Jet Reports Homepage |  Community Forum |  Downloads |  Submit A Ticket |  Jet Express Support
Feedback

Configuring OLAP Security


Overview

Users must be granted rights before they can access the cubes. These rights can be configured using the Jet Data Manager.

This article will cover the following topics:

If you are an administrator on Analysis Services or Active Directory you do not need to explicitly define user rights for yourself. You will already have access to the cubes.

Process

Creating and Adding Users to a Role

1. Open your project and navigate to the Cubes tab → Right click on your OLAP Database → Advanced OLAP Server User Rights → The OLAP Access Control dialog opens.

 

If OLAP Server User Rights are grayed out you will need to save the project.
2. From the dialog click Add Role , the Role Setup window will open.

3. In the Name field specify a title and then click Add...

4. Add the name of the user(s) or user groups you wish to add and click Check Names to ensure proper entry. Once the correct users are added click OK . Repeat this process as needed.

5. You will now notice that the user has been added to the role setup dialog. Click OK.

Click the Deploy Rights button to grant the user(s) access.

Users will be able to see every object in the OLAP database until permissions are denied.
 
Once users have been granted rights they will need to connect to the cubes from Excel. To do this see: Connecting to the Cube

Database Dimension VS Cube Dimension

Every cube will contain dimensions and the same dimensions can be shared across more than one cube. Notice how our Sales cube has its own Dimensions node. These are referred to as cube dimensions. The Dimensions node at the bottom are referred to as Database dimensions. This enables us to define rights for a single cube, or for every cube that contains the associated dimension.

Configuring User Rights for a Specific Cube

Setting Rights for the Entire Cube

In this example we have a role for our sales team. We want to restrict their access to only see information from the Sales cube.

1. Click on the cube(s) that you wish to restrict access to.

2. Click the drop down for the role you wish to changes permissions for.

The three most common settings are:

  • None: The role will not be able to access or see the cube.
  • Read: The role can pull information from the cube, but can not perform drill-through action.
  • Read with Drill-through: The role can pull information from the cube and can also perform dill-through action.

3. Select your desired permission and click Deploy Rights to save your changes.

Setting Rights on Measures

In this example our sales team shouldn't have access to the Cost Amount measure.

1. Click on the measure(s) you want to restrict access to. In this example we selected Cost Amount .

2. Deselect the check box.

3. Click Deploy Rights to save your changes.

Setting Rights on Cube Dimensions

In this example our sales team shouldn't have access to any locations in New York.

1. Select the cube dimension(s) you want to restrict access to. In this example we selected of our Location dimension.


2. Set the dimension to No Inheritance

  • Inherited: The cube dimension will follow the permissions defined at the database dimension level
  • No Inheritance: The cube dimension will not follow the permissions defined at the database dimension level
  • Combined: The cube dimension will follow the permissions defined at the database dimension level unless restricted further

 


3. Select the level of your dimension that you would like to restrict access to. In this example there is only one level Location .

4. Select your Rule Set. The default is Deny .

  • Deny: New members added to the top level will be allowed. This means the box will be ticked for newly added members.
    • For example: if we add a new member (location) to our dimension, our role will be able to see it. We do not need to grant it access manually.
  • Allow: New members added to the top level will be denied. This means the box will be un-ticked for newly added members.
    • For example: if we add a new member (location) to our dimension, our role will not be able to see it until we grant it access manually.
5. Deselect any members that you wish to hide from the role. For example if we want to make sure our role can not access the New York members we would select the Deny rule set, tick the box for select All Location (the ALL MEMBER), and tick only those members we wish to see.
When using the deny rule set you must ensure that the All Member is enabled. This will be the first member of any dimension.


Configuring User Rights for Multiple Cubes

User rights can be defined at the database dimension level. This allows you to set a global permission that will be inherited by any cube that has inherited, or combined enabled.

Changes made at the database dimension level will be inherited at the cube dimension level, unless No Inheritance is enabled.
Changes made at this level are similar to those made at the cube dimension level, except they are further reaching. For example let's say we want to further restrict access to our sales team role by only allowing them to see transactions with a Global Dimension code of CORPORATE.

1. Click on the Dimension level(s) you wish to restrict access to.

2. Select your Rule Set. The default is Deny .

  • Deny: New members added to the top level will be allowed. This means the box will be ticked for newly added members.
    • For example: if we add a new member (location) to our dimension, our role will be able to see it. We do not need to grant it access manually.
  • Allow: New members added to the top level will be denied. This means the box will be un-ticked for newly added members.
    • For example: if we add a new member (location) to our dimension, our role will not be able to see it until we grant it access manually.

3. Deselect any members that you wish to hide from the role. For example if we want to make sure our role can only access the CORPORATE member then we would select the Deny rule set, tick the box for select All Global Dimension 1 (the ALL MEMBER), and tick only those members we wish to see. In this example we ticked the All Global Dimension 1 and our CORPORATE member.

When using the deny rule set you must ensure that the All Member is enabled. This will be the first member of any dimension.

Configuring User Rights for Named Dimensions

In Analysis Services, inherited dimension security can only be used when the dimension name in the cube matches the dimension name of the database dimension.

Notice how the database dimension "Customer" is renamed as Sell-to Customer and Bill-to Customer in the Sales cube. This means security must be defined on the cube dimension itself using the combined option. To do this see the section below labeled " Configuring User Rights for Combined Security "

Setting Rights on Cube Dimensions

Configuring User Rights for Combined Security

A combined permission set allows the cube dimension to inherit permissions from the database dimension plus allows you to further define permissions on the cube dimension.

For example: We have a role called Sales Region A. In our Sales Cube we only want the users associated with the role to have access to our Atlanta Warehouses, but in our Inventory cube these same users will need to see all of our locations. To handle this situations we can configure combined security.

1. Our database dimension will have access to all of our locations.

2. Click on the cube dimension(s) and select Combined .

  • Inherited: The cube dimension will follow the permissions defined at the database dimension level
  • No Inheritance: The cube dimension will not follow the permissions defined at the database dimension level
  • Combined: The cube dimension will follow the permissions defined at the database dimension level unless restricted further
 

3. Click on the cube dimension level(s) you wish to further restrict access to. In this example we have changed the permissions for Sales Region A to only see our Atlanta Warehouses.

4. Click the Deploy Rights button to save your changes.

Note that these permissions were only set on the sales cube. If we look at the Inventory cube we can see that our Location dimension is still set to Inherited. This means the location dimension within our Inventory cube will follow the permission set at the database dimension level.

MDX Based OLAP Security

Instead of using the graphical user interface to configure OLAP Security you can use MDX (Multi-dimensional expressions).

1. Navigate to OLAP Server User Rights:



2. Add or Edit the Role, navigate to the dimension member node where you want to define an MDX based allowed or denied member set.

3. Select either Allow or Deny rule set, and click NoMdx button in the grid.

4. Enter your MDX query.

The NoMdx button will change to Mdx .

If a member set is defined, any check marks in the individual members on the dimension are ignored. Only the MDX part is deployed to Analysis Services.

 

 
Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request

Comments