Database Reference
In-Depth Information
Administrative rights are relatively straightforward and allow users to perform tasks
such as processing a cube. Data security is much more complex and controls what
access a role has to data in the cube; as such, we'll spend much more time discussing
data security and how it can be implemented.
Creating roles
A new role can be created by right-clicking on the
Role
node in the
Solution
Explorer
pane in SQL Server Data Tools. The new role will get a default name, but
can subsequently be renamed. Upon creation, we can define the role's permissions in
each of the following tabs in the Role Editor:
•
General
: This tab lets us to provide a text description what the role does,
and define administrative permissions for the entire Analysis Services
database. These permissions are not usually granted to regular users,
only to administrators.
•
Membership
: This tab lets us add local and domain users and groups to the
role. As stated previously, we will only use domain user groups so as not to
tie the security to specific users. Local users and local groups are useful only
when users need to connect to the cube via HTTP through IIS.
•
Data Source
: This tab lets us to grant access to data sources. This is only
necessary when using the data mining functionality in Analysis Services;
as data mining is outside the scope of this topic, we can ignore this tab.
•
Cubes
: This tab lets us grant the right to access cubes and set various
cube-level administrative permissions.
•
Cell Data
: This tab lets us to define security at the cell level, allowing the role
to access data in individual cells within the cube.
•
Dimensions
: This tab lets us set various administrative permissions on
our dimensions.
•
Dimension Data
: This tab lets us configure dimension security, allowing the
role to access data for specific members on dimension hierarchies.
Membership of multiple roles
It's possible that a user can belong to more than one role, so as a result we need
to understand what happens when a user is a member of multiple roles that have
different permissions.
Search WWH ::
Custom Search