Assigning Metadata Security Privileges

Assigning Metadata Security Privileges

There are three types of Metadata Security privileges that can be granted: privileges for Dimensions, for Cubes, and for Slices. In addition, there are three levels of Security for each type of privilege: Read, Add and Design levels. Each type of privilege, or level, has a different consequence and would be assigned for a different purpose. (Consequences are summarized in the table that follows this topic.) 

We will consider each Metadata Privilege in turn, giving the general procedure and providing an example for why we might want to grant the privilege. (The assumption is always that a user with administrative privileges is performing the actions described, such as  granting Metadata Security Privileges to users or Groups.

Dimension Metadata Privilege

We will consider Dimension Metadata Privileges first, which allow a user to add an “on the fly” Member to an already existing Dimension. This user may, for example, need to enter budget numbers.

  1. From the Model ribbon, click Dimensions to open the Dimensions dialog.

  2. Select the Version dimension and click Meta Security to open the Dimension Security dialog:

dimensionsecuritydialog.png

Figure 1.    Dimension Security Dialog

By using the Add or Delete buttons and selecting an Access Level from the drop-down menu, you can assign Dimension Metadata Security to users and Groups.

  1. Click the Add button to access the Select Users & Groups dialog. Alternatively, you can open the Users & Groups dialog by clicking Define Users & Groups... in the Select Users and Groups dialog.

selectusersandgroupspopulated.png

Figure 2.    Select Users and Groups Dialog

  1. Select the user Brian Orland.

  2. Click OK. You are returned to the Dimension Security dialog. The default “Read” is selected within the Access Level column.

  3. Select an Access Level (i.e., Read, Add or Design) from the drop-down. This level is now shown in the Access Level column (refer to the following figure, where the user has been given the Add Access Level).

dimensionsecuritybrianorland.png

Figure 3.    Dimension Security - User Added

  1. Click OK to return to the Dimensions dialog.

  2. Click OK to return to proCube Management Studio.

Imagine, for the purposes of this example, that Brian Orland must create a Member in the Version dimension, called BudgetUSstaff. He has this privilege based on the Add Access Level just granted. (This capability is not related to the privilege granted previously, Add Dimensions and Cubes.)

Cube metadata privilege

Metadata Security for a Cube provides varying Access Levels to a Cube. For example, you may want to allow some users to see and create slices of a Cube, and in certain cells, to enter data. To provide such fine-grained access, first provide these users access to the Cube.

  1. From the Model ribbon, click Cube. The Cubes dialog opens listing all Cubes in the database.

  2. Select the Margin cube. Click on the Meta Security button on the right in the dialog. The Cube Security dialog appears.

Again, by using the Add or Delete buttons, and selecting an Access Level from the drop-down, you assign Cube Metadata Security to Users and Groups.

  1. Click the Add button to open the Users & Groups dialog.

  2. In the Select Users & Groups dialog, select US Staff.

selectusersandgroupsdialogusstaff.png

Figure 4.    Select Users and Groups

  1. Click OK. You are returned to the Cube Security dialog. Note that the default “Read” is selected and shows in the Access Level column.

  2. Select an Access Level of Read  for the US Staff group.

cubesecuritydialogusstaffread.png

Figure 5.    Cube Security Dialog

  1. Click OK. You are returned to the Cubes dialog. For the purposes of the example, do the same for the Products Cube, providing Read access to US Staff.

In slice metadata privileges, we will provide access to a slice. In order to see a slice from a cube, you must have been granted access to the cube itself.

  1. Click OK to return to proCube Management Studio.

With Read level of access to a cube, users cannot see any data in the cube! They can access the cube, create slice arrangements (without seeing figures), even double-click on Dimensions and see their constituent Members. For a user to see, and enter, figures, they require Fact Data Security Privileges.

Slice metadata privileges

You may want to provide users access to a particular slice (i.e., point your staff to the slice), but not allow users to change the composition, or layout, of the slice.

Recall that before granting this privilege, you must have first granted users access to the cube from which the slice was created.

  1. From the Model ribbon, click Slices to open the Slices dialog.

  2. From the Cube drop-down, select the Products cube.

slicesdialogproducts&products.png

Figure 6.    Slices Dialog - Products Slice

  1. Select the Products slice and click Meta Security... to open the Slice Security dialog.

Again, by using the Add or Delete buttons, and selecting an Access Level from the drop-down, you assign Slice Metadata Security to users and Groups.

  1. Click Add to open the Select Users & Groups dialog.

  2. Select a US Staff.

  3. Click OK to return to the Slice Security dialog. The Access Level “Read” is selected for the User Group US Staff.

slicesecurityusstaffread.png

Figure 7.    Slice Security Dialog - US Staff

  1. Click OK. You are returned to the Slices dialog.
  2. Click OK to return to proCube Management Studio.

We have now succeeded in creating Metadata Security Privileges for dimensions, cubes and slices. The general procedure is the same for all cases—the choices you make depend on the security requirements you have for particular database users.

There remains a very important step—at least for the purposes of this  example: to give named users privileges to Fact Data. This is covered in Assigning Fact Data Security Privileges.

Summary of Metadata Privileges

The table directly below provides a detailed summary of the consequences of each level of Metadata Privileges. Fact Data Security Privileges may also need to be granted to certain users.

Table 1.       Metadata Privileges

Access Level Privilege

Dimension

Cube

Slice

Read

Can see the dimension

Can see its members

Can see its hierarchy

Can see its alias Groups

Can see its subsets

Cannot see its Metadata security properties

Cannot rename or delete the dimension

Can see the cube

Can create a slice

Can access data locks

Cannot see its formulas

Cannot see its Metadata security properties

Cannot see its Fact Data security definitions

Cannot see push ranges

Cannot rename or delete cube

Can see the slice

Slice opens read-only; cannot edit

Cannot rename or delete the slice

Cannot rename or delete the slice

Cannot see its Metadata security properties

Cannot save slice Metadata edits

Add

Can see the dimension

Can see its members

Can add members

Can rename and delete newly added members*

Can see its hierarchy

Can add members to root of the hierarchy only

Can see its alias Groups

Can add alias Groups

Can add aliases

Can see its subsets

Cannot see its Metadata security properties

Cannot rename or delete the dimension

Cannot rename or delete existing members

Cannot modify aggregates

Can see the cube

Can create a slice

Can access data locks

Cannot see its formulas

Cannot see its Metadata security properties

Cannot see its Fact Data security definitions

Cannot see push ranges

Cannot rename or delete cube

Can see the slice

Slice opens editable

Cannot rename or delete the slice

Cannot see its Metadata security properties

Cannot save slice Metadata edits

Design

Full privileges

Full privileges

Full privileges

Owner/Administrator/ Creator

Full privileges

Full privileges

Full privileges

 

 

Have more questions? Submit a request

0 Comments

Please sign in to leave a comment.
Powered by Zendesk