
    This is interesting statement. I wonder why you singled out dynamic security, because any security stops you making full use of caching. Dynamic aspect of security is for the ease-of-management.


    March 15, 2007 at 4:22 pm

  2. Yes, but isn\’t it true that since dynamic security uses the UserName() function it stops the sharing of formula engine caches between users, unlike regular security roles?


    March 15, 2007 at 5:10 pm

  3. There is nothing magic about UserName function (no parethesis). The caches are not shared, because different roles have different data. Therefore whether you create multiple roles, or just one using UserName function – the FE caches won\’t be shared between roles/users in either case.


    March 15, 2007 at 8:41 pm

  4. Sorry, I\’ve been really bad at explaining myself… What I\’ve been meaning to say all along but not got round to saying is that in any large scale security implementation there are going to be multiple users who share the same access rights. In this case, using dynamic security, users who had the same rights would not be able to share FE caches whereas if they had been members of the same non-dynamic role they would have been able to. Isn\’t that right?


    March 16, 2007 at 9:09 pm

  5. I agree – it would be nice if someone stepped up to a "formal study" on various security options like:
    – Dynamic Security
    – Dynamic security with sproc
    – "Regular" dimensional role security
    – also HTTP access overhead


    March 16, 2007 at 10:40 pm

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


Get every new post delivered to your Inbox.

Join 4,002 other followers

%d bloggers like this: