Databases Reference
In-Depth Information
TABLE 35.1
Permission
Object Properties
Name
Description
The ID of the permission object.
ID
Points to a database role object.
RoleID
Usually means that the user can browse the object from a client appli-
cation. This property can take two values:
None
and
Allowed
.
Read
If set to
True
, members of the
Database
role can process the object
and its child objects. This property can take two values:
True
and
False
.
Process
Defines whether users can see the DDL definition of the object. The
idea is that the DDL definition of the object might be the intellectual
property of the object designer. (For example, a cube designer might not
be willing to share his cube's calculation script.) In addition, the way a
cube maps to the relational database might represent a security risk. (A
cube designer might not be willing to allow users to see the names of
the relational tables and columns.) This property can be set to
None
,
Basic
, or
Allowed
.
If this property is set to
Allowed
, role members can retrieve the
object's entire DDL definition using a
DISCOVER_XML_METADATA
call.
When you create linked objects or local cubes, you might need just a
portion of the object's DDL definition. In that case, you can specify the
Basic
value for the
ReadDefinition
property to allow partial discovery
of the object's DDL. If
ReadDefinition
is set to
Basic
, Analysis
Services does not reveal mappings to the relational database.
ReadDefinition
If this property is set to
None
, the client cannot retrieve
the object's DDL.
When this property is set to
Allowed
, it grants permission to modify
the content of the object. This property applies only to
Dimension
,
Cube
, and
Mining Model
objects. The possible values are
None
and
Allowed
.
Write
A few rules define the way security applies to permission objects:
.
Inheritance
—If one of the permission properties is set on an object at a higher level,
the properties also apply to the lower-level objects. For example, if you have allowed
a
Process
permission on your database, you can also process all the cubes and
dimensions in your database. An exception applies to this rule: A
Read
permission
on the database means that users can see the database name, but don't have
Read
access to all the database cubes. To grant
Read
access to all the cubes in your data-
base, you need to go through every cube and create a
CubePermission
object to
explicitly grant access to each cube.
Search WWH ::
Custom Search