Skip to main content

Pentaho+ documentation has moved!

The new product documentation portal is here. Check it out now at


Hitachi Vantara Lumada and Pentaho Documentation

Restrict Access to Specific Members

Parent article

You can restrict access to parts of a schema by implementing an element to define access to a hierarchy.

Access is restricted to parts of a schema by implementing the <HierarchyGrant> element to define access to a hierarchy, as shown in the following example:

<Role name="California manager">
    <SchemaGrant access="none">
        <CubeGrant cube="Sales" access="all">
            <HierarchyGrant hierarchy="[Store]" access="custom" topLevel="[Store].[Store Country]">
                <MemberGrant member="[Store].[USA].[CA]" access="all"/>
                <MemberGrant member="[Store].[USA].[CA].[Los Angeles]" access="none"/>
            <HierarchyGrant hierarchy="[Customers]" access="custom" topLevel="[Customers].[State Province]" bottomLevel="[Customers].[City]">
                <MemberGrant member="[Customers].[USA].[CA]" access="all"/>
                <MemberGrant member="[Customers].[USA].[CA].[Los Angeles]" access="none"/>
            <HierarchyGrant hierarchy="[Gender]" access="none"/>

The access attribute can be one of the following types:

  • all: all members are visible.
  • none: the hierarchy's very existence is hidden from the user.
  • custom: customized to your own specifications.

With custom access, you can use the topLevel attribute to define the highest visible level (preventing users from seeing too much of the 'big picture,' such as viewing revenues rolled up to the Store or Country level); or use the bottomLevel attribute to define the lowest visible level (preventing users from looking at an individual customer's details); or control which sets of members a user can see by defining nested <MemberGrant> elements.

You can only define a <MemberGrant> element if its enclosing <HierarchyGrant> has access="custom". Member grants give (or remove) access to a given member and all of its children. Here are the rules:

  • Members inherit access from their parents. If you deny access to California, you will not be able to see San Francisco.
  • Grants are order-dependent. If you grant access to USA, then deny access to Oregon, then you will not be able to see Oregon or Portland. But if you were to deny access to Oregon, then grant access to USA, you can effectively see everything.
  • A member is visible if any of its children are visible. Suppose you deny access to USA, then grant access to California. You will be able to see USA, and California, but none of the other states. The totals against USA will still reflect all states, however.
  • Member grants don't override the hierarchy grant's top- and bottom-levels. If you set topLevel="[Store].[Store State]", and grant access to California, you will not be able to see USA.