Hi

I have a cube with 2 roles defined in the Manage Roles section

For the first role, I have made the Dimension 1 - "FULLY RESTRICTED" and in the cell security I have defined some MDX expressions which includes elements only from other Dimensions (i.e. other than Dimension 1 - As Dimension 1 is fully restricted in Dimension Security)

For the Second Role, I have made the Dimension 1 - "Custom" and in the cell security I have defined some MDX expressions which includes elements from Dimension 1 also

Now I have a User 'A' who is added to both the Roles. From various documents I could infer that For User 'A' both the security rules will be executed and a particular cell will be displayed if atleast one of the roles resolves to show that cell value

User 'A' uses OWC to access the cubes
User 'A' is able to access Dimension 1 as the second role gives him partial access to the dimension. (some cells are blocked because of the Cell Security defined in second role

The Issue is - I expected User 'A' will be able to access only those cell values which passed the Cell Security defined on the Second Role. But unfortunately it is not the case.... User 'A' is able to access all the cell values of Dimension 1.
To correct this issue - I included a MDX expression in Cell Secutiy of Role 1 which will block all the Cell Values of Dimension I even though the Dimension has been fully restricted in the Dimension Security.

Is this an expected behaviour !!!

Cheers
Sank

1) Role permissions are UNIONs. Meaning that if you can see something in one
role then that is good enough, you will see it regardless of the others.
2) Any user who is also the OLAP Adminisrators group is automatically given
full access regardless of their role participation.
--
Dave Wickert [MS]
dwickert (AT) online (DOT) microsoft.com
Program Manager
BI Practices Team
SQL BI Product Unit (Analysis Services)
--
This posting is provided "AS IS" with no warranties, and confers no rights.


"Sanka" <loonysan (AT) mailcity (DOT) com> wrote

elements only from other Dimensions (i.e. other than Dimension 1 - As
Dimension 1 is fully restricted in Dimension Security).
from Dimension 1 also.
executed and a particular cell will be displayed if atleast one of the roles
resolves to show that cell value.
Cell Security defined in second role)
unfortunately it is not the case.... User 'A' is able to access all the cell
values of Dimension 1.
Dimension has been fully restricted in the Dimension Security.

Dave

I totally agree with your statements

But I am referring to a slightly different context where in the User doesn't get access to a particular cell when he is a part of only one of the User Roles. But gets access to the Cell when he is a part of both User Roles

Let me try to explain with an example
Create two Roles in SALES Cube

In the First Role, completely restrict the access to Time Dimension using Dimension Security. So, all Users who belong to only this User Role will not have access to the TIme Dimension Elements

In the second role, Don't completely restrict the access to Time Dimension in Dimenion Security, but put the follwoing MDX in the cell securit
iif([time].currentmember is [Time].&[1997].&[Q1],0,1). So, all Users who belong to only this User Role will have access to the Time Dimension but they will not be able to see values for all measures for [Time].&[1997].&[Q1]

Under the above settings, if U add the user to both the User Roles... He will be able to access [Time].&[1997].&[Q1] values...

What I want to make is that the Cell Security and the Dimension Security of the Roles are probably not getting implemented in sync
Please let me know if need any further clarifications

(Note: The Users added to the roles are not OLAP Admins

- Sank





----- Dave Wickert [MSFT] wrote: ----

1) Role permissions are UNIONs. Meaning that if you can see something in on
role then that is good enough, you will see it regardless of the others
2) Any user who is also the OLAP Adminisrators group is automatically give
full access regardless of their role participation
--
Dave Wickert [MS
dwickert (AT) online (DOT) microsoft.co
Program Manage
BI Practices Tea
SQL BI Product Unit (Analysis Services
-
This posting is provided "AS IS" with no warranties, and confers no rights


"Sanka" <loonysan (AT) mailcity (DOT) com> wrote in messag
newsAAC4DBC-AB3A-4F51-ACD8-245ECE7E0CBB (AT) microsoft (DOT) com..
elements only from other Dimensions (i.e. other than Dimension 1 - A
Dimension 1 is fully restricted in Dimension Security)
from Dimension 1 also
executed and a particular cell will be displayed if atleast one of the role
resolves to show that cell value
Cell Security defined in second role
unfortunately it is not the case.... User 'A' is able to access all the cel
values of Dimension 1
Dimension has been fully restricted in the Dimension Security

Because of the different execution locations for cell security and dimension
security this might be possible, I've never tried it.
You might have to convert the member name to a string for the comparsion, or
use the ID to match.
Have you tried to do it?
--
Dave Wickert [MS]
dwickert (AT) online (DOT) microsoft.com
Program Manager
BI Practices Team
SQL BI Product Unit (Analysis Services)
--
This posting is provided "AS IS" with no warranties, and confers no rights.


"Sanka" <loonysan (AT) mailcity (DOT) com> wrote

User Roles. But gets access to the Cell when he is a part of both User
Roles.
have access to the TIme Dimension Elements.
they will not be able to see values for all measures for
[Time].&[1997].&[Q1].

Hi

As the Cell Security are always executed at the client side..
Do you mean for the discussed scenario, we need to change the execution location of all the dimension security also to Cell side..
Isn't it a huge overhead on security perspectives..

Thanks
Sanka

----- Dave Wickert [MSFT] wrote: ----

Because of the different execution locations for cell security and dimensio
security this might be possible, I've never tried it
You might have to convert the member name to a string for the comparsion, o
use the ID to match
Have you tried to do it
--
Dave Wickert [MS
dwickert (AT) online (DOT) microsoft.co
Program Manage
BI Practices Tea
SQL BI Product Unit (Analysis Services
-
This posting is provided "AS IS" with no warranties, and confers no rights


"Sanka" <loonysan (AT) mailcity (DOT) com> wrote in messag
news:AB72D4C6-DCC4-48D7-A5CB-67AC14872352 (AT) microsoft (DOT) com..
User Roles. But gets access to the Cell when he is a part of both Use
Roles
have access to the TIme Dimension Elements
they will not be able to see values for all measures fo
[Time].&[1997].&[Q1]

You don't have to change anything. This is just the way that cell level
security works. The entire dataset is moved down to the client and *then*
the MDX statement is evaluated by PTS on the client and the resultset is
returned to the client. You are mistaken if you believe that the protected
empty cells are not transfered down the wire. This is true for dimension
security (which is done on the server); but cell security is always
evaluated on the client.
--
Dave Wickert [MS]
dwickert (AT) online (DOT) microsoft.com
Program Manager
BI Practices Team
SQL BI Product Unit (Analysis Services)
--
This posting is provided "AS IS" with no warranties, and confers no rights.

"Sanka" <loonysan (AT) mailcity (DOT) com> wrote