 |
|
| OLAP Member-Level Permissions |
Example: Using Member-Level Permissions
| Introduction |
This example demonstrates how you can use member-level permissions. These are the security goals in this example:
-
enable company executives to access data based on their areas of responsibility
-
prevent other employees from accessing data in the cube that is used to generate executive reports
The following figure depicts the relevant parts of a company's organization structure and of the OLAP cube against which the company runs executive reports. Notice that the levels in the cube's Geography dimension closely correspond to the depicted organizational structure.
![[untitled graphic]](images/mlsexample.gif)
| Implementation Process |
-
Set these permissions on the cube:
-
Give the PUBLIC group explicit
![[white check box]](images/am-white.gif)
denials
of the Read and ReadMetadata permissions for the entire cube. The data in
the cube is used for executive reports only. -
Give the company president explicit
grants of the Read and ReadMetadata permissions for the entire cube.
This user sees all of the data. -
Give the SAS System Services group an explicit
grant of the ReadMetadata permission. You must always preserve the
SAS Trusted User's access to cubes and schemas. -
In most cases, some members of the information technology staff will also need access to the data for administrative purposes. Make sure that any such groups or users have explicit
grants
of the Read and ReadMetadata permissions.
-
-
To assign the permission conditions:
-
Right-click the cube's Geography dimension
![[icon]](images/small-dimension.gif)
.Note: In SAS Management Console, you can access the dimensions on the Plug-ins tab under Authorization Manager
![[arrow]](../../../../common/63294/HTML/default/images/arrow.gif)
Resource
Management By Location <your
application server> <your OLAP schema> <your cube> Dimensions. In SAS OLAP Cube
Studio, navigate to the dimension on the Inventory tab. ![[cautionend]](../../../../common/63294/HTML/default/images/cautend.gif)
-
On the Authorization tab, select (or add) the Vice President Americas user.
-
In the permissions list, add an explicit
grant of the Read permission for the Vice President Americas user.
This enables the Add Authorization
button. -
Click the Add Authorization button,
-
In the Add Authorization dialog box, select the Create an advanced MDX expression radio button and click Build Formula.
-
In the Build Formula dialog box, paste or build a filter for the Vice President Americas user and click OK.
-
On the Authorization tab, click OK to save this permission condition and then return to step 2b to repeat the process for the next executive.
-
For example, this table contains MDX expressions that you could use to subset the data based on each executive's area of responsibility.
| User | MDX Expression | Notes |
|---|---|---|
| Vice President Americas | {[Geography].[All Geography], Descendants([Geography].[All Geography].[North America],[Geography].[Continent],SELF_AND_AFTER)} |
|
| Vice President International | Except({[Geography].Members}, {Descendants([Geography].[All Geography].[North America],[Geography].[Continent],SELF_AND_AFTER)}) | Use Except to exclude North America. |
| Director North America | {[Geography].[All Geography],[Geography].[All Geography].[North America],[Geography].[All Geography].[North America].Children} | Use .Children to include countries. |
| {[Geography].[All Geography],[Geography].[All Geography].[North America],descendants([Geography].[All Geography].[North America])} | Alternative: use Descendants to include countries and cities. | |
| {[Geography].[All Geography].[North America], [Geography].[All Geography].[North America].Children} | Alternative: exclude the All level. | |
| Director Africa | {[Geography].[All Geography].[Africa], [Geography].[All Geography].[Africa].Children} |
|
| Director Asia | {[Geography].[All Geography].[Asia],[Geography].[All Geography].[Asia].Children} |
|
| Director Australia/Pacific | {[Geography].[All Geography].[Australia/Pacific], [Geography].[All Geography]. [Australia/Pacific].Children} |
|
| Director Europe | {[Geography].[All Geography].[Europe], [Geography].[All Geography].[Europe].Children} |
|
| Manager Germany | {[Geography].[All Geography].[Europe].[Germany], descendants([Geography].[All Geography].[Europe].[Germany])} | Exclude Europe.* |
| Manager USA | {[Geography].[All Geography].[North America].[USA], descendants([Geography].[All Geography].[North America].[USA])} | Exclude North America.* |
| * Because this expression excludes a parent level, you should also deny this user the ReadMetadata permission for the level that you are hiding. This is a requirement when OLAP data is accessed through an information map. | ||
|
|
Copyright © 2011 by SAS Institute Inc., Cary, NC, USA. All rights reserved.