Previous Page | Next Page

OLAP Member-Level Permissions

Example: Using Member-Level Permissions


Introduction

This example demonstrates how you can use member-level permissions. These are the security goals in this example:

The following figure depicts the relevant parts of a company's organization structure and of the OLAP cube against which the company runs executive reports. Notice that the levels in the cube's Geography dimension closely correspond to the depicted organizational structure.

[untitled graphic]


Implementation Process

  1. Set these permissions on the cube:

    • Give the PUBLIC group explicit [white check box] denials of the Read and ReadMetadata permissions for the entire cube. The data in the cube is used for executive reports only.

    • Give the company president explicit [white check box] grants of the Read and ReadMetadata permissions for the entire cube. This user sees all of the data.

    • Give the SAS System Services group an explicit [white check box] grant of the ReadMetadata permission. You must always preserve the SAS Trusted User's access to cubes and schemas.

    • In most cases, some members of the information technology staff will also need access to the data for administrative purposes. Make sure that any such groups or users have explicit [white check box] grants of the Read and ReadMetadata permissions.

  2. To assign the permission conditions:

    1. Right-click the cube's Geography dimension [icon].

      Note:   In SAS Management Console, you can access the dimensions on the Plug-ins tab under Authorization Manager [arrow] Resource Management [arrow] By Location [arrow] <your application server> [arrow] <your OLAP schema> [arrow] <your cube> [arrow] Dimensions. In SAS OLAP Cube Studio, navigate to the dimension on the Inventory tab.  [cautionend]

    2. On the Authorization tab, select (or add) the Vice President Americas user.

    3. In the permissions list, add an explicit [white check box] grant of the Read permission for the Vice President Americas user. This enables the Add Authorization button.

    4. Click the Add Authorization button,

    5. In the Add Authorization dialog box, select the Create an advanced MDX expression radio button and click Build Formula.

    6. In the Build Formula dialog box, paste or build a filter for the Vice President Americas user and click OK.

    7. On the Authorization tab, click OK to save this permission condition and then return to step 2b to repeat the process for the next executive.

For example, this table contains MDX expressions that you could use to subset the data based on each executive's area of responsibility.

Example: MDX Expressions
User MDX Expression Notes
Vice President Americas {[Geography].[All Geography], Descendants([Geography].[All Geography].[North America],[Geography].[Continent],SELF_AND_AFTER)}
Vice President International Except({[Geography].Members}, {Descendants([Geography].[All Geography].[North America],[Geography].[Continent],SELF_AND_AFTER)}) Use Except to exclude North America.
Director North America {[Geography].[All Geography],[Geography].[All Geography].[North America],[Geography].[All Geography].[North America].Children} Use .Children to include countries.
{[Geography].[All Geography],[Geography].[All Geography].[North America],descendants([Geography].[All Geography].[North America])} Alternative: use Descendants to include countries and cities.
{[Geography].[All Geography].[North America], [Geography].[All Geography].[North America].Children} Alternative: exclude the All level.
Director Africa {[Geography].[All Geography].[Africa], [Geography].[All Geography].[Africa].Children}
Director Asia {[Geography].[All Geography].[Asia],[Geography].[All Geography].[Asia].Children}
Director Australia/Pacific {[Geography].[All Geography].[Australia/Pacific], [Geography].[All Geography]. [Australia/Pacific].Children}
Director Europe {[Geography].[All Geography].[Europe], [Geography].[All Geography].[Europe].Children}
Manager Germany {[Geography].[All Geography].[Europe].[Germany], descendants([Geography].[All Geography].[Europe].[Germany])} Exclude Europe.*
Manager USA {[Geography].[All Geography].[North America].[USA], descendants([Geography].[All Geography].[North America].[USA])} Exclude North America.*
* Because this expression excludes a parent level, you should also deny this user the ReadMetadata permission for the level that you are hiding. This is a requirement when OLAP data is accessed through an information map.

Previous Page | Next Page | Top of Page