Securing Cubes

About OLAP Member-Level Permissions

OLAP member-level permissions enable you to limit access to SAS OLAP data using filters. Each filter consists of an MDX expression that subsets the data in a dimension as appropriate for a particular user or group. The filters are stored in the metadata as permission conditions. This feature relies on the SAS OLAP Server for enforcement. At query time, the server performs the filtering to determine which dimension members should be returned to the user that submitted the query. This ensures that the filters are applied every time the data is accessed.
When you use OLAP member-level permissions, it is essential to understand these points:
  • With OLAP data, permission conditions can be specified only on dimension objects.
  • The SECURITY_SUBSET option can affect results. See About the SECURITY_SUBSET Option.
  • The members that are returned by the MDX expression must all belong to the dimension on which the permission condition is defined. The returned set of members cannot be a union of members from other dimensions.
  • A permission condition that filters a non-default hierarchy must include at least one member of the default hierarchy. If a requesting user does not have access to any members in the default hierarchy, then the query fails with a permissions error.

Assign OLAP Member-Level Permissions

Follow these steps to assign a permission condition to one or more members in a given dimension, for a selected user or group.
Tip
If you want to use the same dimension in multiple cubes, create a shared dimension. See Developing and Managing Shared Dimensions.
  1. In SAS Management Console or SAS OLAP Cube Studio, right-click the dimension for which you are defining a member-level permission and select Properties,
  2. In the Properties dialog box, click the Authorization tab.
  3. In the Authorization tab, select (or add) the user or group whose access you want to limit.
  4. Use the permissions list to select permissions for the user or group.
  5. Click the Add Authorization button.
    Note: If the Edit Authorization button is displayed, a condition already exists for the selected user or group.
  6. Click the Edit Authorization button to create an MDX filter.
  7. Use the Build Formula dialog box to create the MDX filter. To subset users, add identity-driven properties to your filter, as described in the next topic.Identity-driven properties are available on the Data Sources tab.
See also the example Setting Member–Level Permissions.

Identity-Driven Properties

Use the following identity-driven properties in your MDX filters to subset the users that receive member-level permissions.
SAS.ExternalIdentity
This property translates to optional, site-specific values such as Employee ID. Those values are not automatically stored in the metadata repository and need to be loaded and maintained.
SAS.IdentityGroupName
This property resolves to the name of the requesting group identity (for example, Portal Admins Group).
SAS.PersonName
This property resolves to the name of the requesting user identity (for example, SAS Demo User).
SAS.IdentityName
This property returns the name of either the requesting group identity or the requesting user identity, depending on whether the user ID is a group login or a personal login.
SAS.Userid
This property translates to the authenticated user ID, normalized to one of the uppercase formats USERID or USERID@DOMAIN (for example, SASDEMO@LXXXXX).
SAS.IdentityGroups
This property resolves to the names of the groups of which a user is a member.
See also the example Setting Identity-Driven Security.

About the SECURITY_SUBSET Option

After you have set the necessary permission conditions for dimension members, you must indicate whether the OLAP server includes these permission conditions when processing cube queries. In order for a cube to control the roll-up values for designated members, the SECURITY_SUBSET PROC OLAP option must be set to YES when the cube is built. The SECURITY_SUBSET option is used in conjunction with permission conditions to specify whether the roll-up values include only the members in the permission condition or all of the members in the cube. If you set SECURITY_SUBSET=YES, then the cell values are recalculated at query time based on the security subset defined by the active permission conditions for the given user. If you set SECURITY_SUBSET=NO, then the OLAP server does not recalculate the cell values. The default value (NO) includes all members within a total.
Note: For more information, see the SECURITY_SUBSET PROC OLAP option and the topic "SAS OLAP Security Totals and Permission Conditions" in the SAS OLAP Server: MDX Guide.

