When applying permissions
to a cube, you might need to address permissions for different combinations
of users, groups, SAS OLAP Servers, schemas, and cubes, as well as
different elements of the cube, including the dimensions, hierarchies,
levels, and measures. For example, you might need to grant ReadMetadata
and Read access to the group that contains specific cube users. Or
you might need to restrict Read access for different components of
a cube (dimension, hierarchy, level, or measure) using MDX conditions
for each cube component, per user, consumer, or group. These various
combined permission settings can be easily created and managed with
batch security that is applied through permission tables.
Starting in the third
maintenance release for SAS 9.2, you can specify batch security in
SAS OLAP Cube Studio and SAS Data Integration Studio with the Manage
Permission Tables function. The Manage Permission Tables function
enables you to create a special SAS data set known as a permission
table that contains cube access controls for submitting in bulk. A
permission table is a table of access control information that can
later be applied to a cube with batch SAS code. The Manage Permission
Tables dialog box enables you to create and modify permission tables
as well as import access controls (permissions) from a cube or an
OLAP schema. You can also execute the code interactively or export
the code to a file for use in a stored process or deployed job flow.
When a cube is created,
security for that cube is determined by the permission settings that
are found in the cube metadata. In SAS OLAP Cube Studio, permission
tables will appear in the metadata tree as a table. You must have
WriteMetadata access to create and modify permission tables. To access
the Manage Permission Tables function in SAS OLAP Cube Studio, select
ToolsManage Permission Tables. The Manage Permission Tables dialog box appears.
Permissions tables have
the following columns.
Columns in Permissions Tables
|
|
|
|
|
|
|
The OMR identity (person
or group).
|
|
|
|
The name of the OLAP
schema for the cube.
|
|
|
|
|
|
|
|
The dimension name or
a blank balue if an ACE on measures is required.
|
|
|
|
A list of names of hierarchies,
levels, or measures, separated by blank spaces.
|
|
|
|
The access permission,
such as Read and ReadMetadata.
|
|
|
|
The code that identifies
the type of the ace. See the following table for type definitions.
|
|
|
|
The MDX string that
contains the condition. This value is blank if no condition must be
provided, or if a previous MDX condition has to be removed.
|
|
|
|
A flag that specifies
if the ACE is to be added or simly to be removed from the OMR.
|
Codes in the PERM_TYPE Column of Permissions Tables
|
|
|
|
|
Denies ReadMetadata'
permission on the specified cube. Other columns are ignored.
|
|
|
Grants ReadMetadata
permission on the specified cube. Other columns are ignored.
|
|
|
Denies ReadMetadata
permission on the specified dimension. Dimension field must be specified.
Other columns are ignored.
|
|
|
Grants ReadMetadata
permission on the specified dimension. Dimension field must be specified.
Other columns are ignored.
|
|
|
Denies ReadMetadata
permission on the specified hierarchy. Dimension field must be specified.
ITEMS column must contain the name of the hierarchy. Other columns
are ignored.
|
|
|
Grants ReadMetadata
permission on the specified hierarchy. Dimension field must be specified.
ITEMS column must contain the name of the hierarchy. Other columns
are ignored.
|
|
|
Denies ReadmetaData
permission on the specified measure. Dimension field must contain Measures value. ITEMS column must contain the name
of the measure to deny.
|
|
|
Grants ReadmetaData
permission on the specified measure. Dimension field must contain Measures value. ITEMS column must contain the name
of the measure to deny.
|
|
|
Denies ReadMetadata
permission on the specified levels. Dimension field must be specified.
ITEMS column must contain the name of the levels to deny. If more
than one, then they must be separated by a blank. If an MDX condition
is specified, then it sets a corresponding ACI for the dimension.
|
|
|
Grants ReadMetadata
permission on the specified levels. Dimension field must be specified.
ITEMS column must contain the name of the levels to deny. If more
than one, then they must be separated by a blank. If an MDX condition
is specified, then it sets a corresponding ACI for the dimension.
|
|
|
Sets the ACI with the
provided MDX condition If the MDX condition is empty, then it removes
the condition (but not the ACE) for that dimension.
|