I have a problem with applying roles for KPIs on an SSAS Tabular Model. I created some KPIs but I can't set any roles for them, so everyone can see them when they connect to the model using Excel, even when I apply the "Hide From Client Tools" option. How can I manage this?
I have two cubes under one SSAS database that I am building. Essentially, they're the same except one cube contains a dimension with confidential data and one does not contain that dimension.
What I'm looking to do is restrict access to the cube containing confidential data to a limited set of users, but it seems that SSAS roles are only at the database level and not the cube level?
Is there a way I can set up security at the cube level in SSAS, so some users can see both cubes when they open it in Excel, and other users can only see one cube?
Greg meant to grant it here:
Just leave the "None" access level for the particular cube.
I am new to SSAS technologies for developing analytical models. I have to build several tabular models for a huge application in which security is quite relevant. What I would like to do is to re-use the row level security existing in the sources of the cube and apply it to the cube itself.
For example, if I build a tabular model from two tables of a schema, and these two tables have RLS enabled, I would like the cube to take this security into account, so that when I access reports and log in as a user, I will only see aggregated data according to the permissions I have.
Searching through the web I found ways of implementing RLS within the cube, but none about inheriting it from the sources. But again, I am new to the technology, so I preferred to ask here.
Thanks
The most obvious solution to your request is running SSAS Tabular in thin mode (called DirectQuery mode). As long as in the Existing Connections dialog in Visual Studio you set ImpersonateCurrentUser, when a user queries the SSAS model, SSAS will in turn send one or more SQL queries to the database under the end user's credentials. RLS in the SQL database will come into play here.
One caveat is that I would only recommend DirectQuery in SSAS 2016, not prior. Another caveat is that performance will be slow compared to a cached model in SSAS. So if performance isn't acceptable then turn off DirectQuery and reimplement RLS inside SSAS. Also, DirectQuery uses zero caching of results currently, so the load against SQL will not be offloaded to SSAS at all. Finally, if you use DirectQuery and ImpersonateCurrentUser you may have to set up Kerberos if your SQL server isn't on the same server as SSAS so that user credentials can double hop.
I hope this is a quick yes or no question and I believe the answer is yes, but wanted to confirm with someone more knowledgeable than I.
First the background story: We've just started using OLAP cubes where I work and have one set up each for financial, staffing, and project data (3 cubes) in our new ERP system. We have several offices where this data is needed, but we don't want them to have access to the other offices' data. There are only a few individuals in the organization that have access rights to these 3 online cubes.
For distributing the appropriate set of data for the individual offices, the solution I've currently come up with is to create offline cubes that are connected to pre-configured Excel files (using Excel 2013 Standard or Plus). Each offline cube is created via the "CREATE GLOBAL CUBE" MDX command and then is filtered via one of the dimensions (see below).
This solution has not been very effective as these offline cubes use absolute paths in the Excel connection files. We've been remotely connecting to the users' desktops to reconnect the offline cube that gets distributed to them. This process is not very effective as it seems Excel sometimes doesn't want to reconnect to the offline cube and in some instances simply won't work.
The question: Is there a way to create an online cube that has been pre-filtered on a particular dimension so that I can allow access to their online cube for only their data rather than using offline cubes?
I've listed the commands I'm using to create the offline cube below as an example of what I'm looking for.
Cheers
    CREATE GLOBAL CUBE [Offline Cube Name]
    STORAGE 'C:\SomeFile.cub'
    FROM [Online Cube Name] (
        MEASURE [Online Cube Name].[Some Measure 1],
        MEASURE [Online Cube Name].[Some Measure 2],
        DIMENSION [Online Cube Name].[Dimension].[Office Name]
        (
            LEVEL [Organization],
            MEMBER [Organization].&[Office Name]
        )
    );
If you have been completely successful with local cubes count yourself lucky as they are tricky. But I would recommend you avoid them.
Instead, set up role-based security in the cube and let users connect live. If you have a list of Active Directory users or groups per office and want to create one role in SSAS per office, follow this approach. If you prefer to add a few hidden tables to the cube that drive security, then use the dynamic security approach.
I am developing an SSAS cube for the product I am working on.
I have faced the below problems:
In the product you can build an organization unit chart. This organization unit will be used as a dimension in the cube. In my research I found that I can build a cube programmatically using C#. My question is: what is the best approach to build a dynamic dimension?
In the product, we have a role-based permission. A user can see data based on his role. How can I implement this feature in the cube? Currently, anybody can read all the data from the cube.
Thank you for your help.
Dynamic dimensions are possible in SSAS. You would be able to show the members based on the roles that are desired. This is done using "Dynamic dimension security". You'd be able to write an MDX expression in the "Dimension Data" tab.
http://bidn.com/Blogs/analysis-services-dynamic-security
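An added illustration of the two role designs named in the answers above (one static role per office, and dynamic dimension security); it is not code from any of the posters. The [Organization].[Office Name] attribute, the [User] dimension with its [Login] attribute, the [User Office Count] bridge measure and the member key Office A are hypothetical names; the cube and measure names reuse the placeholders from the CREATE GLOBAL CUBE statement earlier on the page.

```mdx
-- Expressions 1 and 2 go in the role's Dimension Data tab > Advanced >
-- "Allowed member set" for the office attribute. All names are hypothetical.

-- 1) Static design: one role per office, the office's AD group as role member.
{ [Organization].[Office Name].&[Office A] }

-- 2) Dynamic design: a single role for every user.
--    Assumes a hidden [User] dimension keyed on DOMAIN\login and a hidden
--    bridge measure group (one row per user/office pair) whose row count
--    is [Measures].[User Office Count].
NonEmpty(
    [Organization].[Office Name].[Office Name].Members,
    (
        -- UserName() returns the connected Windows account (DOMAIN\login).
        -- CONSTRAINED makes StrToMember accept only a member name,
        -- not an arbitrary MDX expression.
        StrToMember("[User].[Login].&[" + UserName() + "]", CONSTRAINED),
        [Measures].[User Office Count]
    )
)

-- 3) Check: run this while connected under the role (the Browser tab's
--    "Change User", or the Roles= / EffectiveUserName= connection string
--    properties). Only the permitted offices should come back on rows.
SELECT
    { [Measures].[Some Measure 1] } ON COLUMNS,
    [Organization].[Office Name].[Office Name].Members ON ROWS
FROM [Online Cube Name];
```

With either design, tick "Enable Visual Totals" on the same Advanced tab if the grand total should include only the members the role is allowed to see.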
I am quite new to SSAS, so please forgive me if there is an obvious answer to my question - I have done a lot of research today and cannot find the answer myself.
I am trying to apply Dimension Data security (in a SSAS DB role that I have created) to my SSAS 2012 cube. Essentially, what I am trying to do is that users assigned to the role that I have created, should not be able to see any data for a specific dimension member.
So, when I edit the cube in SSDT (SQL Server Data Tools or Visual Studio with BI add-on), I go to Roles --> open the role --> go to Dimension Data tab --> select the dimension in the drop-down --> Un-tick the dimension member(s) that the users in the role should not be allowed to see.
Once this is set up, I test the role by deploying the cube, then in SSDT I open the cube --> go to the 'Browser' tab --> click on 'Change User' --> select the role that I have created.
The result of my test is this:
If I select the dimension which I have restricted, and any of the measures, the data is displayed correctly, i.e. only the dimension members which I allowed are displayed with the values for the measure(s) displayed correctly for each dimension member.
However, if I do not select the restricted dimension (e.g. select only one of the measures on its own), the total for the measure is incorrect, i.e. it does not appear to be excluding the dimension member(s) hidden for the role.
What am I missing here?
I have seen some posts / blogs online talking about 'Dynamic SSAS security' which seems to involve mapping individual Windows logons to the fact rows that they are allowed to see (which involves creating additional, hidden tables in the data source), but I can't get my head around why I would need to do that if the SSAS role should do that as well? I do not need to define security at the user level - users are grouped into active directory groups and so I want to map a role to the relevant AD group and that should work too, shouldn't it?
You have to check 'enable visual totals' checkbox in the advanced tab. Take a look at the whole tutorial about this (and other SSAS authentication matters) on our website:
http://easyroles.com/2014/02/visual-totals-in-ssas-security/