Example: Using Member-Level Permissions

This example demonstrates how you can use member-level permissions. These are the security goals in this example:
  • enable company executives to access data based on their areas of responsibility
  • prevent other employees from accessing data in the cube that is used to generate executive reports
The following figure depicts the relevant parts of a company's organization structure and of the OLAP cube against which the company runs executive reports. Notice that the levels in the cube's Geography dimension closely correspond to the depicted organizational structure.
example structure
Here are the implementation steps for this example:
  1. In SAS Management Console or SAS OLAP Cube Studio, set the following permissions on the cube:
    • Give the PUBLIC group explicit denials of the Read and ReadMetadata permissions for the entire cube. The data in the cube is used for executive reports only.
    • Give the company president explicit grants of the Read and ReadMetadata permissions for the entire cube. This user sees all of the data.
    • Give the SAS System Services group an explicit grant of the ReadMetadata permission. You must always preserve the SAS Trusted User's access to cubes and schemas.
    • In most cases, some members of the information technology staff will also need access to the data for administrative purposes. Make sure that any such groups or users have explicit grants of the Read and ReadMetadata permissions.
  2. To assign the permission conditions:
    1. Right-click the cube's Geography dimension, and select Properties.
    2. On the Authorization tab, select (or add) the Vice President Americas user.
    3. In the permissions list, add an explicit grant of the Read permission for the Vice President Americas user. This enables the Add Authorization button.
    4. Click the Add Authorization button.
    5. In the Add Authorization dialog box, select the Create an advanced MDX expression radio button and click Build Formula.
    6. In the Build Formula dialog box, paste or build a filter for the Vice President Americas user and click OK.
    7. On the Authorization tab, click OK to save this permission condition and then return to step 2b to repeat the process for the next executive.
For example, the following table contains MDX expressions that you could use to subset the data based on each executive's area of responsibility.
Example: MDX Expressions
User
MDX Expression
Notes
Vice President Americas
{[Geography].[All Geography], Descendants([Geography].[All Geography].[North America],[Geography].[Continent],SELF_AND_AFTER)}
Vice President International
Except({[Geography].Members}, {Descendants([Geography].[All Geography].[North America],[Geography].[Continent],SELF_AND_AFTER)})
Use Except to exclude North America.
Director North America
{[Geography].[All Geography],[Geography].[All Geography].[North America],[Geography].[All Geography].[North America].Children}
Use .Children to include countries.
{[Geography].[All Geography],[Geography].[All Geography].[North America],descendants([Geography].[All Geography].[North America])}
Alternative: use Descendants to include countries and cities.
{[Geography].[All Geography].[North America], [Geography].[All Geography].[North America].Children}
Alternative: exclude the All level.
Director Africa
{[Geography].[All Geography].[Africa], [Geography].[All Geography].[Africa].Children}
Director Asia
{[Geography].[All Geography].[Asia],[Geography].[All Geography].[Asia].Children}
Director Australia/Pacific
{[Geography].[All Geography].[Australia/Pacific], [Geography].[All Geography]. [Australia/Pacific].Children}
Director Europe
{[Geography].[All Geography].[Europe], [Geography].[All Geography].[Europe].Children}
Manager Germany
{[Geography].[All Geography].[Europe].[Germany], descendants([Geography].[All Geography].[Europe].[Germany])}
Exclude Europe.1
Manager USA
{[Geography].[All Geography].[North America].[USA], descendants([Geography].[All Geography].[North America].[USA])}
Exclude North America.1
1Because this expression excludes a parent level, you should also deny this user the ReadMetadata permission for the level that you are hiding. This is a requirement when OLAP data is accessed through an information map.

Integrated Windows Authentication and Single Sign-On

Single Sign-On (SSO) to SAS IOM Bridge servers

Single sign-on (SSO) is an authentication model that enables users to access a variety of computing resources without being repeatedly prompted for their user IDs and passwords. This functionality enables a client application to connect to a SAS IOM Bridge Server as the currently logged-on user. For example, single sign-on can enable a user to access SAS servers that run on different platforms without interactively providing the user's ID and password for each platform. Single sign-on can also enable someone who is using one application to launch other applications based on the authentication that was performed when the user was initially logged on to the system.

SSO and SAS OLAP Cube Studio

When you have logged on to a metadata server in SAS OLAP Cube Studio, you can perform a variety of functions, including building a cube and saving the metadata for that cube, editing cube metadata, and viewing cube properties. Some functions within SAS OLAP Cube Studio also require a workspace server or an OLAP server in addition to the metadata server. These functions include Build Physical Cube, Incremental Cube Update, Calculated Members, and Cube View. Single sign-on enables you to seamlessly access these servers without having to provide your login credentials. Two technologies are available in SAS 9.2 to accomplish this:
  1. Integrated Windows authentication is available when the client and server are both running on Windows.
  2. a trusted peer connection is available otherwise.
Note: Before using single sign-on, you must have a user defined in the metadata repository for any user ID that you want to connect to the metadata server with.

