
Cube Building and Modifying Examples

Setting Identity Driven Security

It is sometimes necessary to substitute identity values in a permission condition to further refine member-level security. Identity-specific values are dynamically derived according to the user ID with which a client is authenticated. Those values are then used to filter the target data. The identity-specific values are derived from identity-driven properties that are stored in the metadata repository for each user and group. You can set an identity-driven authorization using the Member Authorization expression builder.

  1. Select the Authorization Manager > By Type > Dimension and drill down to a dimension.

  2. Right-click the dimension and select Properties.

  3. In the dimension's Properties dialog box, select the Authorization tab, as shown in the following display. Select (or add) the user or group whose Read access you want to limit. In this example, the PUBLIC group is restricted.

  4. In the Effective Permissions list, add an explicit grant of the Read permission for that user or group. If the selected user or group does not already have a permission condition defined, the Add Authorization button is now enabled.

  5. Click Add Authorization to open the Add Authorization dialog box.

[untitled graphic]

In the Add Authorization dialog box, select the Create an advanced MDX expression using the expression builder option. You can then click Build Formula. This opens the Build Formula dialog box.

In the Build Formula dialog box, you can create an MDX filter and observe the MDX expression as you build it. Use the logical operators to specify multiple clauses in your MDX expression in the Expression Text list. Use the Functions tab to add MDX functions to your expression. Use the Insert button to add your selections to the Expression Text list.

Use the Data Sources tab to browse through the dimensions and hierarchies in your cube and select the members that require access control. Use the Add to Expression button to add your selections to the Expression Text text field. You can also check the accuracy of the expression you are building by selecting the Validate Expression button.

To add identity values to the expression, click the Identity Values folder on the Data Sources tab. Select an identity value from the list. Use the Add to Expression button to add your selections to the Expression Text text field.

Here is a list of possible identity values:

SAS.ExternalIdentity

This property translates to optional, site-specific values such as Employee ID. Those values are not automatically stored in the metadata repository and need to be loaded and maintained.

SAS.IdentityGroupName

This property resolves to the name of the requesting group identity (for example, Portal Admins Group).

SAS.PersonName

This property resolves to the name of the requesting user identity (for example, SAS Demo User).

SAS.IdentityName

This property returns the name of either the requesting group identity or the requesting user identity, depending on whether the user ID is a group login or a personal login.

SAS.Userid

This property translates to the authenticated user ID, normalized to one of the uppercase formats USERID or USERID@DOMAIN (for example, SASDEMO@LXXXXX).

SAS.IdentityGroups

This property resolves to the names of the groups of which a user is a member.

When you are finished, select OK. You will return to the Add Authorization dialog box. Select OK again to save the permission condition and return to the Properties dialog box.
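The following is an added conceptual model of the substitution described above, written in Python; it is not SAS code and does not show how the OLAP server is implemented. It shows how one permission condition yields a different member filter for each authenticated user ID. The `Identity` class, the function names, the repository dictionary and the member rows are assumptions constructed for illustration; the model covers personal logins only and treats an unresolved property as matching nothing.

```python
from dataclasses import dataclass, field

@dataclass
class Identity:
    """Constructed stand-in for one user's identity-driven properties."""
    person_name: str
    groups: list = field(default_factory=list)
    external_identity: str = ""   # site-specific; empty until someone loads it

def normalize_userid(login):
    """Uppercase USERID or USERID@DOMAIN form, as described for SAS.Userid."""
    return login.strip().upper()

def identity_values(login, repo):
    """Resolve each identity property to a list of values for this login."""
    userid = normalize_userid(login)
    values = {"SAS.Userid": [userid]}
    ident = repo.get(userid)
    if ident is None:
        return values             # no metadata identity: nothing else resolves
    values["SAS.PersonName"] = [ident.person_name]
    values["SAS.IdentityName"] = [ident.person_name]   # personal login
    values["SAS.IdentityGroups"] = list(ident.groups)  # multi-valued
    if ident.external_identity:
        values["SAS.ExternalIdentity"] = [ident.external_identity]
    return values

def visible_members(members, column, prop, login, repo):
    """Names of members whose `column` matches a resolved value of `prop`.
    Assumption of this model: an unresolved property matches nothing."""
    allowed = set(identity_values(login, repo).get(prop, []))
    return [m["name"] for m in members if m[column] in allowed]

# Constructed sample data; names reuse the examples given on this page.
REPO = {
    "SASDEMO@LXXXXX": Identity("SAS Demo User", ["Portal Admins Group"]),
    "ANALYST1": Identity("Analyst One", ["Sales", "Finance"], "E200"),
}
MEMBERS = [
    {"name": "East", "owner": "SAS Demo User", "group": "Portal Admins Group", "emp_id": "E100"},
    {"name": "West", "owner": "Analyst One", "group": "Sales", "emp_id": "E200"},
    {"name": "North", "owner": "Analyst One", "group": "Finance", "emp_id": "E200"},
]

if __name__ == "__main__":
    for login in ("sasdemo@lxxxxx", "analyst1", "unknown"):
        print(login, visible_members(MEMBERS, "group", "SAS.IdentityGroups", login, REPO))
```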

See the topics Cube Security and specifically Identity Driven Security for further information.
