Hello,

In my sales cube I have about 10 dimensions: vendors, materials, managers, stores etc.
Generally, users needs to view information from one dimensions. So, using the role manager, I easily configure via custom dimension security.

Examples (2 different users ):

User No 1 views information only about vendors: "Sanitex", "Unilever".
User No 2 views information only about stores: "Store No 300" and "Store No 555".

my problem is:

user No 3 is a head of users 1 and 2. he would like to see information about vendors ("Sanitex" and "Unilever") or (stores no 300 and store no 555).

Is it possible to implement such composite security?? Have anybode some experience about that??

Ramunas

You are running into this problem because you are crossing dimensions.

Role 1 can see all stores but only two vendors
Role 2 can see all vendors but only two stores

A user who is in both roles sees a *UNION* of all members that they can see in each dimension. Thus your user 3 is able to see all stores and all vendors.
You are going to have to create a 3rd role and restrict members in both dimensions.
--
Dave Wickert [MSFT]
dwickert (AT) online (DOT) microsoft.com
Program Manager
BI SystemsTeam
SQL BI Product Unit (Analysis Services)
--
This posting is provided "AS IS" with no warranties, and confers no rights.

"Ramunas Balukonis" <ramblk1 (AT) hotmail (DOT) com> wrote

Hello,

In my sales cube I have about 10 dimensions: vendors, materials, managers, stores etc.
Generally, users needs to view information from one dimensions. So, using the role manager, I easily configure via custom dimension security.

Examples (2 different users ):

User No 1 views information only about vendors: "Sanitex", "Unilever".
User No 2 views information only about stores: "Store No 300" and "Store No 555".

my problem is:

user No 3 is a head of users 1 and 2. he would like to see information about vendors ("Sanitex" and "Unilever") or (stores no 300 and store no 555).

Is it possible to implement such composite security?? Have anybode some experience about that??

Ramunas

Dave,

Thank for you answer, but the problem still exsits.

as I undrestant, you offer to include user 3 into the role Role 1 and Role 2 then create Role 3, include user 3 into the Role 3. In the Role 3 select dimensions "Stores" and "Vendors" as "Fully restricted" via edit database role interface.

Something wrong?

In "excel xp", user 3 can browse from entire Vendors dimension and from entire Stores dimension.


Ramunas

"Dave Wickert [MSFT]" <dwickert (AT) online (DOT) microsoft.com> wrote

You are running into this problem because you are crossing dimensions.

Role 1 can see all stores but only two vendors
Role 2 can see all vendors but only two stores

A user who is in both roles sees a *UNION* of all members that they can see in each dimension. Thus your user 3 is able to see all stores and all vendors.
You are going to have to create a 3rd role and restrict members in both dimensions.
--
Dave Wickert [MSFT]
dwickert (AT) online (DOT) microsoft.com
Program Manager
BI SystemsTeam
SQL BI Product Unit (Analysis Services)
--
This posting is provided "AS IS" with no warranties, and confers no rights.

"Ramunas Balukonis" <ramblk1 (AT) hotmail (DOT) com> wrote

Hello,

In my sales cube I have about 10 dimensions: vendors, materials, managers, stores etc.
Generally, users needs to view information from one dimensions. So, using the role manager, I easily configure via custom dimension security.

Examples (2 different users ):

User No 1 views information only about vendors: "Sanitex", "Unilever".
User No 2 views information only about stores: "Store No 300" and "Store No 555".

my problem is:

user No 3 is a head of users 1 and 2. he would like to see information about vendors ("Sanitex" and "Unilever") or (stores no 300 and store no 555).

Is it possible to implement such composite security?? Have anybode some experience about that??

Ramunas

Is the user a machine administrator or in the OLAP Administrators group?
If so, try a different user.
Administrators see all data.
--
Dave Wickert [MSFT]
dwickert (AT) online (DOT) microsoft.com
Program Manager
BI SystemsTeam
SQL BI Product Unit (Analysis Services)
--
This posting is provided "AS IS" with no warranties, and confers no rights.

"Ramunas Balukonis" <ramblk1 (AT) hotmail (DOT) com> wrote

Dave,

Thank for you answer, but the problem still exsits.

as I undrestant, you offer to include user 3 into the role Role 1 and Role 2 then create Role 3, include user 3 into the Role 3. In the Role 3 select dimensions "Stores" and "Vendors" as "Fully restricted" via edit database role interface.

