Skip to content

Get the most out of MSSQL !

Consultant & Trainer for all things MSSQL

  • Home
  • Company
  • Business Intelligence
  • Simply Better Business

User based security in SSAS

Posted on October 25, 2014March 20, 2021 by jayanth.kurup

Recently a trainee from one of my MSBI trainings contacted me about how to implement user based security in SSAS. This is a common requirement where companies want all users to be able to access and use the cube but not all parts of it. A simple example would be to split metrics for sales data by region so that the manager of one region cannot see data for other managers in order to find out where he stands relatively.

The best way to manage a large number of users is to create a mapping table between all users and any permission they might have. E.g. in the below screenshot I am mapping a training co-ordinator with a client so that each manager can see the survey results only for his clients. The basic ER diagram shows the fact table answers which contain 15 Million rows, each row maps to an answer for 1 out of 17 questions asked to the student who attended the course. The student is mapped to a company and the company in turn is managed by a manager. The users table contains the Windows username of the allowed users and the Coordinator table contains the mapping between the user and the accounts or clients that he manages.

The below screenshots show examples of the data in the users and coordinator tables

Once the mapping table is related to the Companyid column in the student table we get to see how the bridge table connects the users to the dimension Students and in turn to the Fact table answers.

If all the dimensions and facts are properly related to each other then we can now start establishing the permissions by creating a role for allowed users.

Grant the role permission to read the cube first.

Then under Dimension data select the dimension to which the bridge table is connected (this could require selecting multiple tables such as region, SBU, Branch, etc.).

Under the dimension drop down select the attribute on which the mapping takes place , in this case I am filtering rows based on Company id which sis a column in the student dimension.

If there is already a permission defined then you will find the attributes security defined in brackets else it will be blank.

Next select the Advanced tab and enter the MDX expression to limit the rows to attribute keys that this user has permission for.

nonempty ([Student].[Company Id].[company id] ,

([Measures].[Coordinator Count],

STRTOMEMBER(“[Users].[Username].&[“+username()+”]”)))

I am getting the user name of the current user and converting the string into a member. This member is then based to the set to find out what company ids this user is mapped to which result in nonempty results. If non empty is not specified the user has access across the board. Instead of managing individual user level permission here we usually recommend the AD create roles for groups of users and the group are mapped within the cube. This ensures that permissions are granted and revoked cleanly across the enterprise.

Be sure to check the box for visual totals if you don’t want managers to reverse engineer the splits by deducting from grant total.

And you’re all set. Knowing MDX is very important to implement security in SSAS and as such the role of granting and removing permissions lie with the developer and not the DBA as is common with the relational database.

Please Consider Subscribing

Subscribe

CategoriesDatabasesTagsaccess, account, administration, age, AI, Analysis Services, answer, app, AWS, Azure, azurewebsites, Bangalore, basic, Bengaluru, BigData, BLR, board, box, branch, bridge table, Business Intelligence, case, check, clean, client, Cloud, column, company, Company id, Consultant, Consulting, contact, COO, coordinator, Coordinator table, Corporate, count, course, CREATE, CTE, cube, Current User, Data, database, dba, defined, developer, development, diagram, dimension, dimension data, drop, E.g, Enabled Business Solutions, enabledbusiness, end, enterprise, etc., example, expert, expression, fact, fact table, fact table answer, fine, Grant, group, index, India, individual, int, Jayanth, key, Kurup, large number, level, lie, limit, manager, mapping, mapping table, mdx, measure, member, metrics, Migration, ML, ms sql server, MSBI, MSBI training, MSSQL, MYSQL, name, network, number, Oracle, part, permission, place, png, power pivot, Power Query, PowerApps, PowerBI, Powershell, pre, Press, Python, question, RAM, RDBMS, region, Remote, requirement, result, role, roles, row, ROWS, sale, sales data, screenshot, screenshots, sec, security, SELECT, set, show, shows, Simple, simple example, site, split, SQL 2000, SQL 2005, SQL 2008, sql 2008 r2, sql 2012, SQL 2014, SQL 2016, SQL 2017, SQl 2019, SSAS, SSIS, SSMS, SSRS, star, start, string, student, T-SQL, tab, Tables, tools, total, trainee, trainer, training, Transact, tuning, Upgrade, uploads, Uri, user, User Name, username, USER_NAME, Very large database, Virtual, virtual machine, visual studio, visual total, VM, Web, website, Websites, window, windows

