I have two cubes under one SSAS database that I am building. Essentially, they're the same except one cube contains a dimension with confidential data and one does not contain that dimension.
What I'm looking to do is restrict access to the cube containing confidential data to a limited set of users, but it seems that SSAS roles are only at the database level and not the cube level?
Is there a way I can set up security at the cube level in SSAS, so some users can see both cubes when they open it in Excel, and other users can only see one cube?
Greg meant to grant it here:
Just leave "None" access level for certain cube.
Related
I am building a OLAP Cube in SSAS for an organization which has many different companies under its umbrella.
i have built a principal cube which consists of all the measure groups and dimensions, which has the data of all the companies in this organization.
Now this cube is ok for the top level management, but i need to limit the access of users from each of the companies, only to the data of its own company.
Is there a way to do that in the principal cube, without duplicating it to many sub cubes, each consists of only the relevant company?
Thank you in advance,
Tal
You can use role based security in combination cell-based security. below link can be useful:
https://learn.microsoft.com/en-us/sql/analysis-services/multidimensional-models/grant-custom-access-to-cell-data-analysis-services
We solved the problem through the automatic modification of MDX queries, restricting data through nested cubes (subcube) for each organization. Not only data, but also cube metadata were limited. The mechanism of roles to the customer is not suitable, as organizations and users are constantly added.The Ranet UI Pivot table was used in the Saas solution. The library allows you to parse and modify MDX query, as well as filter the metadata of the cube.
I am new to SSAS technologies for developing analytical models. I have to build several tabular models for a huge application in which security is quite relevant. What I would like to do is to re-use the row level security existing in the sources of the cube and apply it to the cube itself.
For example, if I build a tabular model from two tables of a schema, and these two table have RLS enabled, I would like the cube to take this security into account, so that when I access reports and log in as user, I will only see aggregated data according to the permissions I have.
Searching through the web I found ways of implementing RLS within the cube, but none about inheriting it from the sources. But again, I am new to the technology, so I preferred to ask here.
Thanks
The most obvious solution to your request is running SSAS Tabular in thin mode (called DirectQuery mode). As long as in the Existing Connections dialog in Visual Studio you set ImpersonateCurrentUser, when a user queries the SSAS model, SSAS will in turn send one or more SQL queries to the database under the end user's credentials. RLS in the SQL database will come into play here.
One caveat is that I would only recommend DirectQuery in SSAS 2016 not prior. Another caveat is that performance will be slow compared to a cached model in SSAS. So if performance isn't acceptable then turn off DirectQuery and reimplement RLS inside SSAS. Also DirectQuery uses zero caching of results currently so the load against SQL will not be offloaded to SSAS at all. Finally, if you use DirectQuery and ImpersonateCurrentUser you may have to setup Kerberos if your SQL server isn't on the same server as SSAS so that user credentials can double hop.
I hope this is a quick yes or no question and I believe the answer is yes, but wanted to confirm with someone more knowledgeable than I.
First the background story: We've just started using OLAP cubes where I work and have one setup each for financial, staffing, and project data (3 cubes) in our new ERP system. We have several offices where this data is needed, but we don't want for them to have access to the other office's data. There are only a few individuals in the organization that have access rights to these 3 online cubes.
For distributing the appropriate set of data for the individual offices, the solution I've currently come up with is to create offline cubes that are connected to pre-configured excel files (using Excel 2013 Standard or Plus). Each offline cube is created via the "CREATE GLOBAL CUBE" MDX command and then is filtered via one of the dimensions (see below).
This solution has not been very effective as these offline cubes use absolute paths in the excel connection files. We've been remotely connecting to the users desktops to reconnect the offline cube that gets distributed to them. This process is not very effective as it seems excel sometimes doesn't want to reconnect to the offline cube and in some instances simply won't work.
The question: Is there a way to create an online cube that has been pre-filtered on a particular dimension so that I can allow access to their online cube for only their data rather than using offline cubes?
I've listed the commands I'm using to create the offline cube below as an example of what I'm looking for.
Cheers
CREATE GLOBAL CUBE
[Offline Cube Name]
STORAGE
'C:\SomeFile.cub'
FROM [Online Cube Name] (
MEASURE [Online Cube Name].[Some Measure 1],
MEASURE [Online Cube Name].[Some Measure 2],
DIMENSION [Online Cube Name].[Dimension].[Office Name]
(
LEVEL [Organization],
MEMBER [Organization].&[Office Name]
)
);
If you have been completely successful with local cubes count yourself lucky as they are tricky. But I would recommend you avoid them.
Instead setup role-based security in the cube and let users connect live. If you have a list of Active Directory users or groups per office and want to create one role in SSAS per office follow this approach. If you prefer to add a few hidden tables to the cube that drive security then use the dynamic security approach.
I have the following situation. User1 is authorized to see
UK (London and Northampton) .
DimBrach is a parent-child hierarchy. When User1 wants to access the report I want him to see only the leafs (London and Northampton) and the first parent and not the entire hierarchy.
How can I reach this in a Pivot Table or in SSAS (MDX) ?
You can do this very simply like this, in the SSAS project in Visual Studio:
Create a Role for the user
In the Role designer's Dimension Data tab, deselect/select dimension members as needed
You can check this is working by processing the cube, browsing it through VS and using the "Change User" button. (No need to enter the user's password).
ADDITION:
To make role security less hard-coded you can use MDX statements in the Advanced tab of the Role Dimension Data tab, and populate a fact table controlling access. You're already doing this, judging by your past question.
As far as I know Excel pivot-tables are far less flexible than raw MDX in showing particular levels of a hierarchy. The end user can view their pivot-table, right-click on a field and select the Show/Hide fields option, so they can control what they see. But as far as I know there's no way for the developer to prevent them from seeing a particular level at all.
I am quite new to SSAS, so please forgive me if there is an obvious answer to my question - I have done a lot of research today and cannot find the answer myself.
I am trying to apply Dimension Data security (in a SSAS DB role that I have created) to my SSAS 2012 cube. Essentially, what I am trying to do is that users assigned to the role that I have created, should not be able to see any data for a specific dimension member.
So, when I edit the cube in SSDT (SQL Server Data Tools or Visual Studio with BI add-on), I go to Roles --> open the role --> go to Dimension Data tab --> select the dimension in the drop-down --> Un-tick the dimension member(s) that the users in the role should not be allowed to see).
Once this is set up, I test the role by deploying the cube, then in SSDT I open the cube --> go to the 'Browser' tab --> click on 'Change User' --> select the role that I have created.
The result of my test is this:
If I select the dimension which I have restricted, and any of the measures, the data is displayed correctly, i.e. only the dimension members which I allowed are displayed with the values for the measure(s) displayed correctly for each dimension member.
However, if I do not select the restricted dimension (e.g. select only one of the measures on its own), the total for the measure is incorrect, i.e. it does not appear to be excluding the dimension member(s) hidden for the role.
What am I missing here?
I have seen some posts / blogs online talking about 'Dynamic SSAS security' which seems to involve mapping individual Windows logons to the fact rows that they are allowed to see (which involves creating additional, hidden tables in the data source), but I can't get my head around why I would need to do that if the SSAS role should do that as well? I do not need to define security at the user level - users are grouped into active directory groups and so I want to map a role to the relevant AD group and that should work too, shouldn't it?
You have to check 'enable visual totals' checkbox in the advanced tab. Take a look at the whole tutorial about this (and other SSAS authentication matters) on our website:
http://easyroles.com/2014/02/visual-totals-in-ssas-security/