dbTalk Databases Forums  

Roles for Cubes/Dim

microsoft.public.sqlserver.olap

#1
Manivannan
Roles for Cubes/Dim - 03-17-2005, 12:01 AM

Hi All,

In MS Analysis Server you can define custom roles, and you can hide/show the
particular CELLS/Levels or Data to End User.

When you create the Roles, you need to define the membership of the Role. It
is basically NT_User_ID or NT_Group_Name. But if you assign an NT_user_Name
other than EVERYONE it is not working properly and the Server is not
connecting from a client like Excel or OWC.

Finally the Solution is,

Create any Role and by Default assign the MemberShip as EveryOne for all the
Roles.

In the Connecting String Specify the Role Name to Connect with Server. You
can define more than one Role.

Example.
Provider=MSOLAP.2; Data Source=http://Servername; Roles=Role1; Initial Catalog=Foodmart 2000

Provider=MSOLAP.2; Data Source=http://Servername; Roles="Role1,Role2,Role3"; Initial Catalog=Foodmart 2000


#2
Ohjoo Kwon
Re: Roles for Cubes/Dim - 03-17-2005, 01:29 AM

First of all, thank you for sharing your experience. Your experience and
solution could be very valuable to us.

But it looks strange. I don't understand your scenario. Could you give us
more detailed information? What is the authentication method of the IIS Server?
Are Analysis Server and IIS Server on the same machine or on different
machines?

Ohjoo Kwon

#3
Manivannan
Re: Roles for Cubes/Dim - 03-17-2005, 01:47 AM

Hi, this is the scenario:

1. Analysis Server and IIS Server are on the same machine
2. The Analysis Server and all client machines are under the same domain
3. The client uses the OWC component to connect with the MSOLAP.2 provider
4. The IIS Server uses Windows Authentication to connect to the Analysis
Server

For example:

Current client user name: Client_User_01
The IIS/Analysis Server name: INDIA_OLAP_Server_01

In Analysis Server, create the role called ROLE1 and assign the membership
value as Client_User_01 (and imagine no other roles are available).

ROLE1 is designed to hide Measure_X and Measure_Y of CUBE1.
It also hides some set of data of CUBE1's DIMENSION1.

Now try to connect to INDIA_OLAP_Server_01 from Client_User_01's
machine using an HTTP connection string (basically our application is
ASP.NET).

Now you will get the COM error.

So the membership property is not working properly.
If I put some NT_User name (other than EVERYONE), the client (Excel/OWC)
fails to connect to the server.

So I used the following solution:

1. Create the role named ROLE1.
2. Assign the membership value as EVERYONE.
3. From the client machine's connection string, pass the ROLES attribute
along with the required role name (ROLES=ROLE1).

Did you get it?

#4
Ohjoo Kwon
Re: Roles for Cubes/Dim - 03-17-2005, 03:05 AM

I understand what you did, but I still don't understand why everyone must be
added to the roles.

Could you add a calculated member whose definition is UserName and verify the
results?

And does the local users group of the IIS machine contain the domain users
group? (Now I'm at home and not on the domain environment, so the second
question may not be appropriate.)

Ohjoo Kwon

#5
Manivannan
Re: Roles for Cubes/Dim - 03-17-2005, 03:59 AM

Every role should have the membership value (NT user name/group).
If you give anything other than Everyone as membership, the cube
is not connecting via the HTTP connection string from the client.

There is no calculated member verifying the UserName..!

-Mani

#6
Ohjoo Kwon
Re: Roles for Cubes/Dim - 03-17-2005, 09:55 AM

I agree it does make sense that you add everyone for anonymous users. But
for the users logged on to the domain normally, it does not make sense when
IIS uses Windows authentication method.

If I understand the security behavior wrong, any information would be
appreciated.

Ohjoo Kwon

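Added example, not part of the original thread: a simplified model of role resolution (an assumption for illustration, not Analysis Services code) comparing the two membership designs discussed above when the client sends different Roles= values. ROLE_FULL and Finance_Admins are hypothetical names; all sample data is constructed.

```python
# Added example: a simplified model of role resolution (an assumption for
# illustration, not Analysis Services code). All sample data is constructed.

def parse_conn_str(conn_str):
    """Parse 'Key=Value; Key="a,b"' into a dict with lower-cased keys."""
    props = {}
    for part in conn_str.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            props[key.strip().lower()] = value.strip().strip('"')
    return props

def effective_roles(user, groups, role_members, conn_str):
    """Roles a connection runs under: the roles the authenticated user is a
    member of, narrowed to the Roles= list when the client sends one."""
    principals = {user.lower(), "everyone"} | {g.lower() for g in groups}
    member_of = {role for role, members in role_members.items()
                 if principals & {m.lower() for m in members}}
    requested = parse_conn_str(conn_str).get("roles")
    if requested is None:
        return member_of                  # no Roles=: every membership applies
    wanted = {r.strip() for r in requested.split(",")}
    return member_of & wanted             # empty set: connection is refused

BASE = ("Provider=MSOLAP.2; Data Source=http://Servername; "
        "Initial Catalog=Foodmart 2000")

# ROLE1 hides measures (as in the thread); ROLE_FULL and Finance_Admins are
# hypothetical names for an unrestricted role and its intended members.
EVERYONE_IN_ALL = {"ROLE1": {"Everyone"}, "ROLE_FULL": {"Everyone"}}
NAMED_MEMBERS = {"ROLE1": {"Client_User_01"}, "ROLE_FULL": {"Finance_Admins"}}

def compare(user="Client_User_01"):
    """Effective roles per membership design and per client-sent Roles= value."""
    out = {}
    for label, members in (("everyone", EVERYONE_IN_ALL), ("named", NAMED_MEMBERS)):
        for roles in ("ROLE1", "ROLE_FULL", None):
            cs = BASE if roles is None else BASE + "; Roles=" + roles
            out[(label, roles)] = effective_roles(user, [], members, cs)
    return out

if __name__ == "__main__":
    for key, roles in compare().items():
        print(key, sorted(roles))
```

With Everyone in every role, the result follows whatever the connection string asks for, so the restriction lives in client configuration; with named members, the server-side membership list decides regardless of what the client sends.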