Dimension security OLAP. Again

Question

There is a fact table. This fact table is viewed by two types of users. Each role has access to different dimension: Role A is allowed to see values for specific set of customers (c1, c2). Role B is allowed to see values for specific set of transaction types (t1, t2). In reality it's dynamic security, but that's irrelevant, it works the same for determined sets.

User u1 belongs to both roles, his permission u1(x,y) So...

Role A: x ∈ {c1, c2} AND y ∈ T
Role B: x ∈ C AND y ∈ {t1, t2}

Because SSAS security is additive (Role A OR Role B), I see everything.

If I use

Role A: x ∈ {c1, c2} AND y ∉ T
Role B: x ∉ C AND y ∈ {t1, t2}

Then I see only

x ∈ {c1, c2} AND y ∈ {t1, t2}

I want

x ∈ {c1, c2} OR y ∈ {t1, t2}

Preferably without assemblies and/or creating a dimension containing all customer-transaction permutations.

Is it possible to solve this using roles(logic) only?

Edit: my set algebra is rusty, to say the least. I don't use math normally at work (tho writing down some logic is much quicker than data loads), please feel free to correct my doodle.

Answer 1

I think you should be able to do this in the Role Cell Data tab. I've tested this with a single member from multiple dimensions.

I ticked "Enable read permissions", and put this in "Allow reading of cube content" box:

([Customer].CurrentMember IS [Customer].c1) OR     
([TransactionType].CurrentMember IS [TransactionType].t1)

you can add further ORs as you like. You'll have to remove or at least think hard about the dimension security and how it will interact with the cell security.

Note that, unlike the Dimension security MDX boxes, in this box the MDX should return a logical (0,1) value to determine security.

Thanks to GregGalloway in another question, I've figured out how to expand the IS to work on a set:

(INTERSECT([Customer].CurrentMember,{[Customer].C1,
[Customer].C2,...}).Count>0)