April 23, 2020 at 3:57 pm
So I'm working up a Cube for HR type folks. In it I have an employee dimension setup as Parent/Child.
HR has a role, where they get full read access to the cube, but I was thinking that the data might be handy for Management as well. What I'd like to do is create a role for the general business management group (AD) and then lock down what portion of the employee dimension they can see based on where they are within it.
Am I grasping at straws, or can I create a role for an AD group, and then use the AD Username of each person accessing the SSAS database to lock down one dimension, or would I need to create a role for each manager individually and lock it down that way?
April 23, 2020 at 4:15 pm
You can use AD Groups in Analysis Services roles to limit data, but row-level-security is to limit data from the end user and not entire entities (tables) or attributes. There are ways around it but it's cumbersome.
If you're using Multidimensional cubes, use Perspectives to create separate views of the cube that excludes certain attributes and/or entities.
April 23, 2020 at 5:44 pm
What I have are about 180 managers at varying levels within the Parent Child Employee dimension. I was hoping there was a way to create a single role that I could take a group (say Managers with Direct Reports) that they all belong to and give them access to the MDX Database that way, then limit the portion of the employee dimension they could see by using the AD Account Name attribute of the employee dimension to match to their AD Account name and limit them to that portion of the tree that they are the root of.
April 23, 2020 at 9:38 pm
You'll probably have to do something like this: https://docs.microsoft.com/en-us/analysis-services/tutorial-tabular-1200/supplemental-lesson-implement-dynamic-security-by-using-row-filters?view=asallproducts-allversions
Viewing 4 posts - 1 through 3 (of 3 total)
You must be logged in to reply to this topic. Login to reply