Dimension Security in Analysis Services 2005 (by Richard Tkachuk)
Introduction
Analysis Services 2005 has two security models for securing data: dimension security and cell security. Dimension security is used to permit or deny access to members of a dimension and any data associated with those members. Cell security permits or denies access to cell values only.
For example, consider the example of a cube containing a customers dimension with a country attribute hierarchy and two measures, sales and expense.
Measures Customer.Country |
Sales |
Expense |
|
10 |
30 |
|
30 |
18 |
|
20 |
20 |
If this simple example secures the values for
Measures Customer.Country |
Sales |
Expense |
|
10 |
30 |
|
30 |
18 |
|
#N/A |
#N/A |
If
Measures Customer.Country |
Sales |
Expense |
|
10 |
30 |
|
30 |
18 |
Unlike the cell security example, the member doesn’t appear to exist.
Dimension security is defined on each attribute hierarchy and is applied wherever the attribute is used. For example, if dimension security is defined on Product.[Product Name] attribute hierarchy and the attribute sources the [Product Name] level in separate user hierarchy, dimension security is applied in both places.
AllowedSets and DeniedSets
Dimension security is defined with AllowedSets and DeniedSets on a dimension’s attribute hierarchies. As their names suggest, users can see members in the AllowedSet and can’t see them if included in DeniedSet (if included in both, the member is denied).
The interesting thing is how security one attribute affects other attributes. For allowed sets, the behavior is straightforward. If a member of another attribute exists with the allowed set, it is allowed unless explicitly disallowed. If a member does not exist with a member of the allowed set, it is disallowed (unless explicitly allowed).
For example, if the allowed set is {Customer.Country.USA}, all states, cities, customers in
For denied sets, the behavior is different. Members of other attribute hierarchies that exist with the denied set are disallowed if the attribute on which the denied set is defined is directly or indirectly related to the other attribute. In other words, denied sets on an attribute A affect another attribute B only if there is relationship between them such that A is related directly or indirectly to B.
That might have to be read a couple times before it can be understood so let’s consider an example. If the denied set is {Customer.State.WA} and attribute relationships are defined as Customer.Name à Customer.City à Customer.State à Customer.Country (where the symbol à represents an attribute relationship), then all cities and names in Washington are denied because they only exist in WA and because State is directly related to City and indirectly related to Name. However, members of the Country attribute hierarchy are unaffected. Any other attributes such as gender, age or whatever would be unaffected.
Common Scenarios with AllowedSets and Denied Sets
Four common security scenarios are described below. In each it is assumed that an attribute relationship exists between each attribute sourcing the levels; that is, Customer.Name à Customer.City à Customer.State à Customer.Country.
Scenario 1: Ascendants and descendants of a member are allowed
Attribute |
AllowedSet |
DeniedSet |
Country |
|
|
State |
|
|
City |
{Customer.State.SJ} |
|
Name |
|
|
Scenario 2: Descendants of a member are not allowed
Attribute |
AllowedSet |
DeniedSet |
Country |
|
|
State |
|
{Customer.State.OR} |
City |
|
|
Name |
|
|
Scenario 3: Bottom Level Cut Off
Attribute |
AllowedSet |
DeniedSet |
Country |
|
|
State |
|
|
City |
|
|
Name |
|
Customer.Name.Name.members |
Scenario 4: Unbalanced Hierarchy
Security is defined such that more detail is available among some members of a hierarchy, but are secured in others:
Attribute |
AllowedSet |
DeniedSet |
Country |
|
|
State |
|
|
City |
|
Exists(Customer.City.City.members, Customer.State.CA) |
Name |
|
Customer.Name.Name.members |
Visual Totals
If a member of an attribute hierarchy is secured, one has two choices to how data rolls up to the all member of the hierarchy:
- users see the true totals
- users see the totals of the data they are permitted to see
This is best illustrated with an example. Returning to the original example of Sales in countries:
Customer.Country |
Sales |
All |
60 |
|
10 |
|
30 |
|
20 |
If Country.Mexico is secured, what is the value for the sales for all countries?
Customer.Country |
Sales |
All |
??? |
|
10 |
|
30 |
Is it 60 (the original total) or 40 (the aggregate of the values the user is permitted to see)?
The answer is up to the individual designing the security definition and how the Visual Totals property is defined for the country attribute. If Visual Totals is off, the totals remain their true value; if on, users see the aggregate of what they are permitted to see.
Dimension Security Inheritance
Dimension security can be defined on the shared dimension or on the cube dimension. If dimension security is defined on the shared dimension, it is inherited in all cubes containing the dimension. If dimension security is defined on the cube dimension, this inheritance relationship is severed; however, if the dimension security on the cube dimension is completely eliminated the inheritance rules are restored.
This behavior reduces administration costs – dimension security can be defined in one place and automatically inherited wherever it is used.
Conclusion
Dimension security allows security to be defined such that almost any part of a dimension can be secured from view. Visual totals can be turned on or off such that users need not be aware that the dimension contains members they are not permitted to see.
Tags: security