Securing Your Data in Analysis Services - Professional SQL Server Analysis Services 2005 with MDX

Databases Reference

In-Depth Information

Securing Your Dimension Data

Often in business you have to restrict data access from certain sets of users.

You might have to restrict whole members of a dimension or just cell values.

Restricting access to members of a dimension to users is called dimension se-

curity. Restricting access to cell values from users is called cell security. You

learn more about securing dimension members in this section, followed by re-

stricting access to cell values in the following section with the help of a busi-

ness scenario.

Dimension security helps you to restrict access to members of a dimension for

your Analysis Services database users based on your business needs. For ex-

ample, you can have a dimension account that could have members such as

accounts payable, accounts receivable, and materials inventory for your com-

pany. You might want to restrict user access such that certain users can see

only the account types that they are authorized to work with. For example, the

personnel working in the accounts payable department should only be able to

see the members under accounts payable and should not be able to see all

the accounts under accounts receivable or materials inventory. Here is another

example: If your company is selling products in various cities, you might want

to restrict access to sales employees so that they can only see the data for

which they are responsible on a city-by-city basis.

Analysis Services provides security restrictions on objects using an object

called "role" as seen in Chapter 9 . You can define roles in your database and

then restrict permissions to certain members or cells based on those roles.

There are several techniques to model security based on the user, and you

learn those techniques in this section. A user or a group of users is typically

part of a specific role, and all the users in a role will have the same level of se-

curity. A user can be part of one or more roles. An Analysis Services instance

identifies a user based on the Windows login credentials. When a user con-

nects to an Analysis Services instance, the server iterates through various

roles within the server to determine the roles the user is part of. Based on the

list of roles a user belongs to, Analysis Services establishes appropriate secur-

ity restrictions specified in those roles. If a user is part of multiple roles, Analys-

is Services provides access to a union of all the roles the user is part of. The

important thing to know about this union is that if two roles give contradicting

indications for user access of some object, access will be allowed. So, this is

not a process that tends to upset users. If you have a group of users whose

Search WWH ::

Custom Search

Home