SSAS Analytics Service role-based dynamic authorization

Background:

An analysis database that contains multiple products, business data for various regions of the country (such as sales data, etc.),

Requirements

1: Individual product owners view data for their products

2: Each region can only view its own data

Scheme:

SQL 2005 has role-based licensing services that control access to data by setting up product and region roles.

Steps:

0: Set up accounts and security groups on the domain

Setting up security groups: Products (mbiproducts), Regions (mbidepartment)

If you have not established an account to view your product or region data, set up your account

1: Add account attributes in the region dimension and Product Dimensions (the account's data should be imported into this property when processing data)

2: Add the Role "product",

Account mapping:

The data source is: Read

One of the key points is "Cell Data": [Product]. [Account].currentmember=strtotuple ("[Product].[ Account].&["+lcase (UserName) +"] "), which controls that the role does not allow access to other unauthorized cells (show N/a when accessed).

Key point two: StrToTuple ("[Product].[ Account].&["+lcase (UserName) +"] "),

This is used to control the use of the dimension when only the authorized dimension is displayed, the other dimensions will not be displayed (because the data displayed is N/a)

Note Enable, so that total is the authorized total instead of the real total.

Here, the function is set up.

Test tip:

Using the cube's browser (Browser) to test role-based permissions is most convenient.

Simply click the switch user in the upper-left corner to switch to the desired user,

Final effect:

Admin user, can see all varieties:

Individual product users, looking at only a single symbol:

Region-based authorization and the above product-based authorization process are identical.

SSAS Analytics Service role-based dynamic authorization