Security Model for Analysis Services - Microsoft SQL Server 2008 Analysis Services

Databases Reference

In-Depth Information

TABLE 35.1 Permission Object Properties

Name

Description

The ID of the permission object.

ID

Points to a database role object.

RoleID

Usually means that the user can browse the object from a client appli-

cation. This property can take two values: None and Allowed .

Read

If set to True , members of the Database role can process the object

and its child objects. This property can take two values: True and

False .

Process

Defines whether users can see the DDL definition of the object. The

idea is that the DDL definition of the object might be the intellectual

property of the object designer. (For example, a cube designer might not

be willing to share his cube's calculation script.) In addition, the way a

cube maps to the relational database might represent a security risk. (A

cube designer might not be willing to allow users to see the names of

the relational tables and columns.) This property can be set to None ,

Basic , or Allowed .

If this property is set to Allowed , role members can retrieve the

object's entire DDL definition using a DISCOVER_XML_METADATA call.

When you create linked objects or local cubes, you might need just a

portion of the object's DDL definition. In that case, you can specify the

Basic value for the ReadDefinition property to allow partial discovery

of the object's DDL. If ReadDefinition is set to Basic , Analysis

Services does not reveal mappings to the relational database.

ReadDefinition

If this property is set to None , the client cannot retrieve

the object's DDL.

When this property is set to Allowed , it grants permission to modify

the content of the object. This property applies only to Dimension ,

Cube , and Mining Model objects. The possible values are None and

Allowed .

Write

A few rules define the way security applies to permission objects:

.

Inheritance —If one of the permission properties is set on an object at a higher level,

the properties also apply to the lower-level objects. For example, if you have allowed

a Process permission on your database, you can also process all the cubes and

dimensions in your database. An exception applies to this rule: A Read permission

on the database means that users can see the database name, but don't have Read

access to all the database cubes. To grant Read access to all the cubes in your data-

base, you need to go through every cube and create a CubePermission object to

explicitly grant access to each cube.

Microsoft SQL Server 2008 Analysis Services

Search WWH ::

Custom Search

Home