Creating a cube security model with the Design Studio

Use Design Studio to define how the cube server restricts access to cubes and dimension members.

Before you begin

You must create a cube as a part of your cube model before you can create a security model.

Procedure

To create a security model:
  1. Open the Properties view of the cube, hierarchy, or cube facts object for which you want to restrict access.
    1. In the Data Project Explorer view, expand the Data Models folder of your data warehousing project and open the OLAP Objects folder of your data source.
    2. Under your cube model, select the cube, hierarchy, or cube facts object for which you want to restrict access.
    3. Click Window > Show View > Properties.
  2. Enable security for your cube, hierarchy, or cube facts object.
    1. In the Properties view, click the Authorizations tab.
    2. Select Enable Security.
  3. Optional:
    Hierarchies and cube facts objects each have two default security policies that cannot be modified: a policy that allows all access and a policy that denies all access. Additionally, you can define your own custom security policies. A custom security policy contains two MDX expressions that specify the elements to which you are allowing or restricting access.
    Note:
    Cubes have only the two default policies. You cannot create custom security policies for cubes.

    To create a custom security policy for a hierarchy or a cube facts objects:

    1. In the Properties view, click the Policies tab.
    2. Click Add policy plus sign .
    3. Type a name and description for your new policy.
    4. If you want to specify elements to which to allow access, select the Allowed field of your new policy and click the ellipsis ellipsis button. Use the MDX Expression Builder window to specify the elements to allow access. You can either directly type an expression in the window, or build an expression by double-clicking items in the lists.
    5. If you want to specify elements to which to deny access, select the Denied field of your new policy and click the ellipsis ellipsis button. For member set policies of hierarchies and cube facts, you can use the MDX Expression Builder window to specify the elements to restrict.
      Important: If you deny access to a complete dimension, user roles that are assigned to this policy will not have access to any of the data of the cube because no queries will return results. In this situation, your reporting application will generally indicate an error.
    Repeat steps b–e for each custom policy that you want to define.
  4. Specify authorizations for your cube, hierarchy, or cube facts object. An authorization assigns security policies to user roles. The user roles that you specify in the design studio correspond to the user roles that you specify for your cube server by using the administration console. When you import your security model, you will map the user roles in the model to user roles in the cube server.
    Note: All the hierarchies of a shared dimension share policies and authorizations. When the policies and authorizations of a particular hierarchy are imported, all hierarchies that belong to the same shared dimension are affected.
    1. In the Properties view, click the Authorizations tab.
    2. Click Add authorization plus sign.
    3. Type the name of a user role in the Role Name field. You can create a new user role, or specify an existing user role.
      Tip: If any user roles are already defined, you can see a list of them in the Properties view of the OLAP Roles object in your OLAP Objects folder.
    4. Type the name of a security policy in the Policy Name field. You can create a new policy, or specify an existing policy.
    Repeat steps b–d for each authorization that you want to define.
  5. Optional: Validate your security model.
    1. Right-click your cube model and click Analyze Model.
    2. In the Analyze Model window, select Physical Data Model > OLAP constraints > Security to select all security constraints.
    3. Click Finish.
    The Console view displays a summary of any errors in your security model. The Problems View has more detail.
    Note: Validating your model does not indicate contradictions in your security configuration, such as authorizing a role with both the Read Allowed and Read Denied policies of a cube.

What to do next

After you create a security model for your cube, you can deploy your security settings to your cube server by exporting the model to a file, and then importing the OLAP security model with the Administration Console of your warehouse server.
Parent topic: Configuring cube, hierarchy, and fact security
Related tasks:
Activating a security model with the Administration Console
Exporting OLAP metadata by using the Design Studio

Feedback | Information roadmap