Book Image

Instant SQL Server Analysis Services 2012 Cube Security

By : Satya Shyam K Jayanty
Book Image

Instant SQL Server Analysis Services 2012 Cube Security

By: Satya Shyam K Jayanty

Overview of this book

SQL Server 2012 includes BI-specific features such as cube analytics, reporting-related features, multidimensional BI semantic models, and many more. This is a new addition that is of great use to Business Analysts, who can now build BI semantic models using the relational tables from the database engine rather than the dimensions from analysis services. Instant Microsoft SQL Server Analysis Services 2012 Cube Security is a practical, hands-on guide that provides clear, step-by-step recipes for getting started with cube security. As a Database Administrator and Data Architect, data security is of prime concern, and this book highlights the key concepts of securing cubes. By the end of this book, you will understand the SQL Server security model and how to effectively implement the same on the data platform. Security is paramount within a data platform, and thankfully, the issues surrounding data access can be fixed in the initial stages of its design. This allows you to avoid any breach of data access layers. The recipes in this book consist of the required ingredients to implement and administer OLAP & BI security management for your cubes. With this book, you will master the key aspects of implementing and managing security essentials and securing data layers. The recipes in this book incorporate best practice implementation, which include step-by-step instructions for creating models that implement security based on the currently logged on Windows user name or based on custom data passed to analysis services. The new BI platform features will help end users, business users, and technology users by providing a robust environment for IT, planning, budgeting, forecasting with scorecards, and reporting capabilities for the business users. These analytics will help end users to create a comprehensive management application to view the data with ease.

Related Content you might be interested in

Current Title:

Small book image
Instant SQL Server Analysis Services 2012 Cube Security
Satya Shyam K Jayanty
Jul, 2013 | 68 pages
No titles found
Table of Contents (7 chapters)
Instant SQL Server Analysis Services 2012 Cube Security
Instant SQL Server Analysis Services 2012 Cube Security
Credits
Credits
About the Author
About the Author
About the Reviewer
About the Reviewer
www.PacktPub.com
www.PacktPub.com
Preface
Preface
Free Chapter
1
Instant SQL Server Analysis Services 2012 Cube Security
Instant SQL Server Analysis Services 2012 Cube Security
Designing and creating security roles in an OLAP database (Intermediate)
Creating security roles (Intermediate)
Defining dimension access privileges (Advanced)
Managing role-based security – database to cube level (Advanced)
Managing role-based security – dimension to cell level (Advanced)
Accessing restrictions on dimensions and defining default members – full and partial (Intermediate)
Securing data at the cell level (Intermediate)
Preventing read/access to cell data (Intermediate)
Managing user-access privileges on a cube (Advanced)
Managing security roles for processing (Intermediate)
Data source and access control on cubes (Advanced)
Building a secure BI platform – the journey from SQL Server 2008 R2 to 2012 (Intermediate)
Securing key points in SSAS (Advanced)

Preventing read/access to cell data (Intermediate)

By default, if the database role has granted permissions on a cube, the role members have access to view all cell data. In order to limit the cell data access within the cube or dimension, we must explicitly restrict cell access.

For the specific dimension members, it is possible to limit the access; to grant relevant access we can use MDX to define a range of cells with the required permissions such as read, read-contingent, or read/write.

Note

The prerequisite for this recipe can be obtained from the Getting ready section in the Designing and creating security roles in an OLAP database recipe.

How to do it...

Perform the following steps:

  1. Start the SQL Server Management Studio and connect to the SQL Server 2012 Analysis Services instance.

  2. Expand the Databases folder.

  3. Choose the AdventureWorksDM database (created within the Getting ready section previously mentioned) and expand the Roles folder.

    Note

    If you are reading this recipe directly without the previous recipes, you can create the necessary roles as per the Creating security roles (Intermediate) recipe.

  4. Right-click on the role (here I have selected the DBIA_Processor role) to choose Role Properties.

  5. Click on Cell Data in the Select a page option to be presented with a relevant permissions list.

    Note

    In some cases, if you have observed that there is no option available in the Cube drop-down list in the Cell Data option, ensure you check that the relevant cube is set with the appropriate Access and Local Cube/Drillthrough options by choosing the Cubes option on the left-hand side under Select a page.

  6. Refer to the following screenshot:

Now let us continue with the Cell Data options:

  1. Click on Cell Data in the Select a page option to be presented with a relevant permissions list.

  2. Select the appropriate cube from the drop-down list; here I have selected the Adventure Works DW2012 cube.

  3. Choose the Enable read-contingent permissions option and then click on the Edit MDX button. You will be presented with the MDX Builder screen. Then, choose the presented Metadata to grant this permission.

  4. Similarly, for the Enable read-contingent permissions and the Enable read/write permissions options, perform the previous step:

    Note

    As shown in the following screenshot, choose the [Dim Product] measure for read-contingent permissions and the [Dim Customer] measure for the read/write permissions option.

  5. As a final check, either we can click on the Check button or the OK button, which will check whether the valid syntax is parsed from the previous MDX expressions.

  6. If there are any syntax errors, you can fix them by choosing the relevant Edit MDX button to correct.

This completes the steps to prevent access to certain cell data using a defined role in the Analysis Services database.

How it works...

As we discussed in the previous recipe, irrespective of a database role with read or read-contingent permission to the cell data, there are certain steps that we have followed in this recipe to restrict the access to certain cell data and measures.

From the steps mentioned, we have selected the [Dim Product] measure for the read-contingent permission and the [Dim Customer] measure for the read/write permissions. In this case, the DBIA_Processor role has permissions for the cells of the product measure assigned as read-contingent that will allow reading of cell content contingent on cell security. This identifies the cells to which the database role has allocated permissions as per the steps. These measures are visible to the database role; however, the role does not have permissions to write on cells in product measure.

Just a note on how read-contingent permission works; with any cell that is specified as read-contingent, to which a database role has been assigned, this permission is only viewable if one of the following conditions is met:

  • The read-contingent permissions are not derived from other cells

  • The cells with read-contingent permissions are derived from the other cells; however, the database role has read permission on all the cells from which the cell was derived

The access permission for a specific database role cannot exceed the permissions that are granted to a database role on the entire cube. Also, access to certain cell databases does not give access to the dimension data. Access is granted to the dimension attributes to which the database role has access, but it cannot extend access to the dimension attributes to which the database role does not have access.

As we have seen in the previous steps, the MDX is necessary to allow that database role to contain relevant permissions. If the default allowed set is empty, the corresponding database role will be checked against permissions and no data will be allowed from the cell due to the empty set.

Previous Section
End of Section 9
Next Section