Integrated Windows Authentication

A client and server engaged in Integrated Windows authentication use Microsoft's Security Support Provider Interface (SSPI) to choose the best security package for their configuration. When you first open SAS OLAP Cube Studio, you are prompted to log on to a metadata server with a connection profile that you have previously created. This connection profile contains information about the metadata server, including the machine ID, port ID, user ID, and password. There is also a check box labeled Use Integrated Windows authentication (single sign-on). If this check box is selected, then you will use Integrated Windows authentication (IWA) to connect to the servers (metadata server, workspace server, and OLAP server). You will not need to provide a user ID or password when you open SAS OLAP Cube Studio. The user ID and password of your current Windows session will be used. By default this option is not selected when you create a connection profile in SAS OLAP Cube Studio.
Note: For more information about Integrated Windows authentication see "Integrated Windows Authentication" in the SAS Intelligence Platform: Security Administration Guide.

Trusted Peer Connection

The other authentication technology is a trusted peer connection. This method depends heavily on the integrity of the client environment. The IOM Bridge protocol client obtains the identity of the user of the client application from the system environment. When a trusted peer connection is being used, you are prompted during an initial login for your user ID and password when connecting to a metadata server. This is the behavior of previous versions of SAS OLAP Cube Studio. However, when a connection to a workspace server (submitting procedure code) or a connection to an OLAP server (cube viewer) is made in SAS 9.2 OLAP Cube Studio, you are no longer prompted to log on. The connection is created using the metadata server login credentials.
Note: For more information about trusted peer connections, see “Trusted Peer” in the SAS Intelligence Platform: Security Administration Guide.

Exporting Code

In SAS OLAP Cube Studio, you can export PROC OLAP code that you have created while using various functions and wizards, including Cube Designer, Aggregations Tuning, and Incremental Update. The Export Code function enables you to save PROC OLAP code to a designated file. When using the Export Code function, some of the metadata connection profile information is saved to the file. The host and port information for the metadata server is saved to the exported file. In addition, the information is displayed on the Finish page of the different wizards. However, the user ID and password are not saved to the exported file or displayed on the Finish page. This is because single sign-on authentication removes the need to display or save the user ID and password.

Security for Drill-through Tables

Different users of cube data might have different security and access restrictions that must be complied with and applied when querying the underlying data for a cube. When selecting a data table for drill-through, you might need to define user restrictions for certain data in the drill-through table. The SAS Metadata LIBNAME engine is used to assign the drill-through table library on a per-session basis. This allows client credentials to be used when determining which columns the user can see. Columns which have ReadMetadata permissions denied on the drill-through table will not be visible to the user. If access is denied for a column on the drill-through table, that level must also be denied Read access in the cube. Conversely, if a level is denied Read access in the cube, that column in the drill-through table must have ReadMetadata access denied. For more information about the SAS Metadata LIBNAME engine see the topic “Pre-assigning Libraries” in the SAS Intelligence Platform: System Administration Guide.
Because of this enforcement, the following changes could affect your site:
  • User-defined formats will not work if the FORMATS catalog is accessed by the same libref as the data. You must specify a different libref for the FORMATS catalog or move the user-defined formats into a different location and assign a new library.
  • If SAS Trusted User does not have ReadMetatdata permissions on the library definition, then the drill-down functionality fails. You can grant ReadMetadata permission to the SAS Trusted User by using SAS Management Console.
  • You cannot drill down in an OLAP cube if there are discrepancies between the physical table and the metadata that is defined for the table. You can update the metadata for the table by using the Update Metadata function in SAS Management Console or SAS Data Integration Studio. If the table is part of a job in SAS Data Integration Studio, then check the code for the job to verify that there are no LENGTH statements that would cause a mismatch to occur.
Note: For further information about drill-through tables, see Defining Drill-Through Tables .

