Creating Security Roles

This topic describes procedures for enabling cube users to access cube data. For information about enabling administrators to access cube data and metadata, see Access Control.

Microsoft® SQL Server™ OLAP Services uses Microsoft Windows NT® user accounts and groups to define roles for user access to databases and cube data. Essentially, you combine user accounts and groups into roles and then assign the roles to cubes. Set up these user accounts and groups in Windows NT User Manager before creating roles in OLAP Services.

To implement cube-specific security using roles, you must perform two procedures. First, you create roles for each database by combining user accounts and groups. Second, for each cube in the database, you select the roles that can access the cube. These procedures are described in this topic.

The default permission for roles is read (that is, read-only), but you can also allow read/write permission for select role-cube combinations. Read/write permission allows users in the role to save changes to the cube’s data. However, because the changes are saved separately from the original cube data, they affect only displayed cube data and can be deleted if necessary. The separately stored changes are called write-back data. For more information, see Maintaining Write-Enabled Cubes and Write-Back Data.

To create a role for a database, use the Create a Database Role dialog box.

To create a database role

  1. In the OLAP Manager tree view, under a database, expand the Library folder.
  2. Right-click the Roles folder, and then click New Role.
  3. In the Create a Database Role dialog box, type a role name and description.
  4. Click Groups and Users.
  5. In the Add Users and Groups dialog box, in the List Names From list, click the domain from which to select users and groups.
  6. To display users under Names, click Show Users.
  7. To display a group’s members, click the group, and then click Members.
  8. To add a user or group to the role, click the user or group, and then click Add.
  9. After you have added all desired users and groups to the role, click OK.
  10. In the Create a Database Role dialog box, click OK.

After you create all required database roles, use the Manage Roles dialog box to select the database roles that can access a cube.

To select the database roles that can access a cube

  1. In the OLAP Manager tree view, under a database, expand the Cubes folder.
  2. Right-click the cube, and then click Manage Roles.
  3. In the Manage Roles dialog box, select the roles that will access the cube, and then click > (Add).
  4. To grant read/write permission to a role, under Cube access, click the role, and then select Grant read/write permission.
  5. Click OK.

Read/write permission granted to a role is effective only if the cube is write-enabled. For more information, see Write-Enabling a Cube.

After you change the roles of a cube, you must process dependent virtual cubes to provide users continuing access to them. (This processing is much faster than processing the component cubes if the component cubes’ structures have not changed since their last processing.) When you change the roles, virtual cube users connected to the server computer are unaffected as long as they remain connected. However, until you process the dependent virtual cubes, users who connect will be unable to see them.

See Also

Security

(c) 1988-1998 Microsoft Corporation. All Rights Reserved.