We have a cube where we implemented the dimension data level security based on ROLE. This security is working fine where we are restricting the user to see his records only. Now the Customer dimension has another Employee attribute. Based on the value of this field we want to restrict other dimension attributes. Like in the below example Manager_Id is the attribute that should be masked. We want to mask the attribute value of this field with "Employee” so that the restricted user only sees a masked attributes value.
Note: Both the attribute from the same dimension
User is allowed to see employee data
Name Manager_ID
Jon 123456
If the User is not allowed to see then the attribute value needs to be masked with Employee
Eg:
Name Manage_ID
Jon xxxxx
Thanks
Jay
If I'm interpreting your question correctly you're trying to disable a value in a dimension based on the user querying the dimension/cube. Unless you've build your own version of excel where you would add those overrides you should use different roles for the different types of users that use your application.
While I don't know how and if you can mask a value, you can use attribute security to disable the role from viewing the contents of a certain attribute of a dimension.
To do this from SQL Server Management Studio you can open the properties of a role, go to the dimension data tab and select the cube and dimensions you want to filter.
Warning: you can't disable values in a dimension, then the user will still be able to query them, you'll need to scroll down to the cubes and edit the dimension there.
(it's a long list of first your dimensions and then your cubes which can be extended to show the cubedimensions, which are the only thing relevant to us right now)
When you have the correct dimension you can select an attribute Manager_ID in your case and disable all values a user shouldn't be able to see. You can do this by unchecking all restricted values or deselect all members and then click the ones that should be available. That all depends on your useCase.
The result of this will be that when opening the dimension from excel or powerBI the disabled values won't show.
I hope this helps and good luck.
Related
RSA Archer Is there a way (custom code?) to assign a user to a user/group field dynamically?
Like:
2 Groups
apple - is assigned to usera
orange - is assigned to usero
sendnote - user/group field
if I choose apple - assign usera to sendnote
if I choose orange - assign usero to sendnote
User/group list can't be calculated, but record permission field can be. The logic you described can be implemented if you use Record Permission field and make it Automatic type. This will allow you to add calculation rules and populate it as required. Side affect of this approach is that calculated fields can't accept user input.
If you want to accept user input and automate behavior of the given field at the same time, then you have to write a Custom Object. Code for Custom Object will vary a lot based on the behavior you want, so it is probably a topic for another question.
Good luck!
The cube (sql Server 2016) contains dimensions [Unit].[Unit].&[1] and [Unit].[Unit].&[2]. I’ve created a calculated dimension:
CREATE MEMBER CURRENTCUBE.[Unit].[Unit].[All].[1/2] AS [Unit].[Unit].&[1]/[Unit].[Unit].&[2]
To restrict access to the dimension of [Unit].[Unit].[All].[1/2] I’ve created the Role.
But I can not select [Unit].[Unit].[All].[1/2] in DimensionData-Basic tab, because this attribute does not appear in the list of attributes.
If I specify the attribute [Unit].[Unit].[All].[1/2] in DimensionData-Advanced tab in the MDX-script Denied member set: {[Unit].[Unit].[All].[1/2]}, the user sees this attribute.
How do I restrict access to the calculated dimension?
If you change your DimUnit SQL table to include a "1/2" row then replace your CREATE MEMBER statement with the following it should work the same and you should be able to see this member in dimension data security after you deploy and process the cube:
([Unit].[Unit].[1/2])
= DIVIDE([Unit].[Unit].&[1], [Unit].[Unit].&[2]);
Then after you have created a role that makes the 1/2 member disappear you will get an error when browsing the cube with that user. Change the above line to the following:
(IIf(IsError(StrToMember("[Unit].[Unit].[1/2]",CONSTRAINED)),Head([Unit].[Unit].Members,0),StrToMember("[Unit].[Unit].[1/2]",CONSTRAINED))
= DIVIDE([Unit].[Unit].&[1], [Unit].[Unit].&[2]);
BTW, DIVIDE does safe divide so divide by zero won't cause problems.
Off the top of my head I can't recall if StrToMember is necessary vs. just a member reference so I played it safe. Feel free to try it without StrToMember.
To be clear the whole script should say:
CALCULATE;
(IIf(IsError(StrToMember("[Unit].[Unit].[1/2]",CONSTRAINED)),Head([Unit].[Unit].Members,0),StrToMember("[Unit].[Unit].[1/2]",CONSTRAINED))
= DIVIDE([Unit].[Unit].&[1], [Unit].[Unit].&[2]);
How to hide measure or a scope if user choose certain dimension or go to certain dimension hierarchy level?
Thanks.