Something wrong?

In "excel xp", user 3 can browse from entire Vendors dimension and from entire Stores dimension.


Ramunas

"Dave Wickert [MSFT]" <dwickert (AT) online (DOT) microsoft.com> wrote

You are running into this problem because you are crossing dimensions.

Role 1 can see all stores but only two vendors
Role 2 can see all vendors but only two stores

A user who is in both roles sees a *UNION* of all members that they can see in each dimension. Thus your user 3 is able to see all stores and all vendors.
You are going to have to create a 3rd role and restrict members in both dimensions.
--
Dave Wickert [MSFT]
dwickert (AT) online (DOT) microsoft.com
Program Manager
BI SystemsTeam
SQL BI Product Unit (Analysis Services)
--
This posting is provided "AS IS" with no warranties, and confers no rights.

"Ramunas Balukonis" <ramblk1 (AT) hotmail (DOT) com> wrote

Hello,

In my sales cube I have about 10 dimensions: vendors, materials, managers, stores etc.
Generally, users needs to view information from one dimensions. So, using the role manager, I easily configure via custom dimension security.

Examples (2 different users ):

User No 1 views information only about vendors: "Sanitex", "Unilever".
User No 2 views information only about stores: "Store No 300" and "Store No 555".

my problem is:

user No 3 is a head of users 1 and 2. he would like to see information about vendors ("Sanitex" and "Unilever") or (stores no 300 and store no 555).

Is it possible to implement such composite security?? Have anybode some experience about that??

Ramunas

User is only in the users groups, so no additional rights he has.
Have you already tested such behaviour, or have you some sample about that?

Ramunas
"Dave Wickert [MSFT]" <dwickert (AT) online (DOT) microsoft.com> wrote

Is the user a machine administrator or in the OLAP Administrators group?
If so, try a different user.
Administrators see all data.
--
Dave Wickert [MSFT]
dwickert (AT) online (DOT) microsoft.com
Program Manager
BI SystemsTeam
SQL BI Product Unit (Analysis Services)
--
This posting is provided "AS IS" with no warranties, and confers no rights.

"Ramunas Balukonis" <ramblk1 (AT) hotmail (DOT) com> wrote

Dave,

Thank for you answer, but the problem still exsits.

as I undrestant, you offer to include user 3 into the role Role 1 and Role 2 then create Role 3, include user 3 into the Role 3. In the Role 3 select dimensions "Stores" and "Vendors" as "Fully restricted" via edit database role interface.

Something wrong?

In "excel xp", user 3 can browse from entire Vendors dimension and from entire Stores dimension.


Ramunas

"Dave Wickert [MSFT]" <dwickert (AT) online (DOT) microsoft.com> wrote

You are running into this problem because you are crossing dimensions.

Role 1 can see all stores but only two vendors
Role 2 can see all vendors but only two stores

A user who is in both roles sees a *UNION* of all members that they can see in each dimension. Thus your user 3 is able to see all stores and all vendors.
You are going to have to create a 3rd role and restrict members in both dimensions.
--
Dave Wickert [MSFT]
dwickert (AT) online (DOT) microsoft.com
Program Manager
BI SystemsTeam
SQL BI Product Unit (Analysis Services)
--
This posting is provided "AS IS" with no warranties, and confers no rights.

"Ramunas Balukonis" <ramblk1 (AT) hotmail (DOT) com> wrote

Hello,

In my sales cube I have about 10 dimensions: vendors, materials, managers, stores etc.
Generally, users needs to view information from one dimensions. So, using the role manager, I easily configure via custom dimension security.

Examples (2 different users ):

User No 1 views information only about vendors: "Sanitex", "Unilever".
User No 2 views information only about stores: "Store No 300" and "Store No 555".

my problem is:

user No 3 is a head of users 1 and 2. he would like to see information about vendors ("Sanitex" and "Unilever") or (stores no 300 and store no 555).

Is it possible to implement such composite security?? Have anybode some experience about that??

Ramunas

This is easy to reproduce with Foodmart (which I just did).

