Assigning Metadata Security Privileges

There are three types of Metadata Security privileges that can be granted: privileges for Dimensions, for Cubes, and for Slices. In addition, there are three levels of Security for each type of privilege: Read, Add and Design levels. Each type of privilege, or level, has a different consequence and would be assigned for a different purpose. (Consequences are summarized in the table that follows this topic.) 

We will consider each Metadata Privilege in turn, giving the general procedure and providing an example for why we might want to grant the privilege. (The assumption is always that a user with administrative privileges is performing the actions described, such as  granting Metadata Security Privileges to users or Groups.

Dimension Metadata Privilege

We will consider Dimension Metadata Privileges first, which allow a user to add an “on the fly” Member to an already existing Dimension. This user may, for example, need to enter budget numbers.

1. From the Model ribbon, click Dimensions to open the Dimensions dialog.

2. Select the Version dimension and click Meta Security to open the Dimension Security dialog:

Figure 1.    Dimension Security Dialog

By using the Add or Delete buttons and selecting an Access Level from the drop-down menu, you can assign Dimension Metadata Security to users and Groups.

3. Click the Add button to access the Select Users & Groups dialog. Alternatively, you can open the Users & Groups dialog by clicking Define Users & Groups... in the Select Users and Groups dialog.

Figure 2.    Select Users and Groups Dialog

4. Select the user Brian Orland.

5. Click OK. You are returned to the Dimension Security dialog. The default “Read” is selected within the Access Level column.

6. Select an Access Level (i.e., Read, Add or Design) from the drop-down. This level is now shown in the Access Level column (refer to the following figure, where the user has been given the Add Access Level).

Figure 3.    Dimension Security - User Added

7. Click OK to return to the Dimensions dialog.

8. Click OK to return to proCube Management Studio.

Imagine, for the purposes of this example, that Brian Orland must create a Member in the Version dimension, called BudgetUSstaff. He has this privilege based on the Add Access Level just granted. (This capability is not related to the privilege granted previously, Add Dimensions and Cubes.)

Cube metadata privilege

Metadata Security for a Cube provides varying Access Levels to a Cube. For example, you may want to allow some users to see and create slices of a Cube, and in certain cells, to enter data. To provide such fine-grained access, first provide these users access to the Cube.

1. From the Model ribbon, click Cube. The Cubes dialog opens listing all Cubes in the database.

2. Select the Margin cube. Click on the Meta Security button on the right in the dialog. The Cube Security dialog appears.

Again, by using the Add or Delete buttons, and selecting an Access Level from the drop-down, you assign Cube Metadata Security to Users and Groups.

3. Click the Add button to open the Users & Groups dialog.

4. In the Select Users & Groups dialog, select US Staff.

Figure 4.    Select Users and Groups

5. Click OK. You are returned to the Cube Security dialog. Note that the default “Read” is selected and shows in the Access Level column.

6. Select an Access Level of Read  for the US Staff group.

Figure 5.    Cube Security Dialog

7. Click OK. You are returned to the Cubes dialog. For the purposes of the example, do the same for the Products Cube, providing Read access to US Staff.

In slice metadata privileges, we will provide access to a slice. In order to see a slice from a cube, you must have been granted access to the cube itself.

8. Click OK to return to proCube Management Studio.

With Read level of access to a cube, users cannot see any data in the cube! They can access the cube, create slice arrangements (without seeing figures), even double-click on Dimensions and see their constituent Members. For a user to see, and enter, figures, they require Fact Data Security Privileges.

Slice metadata privileges

You may want to provide users access to a particular slice (i.e., point your staff to the slice), but not allow users to change the composition, or layout, of the slice.

Recall that before granting this privilege, you must have first granted users access to the cube from which the slice was created.

1. From the Model ribbon, click Slices to open the Slices dialog.

2. From the Cube drop-down, select the Products cube.

Figure 6.    Slices Dialog - Products Slice

3. Select the Products slice and click Meta Security... to open the Slice Security dialog.

Again, by using the Add or Delete buttons, and selecting an Access Level from the drop-down, you assign Slice Metadata Security to users and Groups.

4. Click Add to open the Select Users & Groups dialog.

5. Select a US Staff.

6. Click OK to return to the Slice Security dialog. The Access Level “Read” is selected for the User Group US Staff.

Figure 7.    Slice Security Dialog - US Staff

7. Click OK. You are returned to the Slices dialog.

8. Click OK to return to proCube Management Studio.

We have now succeeded in creating Metadata Security Privileges for dimensions, cubes and slices. The general procedure is the same for all cases—the choices you make depend on the security requirements you have for particular database users.

There remains a very important step—at least for the purposes of this  example: to give named users privileges to Fact Data. This is covered in Assigning Fact Data Security Privileges.

Summary of Metadata Privileges

The table directly below provides a detailed summary of the consequences of each level of Metadata Privileges. Fact Data Security Privileges may also need to be granted to certain users.

Table 1.       Metadata Privileges

Access Level Privilege	Dimension	Cube	Slice
Read	Can see the dimension Can see its members Can see its hierarchy Can see its alias Groups Can see its subsets Cannot see its Metadata security properties Cannot rename or delete the dimension	Can see the cube Can create a slice Can access data locks Cannot see its formulas Cannot see its Metadata security properties Cannot see its Fact Data security definitions Cannot see push ranges Cannot rename or delete cube	Can see the slice Slice opens read-only; cannot edit Cannot rename or delete the slice Cannot rename or delete the slice Cannot see its Metadata security properties Cannot save slice Metadata edits
Add	Can see the dimension Can see its members Can add members Can rename and delete newly added members* Can see its hierarchy Can add members to root of the hierarchy only Can see its alias Groups Can add alias Groups Can add aliases Can see its subsets Cannot see its Metadata security properties Cannot rename or delete the dimension Cannot rename or delete existing members Cannot modify aggregates	Can see the cube Can create a slice Can access data locks Cannot see its formulas Cannot see its Metadata security properties Cannot see its Fact Data security definitions Cannot see push ranges Cannot rename or delete cube	Can see the slice Slice opens editable Cannot rename or delete the slice Cannot see its Metadata security properties Cannot save slice Metadata edits
Design	Full privileges	Full privileges	Full privileges
Owner/Administrator/ Creator	Full privileges	Full privileges	Full privileges