Try something like this in your MDX script:
FREEZE([Measures].[My Measure], [Product].[Subcategory].[All]);
([Measures].[My Measure], [Product].[Product].Members, [Product].[Subcategory].[Subcategory].Members) = null;
Freeze ensures the next statement won't null out the category level totals. The next statement bulls out that measure for the whole product dimension up to the subcategory totals but not above.
Note this is fine for nulling out meaningless numbers but isn't a security feature. A savvy user could do a drillthrough command to get the product level numbers. Or a savvy user could connect in a special way and clear the whole MDX script for his session so he sees the detailed product data.
For a more secure approach:
If you can null out product data for all measures then setup role based security. In dimension data security only grant access to member Subcategory.All only but uncheck visual totals on the advanced tab so that the subcategory grand total is the real total.
Or setup a second slimmed down Product dimension that only has the top levels not the detailed product levels. Then only tie that dimension to this measure group.
Or create a second measure group that does a group by in SQL and joins to the Product dimension only at the Category level. Thus there is no detailed data only rollups. Then with security control whether a used sees the detailed measures or the summary measures.
On measure properties you can set set visible property to false for the measure you want to hide. Another option is to use perspective and choose again what you want to hide or not.
Just a bit of background info:
I have dimension table which uses SCD2 to track user changes in our company (team changes, job title changes etc) See example below:
I've built an Analysis Services Cube and created all the necessary hierarchy's for the dimensions and it works well when navigating and drilling down through the fact table.
The problem I have is with the filters on the PerformancePoint dashboard. As I'm using the User Dimension table with it's multiple instances of users it's showing duplicates up in the list. I can understand why as the surrogate ID is being referenced on the Dimension. But if I choose the first instance of the A-team I will see all their sales for a particular period and if I choose the second instance I will see all their sales for a different period.
What is the best way to handle this type of behavior? Ideally I'd like to see a distinct list of teams in alphabetical order and when I choose the team name it shows all of their data over time.
I've considered using MDX query filters but I'd like to see if there's anything I haven't thought about.
I realise this isn't an easy and quick question but any help would be appreciated!
The answer was simple after having a trawl through my User Dimension table on the Cube.
Under my user dimension I added 2 duplicate attributes to my attributes list ("Team Filter" is a copy of "Team", "User Filter" a copy of "User Name") these will be used only for filtering the dashboard.
Under the attribute properties for each duplicate I then set AttributeHierarchyOptimizedState to "Not Optimized", I also set their AttributeHierarchyVisible to false as I'd shown the two duplicate attributes in the hierarchy window in the middle.
Deploy your Cube to the server and go in to PerformancePoint. Create a new MDX Filter (this image shows the finished filter)
This is the code I used, it only shows dimension members which have a fact against them (reduces the list a considerable amount) and by using allmembers at the dimension it also gives me the option to show "All" at the top of the list.
Deploy the new filters and now you can see the distinct list of users and teams, works perfectly and selects every instance (regardless of the SCD2 row)
I have about 4 attributes in Race dimension as shown in blow
dimension name is Race
1)Race
2)RACE DESC
3)RACE KEY
4)RACE SHORT NAME
when go to cube browse and right click on Race dimension and select add query
as below
1)when i drag Race dimension to browser data panel it showing default Race Attribute data
2)i want show RACE DESC data only
3) at the same time i drag the RACE DIMENSION in Filter panel
4) i want show RACE DESC Attribute only
5) i don't want set attributehierarchyvisible =false
how do i achieve my above requirement
Thanks for the help
Create your own user's hierarchy and place it on the 1st place in dimension hierarchies part of screen. This will let SSAS to use it.
Here Report Date hierarchy is selected by default.
And Product Categories on the image below:
UPDATE
Here is detailed explanation:
Now you have 5 flat hierarchies and server takes first alphabetical one by default, like this (Count is measure here):
To fix this, you need to disable attributes hierarchy, which you want to be selected by default:
Than rename attribute, to be able to create user's hierarchy with the same name (so for users this will be identical as previous flat attribute hierarchy):
Finally, process this dimension again, and when you drag dimension, it will show your first user's hierarchy, which is State in our case.
Hope this helps.
UPDATE-2 (New example with races)
To achieve this, you need to do the same as described in UPDATE #1:
Rename RACE DESC to some other name (e.g. RACE DESC Attr) and disable it's hierarchy visibility by setting attributehierarchyvisible = false
Create user's hierarchy on this attribute with desirable name: RACE DESC
Process dimension.
That's all. Now default attribute will be RACE DESC. It's hierarchy is not disabled, just it's showing priority is changed to be the 1st one.