Hi I am trying to implement dynamic row security within Analysis Services
2000, but am hitting problems and cannot find a solution anywhere that
actually works.

I have a Business dimension that I have to secure at leaf level, so Users
can only see data from a cube, for the Business Units to which they have
access. We have over 500 Business Units and approx 50 Users, so I cannot use
separate roles. I therefore need a solution that matches each User's login
name to the Units they are allowed to see, dynamically, through a single role.

I am trying to follow the article 27305, as published in SQL Server magazine
Jan 2003, but it doesn't appear to be working!

I have created the Security dimension with the list of User's NTLogin names
in domain\login format, which we have to use. I have also created the
Security Fact table and built the Security cube including the Business
Dimension.

When I browse this cube, it is working. I can select different Users from
the security dimension and the only Business dimension members containing a
1, are the ones that lead to the Business Unit leaf members the selected user
is allowed to see. For my login name it correctly displays a 1 for all the
BU's.

I have then created the virtual cube, containing my unsecured cube that also
works, and the security cube. I can process this cube OK with no restrictions
defined in the database role, but if I browse the cube data, I only see the
Fact data when All is selected in the security dimension. No data is
displayed if I select a User’s name in Security dimension.

If I try to add the MDX expression in the database role, to restrict the
Business dimension, invalid token errors are displayed when I try to save it
and the following error is then displayed when I try to process the virtual
cube: “Cannot save object inside a Decision Support Objects (DSO)
transaction”.

Any ideas, as I appear to be near to a working solution, but not quite...

Thanks,
Neil