I'm trying to create a way to partially automate creation of roles and role permissions in SSAS multidimensional cube.
Due to some restrictions on my side this can only be done by using T-SQL to generate XMLA scripts and sending them to the SSAS server.
I have XMLA scripts to create, update and delete roles.
However, I do not have a way to check if a certain user already has a role assigned in the cube.
I have found a way to get a response from SSAS server using discover, for example:
    <Discover xmlns="urn:schemas-microsoft-com:xml-analysis">
      <RequestType>MDSCHEMA_CUBES</RequestType>
      <Restrictions />
      <Properties>
        <PropertyList>
          <Catalog>MyCube</Catalog>
        </PropertyList>
      </Properties>
    </Discover>
which returns a list of the existing cubes in the catalog.
I've found a list of existing Request types here:
https://learn.microsoft.com/en-us/previous-versions/sql/sql-server-2012/ms126079(v=sql.110)
but I see no type which returns existing roles and/or the existing users in a role.
Any ideas how this can be done? To get a list of existing roles or existing members in the roles by sending XMLA script to SSAS server?
DISCOVER_XML_METADATA can be used for this purpose; it returns the whole SSAS database structure, so some parsing is needed to get the roles and role members specifically.
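Since the question is limited to T-SQL, the parsing step can be done with SQL Server's XML methods. The following is an added example, not code from the original answer: the `@metadata` literal is a constructed, trimmed ASSL `Database` fragment (a real response wraps it in the SOAP/XMLA envelope, which the `//Roles/Role` path skips over), and the catalog, role and member names are placeholders.

```sql
-- Added example: shred a DISCOVER_XML_METADATA response to list roles and members.
-- @metadata is a constructed sample in the ASSL engine namespace, not a real capture.
DECLARE @metadata XML = N'
<Database xmlns="http://schemas.microsoft.com/analysisservices/2003/engine">
  <Name>MyCube</Name>
  <Roles>
    <Role>
      <ID>Role 1</ID>
      <Name>Warehouse Readers</Name>
      <Members>
        <Member><Name>CORP\user1001</Name></Member>
        <Member><Name>CORP\user1002</Name></Member>
      </Members>
    </Role>
    <Role>
      <ID>Role 2</ID>
      <Name>Empty Role</Name>
    </Role>
  </Roles>
</Database>';

DECLARE @wanted NVARCHAR(256) = N'CORP\user1002';  -- placeholder user to look up

-- Declare the ASSL namespace as default so unprefixed XPath names match the elements.
WITH XMLNAMESPACES (DEFAULT 'http://schemas.microsoft.com/analysisservices/2003/engine')
SELECT
    r.value('(ID)[1]',   'nvarchar(256)') AS RoleId,
    r.value('(Name)[1]', 'nvarchar(256)') AS RoleName,
    m.value('(Name)[1]', 'nvarchar(256)') AS MemberName
FROM @metadata.nodes('//Roles/Role') AS R(r)
OUTER APPLY r.nodes('Members/Member') AS M(m)   -- OUTER APPLY keeps roles that have no members
ORDER BY RoleName, MemberName;

-- The check the question asks for: which roles (if any) already contain @wanted?
-- An empty result means the user is not yet a member of any role in this database.
WITH XMLNAMESPACES (DEFAULT 'http://schemas.microsoft.com/analysisservices/2003/engine')
SELECT r.value('(Name)[1]', 'nvarchar(256)') AS RoleName
FROM @metadata.nodes('//Roles/Role') AS R(r)
WHERE r.exist('Members/Member[Name = sql:variable("@wanted")]') = 1;
```

With the sample above, the first query returns three rows (two members of "Warehouse Readers" and one row for "Empty Role" with a NULL member), and the second returns only "Warehouse Readers".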
I have a dimension which contains our business warehouse IDs, and I also made users in Active Directory with the same names (1001, 1002, 1003, 1004, ...) as you see below.
DimWarehouse.ID
    1001
    1002
    1003
    1004
    ...
My question is: how is it possible for each "username" to access only its own Warehouse ID?
There are two ways how you can restrict user access to certain parts of the cube:
You define "static security": You define one role in the cube for each set of permissions (if I understand your requirements correctly, that would mean one role per user), and then you map the Active Directory users or user groups to those roles. If you have many users and many permission roles, that can get more or less unmanageable. However, sometimes it is good that you can also use AD user groups for this purpose, and that can reduce effort a lot. I implemented a solution like this where we needed to restrict user access based on their country, and only had around 50 countries, and AD user groups already existed for the countries.
You can use "dynamic security". This means you only use a single role and write an MDX expression that most likely makes use of the Username() MDX function, and which returns a valid MDX set which is either a set of allowed or a set of forbidden members. As your MDX statement could even call an AS stored procedure implemented in .NET, you are even more flexible, as this .NET stored procedure could, e.g., contact your AD to check for further properties of the user.
In both cases, you would administer the settings in "dimension security" of the cube design in "SQL Server Data Tools - Business Intelligence" or in SQL Server Management Studio, and would need to design your cube accordingly to have the correct relations from the dimension that you restrict to your data.
A detailed (if a bit old) blog post describing an approach for setting security using dynamic security can be found at http://bharathonsqlserver.blogspot.com/2016/07/dynamic-security-in-ssas-in-detail.html.
The permissions are driven by roles.
You may need to create multiple roles and assign users to each of the roles.
Then for each role, you define which dimension attributes are accessible to that role.
I am not so into SQL Server and I have the following doubt: I have to require the creation of a user that can work on some databases. This user has to create\delete tables and insert\delete records in these tables.
What type of permission has to be set for this user on these databases? Is dbowner ok to perform these operations? (In particular it is very important that this user can create\delete tables.) Or am I missing something?
Just to understand first the benefits of using roles:
Roles are a part of the tiered security model:
Login security - Connecting to the server
Database security - Getting access to the database
Database objects - Getting access to individual database objects and data
Predefined database roles
You may need to create your own, but you have access to several predefined database roles:
db_owner: Members have full access.
db_accessadmin: Members can manage Windows groups and SQL Server logins.
db_datareader: Members can read all data.
db_datawriter: Members can add, delete, or modify data in the tables.
db_ddladmin: allows a user to create, drop, or modify any objects within a database, regardless of who owns them.
db_securityadmin: Members can modify role membership and manage permissions.
db_backupoperator: Members can back up the database.
db_denydatareader: Members can't view data within the database.
db_denydatawriter: Members can't change or delete data in tables or views.
Fixed roles:
The fixed server roles are applied server-wide, and there are several predefined server roles:
SysAdmin: Any member can perform any action on the server.
ServerAdmin: Any member can set configuration options on the server.
SetupAdmin: Any member can manage linked servers and SQL Server startup options and tasks.
Security Admin: Any member can manage server security.
ProcessAdmin: Any member can kill processes running on SQL Server.
DbCreator: Any member can create, alter, drop, and restore databases.
DiskAdmin: Any member can manage SQL Server disk files.
BulkAdmin: Any member can run the bulk insert command.
From the SQL Documentation:
Members of the db_owner fixed database role can perform all configuration and maintenance activities on the database, and can also drop the database in SQL Server.
Are you certain that is the right you want to grant this user? It seems like a more restricted set of permissions would be more suitable for them.
For example, the roles db_ddladmin, db_datareader, and db_datawriter could be more suitable:
db_ddladmin:
Members of the db_ddladmin fixed database role can run any Data Definition Language (DDL) command in a database.
db_datareader:
Members of the db_datareader fixed database role can read all data from all user tables.
db_datawriter:
Members of the db_datawriter fixed database role can add, delete, or change data in all user tables.
Alternatively, you can grant specific privileges to the user account against that database and its user objects in order to restrict their access to the functionality subset you want.
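As an added example (not code from the original answer), here is the db_owner grant beside the narrower three-role alternative, followed by queries that verify what the user actually ended up with. The database, login and user names are constructed placeholders, and the login is assumed to exist already.

```sql
-- Added example: least-privilege alternative to db_owner, with verification.
-- AppDb, app_worker are placeholders; the login app_worker is assumed to exist.
USE AppDb;
GO
CREATE USER app_worker FOR LOGIN app_worker;

-- Over-broad: db_owner can also drop the database, change security, and more.
-- ALTER ROLE db_owner ADD MEMBER app_worker;

-- Narrower set covering the stated needs: DDL plus read/write on all user tables.
-- (On SQL Server before 2012 the equivalent is EXEC sp_addrolemember 'role', 'user'.)
ALTER ROLE db_ddladmin   ADD MEMBER app_worker;   -- CREATE / ALTER / DROP TABLE
ALTER ROLE db_datareader ADD MEMBER app_worker;   -- SELECT on user tables
ALTER ROLE db_datawriter ADD MEMBER app_worker;   -- INSERT / UPDATE / DELETE

-- Verify 1: which database roles does the user hold now?
SELECT r.name AS role_name, m.name AS member_name
FROM sys.database_role_members AS drm
JOIN sys.database_principals AS r ON r.principal_id = drm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = drm.member_principal_id
WHERE m.name = N'app_worker';

-- Verify 2: impersonate the user and check effective permissions.
-- Expect 1 for CREATE TABLE and 0 for ALTER on the database (db_owner would give 1 for both).
EXECUTE AS USER = 'app_worker';
SELECT
    HAS_PERMS_BY_NAME('AppDb', 'DATABASE', 'CREATE TABLE') AS can_create_table,
    HAS_PERMS_BY_NAME('AppDb', 'DATABASE', 'ALTER')        AS can_alter_database;
REVERT;
```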
Once again I'm thankful for the kind attention given, as I am to user4637357. To be more explicit on the reason for my question, I have this cube schema:
    <Schema name="Pentaho CE Audit">
My aim here is to render this schema accessible only to the admin user, so I added
    <Role name="admin">
      <SchemaGrant access="all">
      </SchemaGrant>
    </Role>
before the Schema closing tag. Then I reloaded the file on the system. However, after this configuration the cube is no longer accessible, either by the admin or by any other users. My question here is to get from you guys the right way forward to set the correct criteria on the system in view of restricting access to this cube, please.
We are storing multiple tenants in one instance of SQL Azure. I have been doing some research, but I cannot determine if SQL Azure Reporting can support a multi-tenant model discretely.
For example, we want to run reports for a user based on their "tenancy", but we want their tenant ID to be completely opaque to them: not contained in a query string, or anything viewable by the user.
Has anyone encountered this problem before? What was your solution?
If you had the restriction that a User can only belong to a single tenant, you can hop from a User to the corresponding tenant without them having to know their tenant Id. So any of your Tenant related queries could automatically be filtered by the logged-in user.
I am new to the schema, roles and user management part of SQL Server. Till now I used to work with the simple dbo schema, but now, after reading a few articles, I am interested in creating schemas for managing my tables in a folder fashion.
At present, I want to create a schema where I want to keep my tables that have the same kind of functionality. When I try to create a schema, I face problems while using queries, permissions, etc.
First of all I want to get used to using schemas, and only then do I want to explore further. But due to the initial stages and work pressure as well, I am not able to implement it yet.
What can I do to start using a schema with default permissions the same as those of dbo?
Also let me know about creating roles and assigning roles on these schemas. I want all this to be accessible by the sa user itself at present.
What is the concept behind all these things?
Basically
The schema has an owner
Objects in different schemas can access each other with no extra permissions if they have the same owner
Please see my question here: "SQL Server: How to permission schemas?" and RBarryYoung's enlightening answer...