Module 15: Implementing Security

Contents
• Overview
• Introducing Analysis Services Security
• Understanding Administrator Security
• Securing User Authentication
• Understanding Database Roles
• Implementing Dimension Security
• Managing Cube Roles
• Lab A: Implementing Cube Security
• Review
BETA MATERIALS FOR MICROSOFT CERTIFIED TRAINER PREPARATION PURPOSES ONLY
© 2000 Microsoft Corporation. All rights reserved.

Instructor Notes

Presentation: 60 Minutes
Lab: 30 Minutes

In this module, students will gather the skills necessary to implement security in Microsoft® SQL Server™ 2000 Analysis Services. Students will learn the concepts and mechanics of administrative permissions, database roles, and cube roles. In the lab, students create and test a role that uses dimension and cell security.

After completing this module, students will be able to:
• Understand the use of security in Analysis Services.
• Explain administrator security.
• Describe authentication methods.
• Assign database roles.
• Apply dimension security.
• Manage cube roles.

Materials and Preparation
This section lists the required materials and preparation tasks that you need to teach this module.

Required Materials
To teach this module, you need the following materials:
• Microsoft PowerPoint® file 2074A_15.ppt

Preparation Tasks
To prepare for this module, you should:
• Read all the student materials.
• Read the instructor notes and margin notes.
• Complete all the demonstrations.
• Practice the lecture presentation and demonstration.
• Complete the lab.
• Review the Trainer preparation presentation for this module on the Trainer Materials compact disc.
• Review any relevant white papers that are located on the Trainer Materials compact disc.

Module Strategy
Use the following strategy to present this module:
• Introducing Analysis Services Security
  Explain that Analysis Services allows security to be defined at different levels in online analytical processing (OLAP) databases and cubes—from the server level down to the cell level.
• Understanding Administrator Security
  Explain that to administer Analysis Services, you must be a member of the Microsoft Windows® 2000 or Microsoft Windows NT® OLAP Administrators group.
• Securing User Authentication
  Introduce ways to connect to Analysis Server. Explain that user security is controlled by authentication.
• Understanding Database Roles
  Introduce roles by defining what they are and by giving some key parameters. Introduce the Database Role Manager dialog box and describe its use. Show how to define, delete, edit, and copy a new role. Define database role properties and introduce the Create a Database Role dialog box and how it allows you to define properties of a role. Display the dialog box as you discuss the user interface elements.
• Implementing Dimension Security
  Introduce dimension security. Explain that, with dimension security, you can prevent users from viewing specified dimension members, and data associated with those members. Show how dimension security is defined by using the Custom Dimension Security dialog box. Display the dialog box as you discuss the user interface elements.
• Managing Cube Roles
  Introduce the Cube Role Manager, explain dimension and cell security, describe advanced cell security permissions, and introduce administration and custom options.

Overview

Topic Objective: To provide an overview of the module topics and objectives.
Lead-in: In this module, you will learn about Analysis Services security.

• Introducing Analysis Services Security
• Understanding Administrator Security
• Securing User Authentication
• Understanding Database Roles
• Implementing Dimension Security
• Managing Cube Roles

This module teaches you how to implement security in Microsoft® SQL Server™ 2000 Analysis Services. You will learn the concepts and mechanics of administrative permissions, database roles, and cube roles. In the lab, you will create and test a role that uses dimension and cell security.

After completing this module, you will be able to:
• Understand the use of security in Analysis Services.
• Explain administrator security.
• Describe authentication methods.
• Assign database roles.
• Apply dimension security.
• Manage cube roles.

Introducing Analysis Services Security

Topic Objective: To introduce the concept of security.
Lead-in: By implementing security in Analysis Services, you limit access to data.
Key Point: Database security can be applied in Analysis Services only when the Analysis Server is installed on an NTFS file system. Therefore, it is recommended that Analysis Services always be installed on an NTFS partition.

• Administrator Security
• Cube Security
• Dimension Security
• Cell Security
• Special Options

By implementing security in Analysis Services, you limit access to data. Analysis Services allows security to be defined at different levels and for different reasons in databases and cubes. For example, the following are types of Analysis Services security:
• Administrator security defines who can administer an Analysis Server.
• Cube security allows you to specify which users can read and write to an online analytical processing (OLAP) cube.
• Dimension security allows you to restrict users from viewing specified dimension members.
• Cell security, the most granular level of security, allows you to define the cells that users can read and write to.
• Special options define security for drillthrough, cube linking, and SQL queries.

Important: Database security can be applied in Analysis Services only when the Analysis Server is installed on an NTFS file system. Therefore, it is recommended that Analysis Services always be installed on an NTFS partition.

Understanding Administrator Security

Topic Objective: To explain administrator security.
Lead-in: Administrator security defines who can administer an Analysis Server.

• Administrator Security Is Based on Windows 2000 or Windows NT 4.0 Security
• The User Who Installs Analysis Services Is Automatically Placed in the OLAP Administrators Group
• Additional Administrators Must Be Added to the OLAP Administrators Group
• All Administrators Have Identical Privileges
• An Administrator Retains Full Access Privileges when Connected through a Client

Administrator security defines who can administer an Analysis Server. It is important to understand how to grant administrators the required rights needed to gain access to the Analysis Server.

The following are characteristics of administrator security:
• To administer Analysis Services, you must be a member of the Microsoft Windows® 2000 or Microsoft Windows NT® 4.0 OLAP Administrators group. When Analysis Services is installed, a user group named OLAP Administrators is automatically created on the Analysis Server.
• The user who performs the installation is automatically placed in the OLAP Administrators group.
• Any additional administrators must be added to the OLAP Administrators group. You add administrators to the OLAP Administrators group outside Analysis Manager by using Windows 2000 or Windows NT 4.0 user administration.
• Only one level of administrator privilege exists in Analysis Services. An administrator can perform all operations in a database—they can even delete the database.
• When connected to a cube through a client, administrators retain full read and write access to all cubes, dimensions, and cells, regardless of any defined cube, dimension, or cell security.
  Note: Administrators maintain write access to only those cubes that are write-enabled.

It is recommended that you establish specific Windows 2000 or Windows NT
accounts to administer Analysis Services. Administrators should refrain from
accessing Web pages, productivity applications, and e-mail applications that
support scripts or macros when using the administrative accounts because of the
extensive data access rights of administrative account holders.

Securing User Authentication

Topic Objective: To introduce ways to connect to Analysis Server.
Lead-in: User security is controlled by authentication.

• Direct Connection
  • A user connects to Analysis Server directly
  • Authentication is based on credentials granted in the user domain account
• HTTP Connection through IIS
  • A user connects to Analysis Server through IIS by using HTTP
  • Analysis Server relies on IIS authentication

User security is controlled by authentication. There are two ways to connect to an Analysis Server, each with its own authentication method.
• Direct Connection
  When a user attempts to connect to an Analysis Server directly, the server attempts to authenticate based on credentials granted in the domain account of the user.
  If the connection string specifies a user name and password different from the login account of the user, the specified name and password are ignored.
  If the credentials of the user do not permit access to the Analysis Server from the network, authentication is unsuccessful and the connection fails.
  Analysis Services uses Security Support Provider Interface (SSPI), and supports various providers that use SSPI.
• Internet Information Services (IIS)
  Users can connect to an Analysis Server through IIS by using Hypertext Transfer Protocol (HTTP). A connection string specifies the data source property.
  When a user attempts to connect through IIS, Analysis Server relies on IIS authentication. If authentication on IIS is unsuccessful, the connection to the Analysis Server is denied.
  Note: IIS provides several authentication methods. For additional information, refer to the Internet Information Services online documentation.

Understanding Database Roles

Topic Objective: To describe the concept of roles in Analysis Services.
Lead-in: To give users access to Analysis Services databases and cubes, you must first create roles to assign the access.

• Defining Roles
• Using the Database Role Manager
• Defining Database Role Properties

To give users access to Analysis Services databases and cubes, you must first create roles to assign the access. To effectively manage roles, you need to understand the use of roles in Analysis Services, and how to create roles by using Analysis Manager.

In the next section, you will learn about the following security topics relating to roles:
• Defining roles.
• Using the Database Role Manager.
• Defining database role properties.

Defining Roles

Topic Objective: To define Analysis Services roles.
Lead-in: You create roles to define the access of users to cube data or data mining models while they connect to Analysis Server through client applications.

• Are Used to Grant Access to Analysis Services Databases and Cubes
• Must Be Created—None Exist By Default
• Cannot Be Shared Across Multiple Databases
• Are Automatically Created at the Database Level if You Create Roles at the Cube Level
• Are Managed in the Database Role Manager and the Cube Role Manager

You create roles to define the access of users to cube data or data mining models while they connect to Analysis Server through client applications. Each role includes a list of user accounts and groups, and defines the access permissions that these users share.

The following are key parameters regarding roles:
• You define roles for Analysis Services databases and for the cubes in the databases.
• By default, OLAP databases and cubes have no roles. When no roles are defined, only OLAP Administrators have access to the cubes.
• You cannot share roles across multiple databases.
• When you create a cube role, a database role of the same name is automatically created.
  • When you delete a cube role, the database role of the same name is not deleted.
  • Some properties of a database role are overridden by the corresponding cube or virtual cube roles without changing the properties of the database role.
  Note: Database roles cannot be overridden for a data mining model. For more information on data mining, see Module 17, “Introduction to Data Mining,” in course 2074A, Designing and Implementing OLAP Solutions with Microsoft SQL Server 2000.
• There are two user interfaces for defining and managing roles—the Database Role Manager dialog box and the Cube Role Manager dialog box.
  To display the Database Role Manager for a database, right-click the database, and then click Manage Roles. To display the Cube Role Manager for a cube, right-click the cube, and then click Manage Roles.

Using the Database Role Manager

Topic Objective: To introduce the Database Role Manager dialog box.
Lead-in: You use the Database Role Manager dialog box to define and administer roles for the database.
Delivery Tip: Display the Database Role Manager dialog box as you discuss the user interface elements.

You use the Database Role Manager dialog box to define and administer roles for databases. Roles can be assigned to cubes, including virtual and linked cubes, and data mining models.

Defining a Role
To define a new role for a database, perform the following steps:
1. Right-click the database, and then click Manage Roles.
2. Click New in the Database Role Manager dialog box.
3. Define the role properties by using the Create a Database Role dialog box that is discussed later in this section.

Deleting a Role
To delete a role in a database, perform the following steps:
1. Right-click the database, and then click Manage Roles.
2. In the Database Role Manager dialog box, click the role you want to delete.
3. Click Delete.

Editing a Role
To edit a role in a database, perform the following steps:
1. In the Database Role Manager dialog box, click the role you want to edit.
2. Click Edit.

Copying a Role
To copy a role in a database, perform the following steps:
1. In the Database Role Manager dialog box, click the role you want to copy.
2. Click Duplicate.
3. Enter a name for the new role, and then click OK.

Defining Database Role Properties

Topic Objective: To explain database role properties.
Lead-in: The Create a Database Role dialog box allows you to define properties of a role.
Delivery Tip: Display the Create a Database Role dialog box as you discuss the user interface elements.

The Create a Database Role dialog box allows you to define the following properties of a role:
• The users and user groups that belong to the role
• The cubes to which the role is assigned
• The data mining models to which the role is assigned
• The shared dimensions for which you want to restrict user access

The Create a Database Role dialog box contains interface elements similar to the Create a Cube Role dialog box. Both interfaces are straightforward to use when defining database and cube security.

Role Name
The role name can be up to 50 characters long. After a role is defined, the role name cannot be changed.

Enforce On
Roles can be enforced on either the client or the server. By default, roles are enforced on the client. Client enforcement provides superior performance, but increases the risk of unauthorized access. Server enforcement is more secure, but may affect performance.
Note: Cell security, discussed later, requires that security be enforced on the client.

Membership
On the Membership tab, you specify which users or user groups belong to the role. Users and user groups must be predefined by using Windows 2000 or Windows NT 4.0 user administration.

Cubes
On the Cubes tab, you specify the cubes to which the role is assigned. A role
can be assigned to any type of cube—regular, virtual, or linked. After a role is
assigned to a cube, some properties of the role can be customized for the cube
without changing the database role.
Mining Models
On the Mining Models tab, you specify the data mining models to which the
role is assigned.
Dimensions
The Dimensions tab allows you to restrict access to dimension members. Only
shared dimensions display on this tab. To restrict access to a private dimension,
you must use the Cube Role Manager dialog box.

Implementing Dimension Security

Topic Objective: To introduce dimension security.
Lead-in: By using dimension security, you prevent users from viewing specified dimension members and data associated with those members.
Delivery Tip: Display the Custom Dimension Security dialog box as you discuss the user interface elements.
Key Point: By using dimension security, you prevent users from viewing specified dimension members and data associated with those members.

By using dimension security, you prevent users from viewing specified dimension members and data associated with those members. For example, the preceding illustration shows a dimension security rule that limits access to Roberta Damstra and her employees. Any users connecting to the cube through this role will see data and dimension members for only Roberta Damstra and her subordinate employees at lower levels in the Employee dimension.

Dimension security is defined by using the Custom Dimension Security dialog box, which contains three tabs.

Basic Tab
The Basic tab on the Custom Dimension Security dialog box provides the following security properties:
• Select visible levels
  This pane allows you to specify the top and bottom visible levels in the dimension. Use these settings if you want to deny access to entire levels.
• Select members
  This pane displays a check box next to each dimension member. Selected members are visible to users assigned to the role. Deselected members are not visible to the users.

Advanced Tab
For complex dimension security, the Advanced tab allows you to enter multidimensional expression (MDX) statements that define the dimension members viewable by users assigned to the role.
On the Advanced tab:
• Data inputs from the Basic tab are represented as MDX statements. You can edit the MDX statements directly in the edit boxes, or you can click the ellipsis buttons (…) to display the MDX Builder dialog box.
• Separate MDX statements define the top viewable level, the bottom viewable level, the visible members, and the invisible members.

Common Tab
The Common tab lists two important features:
• Visual Totals
  When you enable this property, members that are hidden because of dimension security are not included in aggregations.
  When you do not enable the Visual Totals property, a parent member value may not equal the value of its visible children. In addition, when visual totals are disabled, users may be able to deduce the values for hidden members. When you hide dimension members, you normally enable the Visual Totals property to prevent these problems from occurring.
  Note: Visual totals cannot be enabled for a cube containing a measure based on a distinct count. For more information on distinct count measures, see Module 6, “Working with Cubes and Measures,” in course 2074A, Designing and Implementing OLAP Solutions with Microsoft SQL Server 2000.
• Default Member
  For users assigned to the role, this property—an MDX statement—specifies the default member for the defined dimension. The MDX statement can be a simple member name, or a complex expression that evaluates the member name dynamically.
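
The effect of the Visual Totals property described above, as an added example that is not part of the course material and is not Analysis Services code. It is a simplified Python model: the hierarchy, the Salary values, and the members "Manager X", "Employee R1", "Employee R2" and "Employee X1" are constructed, and it assumes a role sees its allowed subtree plus that subtree's ancestors.

```python
# Added illustration: a simplified model of dimension security with and
# without Visual Totals. Not Analysis Services code; all data is constructed.

# Constructed Employee dimension (child -> parent). "Manager X" and
# "Employee X1" are hypothetical members that the role must not see.
PARENT = {
    "All Employees": None,
    "Roberta Damstra": "All Employees",
    "Manager X": "All Employees",
    "Employee R1": "Roberta Damstra",
    "Employee R2": "Roberta Damstra",
    "Employee X1": "Manager X",
}
# Constructed leaf-level values for a Salary measure.
LEAF_SALARY = {"Employee R1": 40, "Employee R2": 35, "Employee X1": 90}


def children(member):
    return [m for m, p in PARENT.items() if p == member]


def subtree(member):
    """The member and all of its descendants."""
    out = [member]
    for child in children(member):
        out.extend(subtree(child))
    return out


def visible_members(allowed_root):
    """Assumed rule: the role sees the allowed subtree plus its ancestors."""
    seen = set(subtree(allowed_root))
    parent = PARENT[allowed_root]
    while parent is not None:
        seen.add(parent)
        parent = PARENT[parent]
    return seen


def displayed_value(member, visible, visual_totals):
    """Aggregate shown to a role user for one visible member."""
    if member not in visible:
        raise PermissionError(f"{member} is hidden from this role")
    leaves = [m for m in subtree(member) if m in LEAF_SALARY]
    if visual_totals:
        # Hidden members are left out of the aggregation.
        leaves = [m for m in leaves if m in visible]
    return sum(LEAF_SALARY[m] for m in leaves)


def unexplained_remainder(parent, visible, visual_totals):
    """Parent total minus its visible children: a nonzero result means the
    total discloses the combined value of the hidden children."""
    shown = [c for c in children(parent) if c in visible]
    return displayed_value(parent, visible, visual_totals) - sum(
        displayed_value(c, visible, visual_totals) for c in shown
    )


if __name__ == "__main__":
    role_view = visible_members("Roberta Damstra")
    for flag in (False, True):
        print(
            "visual_totals=%s  All Employees=%d  Roberta Damstra=%d  remainder=%d"
            % (
                flag,
                displayed_value("All Employees", role_view, flag),
                displayed_value("Roberta Damstra", role_view, flag),
                unexplained_remainder("All Employees", role_view, flag),
            )
        )
```

With one hidden sibling, the remainder equals that sibling's total exactly; with several hidden siblings it equals their sum.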

Demonstration: Defining a New Database Role

Topic Objective: To demonstrate how to define a database role.
Lead-in: In this demonstration, you learn how to add a new role to the FoodMart 2000 database.
Delivery Tip: Encourage students to follow along with your demonstration.

In this demonstration, you learn how to add a new role to the FoodMart 2000 database.

To display the Create a Database Role dialog box
1. In Analysis Manager, right-click the FoodMart 2000 database, and then click Manage Roles.
2. In the Database Role Manager dialog box, click New.

To specify basic properties
1. In the Create a Database Role dialog box, type My New Role in the Role name box.
2. In the Enforce on list, click Server.

To specify role membership
1. In the Create a Database Role dialog box, click the Membership tab, and then click Add.
2. In the Add Users and Groups dialog box, click any user group, and then click Add.
3. Click OK to close the Add Users and Groups dialog box.

To assign the role to a cube
1. In the Create a Database Role dialog box, click the Cubes tab.
2. Select the HR cube check box.
3. Click OK to close the Create a Database Role dialog box.
4. Click Close to close the Database Role Manager dialog box.
5. In the FoodMart 2000 database, expand the Cubes folder.
6. Click the HR cube, and then click the Meta Data tab.
7. In the Meta Data pane, scroll down to Roles. Verify that role My New
Role is assigned to the cube.

Managing Cube Roles

Topic Objective: To introduce the concept of managing cube roles.
Lead-in: This section explains how to manage cube roles.

• The Cube Role Manager
• Dimension and Cell Security
• Advanced Cell Security Permissions
• Administration of Custom Options

This section introduces how to manage cube roles by using the Cube Role Manager. The section also explains dimension and cell security, advanced cell security permissions, and the administration of custom options.

The Cube Role Manager

Topic Objective: To introduce cube roles.
Lead-in: A cube role defines access permissions for cubes, including virtual cubes and linked cubes.
Delivery Tips: Display the appropriate interface of the Cube Role Manager dialog box as you discuss this section and the following slides pertaining to cube role management. As necessary, switch between the slides and the Cube Role Manager interfaces.
Key Point: A cube role defines access permissions for cubes, including virtual cubes and linked cubes.

A cube role defines access permissions for cubes, including virtual cubes and linked cubes. To create and maintain cube roles, use the Cube Role Manager dialog box.

To display the Cube Role Manager dialog box, perform the following steps:
1. Expand the database, and then expand the Cubes folder.
2. Right-click the cube, and then click Manage Roles.

The Cube Role Manager Dialog Box
The Cube Role Manager dialog box is similar to the Database Role Manager dialog box. However, there are a few differences:
• The leftmost column on the dialog box contains check boxes. Only the selected roles are assigned to the cube.
• The Cube Role Manager allows you to define cell security.
• The Cube Role Manager allows you to define drillthrough, cube linking, and SQL query permissions.
  Note: For more information about drillthrough, see Module 14, “Using Actions, Drillthrough, and Writeback,” in course 2074A, Designing and Implementing OLAP Solutions with Microsoft SQL Server 2000.
• The Cube Role Manager allows you to establish security for both private and shared dimensions, whereas the Database Role Manager lists only shared dimensions.

Working with the Cube Role Manager
When you create a new role by using the Cube Role Manager, a database role
of the same name is automatically created.
To define a new cube role by using the Cube Role Manager, perform the
following steps:
1. In the Cube Role Manager dialog box, click New.
2. Define the role properties by using the Create a Cube Role dialog box.
To edit a cube role in the Cube Role Manager, perform the following steps:
1. In the Cube Role Manager dialog box, click the appropriate role.
2. Click Edit.
To copy a cube role in the Cube Role Manager, perform the following steps:
1. In the Cube Role Manager dialog box, click the role you want to copy.
2. Click Duplicate.
3. Enter a name for the new role, and then click OK.
To test a cube role in the Cube Role Manager, perform the following steps:
1. In the Cube Role Manager dialog box, click the role you want to test.
2. Click Test Role.
The Cube Browser dialog box appears, showing what an assigned user sees
in the cube.
To delete a cube role in the Cube Role Manager, perform the following step:
• In the Cube Role Manager dialog box, deselect the check box of the role.

Dimension and Cell Security

Topic Objective: To explain dimension and cell security.
Lead-in: You can assign detailed access to a cube by applying dimension and cell level security in the Create a Cube Role dialog box.

• Dimension Security in Cubes
  • The cube interface is almost identical to the database interface
  • You can define dimension security for shared and private dimensions
• Cell Security
  • It is the most detailed level of security
  • You first define the cell security policy
    • Unrestricted Read
    • Unrestricted Read/Write
    • Advanced

You assign detailed access to a cube by applying dimension and cell level security in the Create a Cube Role dialog box. The Create a Cube Role dialog box is a superset of the Create a Database Role dialog box. Discussed below are the elements that are unique to cube roles.

Dimension Security in Cubes
As with database roles, cube roles allow you to define dimension security. The user interface for defining dimension security in a cube is identical to the interface for defining dimension security in a database, with one key exception: a cube role allows for dimension security for private dimensions in addition to shared dimensions.

Cell Security
Cell security is the most detailed level of security—you use cell security to restrict access to cell values. Define cell level security on the Cells tab in the Create a Cube Role dialog box.

To define cell security, you must first specify the cell security policy. The cell security policy designates the overriding policy for the cube and is set to one of the following three options:
• Unrestricted Read. Users belonging to the role can view all cells. This is the default policy.
• Unrestricted Read/Write. Users belonging to this role can view and update all cell values. This option is only available if the cube, or underlying base cubes for a virtual cube, is write-enabled.
• Advanced. The role can view only those cells specified by the advanced cell security described in the next section.

Advanced Cell Security Permissions

Topic Objective: To introduce advanced cell security permissions.
Lead-in: The three types of advanced permissions are Read Permission, Read Contingent Permission, and Read/Write Permission.

• Read Permission
  • Determines the cells that users can view
• Read Contingent Permission
  • Determines if cells derived from restricted cells are viewable by users
    • Cells are viewable if derived from viewable cells
    • Cells are not viewable if derived from restricted cells
• Read/Write Permission
  • Determines the cells that users can update

If you select the Advanced policy for cell security, you can define three types of permissions for cells, each of which has three types of rules that can be applied. The three types of advanced permissions are Read Permission, Read Contingent Permission, and Read/Write Permission.

In each of these permissions, the three types of rules that can be applied are Unrestricted, Fully Restricted, and Custom.

Read Permission
Read permission determines the cells that are viewable to users of the role. The cells specified with this permission are viewable regardless of whether they are derived from other cells that are not viewable. The read permission choices are:
• Unrestricted. Users belonging to the role can view all cells. This is the default read permission choice.
• Fully Restricted. The users belonging to this role can view only those cells specified by read contingent or read/write permissions described below.
• Custom. The users belonging to this role can view only those cells specified by an MDX statement.

Note: If the Advanced Cell Security Rule for the Read Contingent or Read/Write Permission is Unrestricted and you create a Custom Rule for the Read Permission, the setting for Read Contingent and Read/Write is changed automatically to Fully Restricted on saving the role.

Read Contingent Permission
Read contingent permission determines whether cells that are derived from
restricted cells are viewable to the user. Cells specified with this permission and
derived from other cells are viewable only if all the source cells are also
viewable.
For example, suppose a cube contains the measures Sales and Cost and the
calculated member Profit, which equals Sales minus Cost. If a custom MDX
expression grants access to all measures except Cost, Cost and Profit would
both be unavailable.
The read contingent permission choices are:
• Unrestricted. Users belonging to the role can view all cells. This is the default choice.
• Fully Restricted. Users belonging to the role can view only those cells specified by Read or Read/Write permissions.
• Custom. Viewable cells are specified by an MDX expression. By using the above example, if Cost were restricted, Profit would also be restricted because it uses the restricted Cost measure in its calculation.

Read/Write Permission
Read/write permission determines the cells that users can update by using the
writeback capability of Analysis Services. The cube must be write-enabled for
this setting to take effect.
Read/write permission overrides read permission—that is, if a user is granted
read/write permission, that user is able to view the cell even if read permission
is denied.
The read/write permission choices are:
• Unrestricted. Users belonging to the role can update all cells.
• Fully Restricted. Users belonging to the role cannot update any cells but can read cells as specified by Read or Read Contingent permissions.
• Custom. An MDX expression defines the cells that can be both read and updated.

Note: For more information on writeback, see Module 14, “Using Actions, Drillthrough, and Writeback,” in course 2074A, Designing and Implementing OLAP Solutions with Microsoft SQL Server 2000.
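
The three advanced permissions described in this section, modelled as an added example that is not part of the course material and is not Analysis Services code. It assumes a write-enabled cube, Python predicates standing in for Custom MDX rules, and that a cell is viewable when any one permission grants it; it goes slightly beyond the text by flagging hidden cells that a readable derived cell gives away.

```python
# Added illustration: a simplified model of the Advanced cell security
# policy. Not Analysis Services code; the cube below is constructed.

# Constructed cube cells: each cell maps to the cells it is derived from.
# Profit is the calculated member from the text (Sales minus Cost).
SOURCES = {"Sales": [], "Cost": [], "Profit": ["Sales", "Cost"]}


def unrestricted(cell):
    return True


def fully_restricted(cell):
    return False


def all_except(*denied):
    """Stand-in for a Custom rule; a real rule is an MDX expression."""
    return lambda cell: cell not in denied


def only(*granted):
    """Stand-in for a Custom rule that names the granted cells."""
    return lambda cell: cell in granted


class CellRole:
    """Three permissions, each holding one rule (a predicate over a cell)."""

    def __init__(self, read=fully_restricted,
                 read_contingent=fully_restricted,
                 read_write=fully_restricted):
        self.read = read
        self.read_contingent = read_contingent
        self.read_write = read_write

    def can_write(self, cell):
        # Assumption: the cube is write-enabled.
        return self.read_write(cell)

    def can_read(self, cell):
        # Read and read/write grants apply regardless of derivation.
        if self.read(cell) or self.read_write(cell):
            return True
        # A read contingent grant holds only if every source cell is viewable.
        if self.read_contingent(cell):
            return all(self.can_read(src) for src in SOURCES[cell])
        return False


def recoverable_cells(role):
    """Audit check: hidden cells that a readable derived cell gives away.

    Assumes derived cells are invertible arithmetic, as Profit is, so one
    hidden source can be solved for once every other term is readable.
    """
    leaked = set()
    for cell, sources in SOURCES.items():
        if sources and role.can_read(cell):
            hidden = [s for s in sources if not role.can_read(s)]
            if len(hidden) == 1:
                leaked.add(hidden[0])
    return leaked


def readable(role):
    return sorted(c for c in SOURCES if role.can_read(c))


# The same custom rule ("all measures except Cost") under two permissions,
# plus a role whose only grant is read/write on Sales.
READ_ROLE = CellRole(read=all_except("Cost"))
CONTINGENT_ROLE = CellRole(read_contingent=all_except("Cost"))
WRITER_ROLE = CellRole(read_write=only("Sales"))

if __name__ == "__main__":
    for name, role in [("read", READ_ROLE),
                       ("read contingent", CONTINGENT_ROLE),
                       ("read/write", WRITER_ROLE)]:
        print(name, readable(role),
              "recoverable:", sorted(recoverable_cells(role)))
```

Under Read permission the rule leaves Profit viewable, so Cost can be computed from Sales and Profit; under Read Contingent permission the same rule withholds both Cost and Profit, as the text describes.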