Hi everybody,
I have a problem:
- if I assign to a role the general "Read Definition" rights (on the database), I am not able to reduce the visibility on the dimensions, since they are all with "Read Definition" rights and at least "Read" access.
- on the contrary, if I dont'assign to a role the general "Read Definition" rights, and then set "Read Definition" rights on some dimensions (and the "Read" access, too), the users of this role are not allowed to connect to the OLAP database!
This way, it's not possible to assign selective visibility to the dimensions, and it seems you are forced to always set the general "Read Definition" rights in order to access a database (so this flag would be quite unuseful). Can someone suggest me what I am doing not correct?
Thank you very much,
ReadDefinition permission allows a user bit more than access to dimensions , It allows user to retreive metadata for dimension.
What you probably looking for is to grant specific role Read access to one of your cubes. For instance grant Read access to your Sales cube.
If you would like to deny users seeing data in one of dimensions, you can click on the Dimension Data node in the Edit Role dialog.
In this page you should be able to deny acess to individual attributes in your dimension by selecting "Deselect All members" option. Go through all attributes in your dimension and Role users will not be able to see dimension data.
You can test security the Role you create by going into the Cube browser and clicking on the "Change User" (first icon on the upper left corner of the browser).
Edward.
--
This posting is provided "AS IS" with no warranties, and confers no rights.
Thank you very much for your kind answer.
From what you say, I understand there is no way to limit access to OLAP database metadata to users in roles with general Read Definition rights, correct? Therefore, all the users are allowed to see the definition and properties of all the dimensions, cubes, etc and the roles themselves and we can limit only the "data" (members, cells and so on). Is it?
Another question, in the BIDS environment I couldn't find the "ApplyDenied" property for the Dimension Data, can it be used only programmatically or maybe I didn't search in the right place?
Thank you very much!
|||To clarify my post above;
To grant Read access to your cube and dimension you don't need to grant your users ReadDefinition rights to your database. It is just enough to grant them Read rights to your cubes and configure access to dimensions.
ReadDefinition is "stronger" compared to the Read permission. You would grant ReadDefinition right to allow your users to peroform advanced tasks: like creating local cubes...
As for the properties of the objects avaliable to you through AMO. Try and browse your database using AmoBrowser sample application. If you installed samples, you should find it under %Drive%:\Program Files\Microsoft SQL Server\90\Samples\Analysis Services\Programmability\AMO. Using AmoBrowser you should be able to see all properties exposed for any AS object.
Edward.
--
This posting is provided "AS IS" with no warranties, and confers no rights.
No comments:
Post a Comment