1) create a machine account called test1 on the Analysis server -- just a regular user account

2) create three roles in the Foodmart 2000 Sales cube with:
- role: WASH ONLY, user "test1" as a member; custom restrict the Customer dimension to just WA
- role: DRINK ONLY, user "test1" as a member; custom restrict just the Product dimension to just DRINK
- role: BOTH WASH AND DRINK ONLY, user "test1" as a member; custom restrict both the Customer dimension to just WA and the Product dimension to just DRINK

3) Start with all 3 roles disabled; the Everyone role enabled

Add a shortcut to your desktop with the MDX Sample application. Right click on it and select "Run As..." -- then enter test1 as the username and whatever password you assigned in step #1 above. You should be able to see all dimension members (since test1 is part of the Everyone role). Leave the MDX Sample application running.

4) Disable all roles but the WASH ONLY role (there are checkboxes for enabling/disabling roles on the Manage Roles dialog box).

Using the MDX Sample application, disconnect and re-connect to your server. Select the Sales cube and browse the Customer and Product dimensions. You should only see the WA customers; but all products.

5) Disable all roles but the DRINK ONLY role..

Using the MDX Sample application, disconnect and re-connect to your server. Select the Sales cube and browse the Customer and Product dimensions. You should only see the DRINK product, but all customers.

6) Enable both WASH ONLY and DRINK ONLY roles -- everything else is disabled.
..
Using the MDX Sample application, disconnect and re-connect to your server. Select the Sales cube and browse the Customer and Product dimensions. You should all customers and all products. This is because the WASH ONLY allows you to see all products; and the DRINK ONLY role allows you to see all customers. When permissions are merged, the system does a UNION.

7) Disable all roles but the BOTH WASH AND DRINK ONLY role..

Using the MDX Sample application, disconnect and re-connect to your server. Select the Sales cube and browse the Customer and Product dimensions. You should only see WA customers and DRINK products.

Hope this helps.

--
Dave Wickert [MSFT]
dwickert (AT) online (DOT) microsoft.com
Program Manager
BI SystemsTeam
SQL BI Product Unit (Analysis Services)
--
This posting is provided "AS IS" with no warranties, and confers no rights.

"Ramunas Balukonis" <ramblk1 (AT) hotmail (DOT) com> wrote

User is only in the users groups, so no additional rights he has.
Have you already tested such behaviour, or have you some sample about that?

Ramunas
"Dave Wickert [MSFT]" <dwickert (AT) online (DOT) microsoft.com> wrote

Is the user a machine administrator or in the OLAP Administrators group?
If so, try a different user.
Administrators see all data.
--
Dave Wickert [MSFT]
dwickert (AT) online (DOT) microsoft.com
Program Manager
BI SystemsTeam
SQL BI Product Unit (Analysis Services)
--
This posting is provided "AS IS" with no warranties, and confers no rights.

"Ramunas Balukonis" <ramblk1 (AT) hotmail (DOT) com> wrote

Dave,

Thank for you answer, but the problem still exsits.

as I undrestant, you offer to include user 3 into the role Role 1 and Role 2 then create Role 3, include user 3 into the Role 3. In the Role 3 select dimensions "Stores" and "Vendors" as "Fully restricted" via edit database role interface.

Something wrong?

In "excel xp", user 3 can browse from entire Vendors dimension and from entire Stores dimension.


Ramunas

"Dave Wickert [MSFT]" <dwickert (AT) online (DOT) microsoft.com> wrote

You are running into this problem because you are crossing dimensions.

Role 1 can see all stores but only two vendors
Role 2 can see all vendors but only two stores

A user who is in both roles sees a *UNION* of all members that they can see in each dimension. Thus your user 3 is able to see all stores and all vendors.
You are going to have to create a 3rd role and restrict members in both dimensions.
--
Dave Wickert [MSFT]
dwickert (AT) online (DOT) microsoft.com
Program Manager
BI SystemsTeam
SQL BI Product Unit (Analysis Services)
--
This posting is provided "AS IS" with no warranties, and confers no rights.

"Ramunas Balukonis" <ramblk1 (AT) hotmail (DOT) com> wrote

Hello,

In my sales cube I have about 10 dimensions: vendors, materials, managers, stores etc.
Generally, users needs to view information from one dimensions. So, using the role manager, I easily configure via custom dimension security.

Examples (2 different users ):

User No 1 views information only about vendors: "Sanitex", "Unilever".
User No 2 views information only about stores: "Store No 300" and "Store No 555".

my problem is:

user No 3 is a head of users 1 and 2. he would like to see information about vendors ("Sanitex" and "Unilever") or (stores no 300 and store no 555).

Is it possible to implement such composite security?? Have anybode some experience about that??

Ramunas