Hitachi Vantara Pentaho Community Wiki
Skip to end of metadata
Go to start of metadata

Pentaho metadata provides a Security Information property that allows you to define table or column level security that the Pentaho BI Server can make use of. Before you can use this property, you need to tell the Pentaho Metadata Editor about your Pentaho BI Server, so that the program can retrieve the list of Users, Roles and Access Control Lists needed.

Setting Up the Security Service

The security information used in the business model needs to be retrieved from a Pentaho BI Server, so make sure you have the following information available before you attempt to configure security:

  • The base URL to the Pentaho BI Server, as well as the name of the service to execute security information retrieval. In the demo server, the base URL is http://localhost:8080/pentaho, and the default name for the service is ServiceAction. Ask your server administrator if changes were made to this service.
  • An admin set of credentials for the server.

Security Service Settings

  1. From the main menu, select the Security Service option from the Tools menu.
  2. The Security Service dialog displays.

  3. On the Service tab, enter the Service URL for your server. This is a URL combining the base URL and the service name. The demo server's Service URL is http://localhost:8080/pentaho/ServiceAction .
  4. Next, select the level of detailed security information you want: All, Users or Roles. If you have hundreds of users in your system, you probably only want to return the roles, and use roles for security information properties. The access control lists are returned with all three options.
  5. In the username field, provide an admin level username to authenticate with the server.
  6. And last, enter the password for the user specified above.

You can click the Test button to be sure the settings are correct, and your server is accessible. You should see a message similar to the following:

Working Offline

You will at times want to work on your model, and may not have access to your Pentaho BI Server. You can save your security information in a file, and the Pentaho Metadata Editor will be just as happy to retrieve your settings from that file instead of making a trip to the server every time you open this domain.

  1. Follow the steps above to configure your security settings.
  2. Click the Test button, to show the security information from the server.
  3. Copy all of the XML between the <content></content> tags, including content the tags themselves.
  4. Paste the XML into your favorite text editor, and save the file as metadata_security.xml, in a location of your choosing.
  5. Switch to the File tab in the Security Service dialog.
  6. Browse to the file that you just saved.
  7. Click OK when you are done.

Modifying Security Constraints

To add security constraints to a specific business table or column, first bring up the properties dialog, and then click the add property button:

Select the Security Information property and click OK

With the security property available, now add the individual role or user permissions to the business model, table, or column.  These permissions will then be enforced within Pentaho's BI Platform after publishing the new metadata model.

Configuring the Pentaho BI Server

(This section is obsolete, as of 3.7 or earlier. SecurityAwareCwmSchemaFactory was deprecated according to Javadoc. Does anybody know the new config required?)

By default, the Pentaho BI Server's Metadata configuration is not security aware. To enable security aware metadata on the Pentaho BI Server, modify the pentaho-solutions/system/pentaho.xml:

replace this line:

<ICwmSchemaFactory scope="session">org.pentaho.pms.factory.CwmSchemaFactory</ICwmSchemaFactory>

with this:

<ICwmSchemaFactory scope="session">org.pentaho.repository.cwm.SecurityAwareCwmSchemaFactory</ICwmSchemaFactory>
  • Note that permissions must be explicitly defined in metadata when using the SecurityAwareCwmSchemaFactory. Existing metadata model files that do not specify security constraints will not appear until configured correctly.



    1. handler


      Priority HIGH
      Jul 25, 2011
  • No labels


  1. Anonymous

    metadata.xml file tags are not explained properly. As in actual senario a user will be associated to some role and that role will have some privlages. But here we are having the users , roles and acls tags seperately. So how can we associate which user is having which role. And I did't got wahat do we mean by mask tag, we are giving some number to it, what this number mean ?.

  2. user-8c6f0

    I beleive that the associations between users and roles are not at this level. The only important thing here is to map certain users or groups to given tables or columns or models. Those associations will then be verified by the BI platform.

  3. user-c4e92

    Can someone explain the difference in the 2 repositories? What impacts if any are there of enabling the security aware one? Why isnt that enabled by default, why have 2 implementations?

  4. user-d2ca3

    As per above documentation, permission assiged to business model in metadata editor will be enforced in pentaho's BI envi after publishing the model to BI server.

    But , I don't see any option to edit or delete the business model in Pentaho's BI platform.

    CAn anybody help me on this.?

    I Also checked by creating a ad hoc report using this business model which had create and execute permissions, but the user could also delete the report.

    Please somebody help.

  5. user-b7d3c

    There is a way to delete Business Models in 3.7.0, just right click on a model and choose 'Delete'.