jayanth.kurup

This post was written by Jayanth Kurup. A Microsoft SQL Server Consultant and Trainer based out of Bangalore, India. Jayanth has been working on MS SQL Server for over 15 years. He is a performance tuning and Business Intelligence expert. Having worked with companies like Microsoft, DELL, Wells Fargo, Thomson Reuters and many other fortune 100 companies. Some other technologies Jayanth works on include Microsoft Azure, PowerBI, Python and AWS. When he isn’t consulting or training, Jayanth like to travel, paint and read. He is also very active in social causes and the founder of Enabled Business Solutions. Visit his company by clicking the link in the menu or email him directly.

Post navigation

PreviousPrevious post: Game Theory and Databases
NextNext post: Proof that MS SQL Server is the better relational database

The Latest

  • Query to find execution time of Jobs July 28, 2021
  • A simple script to decapitalize Column names July 19, 2021
  • My personal side effects with Covishield June 27, 2021
  • Setting up and Configuring CUDA, CUDNN and PYTorch for Python Machine Learning. June 3, 2021
  • keras.utils.generic_utils’ has no attribute ‘populate_dict_with_module_objects May 30, 2021
  • Simple Function to capitalize a string May 13, 2021
  • Boolean Hell – Missed rows when grouping in SQL April 20, 2021
  • What is the role of the DBA in a Cloudy world? April 15, 2021
  • Memory Configuration in MS SQL Server April 15, 2021
  • No process is on the other end of the pipe April 9, 2021

Find By Category

  • Azure
  • Databases
  • Events
  • Performance Tuning
  • PowerBI
  • Uncategorized
  • Website Design

Archive

  • July 2021 (2)
  • June 2021 (2)
  • May 2021 (2)
  • April 2021 (5)
  • March 2021 (10)
  • January 2021 (2)
  • November 2020 (2)
  • October 2020 (3)
  • September 2020 (4)
  • August 2020 (6)
  • July 2020 (1)
  • June 2020 (32)
  • May 2020 (18)
  • April 2020 (2)
  • March 2020 (4)
  • February 2020 (5)
  • January 2020 (1)
  • December 2019 (1)
  • November 2019 (14)
  • October 2019 (3)
  • September 2019 (1)
  • July 2019 (3)
  • June 2019 (2)
  • May 2019 (1)
  • April 2019 (2)
  • March 2019 (1)
  • January 2019 (4)
  • December 2018 (2)
  • November 2018 (4)
  • September 2018 (6)
  • August 2018 (2)
  • July 2018 (3)
  • June 2018 (4)
  • May 2018 (1)
  • April 2018 (4)
  • March 2018 (3)
  • February 2018 (3)
  • January 2018 (1)
  • December 2017 (2)
  • November 2017 (4)
  • August 2017 (2)
  • July 2017 (5)
  • May 2017 (1)
  • March 2017 (3)
  • January 2017 (3)
  • December 2016 (2)
  • November 2016 (2)
  • October 2016 (4)
  • September 2016 (1)
  • August 2016 (1)
  • July 2016 (1)
  • June 2016 (1)
  • May 2016 (2)
  • April 2016 (1)
  • March 2016 (14)
  • February 2016 (10)
  • January 2016 (19)
  • December 2015 (3)
  • November 2015 (5)
  • October 2015 (10)
  • September 2015 (9)
  • August 2015 (16)
  • July 2015 (13)
  • June 2015 (4)
  • May 2015 (2)
  • April 2015 (2)
  • March 2015 (7)
  • February 2015 (3)
  • January 2015 (22)
  • December 2014 (1)
  • November 2014 (5)
  • October 2014 (12)
  • September 2014 (5)
  • August 2014 (7)
  • July 2014 (41)
  • June 2014 (9)
  • May 2014 (12)
  • April 2014 (32)

Members Only

  • Log in
  • Entries feed
  • Comments feed
  • WordPress.org
Proudly powered by WordPress