Denying access to an entire level with dimension security
Most of the time when you’re using dimension security with SSAS, you’re slicing a hierarchy vertically: for example, on a Geography dimension you only want members of a given role to see just one Country on your Country hierarchy. Occasionally, though, you may want to slice a hierarchy vertically: on a Time hierarchy, you may want to allow members of a role to drill down from Year to Month, but not see Date level data. This is also possible; a customer recently asked me how to do it so I thought I’d write up the explanation since it’s very easy to do.
Let’s take the Calendar hierarchy on the Date dimension in Adventure Works as an example. When you browse it in the cube browser in BIDS, you’ll see a hierarchy that goes down from Year at the top to Date at the bottom:
Now, let’s create a role that stops users from drilling down beyond Month. Create a new role and go to the Dimension Data tab, and select the Date dimension on the Adventure Works cube (note not the Date dimension further up the list – that’s the Database dimension, we want the Cube dimension, the instance of the Date dimension inside the cube):
Then select the Date attribute hierarchy (the Date attribute hierarchy is used as the bottom level of the Calendar user hierarchy, so by securing it you’re also securing all user hierarchies that it appears in) and select the Deselect All Members radio button.
You can then deploy the project with this new role, and go to the Cube Browser tab, click the Change User button and select the new role in the Security Context dialog to test it:
You will then be able to see that you can no longer drill down below the Month level in either the metadata pane or the pivot table:
Nice Article Chris! Thanks
Could this not be achieved by using an MDX statement in the “Denied member set” section of the “Advanced” tab? Something like {[Time].[Date].Members} ?
Cheers
Craig
Craig Bryden
June 23, 2011 at 12:23 am
Absolutely – it’s just easier to use the UI in this case. You need to use an empty set {} in the Allowed Member Set.
Chris Webb
June 23, 2011 at 11:50 am
Good tip – thanks.
Tim Mitchell
June 23, 2011 at 3:37 pm
[...] Chris Webb says that most of the time when you’re using dimension security with SSAS, you’re slicing a hierarchy vertically. [...]
Log Buffer #226, A Carnival of the Vanities for DBAs | The Pythian Blog
June 24, 2011 at 9:17 am
[...] to control level access to information in a cube (by roles in the BI server). All the blog is [...]
Complete Pentaho Installationon Ubuntu, Part 8 | Interesting IT Tip's
July 30, 2011 at 6:40 pm
Nice article Chris!
I have implemented a security base on organisations groups (ie different companies) and role groups (sales, purchase, etc) in a single cube with different perspectives. The organisation groups have a ‘deselect all members’ for all dimensions, except for their company. The role groups have limiteded the set of specific dimensions to the available companies. This is almost working … at least the general concept works as expected. But …
It takes at least 10 minutes to connect to the cube, as if the cube runs all possible queries for the combined roles first. I’m not very sure where to search for the cause, as the admin account has no trouble connecting.
In Excel 2010, I can’t drill down certain dimensions when I put them in the filter section, allthough I can when I use them as a row or column label. For example the date dimension, I now have to show it as a column label, select the period I need and then drag it back to the filter section ..
I’m sure it’s something I will figure out in the end, but I was curious if you have had any experience with security issues like these.
Regards, Martijn
Martijn Sandbergen
October 6, 2011 at 9:33 am
Are you finding that your connection is slow only in Excel 2010? If so, then it could be the problem described here: http://support.microsoft.com/kb/2535767
Chris Webb
October 6, 2011 at 9:50 am
Can we implement this for intermediate levels? if yes, will it affect all levels below the level for which I have removed the access?
Prakash
April 2, 2013 at 5:50 pm
I’m not sure (I haven’t tested it) but I suspect it won’t work for intermediate levels
Chris Webb
April 2, 2013 at 6:42 pm