IBM has decided to revert the change in behavior that is described in this tech bulletin. The change will be made in version 2.0.9.2 and it is expected to be released by the end of July. For more information, please reference IBM’s tech note at https://www.ibm.com/support/
We have an important technical bulletin regarding IBM Planning Analytics and MDX.
Version 2.0.9.1 of Planning Analytics changes the way MDX expressions are generated for dimensions that have security defined. This change may have a significant impact on your existing models.
Details
Prior to 2.0.9.1, when generating a subset list based on an MDX expression, Planning Analytics would execute the dynamic subset and then introduce security. Elements in the subset would be determined at runtime even if the user using the subset did not have READ access to a member that is named in the MDX statement. The list of elements in the subset was determined and then filtered by security. This resulted in the user only seeing the elements that were allowed.
As of 2.0.9.1, the system introduces security and then executes the dynamic subset. Users will need to have (at least) READ access to members that are named in the MDX statement. Just as a user could not determine the descendants of a consolidated element in any other user interface (e.g., the hierarchy or set editor) they will not be able to determine descendants of the member by using MDX. This may result in users not seeing any elements in the resulting expression.
For example:
- A model contains a dimension named “Company”. The dimension has a consolidated element named “Total Company” with child elements “A”, “B”, and “C”.
- There is a dynamic subset which returns the base level descendants of “Total Company” via the following expression:
{ TM1FILTERBYLEVEL ( { TM1DRILLDOWNMEMBER( { [Company].[Total Company] }, ALL, RECURSIVE ) } , 0)} |
- A user only has security access to company A via element security.
- Prior to 2.0.9.1, the result would be that the user sees company A.
- This is because Planning Analytics created the dynamic subset which included all the elements and then applied security to only allow the user to see company A.
- As of 2.0.9.1 the result does not include any elements in the subset.
- This is because Planning Analytics tried to create the subset by starting with Total Company, realized that the user has no access to Total Company, and therefore did not have anything to expand.
- Prior to 2.0.9.1, the result would be that the user sees company A.
Recommended next steps:
Revelwood recommends a review of your system to determine where MDX expressions are used. This includes all dynamic subsets and all dynamic reports/templates (i.e., Active Forms / Dynamic Reports).
Revelwood has created a Turbo Integrator script that will help you assess potential conflicts by analyzing combinations of element security and dynamic subsets. You can download the script for free.
Reviewing your system now will reduce the potential for your end users having problems seeing elements. By being proactive, you have the opportunity to stave off headaches for yourself.
Please contact John Pra Sisto at jprasisto@revelwood.com if you have any questions regarding this bulletin or the Turbo Integrator script.