Applying Batch Security with Permission Tables

When applying permissions to a cube, you might need to address permissions for different combinations of users, groups, SAS OLAP Servers, schemas, and cubes, as well as different elements of the cube, including the dimensions, hierarchies, levels, and measures. For example, you might need to grant ReadMetadata and Read access to the group that contains specific cube users. Or you might need to restrict Read access for different components of a cube (dimension, hierarchy, level, or measure) using MDX conditions for each cube component, per user, consumer, or group. These various combined permission settings can be easily created and managed with batch security that is applied through permission tables.
Starting in the third maintenance release for SAS 9.2, you can specify batch security in SAS OLAP Cube Studio and SAS Data Integration Studio with the Manage Permission Tables function. The Manage Permission Tables function enables you to create a special SAS data set known as a permission table that contains cube access controls for submitting in bulk. A permission table is a table of access control information that can later be applied to a cube with batch SAS code. The Manage Permission Tables dialog box enables you to create and modify permission tables as well as import access controls (permissions) from a cube or an OLAP schema. You can also execute the code interactively or export the code to a file for use in a stored process or deployed job flow.
When a cube is created, security for that cube is determined by the permission settings that are found in the cube metadata. In SAS OLAP Cube Studio, permission tables will appear in the metadata tree as a table. You must have WriteMetadata access to create and modify permission tables. To access the Manage Permission Tables function in SAS OLAP Cube Studio, select Toolsthen selectManage Permission Tables. The Manage Permission Tables dialog box appears.
Permissions tables have the following columns.
Columns in Permissions Tables
Variable Name
Type
Length
Description
FULLNAME
Char
32
The OMR identity (person or group).
OLAPSCHEMA
Char
32
The name of the OLAP schema for the cube.
CUBE
Char
32
The name of the cube.
DIMENSION
Char
32
The dimension name or a blank balue if an ACE on measures is required.
ITEMS
Char
32
A list of names of hierarchies, levels, or measures, separated by blank spaces.
PERMISSION
Char
32
The access permission, such as Read and ReadMetadata.
PERM_TYPE
Char
2
The code that identifies the type of the ace. See the following table for type definitions.
MDX_CONDITION
Char
32,000
The MDX string that contains the condition. This value is blank if no condition must be provided, or if a previous MDX condition has to be removed.
REMOVE_ACE
Char
1
A flag that specifies if the ACE is to be added or simly to be removed from the OMR.
Codes in the PERM_TYPE Column of Permissions Tables
PERM_TYPE
Short Description
Description
DC
Deny Cube
Denies ReadMetadata' permission on the specified cube. Other columns are ignored.
GC
Grant Cube
Grants ReadMetadata permission on the specified cube. Other columns are ignored.
DD
Deny Dimension
Denies ReadMetadata permission on the specified dimension. Dimension field must be specified. Other columns are ignored.
GD
Grant Dimension
Grants ReadMetadata permission on the specified dimension. Dimension field must be specified. Other columns are ignored.
DH
Deny Hierarchy
Denies ReadMetadata permission on the specified hierarchy. Dimension field must be specified. ITEMS column must contain the name of the hierarchy. Other columns are ignored.
GH
Grant Hierarchy
Grants ReadMetadata permission on the specified hierarchy. Dimension field must be specified. ITEMS column must contain the name of the hierarchy. Other columns are ignored.
DM
Deny Measures
Denies ReadmetaData permission on the specified measure. Dimension field must contain Measures value. ITEMS column must contain the name of the measure to deny.
GM
Grant Measures
Grants ReadmetaData permission on the specified measure. Dimension field must contain Measures value. ITEMS column must contain the name of the measure to deny.
DL
Deny Levels
Denies ReadMetadata permission on the specified levels. Dimension field must be specified. ITEMS column must contain the name of the levels to deny. If more than one, then they must be separated by a blank. If an MDX condition is specified, then it sets a corresponding ACI for the dimension.
GL
Grant Levels
Grants ReadMetadata permission on the specified levels. Dimension field must be specified. ITEMS column must contain the name of the levels to deny. If more than one, then they must be separated by a blank. If an MDX condition is specified, then it sets a corresponding ACI for the dimension.
<blank>
Sets the ACI with the provided MDX condition If the MDX condition is empty, then it removes the condition (but not the ACE) for that dimension.

Permissions Table Examples

The following display shows the denial of read access to the levels Date and Customer_Age. Note the blank-delimited entry in the Items column.
Permissions Table Shown Denying Access to Two Levels
The following display shows the denial of read access for the measures Quantity and Sum.
Permission Table Denies Access to Two Measures