Parameters

MDX query parameterization in Mondrian offers a robust and secure approach to handling dynamic queries. Unlike SQL, where parameter handling requires careful sanitization to prevent injection attacks, MDX parameters can be used freely anywhere in the query structure. This flexibility extends to allowing parameters to represent either portions of a query or entire queries themselves, without compromising security.

The security model in Mondrian operates at a fundamental level - it evaluates permissions before returning any data. This means that even if a user attempts to craft a query to access unauthorized data, Mondrian's security layer will automatically filter out any results they don't have permission to view. This makes it inherently more secure than traditional SQL approaches.

The MDX query is configured with a parameter named "markets" (default value: "Territory")

The query structure retrieves:

• Quantity measures on the COLUMNS axis

• Market members based on the parameter value on the ROWS axis

• Data is sourced from the "SteelWheelsSales" cube

The parameterization is particularly powerful because the "markets" parameter can be dynamically set to different geographic levels (Territory, Country, State, Province, or City), allowing the same query to provide different levels of detail without requiring separate query definitions.

This makes it especially useful for building flexible business intelligence dashboards and reports where users need to drill down through different levels of data.

The query system uses parameters to control data aggregation levels. By default, it shows sales quantities by Territory, but you can change this parameter to view data by Country, State, Province, or City instead.

Parameters are flexible and can be placed anywhere within a query, or the entire query itself can be parameterized.

The example shows how to create a parameterized MDX query that retrieves sales data from the SteelWheelsSales database, with the query structure defined in a parameter called "myQuery."

When working with Kettle queries in CDA (Community Data Access), you don't need to define a query explicitly for CDA, though you may need one within the transformation itself. Instead, you can pass parameters directly to the Kettle transformation.

The key feature is parameter mapping between CDA and Kettle transformations. When parameter names differ between CDA and the Kettle transformation, you must map them using the datarow-name and variable-name attributes in the connection definition. If parameter names are identical in both CDA and Kettle, no mapping is needed - CDA will pass these parameters directly to the transformation.

For example, if a Kettle transformation uses a parameter named myZip but your CDA component refers to it as ZipCode, you would map them in the XML configuration using:

<variables datarow-name="ZipCode" variable-name="myZip"/>.

Both parameter definitions must also be included in the DataAccess section of the CDA descriptor.

Private parameters in SQL queries are server-side values that cannot be overridden by client-side inputs. This is particularly useful for security purposes, especially when handling sensitive data like user identities. For example, when using

${[security:principalName]}

as a private parameter, the system will automatically use the logged-in user's username, regardless of any attempts to modify this value from the client side.

This prevents potential security breaches where a user might try to impersonate another user by manipulating parameter values. The parameter is defined with

access="private"

in the XML configuration, ensuring that only the server-side value is used in the SQL query.